06-17-2024 06:08 AM
[C9300-48P 17.03.04]
I had the L2 etherchannel (directly connected to a Fortinet 100E) working for a maximum of half a day; now it seems incoming packets are dropped.
Behind the etherchannel there are different MAC addresses. It's true that the switch is configured with many restrict rules at global level, but I removed them from the PoX and from the members of the etherchannel.
While pinging IP addresses on the Fortinet side, I can see the ICMP request and replies from the interfaces but it seems they are not allowed to enter the switch.
The MAC-address table looks good, and port-security shows that the physical interfaces involved are not impacted. "ip arp inspection trust" is enabled on the PoX and the members.
Logs don't show anything (I anonymized the MAC addresses, but be sure they are different in the output). On both sides the etherchannel is up, as well as the interfaces.
SWITCH#show port-security interface g1/0/15
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : e81c.****.cccc:100
Security Violation Count : 0
SWITCH#show port-security interface g1/0/18
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : e81c.****.bbbb:100
Security Violation Count : 0
I don't know what to think anymore...
Gio
06-17-2024 06:27 AM
@Gioacchino hi, according to the output your port security is not in effect, so it's not blocking the traffic due to port security. Check your VLANs and port-channel status.
Share the #sh vlan, #sh etherchannel sum
06-17-2024 06:42 AM
All looks good. The etherchannel is up:
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
99 Po99(SU) LACP Gi1/0/15(P) Gi1/0/18(P)
The VLAN is there from before, the MAC-address table shows the MAC addresses on the side of the Fortinet are behind the right interface, i.e. po99.
Gio
06-17-2024 07:01 AM
Yes, the MAC is learned from Po99, but in which VLAN?
MHM
06-17-2024 07:07 AM - edited 06-17-2024 07:08 AM
Yes, in the right VLAN.
show mac address-table dynamic interface po99
shows that the MAC address has been learnt in the right VLAN.
06-17-2024 08:56 AM
9000#show controllers ethernet-controller interface x/x/x | i ValidOverSize
Can you share this for the interface connected to the FW?
Also share
show port-channel summary
MHM
06-18-2024 12:25 AM
SWITCH#show controllers ethernet-controller g1/0/15 | i ValidOverSize
0 Deferred frames 0 ValidOverSize frames
SWITCH#show controllers ethernet-controller g1/0/18 | i ValidOverSize
0 Deferred frames 0 ValidOverSize frames
SWITCH#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
A - formed by Auto LAG
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
99 Po99(SU) LACP Gi1/0/15(P) Gi1/0/18(P)
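The two outputs posted in this thread (show etherchannel summary and show port-security interface) are exactly what a script can check for the drop-causing conditions MHM is ruling out: a member that is not bundled ('s', 'I', 'D' instead of 'P'), an aggregator that is not in use, and a port-security violation or a MAC limit too small for the hosts behind the firewall. The following Python is an added example, not part of the thread and not a Cisco tool; the sample outputs are constructed to mirror the posts above (the MAC address is made up), and a second constructed sample shows what a suspended member looks like to the checker.

```python
"""Check 'show etherchannel summary' and 'show port-security interface'
output for conditions that explain dropped traffic on a bundled link.
Added example; the sample outputs are constructed to mirror the thread's
posts, with a made-up MAC address."""
import re
from dataclasses import dataclass

# Constructed copy of the healthy summary posted above (Po99, both members bundled).
HEALTHY_SUMMARY = """\
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
99     Po99(SU)        LACP      Gi1/0/15(P)     Gi1/0/18(P)
"""

# Constructed variant: one member suspended, so whatever the load-balancing
# hash sends to Gi1/0/18 is silently dropped while Po99 still shows as up.
DEGRADED_SUMMARY = HEALTHY_SUMMARY.replace("Gi1/0/18(P)", "Gi1/0/18(s)")

# Constructed copy of the per-interface port-security output (MAC made up).
PORT_SECURITY = {
    "Gi1/0/15": """\
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Last Source Address:Vlan   : 0000.1111.cccc:100
Security Violation Count   : 0
""",
}

_GROUP_RE = re.compile(
    r"^(?P<group>\d+)\s+(?P<po>Po\d+)\((?P<flags>[A-Za-z]+)\)\s+(?P<proto>\S+)\s+(?P<ports>.*)$")
_MEMBER_RE = re.compile(r"(?P<name>[A-Za-z]+\d+(?:/\d+)+)\((?P<flag>[A-Za-z]+)\)")
_FIELD_RE = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.*)$")


@dataclass
class Bundle:
    group: int
    name: str
    flags: str      # e.g. "SU" = Layer2, in use
    protocol: str
    members: dict   # interface name -> member flag ("P" = bundled)


def parse_etherchannel_summary(text):
    """Return one Bundle per channel-group line; the legend and counters are skipped."""
    bundles = []
    for line in text.splitlines():
        m = _GROUP_RE.match(line.strip())
        if not m:
            continue
        members = {p["name"]: p["flag"] for p in _MEMBER_RE.finditer(m["ports"])}
        bundles.append(Bundle(int(m["group"]), m["po"], m["flags"], m["proto"], members))
    return bundles


def parse_port_security(text):
    """Turn 'Key : Value' lines into a dict; the 'Address:Vlan' key keeps its colon."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line.strip())
        if m:
            fields[m["key"]] = m["value"]
    return fields


def assess(bundle, port_security):
    """List reasons a host behind this bundle could lose traffic, or [] if none."""
    findings = []
    if "U" not in bundle.flags:
        findings.append(f"{bundle.name}: aggregator not in use (flags {bundle.flags})")
    for port, flag in bundle.members.items():
        if flag != "P":
            findings.append(f"{port}: not bundled in {bundle.name} (flag '{flag}')")
        ps = parse_port_security(port_security.get(port, ""))
        if not ps or ps.get("Port Security") != "Enabled":
            continue  # feature off: 'Secure-down' is only the idle display, not a block
        if ps.get("Port Status") == "Secure-shutdown" or int(ps.get("Security Violation Count", "0")) > 0:
            findings.append(f"{port}: port-security violation ({ps.get('Port Status')})")
        if int(ps.get("Maximum MAC Addresses", "1")) < 2:
            findings.append(f"{port}: port-security limit of {ps['Maximum MAC Addresses']} MAC "
                            "is too low for several hosts behind the firewall")
    return findings


def check(summary_text, port_security):
    """Map each port-channel name to its list of findings."""
    return {b.name: assess(b, port_security) for b in parse_etherchannel_summary(summary_text)}


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_SUMMARY), ("degraded", DEGRADED_SUMMARY)):
        print(label, check(text, PORT_SECURITY))
```

Run against the thread's own output the checker returns no findings for Po99, which is the same conclusion MHM reaches by eye: port security is disabled, so its "Secure-down" status is not a block, and both members carry the 'P' flag. The degraded sample is the case worth automating, since a suspended member does not bring Po99 down and only shows up as intermittent loss for the hosts whose flows hash onto it.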
06-18-2024 02:52 AM
Ping from the FW and use the commands below in the SW to see whether the SW sees the packet or not.
9300_54#monitor capture CL interface PO99 in
9300_54#monitor capture CL match any
9300_54#monitor capture CL start
9300_54#monitor capture CL stop <<- don't forget to stop the capture so as not to fill your memory
9300_54#monitor capture CL export location flash:cl.pcap
9300_54#sh monitor capture file flash:cl.pcap display-filter arp
MHM
06-20-2024 12:11 PM
Any news?
MHM
06-20-2024 12:35 PM
Maybe some punctuation?
Anyway, it's an ongoing process with TAC. So far, we can see that there is nothing wrong in the way the etherchannel was built.
Let's see...
06-20-2024 12:42 PM
OK, let's wait for the TAC reply.
Can you share
Show interface <PO99> accounting
when the issue appears again?
Thanks
MHM