Solved: Communication across switch works but not across LAGG.

erasedhammer · ‎04-03-2020

I can ssh into a host from one port on my 3560 to another, but from my firewall down a channel group or from the host through the channel group to the firewall there is no communication at layer 3, but arp makes it.

I have no settings set on the port channel, and nothing set on the interfaces that are part of the port channel.

My desktop, connected through a cisco unmanaged switch can communicate with the firewall and the internet, but the host directly connected to the switch can't do anything but inner lan.

balaji.bandi · ‎04-13-2020

Port 0/10 should be VLAN 5, since your Gatewway resides in PFSense, not sure what kind of FW rules there in the PFSENSE.

Port 0/9 configured as Trunk, as per diagram it is connected to cisco unmaaged Sw, what model ?

I suggested to change Port 0/9 and 0/10 as access port and make sure you confiured access port vlan 5 ( as per your config i did not see you configured VLAN 5 on port 0/10)

Once you configured, you should be able to communicate with :

1. From .5 you able to ping .1

2. From .2 are you able to ping .1

3. from .3 are you able to ping .1

4. then 2. .3 .5 should be able to ping and able to SSH.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Reza Sharifi · ‎04-03-2020

but the host directly connected to the switch can't do anything but inner lan.

Can you make sure the host is in the right vlan on the switch?

Is your desktop and the host on the same vlan?

Can you provide more info regarding vlans and IPs?

HTH

balaji.bandi · ‎04-03-2020

not sure if we understand your question correctly can you post the configuraiton and explain where is these host connected in the switch (port numbers)

If the device are point to gateway to FW, by default FW denies.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

erasedhammer · ‎04-03-2020

My desktop, at 10.10.0.2 (across gig0/9), can ssh to the host on gig0/10, 10.10.0.3. 10.10.0.2 can go to the internet up port channel 1. 10.10.0.3 cannot go anywhere. I am definitely missing a configuration here, not sure what though.

!
interface Port-channel1
!

!
interface GigabitEthernet0/2
description RTR-UPLINK-MGNT
channel-group 1 mode on
!
interface GigabitEthernet0/3
description RTR-UPLINK-MGNT
channel-group 1 mode on
!

!
interface GigabitEthernet0/9
description Cisco-Desktop-Switch
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 5

!
interface GigabitEthernet0/10
description NMS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 5
no cdp enable
spanning-tree portfast
!

balaji.bandi · ‎04-03-2020

what is that device 10.10.0.3, if this is PC, then i compare the config as 10.10.0.2 ( like gateway/mask/dns)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

erasedhammer · ‎04-03-2020

The .3 is a debian box acting as a server. The .2 is just a PC. Confirmed, they are in the same subnet.

The .3 is supposed to receive syslog traffic. If I try to go anywhere out from the .3, I get no route to host, so its not even getting to the firewall.

balaji.bandi · ‎04-03-2020

from debian

post output below :

ifconfig

route -n

by default some Linux have fw build in.

try below command :

iptables -F (flush FW and Try)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

erasedhammer · ‎04-03-2020

Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.10.0.1 0.0.0.0 UG 0 0 0 enp2s0
10.10.0.0 0.0.0.0 255.255.255.240 U 0 0 0 enp2s0

I have UFW on it, but it does not block outgoing.

Default: deny (incoming), allow (outgoing), disabled (routed)

51/tcp ALLOW IN 10.10.0.2

514/udp ALLOW IN 10.10.0.1

balaji.bandi · ‎04-03-2020

can we know what is the device 10.10.0.1 ?

connect to switch and perform below steps :

default interface GigabitEthernet0/10

!

interface GigabitEthernet0/10
switchport mode access
switchport vlan
!

on the Linux side disable FW for testing :

sudo ufw disable

ping from Linux

10.10.0.1 and 10.10.0.2

can you provide Pc config output :

ipconfig /all

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Reza Sharifi · ‎04-03-2020

Is it possible that the device that has .3 address does not support trunking or not configured as trunk?

If that is the case, change the switch port to an access port and try again.

switchport mode access

switchport vlan x

HTH

erasedhammer · ‎04-03-2020

Now I cannot ssh into the device. I have tried changing to switchport access before, but it just hangs any connection into the device every time.

It seems to only allow my ssh connection when its set to trunk.

erasedhammer · ‎04-07-2020

I am really confused as to why this is happening. any ideas??

balaji.bandi · ‎04-07-2020

Not sure we may have missunderstood after your test.

can you post information and let us know what is current status to assits better.

Since linux device not able to partiicipate in Truk Mode, we suggest to make as access port rigt ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

erasedhammer · ‎04-07-2020

Current status:

I was able to get the end host ( the .3) to communicate with other hosts on the switch (my PC, the .2) with the port set to switchport host.

!
interface GigabitEthernet0/10
description NMS
switchport mode access
no cdp enable
spanning-tree portfast
!

Unfortunately, that host still cannot talk to the gateway rtr/fw/internet even though my own PC can talk to the FW/internet. (there is currently an allow any any rule on the firewall)

balaji.bandi · ‎04-07-2020

interface GigabitEthernet0/10
description NMS
switchport mode access

switchport access vlan 5 < this part missing, add this line and let us know.
no cdp enable
spanning-tree portfast

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help