Communication across switch works but not across LAGG.

erasedhammer
Level 1

I can ssh into a host from one port on my 3560 to another, but from my firewall down a channel group, or from the host through the channel group to the firewall, there is no communication at layer 3, but ARP makes it.

I have no settings set on the port channel, and nothing set on the interfaces that are part of the port channel.

My desktop, connected through a Cisco unmanaged switch, can communicate with the firewall and the internet, but the host directly connected to the switch can't do anything but inner LAN.

1 Accepted Solution

Accepted Solutions

Port 0/10 should be VLAN 5, since your gateway resides in pfSense; not sure what kind of FW rules are there in the pfSense.

Port 0/9 is configured as trunk; as per the diagram it is connected to a Cisco unmanaged switch, what model?

I suggest changing Port 0/9 and 0/10 to access ports and making sure you configured access port VLAN 5 (as per your config I did not see you configured VLAN 5 on port 0/10).

Once configured, you should be able to communicate with:

1. From .5, are you able to ping .1?

2. From .2, are you able to ping .1?

3. From .3, are you able to ping .1?

4. Then .2, .3, .5 should be able to ping and SSH.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

31 Replies

Reza Sharifi
Hall of Fame

"but the host directly connected to the switch can't do anything but inner LAN."

Can you make sure the host is in the right vlan on the switch?

Is your desktop and the host on the same vlan?

Can you provide more info regarding vlans and IPs?

HTH


balaji.bandi
Hall of Fame

Not sure if we understand your question correctly; can you post the configuration and explain where these hosts are connected on the switch (port numbers)?

If the devices point to the FW as gateway, by default the FW denies.


BB


My desktop, at 10.10.0.2 (across gig0/9), can ssh to the host on gig0/10, 10.10.0.3. 10.10.0.2 can go to the internet up port channel 1. 10.10.0.3 cannot go anywhere. I am definitely missing a configuration here, not sure what though.


!
interface Port-channel1
!

!
interface GigabitEthernet0/2
description RTR-UPLINK-MGNT
channel-group 1 mode on
!
interface GigabitEthernet0/3
description RTR-UPLINK-MGNT
channel-group 1 mode on
!

!
interface GigabitEthernet0/9
description Cisco-Desktop-Switch
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 5

!
interface GigabitEthernet0/10
description NMS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 5
no cdp enable
spanning-tree portfast
!


What is that device 10.10.0.3? If this is a PC, then compare its config with 10.10.0.2 (like gateway/mask/DNS).

BB


The .3 is a debian box acting as a server. The .2 is just a PC. Confirmed, they are in the same subnet.

The .3 is supposed to receive syslog traffic. If I try to go anywhere out from the .3, I get "no route to host", so it's not even getting to the firewall.

From Debian, post the output below:

ifconfig

route -n

By default some Linux have a FW built in.

Try the below command:

iptables -F  (flush FW and try)

BB


Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.10.0.1 0.0.0.0 UG 0 0 0 enp2s0
10.10.0.0 0.0.0.0 255.255.255.240 U 0 0 0 enp2s0

I have UFW on it, but it does not block outgoing.

Default: deny (incoming), allow (outgoing), disabled (routed)

51/tcp ALLOW IN 10.10.0.2

514/udp ALLOW IN 10.10.0.1

Can we know what the device 10.10.0.1 is?

Connect to the switch and perform the below steps:

default interface GigabitEthernet0/10
!
interface GigabitEthernet0/10
switchport mode access
switchport access vlan 
!

On the Linux side, disable the FW for testing:

sudo ufw disable

Ping from Linux to 10.10.0.1 and 10.10.0.2.

Can you provide the PC config output:

ipconfig /all

BB


Is it possible that the device that has the .3 address does not support trunking or is not configured as a trunk?

If that is the case, change the switch port to an access port and try again.

switchport mode access

switchport access vlan x


HTH

Now I cannot ssh into the device. I have tried changing to switchport access before, but it just hangs any connection into the device every time.

It seems to only allow my ssh connection when it's set to trunk.

I am really confused as to why this is happening. Any ideas?

Not sure; we may have misunderstood after your test.

Can you post information and let us know what the current status is, to assist better?

Since the Linux device is not able to participate in trunk mode, we suggest making it an access port, right?

BB


Current status:

I was able to get the end host ( the .3) to communicate with other hosts on the switch (my PC, the .2) with the port set to switchport host.

!
interface GigabitEthernet0/10
description NMS
switchport mode access
no cdp enable
spanning-tree portfast
!


Unfortunately, that host still cannot talk to the gateway rtr/fw/internet even though my own PC can talk to the FW/internet. (there is currently an allow any any rule on the firewall)


interface GigabitEthernet0/10
description NMS
switchport mode access
switchport access vlan 5    <-- this part is missing, add this line and let us know.
no cdp enable
spanning-tree portfast

BB

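As an added example (not from this thread or its participants), a small Python lint over an IOS running-config excerpt that flags the three conditions the replies keep circling: an access port with no `switchport access vlan` (which IOS drops into VLAN 1, exactly the .3 host's problem), trunk parameters on a port that was never set to `switchport mode trunk`, and an uplink Port-channel with no VLAN configuration at all. The sample config is constructed from the poster's interface names, and the finding texts are mine.

```python
import re

# Constructed sample using the poster's interface names; Gi0/11 is a correctly configured control.
SAMPLE_CONFIG = """\
interface Port-channel1
!
interface GigabitEthernet0/9
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5
!
interface GigabitEthernet0/10
 switchport mode access
!
interface GigabitEthernet0/11
 switchport mode access
 switchport access vlan 5
!
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]}; a bare '!' closes a block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"^interface (\S+)$", line)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks

def lint_switchports(config):
    """Return (interface, finding) pairs for the VLAN mistakes discussed in the thread."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        is_access = "switchport mode access" in lines
        has_access_vlan = any(ln.startswith("switchport access vlan ") for ln in lines)
        trunk_params = any(ln.startswith("switchport trunk ") for ln in lines)
        if is_access and not has_access_vlan:
            # IOS places an access port with no VLAN statement into VLAN 1.
            findings.append((name, "access port without 'switchport access vlan' (defaults to VLAN 1)"))
        if trunk_params and "switchport mode trunk" not in lines:
            # Trunk parameters alone do not force trunking; the mode is left to DTP negotiation.
            findings.append((name, "trunk parameters set but 'switchport mode trunk' absent"))
        if name.startswith("Port-channel") and not any(ln.startswith("switchport") for ln in lines):
            findings.append((name, "uplink bundle has no switchport/VLAN configuration"))
    return findings
```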
