09-15-2021 09:21 AM
I received a lot of help from Cisco TAC before running into a wall.
I have a Catalyst 3750 running IOS 15.2 with an uplink to an ASA 5516-X FTD running version 6.6.4.
The ASA has the following interfaces:
GigabitEthernet 1: ISP
GigabitEthernet 2: inside
The inside interface has a DHCP server assigned to it with network 172.80.80.0/24
All devices on the switch receive an address of 172.80.80.x with internet access.
Recently, I wanted to add a second network for voice and configured a DHCP network 172.80.90.0/24 on ASA GigabitEthernet 3 for voice.
In the FTD GUI, under Policies, Access Control and NAT are configured properly for the new voice network.
Executing this command allows traffic:
Packet-tracer input voice tcp 172.80.90.2 5000 8.8.8.8 443
172.80.90.2 is the SVI for the voice vlan on the switch.
On the switch, access port g1/0/48 is the uplink to ASA interface 3 for the voice network.
However, extended pings to 8.8.8.8 sourced from 172.80.90.2 on the switch fail.
TAC explained that all traffic is going out of 172.80.80.1 which is the default interface on the switch.
This was their explanation:
As discussed in our call, for what you are attempting to do QoS will be required, as the switch needs to know what to do with the traffic. Our scope within QoS is to troubleshoot scenarios where the configuration is already established, not configurations from scratch.
They provided me with a link to QoS configurations but it is beyond my scope. I need help with a configuration to send traffic from the voice vlan on the switch out of g1/0/48 to ASA interface 3 with the voice DHCP network.
I hope this makes sense.
09-15-2021 11:28 AM
Hello,
--> 172.80.90.2 is the SVI for the voice vlan on the switch.
Does this mean the switch is configured as layer 3 (ip routing enabled)?
09-15-2021 11:29 AM - edited 09-15-2021 11:31 AM
Hello,
Yes, ip routing is enabled on the switch.
09-15-2021 11:29 AM - edited 09-15-2021 11:32 AM
Hello @Uche Akunwafor,
You don't need QoS. Forget about the switch, it is a special case; use a PC connected to a port in the voice VLAN.
If in your DHCP pool for voice you provide a default gateway of 172.18.90.1, you are fine and your test PC will confirm this.
For the switch you would need local PBR (Policy Based Routing):
! ACL 111 selects traffic sourced by the voice SVI, except traffic towards the data VLAN
access-list 111 remark for local PBR
access-list 111 deny ip host 172.80.90.2 172.80.80.0 0.0.0.255
access-list 111 permit ip host 172.80.90.2 any
! matching traffic is sent to the ASA voice interface instead of the default route
route-map LOCAL-PBR permit 10
 match ip address 111
 set ip next-hop 172.80.90.1
At global level (local policy applies to packets generated by the switch itself):
ip local policy route-map LOCAL-PBR
The switch SVI is the only host affected by this problem; true hosts in the voice VLAN are not affected.
Hope to help
Giuseppe
09-15-2021 11:36 AM
Hello @Giuseppe Larosa
Thanks. I will try this configuration on the switch to see if it works.
09-15-2021 11:56 AM
Hello @Giuseppe Larosa
I tried that and ran into a problem.
It appears that the switch does not recognize those commands.
Please advise.
09-15-2021 12:24 PM - edited 09-15-2021 12:25 PM
Post show version; as I remember, you need the IP Services license to use some features.
Read the release notes:
09-15-2021 12:29 PM
Hello @balaji.bandi
Show version:
OSB-Harlem#sh ver
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E6, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Thu 05-Apr-18 02:22 by prod_rel_team
ROM: Bootstrap program is C3750E boot loader
BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(58r)SE1, RELEASE SOFTWARE (fc1)
OSB-Harlem uptime is 1 year, 3 weeks, 4 days, 4 hours, 41 minutes
System returned to ROM by power-on
System restarted at 10:54:39 EST Fri Aug 21 2020
System image file is "flash:/c3750e-universalk9-mz.152-4.E6/c3750e-universalk9-mz.152-4.E6.bin"
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
License Level: lanbase
License Type: Permanent
Next reload license Level: lanbase
cisco WS-C3750X-48P (PowerPC405) processor (revision A0) with 262144K bytes of memory.
Processor board ID FDO1818Z0BU
Last reset from power-on
2 Virtual Ethernet interfaces
1 FastEthernet interface
52 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 50:87:89:C8:88:00
Motherboard assembly number : 73-12553-11
Motherboard serial number : FDO181802LT
Model revision number : A0
Motherboard revision number : A0
Model number : WS-C3750X-48P-L
Daughterboard assembly number : 800-32727-03
Daughterboard serial number : FDO18171D3T
System serial number : FDO1818Z0BU
Top Assembly Part Number : 800-31324-09
Top Assembly Revision Number : B0
Version ID : V06
CLEI Code Number : CMMPS00DRA
Hardware Board Revision Number : 0x05
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 54 WS-C3750X-48P 15.2(4)E6 C3750E-UNIVERSALK9-M
Configuration register is 0xF
OSB-Harlem#
09-15-2021 12:34 PM
Not sure it works with "License Level: lanbase" (I have never tried on LAN Base). Maybe you need to uplift the feature set to IP Services.
09-15-2021 12:32 PM
I have several comments about this.
- First, I am surprised that TAC indicated that QoS was involved in solving this issue. I do not see how these symptoms relate to QoS.
- Second, I am surprised that your switch does not support the route-map command. What version of software and what license does it have? The output of show version might be helpful. It might also be helpful to have the output of show ip interface brief and show ip route from the switch.
- I agree that PBR would normally be the solution I would use, and I am surprised that it is not working. I believe there is an alternative that you can use to test the new vlan. I would only suggest this for a quick test. But if you want to check Internet access for the new vlan using the new vlan interface on the switch, you might try this: ip route 8.8.8.8 255.255.255.255 172.18.90.1. It will send all traffic for 8.8.8.8 out the new vlan. Make the configuration change, test, then remove the configuration change so that traffic for that address will use the normal path.
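As an added illustration (not part of the thread), this Python model shows why the SVI-sourced ping follows the switch's default route regardless of its source address, and how Giuseppe's local PBR route-map or Rick's host static route changes the egress VLAN. The RIB, ACL 111 and route-map are constructed from the posts using the thread's 172.80.x addressing; a next hop in a subnet the switch has no route to (such as 172.18.90.1) is shown recursing to the default route.

```python
import ipaddress

# Constructed from the thread's "show ip route": (prefix, next hop, connected VLAN)
RIB = [
    ("0.0.0.0/0", "172.80.80.1", None),   # S* default via the ASA inside interface
    ("172.80.80.0/24", None, "Vlan1"),    # C  data VLAN
    ("172.80.90.0/24", None, "Vlan444"),  # C  voice VLAN
]

# Constructed ACL 111 in the thread's 172.80.x addressing: (action, source, destination)
ACL_111 = [
    ("deny", "172.80.90.2/32", "172.80.80.0/24"),  # SVI-to-data-VLAN traffic keeps the normal path
    ("permit", "172.80.90.2/32", "0.0.0.0/0"),     # everything else from the voice SVI is policy-routed
]
# route-map LOCAL-PBR permit 10: match ip address 111 / set ip next-hop 172.80.90.1
LOCAL_PBR = [(ACL_111, "172.80.90.1")]


def lookup(rib, dst):
    """Destination-only longest-prefix match; returns (next hop, egress VLAN)."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, vlan in rib:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, vlan)
    if best is None:
        return None
    _, nh, vlan = best
    if vlan is not None:            # connected route: deliver directly on that VLAN
        return (dst, vlan)
    resolved = lookup(rib, nh)      # static route: resolve the next hop recursively
    return (nh, resolved[1]) if resolved else None


def acl_permits(aces, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in aces:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def forward(rib, src, dst, local_policy=()):
    """Locally generated packet: 'ip local policy' is consulted before the RIB."""
    for aces, next_hop in local_policy:
        if acl_permits(aces, src, dst):
            resolved = lookup(rib, next_hop)
            return (next_hop, resolved[1]) if resolved else None
    return lookup(rib, dst)
```

Without a policy, forward(RIB, "172.80.90.2", "8.8.8.8") leaves via Vlan1 towards 172.80.80.1; with LOCAL_PBR, or with a /32 static route whose next hop is 172.80.90.1, it leaves via Vlan444.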
09-15-2021 12:37 PM
Hello Rick,
Here are the show version, show ip interface brief and show ip route command results:
OSB-Harlem#sh ip int br
Interface IP-Address OK? Method Status Protocol
Vlan1 172.80.80.2 YES NVRAM up up
Vlan444 172.80.90.2 YES manual up up
FastEthernet0 172.30.0.252 YES NVRAM down down
GigabitEthernet1/0/1 unassigned YES unset up up
GigabitEthernet1/0/2 unassigned YES unset up up
GigabitEthernet1/0/3 unassigned YES unset up up
GigabitEthernet1/0/4 unassigned YES unset up up
GigabitEthernet1/0/5 unassigned YES unset up up
GigabitEthernet1/0/6 unassigned YES unset up up
GigabitEthernet1/0/7 unassigned YES unset up up
GigabitEthernet1/0/8 unassigned YES unset down down
GigabitEthernet1/0/9 unassigned YES unset down down
GigabitEthernet1/0/10 unassigned YES unset down down
GigabitEthernet1/0/11 unassigned YES unset up up
GigabitEthernet1/0/12 unassigned YES unset up up
GigabitEthernet1/0/13 unassigned YES unset up up
GigabitEthernet1/0/14 unassigned YES unset down down
GigabitEthernet1/0/15 unassigned YES unset up up
GigabitEthernet1/0/16 unassigned YES unset up up
GigabitEthernet1/0/17 unassigned YES unset down down
GigabitEthernet1/0/18 unassigned YES unset up up
GigabitEthernet1/0/19 unassigned YES unset up up
GigabitEthernet1/0/20 unassigned YES unset down down
GigabitEthernet1/0/21 unassigned YES unset up up
GigabitEthernet1/0/22 unassigned YES unset down down
GigabitEthernet1/0/23 unassigned YES unset up up
GigabitEthernet1/0/24 unassigned YES unset down down
GigabitEthernet1/0/25 unassigned YES unset up up
GigabitEthernet1/0/26 unassigned YES unset down down
GigabitEthernet1/0/27 unassigned YES unset down down
GigabitEthernet1/0/28 unassigned YES unset up up
GigabitEthernet1/0/29 unassigned YES unset up up
GigabitEthernet1/0/30 unassigned YES unset up up
GigabitEthernet1/0/31 unassigned YES unset up up
GigabitEthernet1/0/32 unassigned YES unset up up
GigabitEthernet1/0/33 unassigned YES unset up up
GigabitEthernet1/0/34 unassigned YES unset up up
GigabitEthernet1/0/35 unassigned YES unset up up
GigabitEthernet1/0/36 unassigned YES unset down down
GigabitEthernet1/0/37 unassigned YES unset down down
GigabitEthernet1/0/38 unassigned YES unset up up
GigabitEthernet1/0/39 unassigned YES unset up up
GigabitEthernet1/0/40 unassigned YES unset down down
GigabitEthernet1/0/41 unassigned YES unset down down
GigabitEthernet1/0/42 unassigned YES unset up up
GigabitEthernet1/0/43 unassigned YES unset up up
GigabitEthernet1/0/44 unassigned YES unset down down
GigabitEthernet1/0/45 unassigned YES unset down down
GigabitEthernet1/0/46 unassigned YES unset up up
GigabitEthernet1/0/47 unassigned YES unset down down
GigabitEthernet1/0/48 unassigned YES unset up up
GigabitEthernet1/1/1 unassigned YES unset down down
GigabitEthernet1/1/2 unassigned YES unset down down
GigabitEthernet1/1/3 unassigned YES unset down down
GigabitEthernet1/1/4 unassigned YES unset down down
Te1/1/1 unassigned YES unset down down
Te1/1/2 unassigned YES unset down down
OSB-Harlem#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 172.80.80.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.80.80.1
172.80.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.80.80.0/24 is directly connected, Vlan1
L 172.80.80.2/32 is directly connected, Vlan1
C 172.80.90.0/24 is directly connected, Vlan444
L 172.80.90.2/32 is directly connected, Vlan444
OSB-Harlem#
09-15-2021 12:42 PM
Hello Rick,
The static route did not work.
I can ping ASA interface 3 at 172.80.90.1.
OSB-Harlem#conf t
Enter configuration commands, one per line. End with CNTL/Z.
OSB-Harlem(config)#ip route 8.8.8.8 255.255.255.255 172.18.90.1
OSB-Harlem(config)#end
OSB-Harlem#ping
Protocol [ip]:
Target IP address: 8.8.8.8
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.80.90.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.80.90.2
.....
Success rate is 0 percent (0/5)
OSB-Harlem#ping 172.80.90.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.80.90.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
OSB-Harlem#
09-15-2021 01:10 PM - edited 09-16-2021 06:58 AM
Thanks for the additional information. I am surprised that the static route did not work.
Perhaps you should connect some device to a port on the switch assigned to the new vlan and test from that device. If that device has an IP in subnet 172.80.90.0 and has its default gateway as 172.80.90.1 then its traffic should be forwarded to the ASA and not affected by the default route on the switch.
Another thought is that when you attempt access from the new vlan on the switch there should be entries in the ASA logs about that traffic. Does it recognize the source address in the new subnet? Does it create an entry in the translation table?
09-16-2021 12:11 AM
Hello @Uche Akunwafor,
Post
show sdm prefer
In addition to the license level, you may need to change the SDM template and then reboot to support route-map commands and PBR.
However, as already noted, your license level might be too low.
But the issue is limited to the switch, not to the users of the voice VLAN: use a test PC that gets its IP address from the DHCP pool; it should be able to get an IP address and go out to the internet.
In simple words: I would not spend money on a better license just to solve the switch SVI issue.
Hope to help
Giuseppe
09-16-2021 06:36 AM
Hello @Giuseppe Larosa
Results of show sdm prefer
OSB-Harlem#sh sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
0 routed interfaces and 255 VLANs.
number of unicast mac addresses: 8K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 6K
number of directly-connected IPv4 hosts: 4K
number of indirect IPv4 routes: 2K
number of IPv6 multicast groups: 0
number of IPv6 unicast routes: 0
number of directly-connected IPv6 addresses: 0
number of indirect IPv6 unicast routes: 0
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.875k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0
number of IPv6 security aces: 0
OSB-Harlem#