05-16-2018 02:32 PM - edited 03-08-2019 03:02 PM
I have a new stack of three 9300s that seem to route traffic in some very confusing ways. I can reach the vlan address on the switch (10.214.184.1) from my workstation:
# mtr -rnc 10 10.214.184.1
HOST: c00464.lereta.com Loss% Snt Last Avg Best Wrst StDev
1. 198.204.114.232 0.0% 10 0.3 0.4 0.3 0.6 0.1
2. 10.212.3.178 0.0% 10 0.2 0.3 0.2 0.4 0.1
3. 10.214.184.1 0.0% 10 47.8 46.7 33.0 65.3 9.4
Next I plugged a laptop to the new stack and it got an address (10.214.184.50) from the DHCP server. However, when I try to traceroute to the laptop the traffic does not get there or the return packets are not getting through.
# mtr -rnc 10 10.214.184.50
HOST: c00464.lereta.com Loss% Snt Last Avg Best Wrst StDev
1. 198.204.114.232 0.0% 10 0.3 26.4 0.3 261.7 82.7
2. 10.212.3.178 0.0% 10 0.3 0.3 0.2 0.3 0.0
3. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
If I ping the laptop IP from the switch it works fine.
# ping 10.212.184.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.212.184.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/56 ms
If I scan the laptop IP things start to get really weird:
# nmap -A 10.214.184.50
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-16 14:07 PDT
Nmap scan report for 10.214.184.50
Host is up (0.055s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http nginx
|_http-server-header: nginx
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http nginx
|_http-server-header: nginx
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=IOS-Self-Signed-Certificate-909702223
| Not valid before: 2018-05-11T23:07:54
|_Not valid after: 2020-01-01T00:00:00
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_ http/1.1
8090/tcp open http nginx
|_http-server-header: nginx
|_http-title: 502 Bad Gateway
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|storage-misc
Running (JUST GUESSING): Linux 3.X|4.X (91%), Crestron 2-Series (87%), HP embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3
Aggressive OS guesses: Linux 3.2 - 4.8 (91%), Linux 3.10 - 4.8 (89%), Linux 3.18 (87%), Crestron XPanel control system (87%), Linux 3.16 (86%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.35 ms 198.204.114.232
2 0.34 ms mx400-01.lereta.net (10.212.3.178)
3 64.13 ms 10.214.184.50
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.81 seconds
I am absolutely certain there is no web server at all on the laptop much less nginx. When I use a browser to reach out to 10.214.184.50 I get the web management interface for the switch stack! I can log in and everything. What I cannot do is connect to anything beyond the stack and that makes no sense at all to me.
In the old days I could stack 3750s or 3850s, define some VLANs, set some routes, and everything worked. I cannot figure out what the 9300s do differently.
(Some of the preformatted text above did not format clearly so I hope it is readable.)
05-16-2018 03:57 PM
Hi,
Is the laptop getting the correct IP configuration from the DHCP server? Also, per your posting: "I can reach the vlan address on the switch (10.212.184.1)" -> I guess this is 10.214.184.1? Also check the IPs posted here that you try to ping & traceroute. Make sure they are correct.
hth
MS
05-17-2018 07:47 AM
The laptop is picking up a correct configuration for the site.
Most of the local addresses here are 10.212.X.X but the new site will be 10.214.X.X and I typed 212 in a few places where I meant 214. Sorry for the confusion. I edited the original post to fix that error.
JIC, last night I also shut down the stack (it's still in the lab) and scanned for any 10.214.0.0/16 addresses that might be lying around the LAN. I found none so I guess it is not a duplicate IP.
05-17-2018 03:45 PM
Someone elsewhere suggested the problem may be licensing. However they look OK to me:
#show license right-to-use
Slot# License Name Type Period left
----------------------------------------------------
1 network-essentials Permanent Lifetime
1 network-advantage Permanent Lifetime
1 dna-advantage Subscription CSSM Managed
----------------------------------------------------
License Level on Reboot: network-advantage+dna-advantage Subscription

Slot# License Name Type Period left
----------------------------------------------------
2 network-essentials Permanent Lifetime
2 network-advantage Permanent Lifetime
2 dna-advantage Subscription CSSM Managed
----------------------------------------------------
License Level on Reboot: network-advantage+dna-advantage Subscription

Slot# License Name Type Period left
----------------------------------------------------
3 network-essentials Permanent Lifetime
3 network-advantage Permanent Lifetime
3 dna-advantage Subscription CSSM Managed
----------------------------------------------------
License Level on Reboot: network-advantage+dna-advantage Subscription
OTOH, I do not know much about the so-called "smart" licensing.
05-18-2018 08:55 PM
Hi,
Your testing is related to simple basic switching/routing, so it should work irrespective of any 'smart' licenses :). Here is what I suggest:
1. For traceroute -> make sure the laptop does not have any built-in firewall enabled. With Unix, ping and traceroute use different packets (ICMP & UDP), so make sure no firewall rules are blocking traceroute.
2. Stack interface with laptop IP: To test this, I would remove the laptop from the switch and then ping and HTTP to the same IP (the one the laptop was getting and where you see the stack) and see if anything comes up. As this is a lab setup, try rebooting the switch and test again if you notice any anomalies.
hth
MS
05-18-2018 11:59 PM
This was so simple I am still kicking myself over it.
# conf t
(config)# ip routing
^Z
It all works now.
When in the heck did Cisco stop turning on IP routing by default?
12-15-2021 03:30 AM
Let me join you in the self kicking. I have two C9300 stacks, one was routing the other wasn't.
Took me forever to spot the minor difference.
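An offline check for the condition this thread ended on, added here as an example and not written by any of the posters: it reads saved `show running-config` text, reports VLAN interfaces that carry an address while `ip routing` is absent, notes whether the web management server seen in the nmap scan is enabled, and diffs the global commands of two stacks. The sample configs are constructed, the function names are hypothetical, and it assumes `ip routing` appears as a global line in the running-config when enabled.

```python
import re

# Constructed sample configs (not from the thread), trimmed to the relevant lines.
STACK_A = """\
hostname stack-a
ip routing
!
interface Vlan184
 ip address 10.214.184.1 255.255.255.0
!
ip http server
ip http secure-server
"""
# Same config with the single global 'ip routing' line missing.
STACK_B = STACK_A.replace("stack-a", "stack-b").replace("ip routing\n", "")

def parse(config):
    """Return (global commands, {SVI name: IP address}) from running-config text."""
    global_cmds, svis, current = set(), {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped in ("", "!"):
            current = None          # section separator ends the interface block
            continue
        if not line.startswith(" "):
            global_cmds.add(stripped)
            m = re.match(r"interface (Vlan\d+)$", stripped)
            current = m.group(1) if m else None
        elif current:
            m = re.match(r"ip address (\S+) \S+$", stripped)
            if m:
                svis[current] = m.group(1)
    return global_cmds, svis

def audit(config):
    """List findings: addressed SVIs without routing, web management enabled."""
    global_cmds, svis = parse(config)
    findings = []
    if svis and "ip routing" not in global_cmds:
        findings.append(f"{sorted(svis)} addressed but 'ip routing' is not configured")
    if global_cmds & {"ip http server", "ip http secure-server"}:
        findings.append("web management server is enabled")
    return findings

def global_diff(a, b):
    """Global commands present in only one of two configs (hostname ignored)."""
    ga = {c for c in parse(a)[0] if not c.startswith("hostname")}
    gb = {c for c in parse(b)[0] if not c.startswith("hostname")}
    return sorted(ga - gb), sorted(gb - ga)
```

Running `global_diff` on the two stacks' saved configs surfaces the one-line difference directly.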