Solved: Re: Traffic drop between Cisco3850 and Huawei switch.

msompong1 · ‎04-08-2022

Hi All,

I've got the strange issue of the connection between Cisco 3850 (IOS-XE 16.3.6) and Huawei

From the picture the firewall sub interface interface VLAN502 trunk to the Cisco

Cisco switch and Huawei switch connect together with mode access VLAN502.

Laptop connect to Cisco switch with access VLAN502.

I can ping to Huawei IP address from the laptop but cannot ping Huawei IP address from the Firewall.

I've sniffed the traffic on port g1/0/5 , found the ICMP request from the firewall to Huawei IP address and found the ICMP reply from Huawei to the firewall. Once I sniff the traffic in g1/0/4 I found only the ICMP request from the firewall to Huawei IP address. What is the possible problem in this connection? Please kindly advices.

Jon Marshall · ‎04-08-2022

The Huawei is tagging the vlan by the looks of it so when it sends back to 3850 there is a tag but you have configured the port as access.

Probably easiest thing to do is configure gi1/0/5 as a trunk.

Jon

View solution in original post

Jon Marshall · ‎04-08-2022

Can you post configuration of the switch ?

Jon

msompong1 · ‎04-08-2022

Hi,

Cisco configuration.

interface GigabitEthernet1/0/4
description FW1-eth5
switchport trunk allowed vlan 501,502
switchport mode trunk
end

interface GigabitEthernet1/0/5
description xxxxxxx
switchport access vlan 502
switchport mode access
end

interface GigabitEthernet1/0/6
switchport access vlan 502
switchport mode access
end

Huawei Configuration.

interface GigabitEthernet4/0/7.502

vlan-type dot1q 502

ip address 10.1.1.1 255.255.255.0

statistic enable

Jon Marshall · ‎04-08-2022

The Huawei is tagging the vlan by the looks of it so when it sends back to 3850 there is a tag but you have configured the port as access.

Probably easiest thing to do is configure gi1/0/5 as a trunk.

Jon

msompong1 · ‎04-08-2022

Hi,

It working after set trunk and native VLAN.

Thank you so much.

interface GigabitEthernet1/0/5
description best_isp
switchport trunk native vlan 502
switchport trunk allowed vlan 502
switchport mode trunk
end

Jon Marshall · ‎04-08-2022

Glad to hear it is working but slightly confused as you have set the port to not expect tags on vlan 502 but the Huawei is tagging as far as I can see.

I meant configure a trunk but not set the native vlan to 502 but as long as it is working.

Jon

msompong1 · ‎04-08-2022

Hi,

Not so sure it strange since Huawei is not set to trunk.

And in Cisco side if no native VLAN , it cannot work.

Georg Pauwen · ‎04-08-2022

Hello,

what brand/type/model is the firewall ? What model is the Huawei switch ?

msompong1 · ‎04-08-2022

Hi,

Firewall is Checkpoint 3600.

Huawei model ME60.

Georg Pauwen · ‎04-08-2022

Hello,

can the Checkpoint ping the laptop, and vice versa ?

msompong1 · ‎04-08-2022

Hi,

Yes , it can ping checkpoint to laptop and laptop to checkpoint.

Georg Pauwen · ‎04-08-2022

Hello,

what if you make the link between the Cisco and the Checkpoint an access port in vlan 502 ?

msompong1 · ‎04-08-2022

Hi,

I would like to try this way but unfortunately the Checkpoint not have available interface to do.