Not able to ping Management Tools

Manu Shankar
Level 1

I am facing an issue: I am not able to add one switch to the monitoring and management tools. My observations are:

1: Not able to ping the management tools (SolarWinds, CiscoWorks, etc.) from my switch.

2: Traceroute to any IP from the switch is completing. But the trace to these management tools' IPs is not even going to the first hop (I have an ACL configured for these management IPs).

3: Able to ping from the router. The router is a CDP neighbor to this switch.

4: Able to ping from the management tools' VLAN to the switch IP.

Does anyone have an idea why this is not working? I have attached the switch config. The router interface is configured with a sub-interface (router on a stick).

 

Thanks, 

Manu 

 


Mark Malone
VIP Alumni

Hi

If it's a router-on-a-stick setup to the switch, where is the trunk on the switch side? I just see a VLAN 2 access port connected to the router. Usually, in a router-on-a-stick setup, the switch would be configured as below, going by your config. Or maybe I'm missing some other config, as it looks like only a partial sh run.

interface GigabitEthernet1/0/20
 description ***Connection to Router****
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast trunk
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust device cisco-phone
 storm-control broadcast level 75.00 50.00
 storm-control multicast level 75.00 50.00
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 service-policy input lync

 

Hi Mark, 

Thank you for the quick response. 

I also noticed that and have doubts about the 'trunk config'. But it was working fine till 15th Aug. The MPLS link flapped once on 15th Aug, and after that the switch is not reachable from SolarWinds.

This is an example of an r&s setup

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/336-cisco-router-8021q-router-stick.html

You should have a trunk, as you have more than 1 VLAN. That's just the way it's configured by design; you should always follow best practice where possible.

The MPLS flapped, but you stated you can reach the mgmt. devices from the router, yes? show ip route and ping will verify this on the router. If your trace stops at the 1st hop from the switch, then the issue is between the switch and the router.

 

 

Thank you, Mark. Yes, the routes are there in the routing table. Able to ping from the router to the management tools and back. Also from the management tools' VLAN interface to the switch IP.

Is there a chance the issue belongs to the ACL (SNMP-ACL)? Because those are the only IPs I am not able to ping. The below output is from the previous config file.

ip access-list standard SNMP-ACL
 permit 10.1.128.129
 permit 10.1.128.11
 permit 10.1.130.10
 permit 10.1.90.151
 permit 10.1.91.181
 permit 10.1.91.190
!
!
snmp-server community ***** RO SNMP-ACL
snmp-server community ***** RW SNMP-ACL

That ACL is just for SNMP, and it's permitting IPs as well.

If you're uncertain, just temporarily remove it, but I don't think that would be causing the issue. If you were blocking ping, you would need an ACL with deny icmp in it. That ACL is just for SNMP traffic; it should have no effect on what you can ping. Ping is a network-layer reachability issue.

If you ping from the source of the VLAN, is it blocked? Have you set the trunk yet and tried that?

Source of the VLAN is not blocked. I will configure the trunk and let you know. Maybe tomorrow. Thank you.

 

 

Sorry, what I meant was: try a ping from the source -- ping x.x.x.x source vlan 1

Separate from the issue, just looking at your config: the QoS is overlapping. You do not need to have a service policy applied when using mls qos.

The phone/softphone Lync will mark the packet at the source with EF DSCP 46, and AF41/42 for video, on ingress going to the port, and then you trust the port to carry the marking.

You only need to have mls qos trust dscp on your edge ports where phones/Lync etc. are, and on your uplink. Instead of using mls qos trust device cisco-phone, as your cos-dscp mapping is already mls qos map cos-dscp 0 8 16 24 32 46 48 56, just use mls qos trust dscp.

You would still need a service policy on your router on the WAN for egress traffic going outbound, to carry your marking on the WAN. Anyway, this is just something I noticed; it has nothing to do with the original fault.

No, the source ping is not working. 

Thanks for pointing out the QoS config. So you meant that instead of 'mls qos trust device cisco-phone' I have to put 'mls qos trust dscp'?

 

Morning. Yes, you should only use 'mls qos trust device cisco-phone' if all you have connected to the port is a Cisco phone, but from your config it looks like you're marking for Lync as well. It's the same as our network, so in that case you would want to trust the marking Lync sets at the source too. To do this, and to cover you for the Cisco phones, you would trust the DSCP marking that both the Lync and the Cisco phone generate at the source. "mls qos trust dscp" will do this for you, and again at the uplink you would want to continue to carry and trust these markings, so you use the command again.

Even if your phone/softphone uses CoS, as some older models do, you are already covered for that as well, as you have the cos-dscp mapping in place in your config. So if the phone sends a CoS 5 (voice), the switch will map it to DSCP 46 (voice), and your uplink will trust it and carry it through.

 

You can always test it on a switch by setting up a SPAN port and spanning your trunk to the router, capturing all traffic. Then open up Wireshark, look for an IP packet from a phone, and you will see that your packet has a marking as below
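
An added example, not part of the original thread: a Python sketch of the check described above, reading the CoS and DSCP markings out of a frame captured on the trunk and comparing the CoS against the cos-dscp map quoted in the thread. The sample frames, MAC addresses and 192.0.2.x addresses are constructed, and the function names are hypothetical.

```python
import struct

# From the thread: mls qos map cos-dscp 0 8 16 24 32 46 48 56
COS_DSCP_MAP = [0, 8, 16, 24, 32, 46, 48, 56]
DSCP_NAMES = {0: "BE", 34: "AF41", 36: "AF42", 46: "EF"}

def parse_markings(frame: bytes) -> dict:
    """Extract VLAN, CoS (802.1p) and DSCP/ECN from one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan, cos = 14, None, None
    if ethertype == 0x8100:  # 802.1Q tag, present if the capture keeps it
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        cos, vlan, offset = tci >> 13, tci & 0x0FFF, 18
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 packet")
    if len(frame) < offset + 20:
        raise ValueError("truncated IPv4 header")
    ds_field = frame[offset + 1]  # second byte of the IPv4 header
    dscp = ds_field >> 2
    return {
        "vlan": vlan, "cos": cos, "dscp": dscp, "ecn": ds_field & 0x03,
        "name": DSCP_NAMES.get(dscp, f"DSCP {dscp}"),
        # DSCP the switch would derive from CoS via the map above
        "dscp_from_cos": None if cos is None else COS_DSCP_MAP[cos],
    }

def build_sample(dscp: int, vlan=None, cos: int = 0) -> bytes:
    """Constructed test frame (checksum left at 0, no payload)."""
    macs = bytes.fromhex("020000000001" "02000000000a")
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, (cos << 13) | vlan)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return macs + tag + struct.pack("!H", 0x0800) + ip

if __name__ == "__main__":
    for f in (build_sample(46, vlan=2, cos=5), build_sample(34)):
        print(parse_markings(f))
```
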

Hi Mark, 

Thanks for all the advice. I have configured the port as a trunk. That didn't resolve the issue. Finally I rebooted the switch. That solved the problem. :-)

Thanks,

Manu 

Hi Mark,

How are you? Merry X'Mas..!

Finally I got the solution to this issue. There was a redirect entry in the switch. After clearing the entry, the issue got resolved.

Thanks, 

Manu