Hi Riccardo,

Yeah! I am expecting that I can ping both sides but unfortunately not.

Yes, I am pinging Cisco Router interface 1 (41.78.162.46/27) from C6506. PING IS NOT GOOD. Even source ping from interface VLAN 774 is not good.

SW1-6506#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 195.219.214.10 to network 0.0.0.0

C       41.78.162.32/27 is directly connected, Vlan774

S    192.168.1.0/24 is directly connected, Vlan777

C    192.168.70.0/24 is directly connected, Vlan70

There is also the possibility that an access list on one of the interfaces is preventing ping in that direction. It could be on the 6505 or it could be on the router. Would you post the configuration of both interfaces?

HTH

Rick

Hi Rick,

Here's the access-list and interface config we have in C6506.

SW1-6506#sh run | beg access-list

ip as-path access-list 10 permit ^$

!

!

access-list 1 permit 41.78.162.0 0.0.7.255

access-list 10 permit any

access-list 101 permit ip any 0.0.0.0 255.255.255.0

SW1-6506#sh run int vlan 774

Building configuration...

Current configuration : 122 bytes

!

interface Vlan774

description CLIENT'S_INTERNET_VLAN

bandwidth 10000000

ip address 41.78.162.62 255.255.255.224

end

interface GigabitEthernet4/23  <<<=== Interface Connected to OLT

description GLO_GPON

switchport

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,8,16,20,23,32,45,51,52,60,96,112-114,184,185

switchport trunk allowed vlan add 197,230,600,649-651,700,709,714,724,774,779

switchport trunk allowed vlan add 833,858,870,871,895,896

switchport mode trunk

bandwidth 10000000

storm-control broadcast level 5.00

storm-control multicast level 5.00

- For the Router config, no access-list just the ip address (41.78.162.46/27) assigned to interface.

Where is 195.219.214.10 come from?

I don't see this subnet as your connected interface.

Can you provide sh run from the router and the switch?

HTH

HI Reza,

195.219.214.10 is ip address for BGP peering...

I have very long run config in C6506 and for the router I dont have the run config but I am sure there's is no access-list and only the ip address on the interface facing to C6506 is configured.

Thank you,

Hi Arnold,

So, between the the router and the switch you have one subnet and that is 41.78.162.32/27

the IP address on the switch side is 41.78.162.62/27

and the IP address on the router side is 41.78.162.46/27

and the OLT and ONU are just layer-2

From the router you can ping 41.78.162.62

From the switch you can't ping 41.78.162.46

I know that OLT is capable of doing vlans, but how about ONU?

Is vlan 774 configured on the ONU?

HTH

I don't think this is a vlan issue on the intermediate switches or else it should not woork on the other direction either.

we first need to understand where the connectivity breaks (which device) and on which direction.

what we know until know is that icmp type 8 packets from right to left are ok

and

icmp type 0 packets left to right are ok too.

but we don't know if icmp type 8 left to right are not able to reach the router, or instead they do but the icmp type 0 right to left are dropped instead.

So first thing we need to see whether the router receives the icmp request from the cat6k.

you should configure and ACL on the ingress interface of the router (interface 1) to see if you receive the icmp packets from the c6k.

If you don't see it please make sure whether the ACL is actually working; for that you need to also start a ping from the router and see if you see the repliy packets from the cat6k. By doing this we can consider the ACL a valid capture method.

If the router receive the requests we need to check if the c6k receives the replies.

for that we need to sniff the cpu. we have an easy way on the cat6k which is the debug netdr capture.

I will share more detail on this after your next step.

Riccardo

Hi Reza,

Yes, VLAN is configured all the way to ONU. Ping from Router is good but ping from C6506 to Router is not good.

Hi Riccardo,

Is debug netdr can't affect the memory/cpu utilization of C6506? And how can I identify the icmp type 0 and 8?

Thank you,

just configure an ACL matching source and destination of the ping and also the same addresses in the reverse order and check in which directiom you have the hits

Hi Riccardo,

Can you please give me a sample config for that.

Thank you very much.

Hi Arnold,

on the router you just need an ACL like this

permit ip host 41.78.162.62 host 41.78.162.46

permit ip host 41.78.162.46 host 41.78.162.62

permit ip any any