02-13-2021 12:21 PM
I have a Cisco 3850 switch with IP services.
Inter-vlan routing is configured.
My computer is on the default vlan (1).
I have an SVI for vlan 192.
My Cisco ASA is connected to an access port on the 3850 on port 48 and is on vlan 192.
I added another host with an IP in the same vlan and connected to port 47 which is in vlan 192 and the mode is access.
From my computer I can ping the SVI and the ASA but not the new host on port 47.
When logged into the switch, I can ping the SVI, ASA and the new host on port 47.
What am I missing?
02-13-2021 12:32 PM
Hello,
post the full running configuration of your 3850 switch (sh run)...
02-13-2021 12:38 PM
version 16.9
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service compress-config
service call-home
service unsupported-transceiver
no platform punt-keepalive disable-kernel-core
!
hostname flmswitch1
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5
enable password 7
!
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
switch 1 provision ws-c3850-48u
!
!
!
!
!
coap http enable
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
ip routing
!
!
!
!
!
ip admission watch-list expiry-time 0
ip name-server 8.8.8.8
ip domain name bottomlinepros.com
ip device tracking probe auto-source
ip dhcp excluded-address 10.1.10.1 10.1.10.200
ip dhcp excluded-address 10.1.1.1 10.1.1.199
!
ip dhcp pool VLAN10
network 10.1.10.0 255.255.255.0
default-router 10.1.10.1
dns-server 8.8.8.8
!
ip dhcp pool VLAN1
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
dns-server 8.8.8.8
!
!
!
!
!
!
!
!
!
!
ipv6 neighbor tracking auto-source
!
!
crypto pki trustpoint TP-self-signed-3139843348
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3139843348
revocation-check none
rsakeypair TP-self-signed-3139843348
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-3139843348
......
!
license boot level ipservicesk9
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
no errdisable detect cause gbic-invalid
!
username flmadmin privilege 15 password 7 dsdsa
username ctgadmin password 7 dsada
!
redundancy
mode sso
!
!
!
!
hw-switch switch 1 logging onboard message
vlan dot1q tag native
lldp run
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description Inter FED, EWLC control, EWLC data
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
!
policy-map system-cpp-policy
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel20
switchport trunk allowed vlan 20
switchport mode trunk
!
interface Port-channel100
description Unifi
switchport trunk native vlan 100
switchport trunk allowed vlan 100
spanning-tree portfast disable
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
speed 1000
negotiation auto
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
switchport access vlan 99
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
switchport access vlan 10
switchport voice vlan 80
spanning-tree portfast
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
switchport trunk allowed vlan 20
switchport mode trunk
channel-group 20 mode active
!
interface GigabitEthernet1/0/24
switchport trunk allowed vlan 20
switchport mode trunk
channel-group 20 mode active
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
switchport access vlan 99
!
interface GigabitEthernet1/0/46
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/47
switchport access vlan 192
switchport mode access
!
interface GigabitEthernet1/0/48
switchport access vlan 192
switchport mode access
!
interface GigabitEthernet1/1/1
shutdown
!
interface GigabitEthernet1/1/2
shutdown
!
interface GigabitEthernet1/1/3
shutdown
!
interface GigabitEthernet1/1/4
shutdown
!
interface TenGigabitEthernet1/1/1
switchport trunk allowed vlan 1-500
switchport mode trunk
spanning-tree portfast trunk
!
interface TenGigabitEthernet1/1/2
switchport trunk allowed vlan 1-500
switchport mode trunk
spanning-tree portfast trunk
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
ip address 10.1.1.1 255.255.255.0
!
interface Vlan10
ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
description NAS
ip address 10.1.20.1 255.255.255.0
!
interface Vlan30
description UCS
ip address 10.1.30.1 255.255.255.0
!
interface Vlan60
ip address 10.1.60.1 255.255.255.0
!
interface Vlan99
ip address 10.1.99.1 255.255.255.0
!
interface Vlan100
description Unifi
ip address 10.1.100.1 255.255.255.0
!
interface Vlan192
ip address 192.168.200.1 255.255.255.0
!
interface Vlan250
ip address 10.1.250.1 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.200.254
!
!
!
!
!
ipv6 neighbor tracking auto-source
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 dasda
login local
transport input ssh
line vty 5 15
password 7 dsads
login local
transport input ssh
!
ntp master
ntp server time.nist.gov
mac address-table notification mac-move
wsma agent exec
profile httplistener
profile httpslistener
!
wsma agent config
profile httplistener
profile httpslistener
!
wsma agent filesys
profile httplistener
profile httpslistener
!
wsma agent notify
profile httplistener
profile httpslistener
!
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
!
end
02-13-2021 12:46 PM
Hello,
does Vlan 192 actually exist on the switch (sh vlan) ?
02-13-2021 12:33 PM
This is a Windows FW issue; disable the Windows FW on the device and test it. (If the FW is disabled, check the gateway settings: does it point to the FW or to the switch SVI? Post more information.)
02-13-2021 12:47 PM - edited 02-13-2021 01:24 PM
I disabled Windows firewall but still CANNOT ping 192.168.200.253 (Port 47).
I CAN ping 192.168.200.1 (SVI) and 192.168.200.254 (ASA - Port 48).
My PC is on the default VLAN (1).
Default gateway of my PC is 10.1.1.1.
Here is the output of the tracert command:
C:\Users\admin>tracert 192.168.200.1
Tracing route to 192.168.200.1 over a maximum of 30 hops
1 7 ms 1 ms 6 ms 192.168.200.1
Trace complete.
C:\Users\admin>tracert 192.168.200.254
Tracing route to 192.168.200.254 over a maximum of 30 hops
1 1 ms 1 ms <1 ms 10.1.1.1
2 <1 ms <1 ms <1 ms 192.168.200.254
Trace complete.
C:\Users\admin>tracert 192.168.200.253
Tracing route to 192.168.200.253 over a maximum of 30 hops
1 3 ms 1 ms 3 ms 10.1.1.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 ^C
02-13-2021 01:44 PM
Hello,
can 192.168.200.253 ping 192.168.200.1 and 10.1.1.1 ?
02-13-2021 02:07 PM
I cannot connect to .253. That is actually a pfSense firewall. I was able to connect to it when the IP address of the LAN interface was 10.1.1.70. I changed it to 192.168.200.253 and moved it to port 47, which is on vlan 192 just like the ASA.
02-13-2021 02:30 PM
Hello,
is ping (ICMP) allowed in the pfSense firewall rules?
02-13-2021 02:12 PM - edited 02-13-2021 02:13 PM
Can you post the output of ipconfig from the device?
Post your network diagram showing how it looks.
02-13-2021 02:28 PM
Attached is a diagram of the network.
Here is the ipconfig output:
C:\Users\admin>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::95d0:3e8e:f9b4:ceb7%17
IPv4 Address. . . . . . . . . . . : 10.1.1.45
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
Ethernet adapter VirtualBox Host-Only Network:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::dcf4:8897:189e:1319%9
IPv4 Address. . . . . . . . . . . : 192.168.56.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter Local Area Connection* 10:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter vEthernet (Default Switch):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::ccff:7b1f:4982:a803%45
IPv4 Address. . . . . . . . . . . : 172.17.208.209
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . :
02-13-2021 02:34 PM
Thank you for the information.
Your switch has a route pointing to the ASA:
ip route 0.0.0.0 0.0.0.0 192.168.200.254
Do you have a route back to the switch from the ASA, and what is the ASA's default route?
02-13-2021 03:00 PM
Yes, currently the ASA (.254) is being used as the firewall. I am trying to replace it with the pfSense since it has a GB interface.
Before I change the routing in the switch to point to the pfSense, I need to be able to access it on the .253 interface so I can manage it.
Right now, I am not able to ping or connect using the browser.
The current setup with the ASA is working.
Hope that makes sense.
02-13-2021 03:07 PM - edited 02-13-2021 03:50 PM
Add a static entry in the ASA/pfSense to mitigate the issue.
02-13-2021 03:19 PM
I'm sorry but I do not understand why I would need to do that since inter-vlan routing is happening in the switch.
I should be able to get to 192.168.200.253 without having to go to the ASA. The ASA is NOT doing LAN side routing.
That is how other connections are working.
Am I missing something?
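The "route back" question raised above is easiest to see with a model of the return path. The following is an added example, not code from the thread: it models the posted topology (PC 10.1.1.45 with gateway 10.1.1.1, the 3850 SVIs, the ASA at .254 and the pfSense at .253) and checks whether both the echo request and the echo reply have a path. The ASA's return route to 10.1.0.0/16 and the 203.0.113.1 WAN next hop for both firewalls are assumptions for the demo; firewall rules are not modelled.

```python
import ipaddress

def routes(*entries):
    # (prefix, next_hop); next_hop None means directly connected
    return [(ipaddress.ip_network(p), nh) for p, nh in entries]

# Constructed model of the thread's topology. Addresses come from the posted
# config and tracert output; the ASA's return route and the 203.0.113.1 WAN
# next hop are assumptions made for this demo.
NODES = {
    "pc":      {"addrs": {"10.1.1.45"},
                "routes": routes(("10.1.1.0/24", None), ("0.0.0.0/0", "10.1.1.1"))},
    "switch":  {"addrs": {"10.1.1.1", "192.168.200.1"},
                "routes": routes(("10.1.1.0/24", None), ("192.168.200.0/24", None),
                                 ("0.0.0.0/0", "192.168.200.254"))},
    "asa":     {"addrs": {"192.168.200.254"},
                "routes": routes(("192.168.200.0/24", None),
                                 ("10.1.0.0/16", "192.168.200.1"),  # assumed
                                 ("0.0.0.0/0", "203.0.113.1"))},
    "pfsense": {"addrs": {"192.168.200.253"},
                "routes": routes(("192.168.200.0/24", None),
                                 ("0.0.0.0/0", "203.0.113.1"))},  # no route back to 10.1.x
}

def owner(addr):
    return next((n for n, node in NODES.items() if addr in node["addrs"]), None)

def next_hop(node, dst):
    # Longest-prefix match; returns the next hop, or dst itself when connected.
    ip = ipaddress.ip_address(dst)
    matches = [r for r in NODES[node]["routes"] if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1] or dst

def path(src, dst, max_hops=8):
    # Follow next hops until the node owning dst is reached; None if the packet
    # leaves the modelled LAN (for example, out the firewall's WAN).
    node, hops = owner(src), [owner(src)]
    for _ in range(max_hops):
        if node == owner(dst):
            return hops
        node = owner(next_hop(node, dst) or "")
        if node is None:
            return None
        hops.append(node)
    return None

def ping_ok(src, dst):
    # ICMP echo works only if both the request and the reply have a path.
    return path(src, dst) is not None and path(dst, src) is not None

def add_route(node, prefix, nh):
    NODES[node]["routes"].append((ipaddress.ip_network(prefix), nh))
```

Pinging .253 from the switch succeeds because the SVI source 192.168.200.1 is on the connected subnet, while the PC's 10.1.1.45 source needs a return route on the pfSense; the model only covers routing, so the separate question of whether the pfSense LAN rules permit ICMP from 10.1.1.0/24 still applies.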