07-29-2021 07:35 PM
Hi guys,
I have a scenario in the data centre where I have catalyst c9300 connected to the firewall. Two ports on c9300 are on port-channel LACP active mode where the ports on the firewall are LACP passive. I am seeing packets dropped on one of the switch interfaces that is part of the port channel and I am not sure why.
Could this be because of LACP config not matching on both devices?
Thanks in advance.
07-29-2021 08:33 PM
What "drops"? Total Output Drops?
07-29-2021 08:39 PM
Hi Leo,
Two ports are bundled in the port-channel, 1/0/3 and 2/0/3. Output drops can only be seen on one port, 1/0/3. Please see below.
Thanks,
07-29-2021 09:18 PM
Show us the config for the Etherchannel.
07-29-2021 10:11 PM
GSUISW01#sh run interface port-channel 2
Building configuration...
Current configuration : 150 bytes
!
interface Port-channel2
description Portchannel to FW port ae1
switchport trunk allowed vlan 1000,4000,4003,4008,4010
switchport mode trunk
end
GSUISW01#sh run interface gigabitEthernet 1/0/3
Building configuration...
Current configuration : 203 bytes
!
interface GigabitEthernet1/0/3
description "Uplink to PA-port1"
switchport trunk allowed vlan 1000,4000,4003,4008,4010
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active
end
GSUISW01#sh run interface gigabitEthernet 2/0/3
Building configuration...
Current configuration : 203 bytes
!
interface GigabitEthernet2/0/3
description "Uplink to PA-port2"
switchport trunk allowed vlan 1000,4000,4003,4008,4010
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active
end
07-29-2021 10:54 PM
Hello,
it looks like the load on interface GigabitEthernet1/0/3 is a lot higher than that of the other interface.
The default load distribution is based on the source-MAC address of the incoming packet. You might want to change that to e.g.
destination-MAC address, and monitor if the load is distributed more evenly.
C9300(config)# port-channel load-balance dst-mac
07-29-2021 10:59 PM
Hi Georg,
Thanks for your comments.
One more thing that I would like to highlight is that on my bandwidth monitoring tool port 2/0/3 is not sending any traffic outbound to the firewall. It is receiving packets, though. Whereas port 1/0/3 is both outbound and inbound.
Not sure why.
Regards,
07-29-2021 11:43 PM
Hello,
does your monitoring tool allow you to see the exact traffic patterns, that is, between which hosts the traffic is flowing?
The 'port-channel load-balance' command has a lot of options, you could also try:
dst-mixed-ip-port
Either way, it would be very useful to find out where the (only) inbound traffic on GigabitEthernet2/0/3 is going to...
07-30-2021 01:36 AM
Hi,
Yes, exactly. If this is a link between a firewall and some kind of router it would not make sense to load-balance on destination or source MAC as it would be the same for all packets.
The load-balancing algorithm needs to be moved higher up in the OSI model.
According to the destination the best option would be to use: src-dst-mixed-ip-port
Take a look at this article: https://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12023-4.html
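To make the polarization argument concrete, here is a small Python model of EtherChannel member selection. It is an added illustration, not code from this thread or from Cisco: the hash is a simplified XOR-fold of the selected header fields into 8 buckets (real switch ASICs use their own hardware polynomial, so only the qualitative behaviour carries over), and the MAC addresses, IPs and ports are constructed sample values. Every frame on a switch-to-firewall uplink carries the same source MAC (the upstream router) and the same destination MAC (the firewall), so any MAC-based method hashes to one bucket and one member link, while src-dst-mixed-ip-port spreads the flows.

```python
from collections import Counter

# Constructed sample addresses (RFC 5737 / IANA documentation ranges).
ROUTER_MAC = "00:00:5e:00:53:10"   # upstream L3 device sending into the LAG
FW_MAC = "00:00:5e:00:53:01"       # firewall on the far end of the LAG
BUCKETS = 8                        # classic EtherChannel hash has 8 buckets

# Which header fields each load-balance keyword hashes over (subset of the keywords).
METHOD_FIELDS = {
    "src-mac": ["src_mac"],
    "dst-mac": ["dst_mac"],
    "src-dst-mac": ["src_mac", "dst_mac"],
    "src-dst-ip": ["src_ip", "dst_ip"],
    "src-dst-mixed-ip-port": ["src_ip", "dst_ip", "src_port", "dst_port"],
}


def make_flows(n=8):
    """Constructed flows: same MACs on every frame, varying IP 5-tuple."""
    return [
        {
            "src_mac": ROUTER_MAC, "dst_mac": FW_MAC,
            "src_ip": f"10.0.0.{10 + i}", "dst_ip": "192.0.2.1",
            "src_port": 40000 + i, "dst_port": 443,
        }
        for i in range(n)
    ]


def to_ints(value):
    """Split a MAC (hex, ':') or IPv4 (decimal, '.') into integers; ports are already ints."""
    if isinstance(value, int):
        return [value]
    sep, base = (":", 16) if ":" in value else (".", 10)
    return [int(part, base) for part in value.split(sep)]


def bucket(flow, method):
    """Simplified hash: XOR-fold the selected fields, keep the low 3 bits (8 buckets)."""
    h = 0
    for field in METHOD_FIELDS[method]:
        for n in to_ints(flow[field]):
            h ^= n
    return h & (BUCKETS - 1)


def member_link(flow, method, links=2):
    """Map the bucket onto a member link; with 2 links each gets 4 contiguous buckets."""
    return bucket(flow, method) * links // BUCKETS


def distribution(flows, method, links=2):
    """Count how many flows land on each member link for a given load-balance method."""
    return Counter(member_link(f, method, links) for f in flows)


if __name__ == "__main__":
    flows = make_flows()
    for method in METHOD_FIELDS:
        dist = distribution(flows, method)
        print(f"{method:24s} -> links used: {dict(sorted(dist.items()))}")
```

Running the block shows the MAC-based methods placing all eight flows on a single member link (the single-active-link symptom reported earlier in the thread), while the IP/port-based methods use both links.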
07-30-2021 01:59 AM
Hi Rasmus,
This is the link between switch C9300 and the firewall.
07-30-2021 08:37 AM
Hi,
Yes, but it seems like the traffic is coming from the same layer 3 network device, since it is all hitting the same LAG interface.
So my suggestion to move the load balancing algorithm up the OSI model still stands
08-01-2021 07:47 AM
Hi Rasmus,
The switch is only doing L2 and no routing. Can I still use src-dst-mixed-ip-port?
thanks
08-01-2021 10:57 PM
Hi,
Yes, I would think so. The switch is only making a bit matching of the headers. Try it out and see if it makes a better polarization.
And let us know how it goes.
08-11-2021 05:23 PM
Hi Rasmus,
I have set the load-balancing to src-dst-mixed-ip-port and it has resolved the issue.
Thanks a lot for your help.
08-12-2021 02:34 PM
Hi,
Great news, glad you got it to work.