Communication across switch works but not across LAGG.

erasedhammer
Level 1

I can SSH into a host from one port on my 3560 to another, but from my firewall down a channel group, or from the host through the channel group to the firewall, there is no communication at layer 3, though ARP makes it.

I have no settings set on the port channel, and nothing set on the interfaces that are part of the port channel.

My desktop, connected through a Cisco unmanaged switch, can communicate with the firewall and the internet, but the host directly connected to the switch can't do anything but inner LAN.


!
interface GigabitEthernet0/10
description NMS
switchport access vlan 5
switchport mode access
no cdp enable
spanning-tree portfast
!

 

Unless there is a long delay for the configuration to take place, that doesn't work.

I lose my SSH connection into the .3 from the .2 when I apply vlan 5. And the firewall still cannot ping the device.

I just tried to change the port my PC is off of to switchport mode access and switchport access vlan 5, and it also breaks all connections.

!
interface GigabitEthernet0/15
description TP-LINK-SW
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10
!

 

I have this configuration for my DHCP hosts, and this seems to be the only configuration that works very well. I can communicate with all the hosts, and with the switch management interface as well, from my VLAN (5).

As far as I understand, that config allows only VLAN 10 traffic, and any untagged traffic gets tagged as VLAN 10. How does this differ from switchport access vlan?

 

We are not sure about your whole network; we have advised based on the information you have provided.

Since you have mentioned VLAN 5 working, we are under the impression your Layer 3 interface of VLAN 5 was configured as .1.

Hope it was resolved, and good to hear.

 

 

BB

=====Preenayamo Vasudevam=====


Well, no configuration solves my problem. But if there's nothing that can be done, I guess I'll just keep trying things until something works.

Until you provide all the information, a small network diagram and all the switch configuration, it is hard to understand what you tried and what is not working.

I suggest providing all the configuration, rather than just mentioning simple standard configuration - in most cases it should work. Since it's not working as expected, further advanced input is required to assist better here.

Please provide the information so we can understand and assist better.

 

BB


!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname lan-sw
!
boot-start-marker
boot-end-marker
!
enable secret *
!
username *
aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa authentication login default local
!
!
!
!
!
!
aaa session-id common
clock timezone UTC -5 0
system mtu routing 1500
!
!
no ip domain-lookup
ip domain-name *
!
!
crypto pki trustpoint TP-self-signed-2182805120
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2182805120
revocation-check none
rsakeypair TP-self-signed-2182805120
!
!
crypto pki certificate chain TP-self-signed-2182805120
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 5
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10
!
interface Port-channel3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 30
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet0/1
description SSH
no switchport
ip address 10.10.0.5 255.255.255.240
!
interface GigabitEthernet0/2
description RTR-UPLINK-MGNT
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 5
channel-group 1 mode on
!
interface GigabitEthernet0/3
description RTR-UPLINK-MGNT
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 5
channel-group 1 mode on
!
interface GigabitEthernet0/4
description RTR-UPLINK-USERS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10
channel-group 2 mode on
!
interface GigabitEthernet0/5
description RTR-UPLINK-USERS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10
channel-group 2 mode on
!
interface GigabitEthernet0/6
description RTR-UPLINK-USERS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10
channel-group 2 mode on
!
interface GigabitEthernet0/7
description RTR-UPLINK-LAB
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 30
channel-group 3 mode on
!
interface GigabitEthernet0/8
description RTR-UPLINK-LAB
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 30
channel-group 3 mode on
!
interface GigabitEthernet0/9
description Cisco-Desktop-Switch
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport trunk allowed vlan 5
no cdp enable
!
interface GigabitEthernet0/10
description NMS
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport trunk allowed vlan 5
no cdp enable
!
interface GigabitEthernet0/11
description PORTMIRROR
!
interface GigabitEthernet0/12
shutdown
!
interface GigabitEthernet0/13
shutdown
!
interface GigabitEthernet0/14
description NAS
switchport mode access
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet0/15
description TP-LINK-SW
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10
no cdp enable
!
interface GigabitEthernet0/16
shutdown
!
interface GigabitEthernet0/17
shutdown
!
interface GigabitEthernet0/18
shutdown
!
interface GigabitEthernet0/19
shutdown
!
interface GigabitEthernet0/20
shutdown
!
interface GigabitEthernet0/21
shutdown
!
interface GigabitEthernet0/22
shutdown
!
interface GigabitEthernet0/23
shutdown
!
interface GigabitEthernet0/24
shutdown
!
interface GigabitEthernet1/1
shutdown
!
interface GigabitEthernet1/2
shutdown
!
interface GigabitEthernet1/3
shutdown
!
interface GigabitEthernet1/4
shutdown
!
interface TenGigabitEthernet1/1
shutdown
!
interface TenGigabitEthernet1/2
shutdown
!
interface Vlan1
no ip address
shutdown
!
no ip http server
no ip http secure-server
!
!
no cdp run
!
!
!
!
no vstack
!
line con 0
privilege level 0
line vty 0 4
exec-timeout 2 0
privilege level 0
transport input ssh
line vty 5 15
no exec
transport input none
!
exception memory ignore overflow processor
exception memory ignore overflow io
!
monitor session 1 source interface Gi0/1 - 10 , Gi0/12 - 17
monitor session 1 destination interface Gi0/11
end

I should add that when the .3 (gig0/10) is changed to switchport host (without switchport access vlan X) the firewall receives ARP from the .3. But still no layer 3 communication.

In trunk mode (allowed vlan, native vlan) it does not see ARP from the .3.

Just looked at the config, something looks odd to me.

 

You have configured a point-to-point interface here - I believe pfSense has the 10.10.0.1 IP, I guess (not sure why so many bond interfaces were created here between the Cisco switch and the Marvell switch).

If you like we can re-do all the config, or the quick win here is:

 

interface GigabitEthernet0/1
description SSH
no switchport
ip address 10.10.0.5 255.255.255.240

!

ip route 0.0.0.0 0.0.0.0 10.10.0.1   < add this line here on switch

 

Point your device default gateway to 10.10.0.5 (not .1) - make sure the ports are in access mode with vlan 5 as suggested.

Let me know if you are able to get communication from 10.10.0.2 to 10.10.0.3 after changing the gateway to 10.10.0.5.

 

 

 

 

BB


Interesting, I only have the 10.10.0.5 set up on the interface for SSH access. Is there a better alternative for accessing the switch remotely without using a physical port?

I should also add that currently I cannot access the switch by SSH, so I probably need to find another way to set up remote access.

The reasoning I had behind setting up so many links between the switch and the firewall was to have physically separate cables to carry each VLAN's traffic. I also needed some more bandwidth, so that's why I have the LAGGs.

 

 

If you want the switch to have the required management access, remove the below config (you can put the interface in a LAG):

interface GigabitEthernet0/1
description SSH
no switchport
ip address 10.10.0.5 255.255.255.240

Create a VLAN interface:

interface vlan 5
ip address 10.10.0.5 255.255.255.240
no shutdown

Add the route I gave in the previous post.

You should be able to access the switch using 10.10.0.5, and all the other devices can still have their default gateway set to 10.10.0.1.

 

 

BB


I have added the lines:

!
interface Vlan5
ip address 10.10.0.5 255.255.255.240
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.10.0.1
!

 

I still cannot SSH into 10.10.0.5 from the .2.

I cannot SSH into the .3 from the .2 when I change gig0/10 to access vlan 5, with the gateway change.

Post the complete config after changing.

If your device's connected port belongs to switch VLAN 5, you should have communication between .5, .2, .3 and .1 - if not, we are definitely missing something here.

Are you able to ping from 10.10.0.2 to 10.10.0.5 and 10.10.0.1 and .3? And vice versa?

Let's answer the questions below:

1. From the switch (.5) are you able to ping .1?

2. From .2 are you able to ping .1 and .5?

3. From .3 are you able to ping .1 and .5?

 

 

 

 

BB


I just restarted the firewall to see if that was the issue, and now I have communication between the .1 and .3.

BUT if I change gig0/10 to switchport access vlan 5 I no longer have ssh access from the .2 to the .3.

 


The switch cannot ping anything.

The .2 can only ping the .3

The .3 can only ping the .2

Port 0/10 should be VLAN 5, since your gateway resides in pfSense; not sure what kind of FW rules there are in the pfSense.

Port 0/9 is configured as a trunk; as per the diagram it is connected to a Cisco unmanaged switch, what model?

I suggested changing ports 0/9 and 0/10 to access ports, and make sure you configured access port VLAN 5 (as per your config I did not see you configured VLAN 5 on port 0/10).

Once you have configured that, you should be able to communicate as follows:

1. From .5 you should be able to ping .1.

2. From .2 you should be able to ping .1.

3. From .3 you should be able to ping .1.

4. Then .2, .3 and .5 should be able to ping each other and SSH.

 

 

BB


The unmanaged switch is an SG110D.

 

I changed gig0/9 and gig0/10 both to access vlan 5 and now I have communication between the .2 and .3. But I do not have access to the firewall or the internet. Should I use another switchport option for the three uplink ports?

Disregard, I have changed the uplink ports to also switchport access vlan 5 and now the internet works as well.
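As an added example that is not part of the thread: a small Python audit, written here, run over a constructed excerpt modelled on the running-config posted above. It flags the three things the replies converge on: an access port with no explicit VLAN (which lands in VLAN 1), a trunk that only carries its native VLAN where an access port was suggested, and a management address on a routed port instead of an SVI on VLAN 5 plus a default route. The function names and the sample config are my own, not the poster's.

```python
import re

# Constructed excerpt modelled on the running-config posted in the thread (not the real config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 no switchport
 ip address 10.10.0.5 255.255.255.240
!
interface GigabitEthernet0/10
 switchport trunk native vlan 5
 switchport trunk allowed vlan 5
!
interface GigabitEthernet0/14
 switchport mode access
!
"""

def parse_interfaces(config):
    # Split an IOS running-config into {interface name: [its config lines]}.
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None          # '!' ends an interface block in IOS output
        elif current is not None:
            blocks[current].append(line)
    return blocks

def last_word(lines, prefix):
    # Last token of the first line starting with prefix (e.g. the VLAN number), or None.
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)

def audit(config, mgmt_vlan=5):
    # Findings a reviewer of this thread's config would raise, as plain strings.
    ifaces = parse_interfaces(config)
    findings = []
    for name, lines in ifaces.items():
        if "switchport mode access" in lines and last_word(lines, "switchport access vlan") is None:
            findings.append(f"{name}: access port with no explicit VLAN (lands in VLAN 1)")
        native = last_word(lines, "switchport trunk native vlan")
        if native and native == last_word(lines, "switchport trunk allowed vlan"):
            findings.append(f"{name}: trunk carrying only its native VLAN {native}; use an access port")
        if "no switchport" in lines and last_word(lines, "ip address") is not None:
            findings.append(f"{name}: routed port used for management; prefer interface Vlan{mgmt_vlan}")
    if f"Vlan{mgmt_vlan}" not in ifaces:
        findings.append(f"missing interface Vlan{mgmt_vlan}: no management SVI")
    if not re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
        findings.append("missing default route (ip route 0.0.0.0 0.0.0.0 <gateway>)")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports all five findings; appending the Vlan5 SVI, the default route and `switchport access vlan 5` on Gi0/14, as the thread ended up doing, clears three of them.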