07-29-2021 07:35 PM
Hi guys,
I have a scenario in the data centre where I have catalyst c9300 connected to the firewall. Two ports on c9300 are on port-channel LACP active mode where the ports on the firewall are LACP passive. I am seeing packets dropped on one of the switch interfaces that is part of the port channel and I am not sure why.
Could this be because of LACP config not matching on both devices?
Thanks in advance.
07-29-2021 08:33 PM
What "drops"? Total Output Drops?
07-29-2021 08:39 PM
Hi Leo,
Two ports, 1/0/3 and 2/0/3, are bundled in the port-channel. Output drops can only be seen on one port, 1/0/3. Please see below.
Thanks,
07-29-2021 09:18 PM
Show us the config for the Etherchannel.
07-29-2021 10:11 PM
GSUISW01#sh run interface port-channel 2
Building configuration...
Current configuration : 150 bytes
!
interface Port-channel2
description Portchannel to FW port ae1
switchport trunk allowed vlan 1000,4000,4003,4008,4010
switchport mode trunk
end
GSUISW01#sh run interface gigabitEthernet 1/0/3
Building configuration...
Current configuration : 203 bytes
!
interface GigabitEthernet1/0/3
description "Uplink to PA-port1"
switchport trunk allowed vlan 1000,4000,4003,4008,4010
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active
end
GSUISW01#sh run interface gigabitEthernet 2/0/3
Building configuration...
Current configuration : 203 bytes
!
interface GigabitEthernet2/0/3
description "Uplink to PA-port2"
switchport trunk allowed vlan 1000,4000,4003,4008,4010
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active
end
07-29-2021 10:54 PM
Hello,
it looks like the load on interface GigabitEthernet1/0/3 is a lot higher than that of the other interface.
The default load distribution is based on the source-MAC address of the incoming packet. You might want to change that to e.g.
destination-MAC address, and monitor if the load is distributed more evenly.
C9300(config)# port-channel load-balance dst-mac
07-29-2021 10:59 PM
Hi Georg,
Thanks for your comments.
There is one more thing that I would like to highlight is that on my bandwidth monitoring tool port 2/0/3 is not sending any traffic outbound to the firewall. It is receiving the packets though. Whereas port 1/0/3 is both outbound and inbound.
Not sure why.
Regards,
07-29-2021 11:43 PM
Hello,
does your monitoring tool allow you to see the exact traffic patterns, that is, between which hosts the traffic is flowing?
The 'port-channel load-balance' command has a lot of options, you could also try:
dst-mixed-ip-port
Either way, it would be very useful to find out where the (only) inbound traffic on GigabitEthernet2/0/3 is going to...
07-30-2021 01:36 AM
Hi,
Yes, exactly. If this is a link between a firewall and some kind of router, it would not make sense to load-balance on destination or source MAC, as it would be the same for all packets.
The load-balancing algorithm needs to be moved higher up in the OSI model.
According to the destination the best option would be to use: src-dst-mixed-ip-port
Take a look at this article: https://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12023-4.html
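To make the point about MAC-based hashing concrete, here is an added example (not code from the thread and not Cisco's actual hash, which is proprietary): a toy model of EtherChannel member selection. Every constructed frame carries the same source MAC (a router) and the same destination MAC (the firewall) but a different IP 5-tuple. Hashing on src-mac or dst-mac pins all of it to one member, exactly the "only one interface sends" symptom above; hashing on the mixed IP/port fields spreads the flows. The MAC and IP addresses are documentation ranges chosen for the example, and the member names mirror the thread's Gi1/0/3 and Gi2/0/3.

```python
"""Toy EtherChannel load-balance model (constructed example, not Cisco's hash)."""
import hashlib
from collections import Counter
from dataclasses import dataclass

MEMBERS = ("Gi1/0/3", "Gi2/0/3")  # the two bundled links from the thread


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# Header fields consulted by each 'port-channel load-balance' mode.
# Only the modes discussed in the thread are modelled.
LB_MODES = {
    "src-mac": lambda f: (f.src_mac,),
    "dst-mac": lambda f: (f.dst_mac,),
    "src-dst-mixed-ip-port": lambda f: (f.src_ip, f.dst_ip, f.src_port, f.dst_port),
}


def select_member(frame: Frame, mode: str, members=MEMBERS) -> str:
    """Pick the member link for one frame.

    SHA-256 stands in for the switch ASIC's hash (assumption): any frame with
    the same selected fields always lands on the same member, so balancing is
    per flow, never per packet.
    """
    key = "|".join(str(x) for x in LB_MODES[mode](frame)).encode()
    digest = hashlib.sha256(key).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def distribute(frames, mode: str, members=MEMBERS) -> dict:
    """Count how many frames each member link would carry under `mode`."""
    counts = Counter(select_member(f, mode, members) for f in frames)
    return {m: counts.get(m, 0) for m in members}


def constructed_flows(n: int = 200) -> list:
    """Constructed sample traffic: one router MAC talking to one firewall MAC,
    carrying n distinct TCP flows (documentation MAC/IP ranges)."""
    return [
        Frame(
            src_mac="00:00:5e:00:53:01",          # the router behind the switch
            dst_mac="00:00:5e:00:53:02",          # the firewall
            src_ip=f"10.0.{i // 256}.{i % 256}",  # a different inner host each flow
            dst_ip="192.0.2.10",
            src_port=40000 + i,
            dst_port=443,
        )
        for i in range(n)
    ]


if __name__ == "__main__":
    flows = constructed_flows()
    for mode in LB_MODES:
        print(f"{mode:24s} {distribute(flows, mode)}")
```

Two caveats a practitioner should keep in mind when reading the output: the mode only governs frames the switch itself transmits into the bundle, so the inbound direction (firewall to switch) is decided by the firewall's own hash, which is why Gi2/0/3 can still receive while sending nothing; and a single large flow still stays on one member whatever mode is chosen, so a mixed IP/port hash helps only when there are several flows to spread.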
07-30-2021 01:59 AM
Hi Rasmus,
This is the link between switch C9300 and the firewall.
07-30-2021 08:37 AM
Hi,
Yes, but it seems like the traffic is coming from the same layer 3 network device, since it is all hitting the same LAG interface.
So my suggestion to move the load balancing algorithm up the OSI model still stands.
08-01-2021 07:47 AM
Hi Rasmus,
the switch is only doing L2 and no routing. Can I still use src-dst-mixed-ip-port?
thanks
08-01-2021 10:57 PM
Hi,
Yes, I would think so. The switch is only making a bit matching of the headers. Try it out and see if it makes a better polarization.
And let us know how it goes.
08-11-2021 05:23 PM
Hi Rasmus,
I have set the load-balancing to src-dst-mixed-ip-port and it has resolved the issue.
Thanks a lot for your help.
08-12-2021 02:34 PM
Hi,
Great news, glad you got it to work.