How to send traffic from a vlan out of a specific port

Uche Akunwafor (Level 1)

I received a lot of help from Cisco TAC before running into a wall.

 

I have a Catalyst 3750 running IOS 15.2 with an uplink to an ASA 5516-X FTD running version 6.6.4.

The ASA has the following interfaces:

GigabitEthernet 1: ISP

GigabitEthernet 2: inside

The inside interface has a DHCP server assigned to it with network 172.80.80.0/24.

All devices on the switch receive an address of 172.80.80.x with internet access.

 

Recently, I wanted to add a second network for voice and configured a DHCP network 172.80.90.0/24 on ASA GigabitEthernet 3 for voice.

In the FTD GUI, under Policies, Access Control and NAT are configured properly for the new voice network.

Executing this command allows traffic:

Packet-tracer input voice tcp 172.80.90.2 5000 8.8.8.8 443

172.80.90.2 is the SVI for the voice vlan on the switch.

On the switch, access port g1/0/48 is the uplink to ASA interface 3 for the voice network. 

However, extended pings to 8.8.8.8 from 172.80.90.2 on the switch fail.

TAC explained that all traffic is going out of 172.80.80.1 which is the default interface on the switch.

This was their explanation:

As discussed in our call, for what you are attempting to do QoS will be required as the switch needs to know what to do with the traffic. Our scope within QoS is to troubleshoot scenarios where the configuration is already established, not configurations from scratch.

 

They provided me with a link to QoS configurations but it is beyond my scope. I need help with a configuration to send traffic from the voice vlan on the switch out of g1/0/48 to ASA interface 3 with the voice DHCP network.

 

I hope this makes sense.

 

 

25 Replies

Hello,

 

--> 172.80.90.2 is the SVI for the voice vlan on the switch.

 

Does this mean the switch is configured as layer 3 (ip routing enabled)?

Hello,

Yes, ip routing is enabled on the switch.

Giuseppe Larosa (Hall of Fame)

Hello @Uche Akunwafor ,

You don't need QoS. Forget about the switch; it is a special case. Use a PC connected to a port in the voice VLAN.

 

If in your DHCP pool for voice you provide a default gateway of 172.18.90.1 you are fine, and your test PC will confirm this.

 

For the switch you would need local PBR (Policy Based Routing):

 

access-list 111 remark for local PBR
access-list 111 deny ip host 172.18.90.2 172.18.80.0 0.0.0.255
access-list 111 permit ip host 172.18.90.2 any

route-map LOCAL-PBR permit 10
 match address 111
 set ip next-hop 172.18.90.1

At global level:

ip local policy LOCAL-PBR

 

The switch SVI is the only host affected by this problem; true hosts in the voice VLAN are not affected.

 

Hope to help

Giuseppe

 

 

 

Hello @Giuseppe Larosa 

Thanks. I will try this configuration on the switch to see if it works.

Hello @Giuseppe Larosa 

I tried that and ran into a problem

[attached screenshot: 2021-09-15 route map.png]

It appears that the switch does not recognize those commands.

Please advise.

Post show version; as I remember you need the IP Services license to use some features.

Read the release notes:

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-2_1_e/configuration/guide/scg3750x/swiprout.html

 

 

BB


Hello @balaji.bandi 

 

Show version:

 

OSB-Harlem#sh ver
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E6, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Thu 05-Apr-18 02:22 by prod_rel_team

ROM: Bootstrap program is C3750E boot loader
BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(58r)SE1, RELEASE SOFTWARE (fc1)

OSB-Harlem uptime is 1 year, 3 weeks, 4 days, 4 hours, 41 minutes
System returned to ROM by power-on
System restarted at 10:54:39 EST Fri Aug 21 2020
System image file is "flash:/c3750e-universalk9-mz.152-4.E6/c3750e-universalk9-mz.152-4.E6.bin"
Last reload reason: power-on

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: lanbase
License Type: Permanent
Next reload license Level: lanbase

cisco WS-C3750X-48P (PowerPC405) processor (revision A0) with 262144K bytes of memory.
Processor board ID FDO1818Z0BU
Last reset from power-on
2 Virtual Ethernet interfaces
1 FastEthernet interface
52 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 50:87:89:C8:88:00
Motherboard assembly number : 73-12553-11
Motherboard serial number : FDO181802LT
Model revision number : A0
Motherboard revision number : A0
Model number : WS-C3750X-48P-L
Daughterboard assembly number : 800-32727-03
Daughterboard serial number : FDO18171D3T
System serial number : FDO1818Z0BU
Top Assembly Part Number : 800-31324-09
Top Assembly Revision Number : B0
Version ID : V06
CLEI Code Number : CMMPS00DRA
Hardware Board Revision Number : 0x05


Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 54 WS-C3750X-48P 15.2(4)E6 C3750E-UNIVERSALK9-M


Configuration register is 0xF

OSB-Harlem#

Not sure it works with "License Level: lanbase" (I have never tried on LAN Base). Maybe you need to uplift the feature set to IP Services.

 

BB


I have several comments about this.

- first I am surprised that TAC indicated that QOS was involved in solving this issue. I do not see how these symptoms relate to QOS.

- second I am surprised that your switch does not support the route-map command. What version of software and what license does it have? The output of show version might be helpful. Also might be helpful to have the output of the commands show ip interface brief, and of show ip route from the switch.

- I agree that PBR would normally be the solution that I would use and am surprised that it is not working. I believe that there is an alternative that you can use to test for the new vlan. I would only suggest this for a quick test. But if you want to check Internet access for the new vlan using the new vlan interface on the switch you might try this: ip route 8.8.8.8 255.255.255.255 172.18.90.1. It will send all traffic for 8.8.8.8 out the new vlan. Make the configuration change, test, remove the configuration change so that traffic for that address will use the normal path.

HTH

Rick
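
The forwarding decisions discussed in this thread (the switch's default route winning for SVI-sourced traffic, the local PBR route-map suggested above, and the test host route for 8.8.8.8) worked through as an added Python example; this is not code from any post here. It models the RIB from the posted show ip route output, IOS first-match ACL semantics with the implicit deny, and recursive resolution of static next hops. The PBR addresses follow the switch's 172.80.x subnets, and every host and extra route in it is constructed for illustration.

```python
"""Egress decision for traffic the switch itself originates (an extended ping
sourced from an SVI), with and without 'ip local policy'.

Constructed example; not code from any post in this thread.  The RIB mirrors
the posted 'show ip route'; the route-map/ACL follows the local PBR suggested
in the thread but uses the switch's real 172.80.x addressing."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def ip(s: str) -> IPv4:
    return ipaddress.IPv4Address(s)


def net(s: str) -> Net:
    return ipaddress.IPv4Network(s, strict=False)


@dataclass(frozen=True)
class Route:
    prefix: Net
    next_hop: Optional[IPv4]    # None = directly connected
    interface: Optional[str]    # set only for connected routes


class Rib:
    """Longest-prefix match with IOS-style recursive next-hop resolution."""

    def __init__(self, routes):
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def best(self, dst: IPv4) -> Optional[Route]:
        return next((r for r in self.routes if dst in r.prefix), None)

    def resolve(self, dst: IPv4, depth: int = 0):
        """(gateway, interface): the adjacent neighbour the frame is handed to.
        A static next hop that is not on a connected subnet is itself looked
        up, so a host route 'via 172.18.90.1' on this switch ends up following
        the default route to 172.80.80.1."""
        if depth > 8:
            raise RuntimeError("next-hop resolution loop")
        r = self.best(dst)
        if r is None:
            return None                      # unresolvable: route not usable
        if r.next_hop is None:
            return dst, r.interface          # connected: deliver directly
        return self.resolve(r.next_hop, depth + 1)


@dataclass(frozen=True)
class Ace:
    permit: bool
    src: Net
    dst: Net


def acl_permits(acl, src: IPv4, dst: IPv4) -> bool:
    """First-match semantics with the implicit deny at the end."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.permit
    return False


@dataclass(frozen=True)
class LocalPbr:
    acl: tuple
    next_hop: IPv4


def forward_local(rib: Rib, src: IPv4, dst: IPv4, pbr: Optional[LocalPbr] = None):
    """'ip local policy' is evaluated before the RIB.  'set ip next-hop' only
    takes effect when that next hop is adjacent; otherwise route normally."""
    if pbr is not None and acl_permits(pbr.acl, src, dst):
        r = rib.best(pbr.next_hop)
        if r is not None and r.next_hop is None:
            return pbr.next_hop, r.interface
    return rib.resolve(dst)


# Constructed RIB modelled on the thread's 'show ip route' output.
BASE_ROUTES = (
    Route(net("0.0.0.0/0"), ip("172.80.80.1"), None),
    Route(net("172.80.80.0/24"), None, "Vlan1"),
    Route(net("172.80.90.0/24"), None, "Vlan444"),
)

# access-list 111 deny ip host 172.80.90.2 172.80.80.0 0.0.0.255
# access-list 111 permit ip host 172.80.90.2 any
# route-map LOCAL-PBR permit 10 / match address 111 / set ip next-hop 172.80.90.1
VOICE_PBR = LocalPbr(
    acl=(Ace(False, net("172.80.90.2/32"), net("172.80.80.0/24")),
         Ace(True, net("172.80.90.2/32"), net("0.0.0.0/0"))),
    next_hop=ip("172.80.90.1"),
)


def egress(dst="8.8.8.8", src="172.80.90.2", extra_routes=(), pbr=None):
    """Gateway and interface the switch would use, as printable strings."""
    res = forward_local(Rib(BASE_ROUTES + tuple(extra_routes)), ip(src), ip(dst), pbr)
    return None if res is None else (str(res[0]), res[1])


if __name__ == "__main__":
    print(egress())                                   # ('172.80.80.1', 'Vlan1'): default route wins
    print(egress(pbr=VOICE_PBR))                      # ('172.80.90.1', 'Vlan444'): local PBR
    print(egress(dst="172.80.80.50", pbr=VOICE_PBR))  # ('172.80.80.50', 'Vlan1'): deny ACE, normal routing
    print(egress(extra_routes=[Route(net("8.8.8.8/32"), ip("172.18.90.1"), None)]))  # ('172.80.80.1', 'Vlan1')
    print(egress(extra_routes=[Route(net("8.8.8.8/32"), ip("172.80.90.1"), None)]))  # ('172.80.90.1', 'Vlan444')
```

The last two calls show why a host route is only a useful test when its next hop is on a connected subnet: a next hop that the RIB can only reach through the default route is resolved to the default's gateway, so the ping still leaves through Vlan1 towards 172.80.80.1.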

Hello Rick,

 

Here are the show version, show ip interface brief and show ip route command results:

 

 

OSB-Harlem#sh ver
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E6, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Thu 05-Apr-18 02:22 by prod_rel_team

ROM: Bootstrap program is C3750E boot loader
BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(58r)SE1, RELEASE SOFTWARE (fc1)

OSB-Harlem uptime is 1 year, 3 weeks, 4 days, 4 hours, 41 minutes
System returned to ROM by power-on
System restarted at 10:54:39 EST Fri Aug 21 2020
System image file is "flash:/c3750e-universalk9-mz.152-4.E6/c3750e-universalk9-mz.152-4.E6.bin"
Last reload reason: power-on

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: lanbase
License Type: Permanent
Next reload license Level: lanbase

cisco WS-C3750X-48P (PowerPC405) processor (revision A0) with 262144K bytes of memory.
Processor board ID FDO1818Z0BU
Last reset from power-on
2 Virtual Ethernet interfaces
1 FastEthernet interface
52 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 50:87:89:C8:88:00
Motherboard assembly number : 73-12553-11
Motherboard serial number : FDO181802LT
Model revision number : A0
Motherboard revision number : A0
Model number : WS-C3750X-48P-L
Daughterboard assembly number : 800-32727-03
Daughterboard serial number : FDO18171D3T
System serial number : FDO1818Z0BU
Top Assembly Part Number : 800-31324-09
Top Assembly Revision Number : B0
Version ID : V06
CLEI Code Number : CMMPS00DRA
Hardware Board Revision Number : 0x05


Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 54 WS-C3750X-48P 15.2(4)E6 C3750E-UNIVERSALK9-M


Configuration register is 0xF

OSB-Harlem#sh ip int br
Interface IP-Address OK? Method Status Protocol
Vlan1 172.80.80.2 YES NVRAM up up
Vlan444 172.80.90.2 YES manual up up
FastEthernet0 172.30.0.252 YES NVRAM down down
GigabitEthernet1/0/1 unassigned YES unset up up
GigabitEthernet1/0/2 unassigned YES unset up up
GigabitEthernet1/0/3 unassigned YES unset up up
GigabitEthernet1/0/4 unassigned YES unset up up
GigabitEthernet1/0/5 unassigned YES unset up up
GigabitEthernet1/0/6 unassigned YES unset up up
GigabitEthernet1/0/7 unassigned YES unset up up
GigabitEthernet1/0/8 unassigned YES unset down down
GigabitEthernet1/0/9 unassigned YES unset down down
GigabitEthernet1/0/10 unassigned YES unset down down
GigabitEthernet1/0/11 unassigned YES unset up up
GigabitEthernet1/0/12 unassigned YES unset up up
GigabitEthernet1/0/13 unassigned YES unset up up
GigabitEthernet1/0/14 unassigned YES unset down down
GigabitEthernet1/0/15 unassigned YES unset up up
GigabitEthernet1/0/16 unassigned YES unset up up
GigabitEthernet1/0/17 unassigned YES unset down down
GigabitEthernet1/0/18 unassigned YES unset up up
GigabitEthernet1/0/19 unassigned YES unset up up
GigabitEthernet1/0/20 unassigned YES unset down down
GigabitEthernet1/0/21 unassigned YES unset up up
GigabitEthernet1/0/22 unassigned YES unset down down
GigabitEthernet1/0/23 unassigned YES unset up up
GigabitEthernet1/0/24 unassigned YES unset down down
GigabitEthernet1/0/25 unassigned YES unset up up
GigabitEthernet1/0/26 unassigned YES unset down down
GigabitEthernet1/0/27 unassigned YES unset down down
GigabitEthernet1/0/28 unassigned YES unset up up
GigabitEthernet1/0/29 unassigned YES unset up up
GigabitEthernet1/0/30 unassigned YES unset up up
GigabitEthernet1/0/31 unassigned YES unset up up
GigabitEthernet1/0/32 unassigned YES unset up up
GigabitEthernet1/0/33 unassigned YES unset up up
GigabitEthernet1/0/34 unassigned YES unset up up
GigabitEthernet1/0/35 unassigned YES unset up up
GigabitEthernet1/0/36 unassigned YES unset down down
GigabitEthernet1/0/37 unassigned YES unset down down
GigabitEthernet1/0/38 unassigned YES unset up up
GigabitEthernet1/0/39 unassigned YES unset up up
GigabitEthernet1/0/40 unassigned YES unset down down
GigabitEthernet1/0/41 unassigned YES unset down down
GigabitEthernet1/0/42 unassigned YES unset up up
GigabitEthernet1/0/43 unassigned YES unset up up
GigabitEthernet1/0/44 unassigned YES unset down down
GigabitEthernet1/0/45 unassigned YES unset down down
GigabitEthernet1/0/46 unassigned YES unset up up
GigabitEthernet1/0/47 unassigned YES unset down down
GigabitEthernet1/0/48 unassigned YES unset up up
GigabitEthernet1/1/1 unassigned YES unset down down
GigabitEthernet1/1/2 unassigned YES unset down down
GigabitEthernet1/1/3 unassigned YES unset down down
GigabitEthernet1/1/4 unassigned YES unset down down
Te1/1/1 unassigned YES unset down down
Te1/1/2 unassigned YES unset down down
OSB-Harlem#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 172.80.80.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 172.80.80.1
172.80.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.80.80.0/24 is directly connected, Vlan1
L 172.80.80.2/32 is directly connected, Vlan1
C 172.80.90.0/24 is directly connected, Vlan444
L 172.80.90.2/32 is directly connected, Vlan444
OSB-Harlem#

Hello Rick,

The static route did not work.

I can ping ASA interface 3 at 172.80.90.1.

 

OSB-Harlem#conf t
Enter configuration commands, one per line. End with CNTL/Z.
OSB-Harlem(config)#ip route 8.8.8.8 255.255.255.255 172.18.90.1
OSB-Harlem(config)#end
OSB-Harlem#ping
Protocol [ip]:
Target IP address: 8.8.8.8
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.80.90.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.80.90.2
.....
Success rate is 0 percent (0/5)
OSB-Harlem#ping 172.80.90.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.80.90.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
OSB-Harlem#

Thanks for the additional information. I am surprised that the static route did not work.

Perhaps you should connect some device to a port on the switch assigned to the new vlan and test from that device. If that device has an IP in subnet 172.80.90.0 and has its default gateway as 172.80.90.1 then its traffic should be forwarded to the ASA and not affected by the default route on the switch.

Another thought is that when you attempt access from the new vlan on the switch there should be entries in the ASA logs about that traffic. Does it recognize the source address in the new subnet? Does it create an entry in the translation table?

HTH

Rick

Hello @Uche Akunwafor ,

post

show sdm prefer

 

In addition to the license level, you may need to change the SDM template and then reboot to support route-map commands and PBR.

 

However, as already noted your license level might be too low

 

But the issue is limited to the switch, not to the users of the voice VLAN. Use a test PC that gets an IP address from the DHCP pool; it should be able to get an IP address and go out to the internet.

In simple words: I would not spend money on a better license just to solve the switch SVI issue.

 

Hope to help

Giuseppe

Hello @Giuseppe Larosa 

Results of show sdm prefer

 

 

OSB-Harlem#sh sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
0 routed interfaces and 255 VLANs.

number of unicast mac addresses: 8K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 6K
number of directly-connected IPv4 hosts: 4K
number of indirect IPv4 routes: 2K
number of IPv6 multicast groups: 0
number of IPv6 unicast routes: 0
number of directly-connected IPv6 addresses: 0
number of indirect IPv6 unicast routes: 0
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.875k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0
number of IPv6 security aces: 0

OSB-Harlem#
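
A pre-flight check for the two blockers raised in this thread (license level and SDM template), written as an added Python example; it is not code from the thread or from Cisco. It parses the License Level line of show version and the resource counts of show sdm prefer, using constructed excerpts modelled on the outputs posted above. Which feature sets include PBR differs by platform and release, so the PBR_CAPABLE_LEVELS set is an assumption to confirm against the release notes linked earlier in the thread.

```python
"""Pre-flight check for PBR support, parsed from 'show version' and
'show sdm prefer' text.  Added example, not code from the thread.  The
sample outputs below are constructed excerpts modelled on the outputs
posted in this thread."""
import re

SHOW_VERSION = """\
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E6, RELEASE SOFTWARE (fc4)
License Level: lanbase
License Type: Permanent
Next reload license Level: lanbase
"""

SHOW_SDM_PREFER = """\
The current template is "desktop default" template.
number of unicast mac addresses: 8K
number of IPv4 unicast routes: 6K
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.875k
number of IPv6 policy based routing aces: 0
"""

# Assumption: which feature sets ship PBR varies by platform and release;
# verify against the release notes for your switch before relying on this set.
PBR_CAPABLE_LEVELS = {"ipservices", "ipbase"}


def parse_count(text: str) -> int:
    """'0.875k' -> 896, '6K' -> 6144, '0' -> 0 (SDM counts use units of 1024)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kK]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised SDM count: {text!r}")
    value = float(m.group(1))
    return int(round(value * 1024)) if m.group(2) else int(value)


def parse_license_level(show_version: str):
    """Lower-cased value of the 'License Level:' line, or None if absent."""
    m = re.search(r"^License Level:\s*(\S+)", show_version, re.MULTILINE)
    return m.group(1).lower() if m else None


def parse_sdm(show_sdm: str) -> dict:
    """Template name plus every 'number of <resource>: <count>' line."""
    out = {}
    m = re.search(r'The current template is "([^"]+)" template', show_sdm)
    out["template"] = m.group(1) if m else None
    for key, val in re.findall(r"^number of (.+?):\s*(\S+)\s*$", show_sdm, re.MULTILINE):
        out[key.strip().lower()] = parse_count(val)
    return out


def pbr_readiness(show_version: str, show_sdm: str) -> list:
    """Findings that would stop 'route-map' / 'ip local policy' from working."""
    findings = []
    level = parse_license_level(show_version)
    if level not in PBR_CAPABLE_LEVELS:
        findings.append(f"license level {level!r} is not in the PBR-capable set "
                        f"{sorted(PBR_CAPABLE_LEVELS)}")
    sdm = parse_sdm(show_sdm)
    if sdm.get("ipv4 policy based routing aces", 0) == 0:
        findings.append(f"SDM template {sdm['template']!r} reserves 0 IPv4 PBR ACEs; "
                        "pick a template that allocates PBR TCAM and reload")
    return findings


if __name__ == "__main__":
    for finding in pbr_readiness(SHOW_VERSION, SHOW_SDM_PREFER):
        print("FINDING:", finding)
```

Run against the posted outputs it reports both findings: the LAN Base license and an SDM template with zero PBR ACEs. Either one alone is enough to explain the rejected route-map commands, which is why fixing the license without also changing the SDM template (or the reverse) would still leave PBR unusable.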
