
One Port channel. Blocking access outside Vlan

CrazyChickenDK
Level 1

Server: HP DL580 - XCP-ng/Xen Orchestra
Switch: WS-C4900M - 12.2(53)SG8

VM connected to TenGigabitEthernet1/1-2 can only access devices inside its own vlan (Vlan10). 

VM connected to GigabitEthernet2/19-20 can access everything. No restrictions.

Switch and server settings on those ports are the same.

Why can't the VM on the TenGig access the web, even when set to Vlan 11? It gets the correct IP from the DHCP server on Vlan 10, but is still unable to ping anything outside the Vlan.

Current configuration : 7004 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Core
!
boot-start-marker
boot-end-marker
!
enable secret 5 *******
!
username ******** secret 5 **********
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
!
!
aaa session-id common
ip subnet-zero
no ip domain-lookup
ip domain-name CORE.local
!
!
ip vrf mgmtVrf
!
vtp mode transparent
!
!
!
power redundancy-mode redundant
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10-17
!
ip ssh version 2
!
!
interface Port-channel1
 description To ASA
 ip address 172.20.0.2 255.255.255.252
!
interface Port-channel17
 description To DL580
 switchport
 switchport mode trunk
!
interface Port-channel31
 description 10gig to DL580
 switchport
 switchport mode trunk
!
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface TenGigabitEthernet1/1
 description 10gig til DL580
 switchport mode trunk
 channel-protocol lacp
 channel-group 31 mode active
!
interface TenGigabitEthernet1/2
 description 10gig til DL580
 switchport mode trunk
 channel-protocol lacp
 channel-group 31 mode active
!
interface GigabitEthernet2/1
 description To ASA
 no switchport
 no ip address
 channel-group 1 mode active
!
interface GigabitEthernet2/2
 description Til ASA
 no switchport
 no ip address
 channel-group 1 mode active
!
interface GigabitEthernet2/19
 description To DL580
 switchport mode trunk
 channel-protocol lacp
 channel-group 31 mode active
!
interface GigabitEthernet2/20
 description To DL580
 switchport mode trunk
 channel-protocol lacp
 channel-group 31 mode active
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description Server
 ip address 172.20.10.1 255.255.255.0
 ip helper-address 172.20.10.250
!
interface Vlan11
 description VIP Access 1-2-W0
 ip address 172.20.11.1 255.255.255.0
 ip helper-address 172.20.10.250
!
ip route 0.0.0.0 0.0.0.0 172.20.0.1
no ip http server
no ip http secure-server
!
!
!
!
!
snmp-server group ********* v3 priv read *********
snmp-server view *********** iso.* included
banner login ^C
We see what you did there!
^C
!
line con 0
 exec-timeout 30 0
 logging synchronous
 stopbits 1
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 transport input ssh
line vty 5 15
 exec-timeout 30 0
 logging synchronous
 transport input ssh
!
end


Accepted Solution

CrazyChickenDK
Level 1

Removed trunk from Te1/1-2. And made it into an access port. 

But still in LACP port-channel.


balaji.bandi
Hall of Fame

At a high level, I do not see anything wrong in the config.

Can you post the output below:

show ip interface brief

show ip route

show ip arp

From the VLAN 10 VM, traceroute 172.20.0.1; same from VLAN 11.

BB

10Gig portchannel is over CX4 Cable

 

show ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan10 172.20.10.1 YES NVRAM up up
Vlan11 172.20.11.1 YES NVRAM up up
Vlan12 172.20.12.1 YES NVRAM up up
Vlan13 172.20.13.1 YES NVRAM up up
Vlan14 172.20.14.1 YES NVRAM up up
Vlan15 172.20.15.1 YES NVRAM up up
Vlan16 172.20.16.1 YES NVRAM up up
Vlan17 172.20.17.1 YES NVRAM up up
FastEthernet1 unassigned YES NVRAM administratively down down
TenGigabitEthernet1/1 unassigned YES unset up up
TenGigabitEthernet1/2 unassigned YES unset up up
TenGigabitEthernet1/3 unassigned YES unset administratively down down
TenGigabitEthernet1/4 unassigned YES unset administratively down down
TenGigabitEthernet1/5 unassigned YES unset administratively down down
TenGigabitEthernet1/6 unassigned YES unset administratively down down
TenGigabitEthernet1/7 unassigned YES unset down down
TenGigabitEthernet1/8 unassigned YES unset down down
GigabitEthernet2/1 unassigned YES NVRAM up up
GigabitEthernet2/2 unassigned YES NVRAM down down
GigabitEthernet2/3 unassigned YES unset up up
GigabitEthernet2/4 unassigned YES unset down down
GigabitEthernet2/5 unassigned YES unset administratively down down
GigabitEthernet2/6 unassigned YES unset administratively down down
GigabitEthernet2/7 unassigned YES unset administratively down down
GigabitEthernet2/8 unassigned YES unset administratively down down
GigabitEthernet2/9 unassigned YES unset administratively down down
GigabitEthernet2/10 unassigned YES unset administratively down down
GigabitEthernet2/11 unassigned YES unset administratively down down
GigabitEthernet2/12 unassigned YES unset administratively down down
GigabitEthernet2/13 unassigned YES unset down down
GigabitEthernet2/14 unassigned YES unset up up
GigabitEthernet2/15 unassigned YES unset down down
GigabitEthernet2/16 unassigned YES unset up up
GigabitEthernet2/17 unassigned YES unset down down
GigabitEthernet2/18 unassigned YES unset down down
GigabitEthernet2/19 unassigned YES unset up up
GigabitEthernet2/20 unassigned YES unset up up
GigabitEthernet3/1 unassigned YES unset administratively down down
GigabitEthernet3/2 unassigned YES unset administratively down down
GigabitEthernet3/3 unassigned YES unset administratively down down
GigabitEthernet3/4 unassigned YES unset administratively down down
GigabitEthernet3/5 unassigned YES unset administratively down down
GigabitEthernet3/6 unassigned YES unset administratively down down
GigabitEthernet3/7 unassigned YES unset administratively down down
GigabitEthernet3/8 unassigned YES unset administratively down down
GigabitEthernet3/9 unassigned YES unset administratively down down
GigabitEthernet3/10 unassigned YES unset administratively down down
GigabitEthernet3/11 unassigned YES unset administratively down down
GigabitEthernet3/12 unassigned YES unset administratively down down
GigabitEthernet3/13 unassigned YES unset administratively down down
GigabitEthernet3/14 unassigned YES unset administratively down down
GigabitEthernet3/15 unassigned YES unset administratively down down
GigabitEthernet3/16 unassigned YES unset administratively down down
GigabitEthernet3/17 unassigned YES unset administratively down down
GigabitEthernet3/18 unassigned YES unset administratively down down
GigabitEthernet3/19 unassigned YES unset administratively down down
GigabitEthernet3/20 unassigned YES unset administratively down down
Port-channel1 172.20.0.2 YES NVRAM up up
Port-channel17 unassigned YES unset down down
Port-channel19 unassigned YES unset up up
Port-channel30 unassigned YES unset down down
Port-channel31 unassigned YES unset up up

Portchannel 1 is to an ASA 5525-x

 

sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.20.0.1 to network 0.0.0.0

172.20.0.0/16 is variably subnetted, 9 subnets, 2 masks
C 172.20.16.0/24 is directly connected, Vlan16
C 172.20.17.0/24 is directly connected, Vlan17
C 172.20.10.0/24 is directly connected, Vlan10
C 172.20.11.0/24 is directly connected, Vlan11
C 172.20.12.0/24 is directly connected, Vlan12
C 172.20.13.0/24 is directly connected, Vlan13
C 172.20.14.0/24 is directly connected, Vlan14
C 172.20.15.0/24 is directly connected, Vlan15
C 172.20.0.0/30 is directly connected, Port-channel1
S* 0.0.0.0/0 [1/0] via 172.20.0.1

 

show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.20.10.151 63 b00c.d159.fb42 ARPA Vlan10
Internet 172.20.10.242 0 ca06.868b.72f8 ARPA Vlan10 (Server IP when command ran)
Internet 172.20.10.243 18 7aa6.74eb.c843 ARPA Vlan10
Internet 172.20.10.250 2 ea25.3c84.ed32 ARPA Vlan10
Internet 172.20.10.63 32 1ee5.6d9b.015a ARPA Vlan10
Internet 172.20.10.60 0 063c.19c9.1f5b ARPA Vlan10
Internet 172.20.10.61 2 ca06.868b.72f8 ARPA Vlan10 (Normal Server static ip)
Internet 172.20.10.41 3 1cc1.de75.81c8 ARPA Vlan10
Internet 172.20.17.1 - 6c41.6a97.9d3f ARPA Vlan17
Internet 172.20.16.1 - 6c41.6a97.9d3f ARPA Vlan16
Internet 172.20.11.1 - 6c41.6a97.9d3f ARPA Vlan11
Internet 172.20.10.1 - 6c41.6a97.9d3f ARPA Vlan10
Internet 172.20.13.1 - 6c41.6a97.9d3f ARPA Vlan13
Internet 172.20.12.1 - 6c41.6a97.9d3f ARPA Vlan12
Internet 172.20.15.1 - 6c41.6a97.9d3f ARPA Vlan15
Internet 172.20.14.1 - 6c41.6a97.9d3f ARPA Vlan14
Internet 172.20.0.1 77 6c41.6aa1.3458 ARPA Port-channel1
Internet 172.20.0.2 - 6c41.6a97.9d3f ARPA Port-channel1

 

Traceroute

1. Vlan 10 - portchannel 19

traceroute to 172.20.0.1 (172.20.0.1), 30 hops max, 60 byte packets

1 _gateway (172.20.10.1) 2.093 ms 1.981 ms 1.920 ms

no trouble pinging 172.20.10.1 & 172.20.0.1

2. Vlan 10-11 - Portchannel 31

traceroute to 172.20.0.1 (172.20.0.1), 30 hops max, 60 byte packets

1 172.20.10.242 (172.20.10.242) 2573.885 ms !H 2573.885 ms !H 2573.885 ms !H

Ping can't reach 172.20.10.1 & 172.20.0.1

sh etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator

M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port


Number of channel-groups in use: 5
Number of aggregators: 5

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(RU) LACP Gi2/1(P) Gi2/2(P)
17 Po17(SD) LACP Gi2/17(w) Gi2/18(w)
19 Po19(SU) LACP Gi2/19(P) Gi2/20(P)
30 Po30(SD) LACP Te1/7(D) Te1/8(D)
31 Po31(SU) LACP Te1/1(P) Te1/2(P)
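
The running-config pasted in the thread places Gi2/19-20 in channel-group 31, while the `sh etherchannel summary` output lists them under Po19. The sketch below is an added example, not part of the original posts: it cross-checks the two sources for that kind of drift, using constructed excerpts modelled on the thread and hypothetical function names.

```python
import re

# Constructed excerpts modelled on the output pasted in this thread.
RUNNING_CONFIG = """\
interface TenGigabitEthernet1/1
 switchport mode trunk
 channel-group 31 mode active
!
interface TenGigabitEthernet1/2
 switchport mode trunk
 channel-group 31 mode active
!
interface GigabitEthernet2/19
 switchport mode trunk
 channel-group 31 mode active
!
interface GigabitEthernet2/20
 switchport mode trunk
 channel-group 31 mode active
"""

ETHERCHANNEL_SUMMARY = """\
19 Po19(SU) LACP Gi2/19(P) Gi2/20(P)
31 Po31(SU) LACP Te1/1(P) Te1/2(P)
"""

def short_name(name):
    """Abbreviate 'GigabitEthernet2/19' to 'Gi2/19', as the summary output does."""
    return re.sub(r"^([A-Za-z]{2})[A-Za-z]*", r"\1", name)

def configured_groups(config):
    """Map member port -> channel-group number from running-config text."""
    pairs = re.findall(
        r"^interface (\S+)\n(?: .*\n)*? channel-group (\d+) mode", config, re.M)
    return {short_name(port): int(group) for port, group in pairs}

def operational_groups(summary):
    """Map member port -> group number from 'show etherchannel summary' rows."""
    groups = {}
    for row in re.finditer(r"^\s*(\d+)\s+Po\d+\(\w+\)\s+\S+\s+(.*)$", summary, re.M):
        for port in re.findall(r"(\S+?)\(\w\)", row.group(2)):
            groups[port] = int(row.group(1))
    return groups

def mismatches(config, summary):
    """Return (port, configured, operational) where the two sources disagree."""
    cfg, oper = configured_groups(config), operational_groups(summary)
    return sorted((p, g, oper.get(p)) for p, g in cfg.items() if oper.get(p) != g)
print(mismatches(RUNNING_CONFIG, ETHERCHANNEL_SUMMARY))
```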
