Connected device to switch not pingable from outside the switch

rumak18
Level 1

Hello Cisco community,

I've got a weird problem. I have a server "A" connected to Gig2/0/16 as an access port (VLAN28) to my Catalyst C9300 switch (two stacked switches). I can ping the device from within the switch. The switch has an SVI configured for this VLAN 28.

I then connected my PC through another access port (VLAN 20) OR through another Port-Channel configured on this Catalyst C9300 switch with another Cisco SG350 switch. But both connections do not allow me to ping this server "A".

SWITCH-CAT#show run int gig2/0/16
Building configuration...

Current configuration : 221 bytes
!
interface GigabitEthernet2/0/16
description SERVER-A
switchport access vlan 28
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
end

 

SWITCH-CAT#sh run int gig1/0/14
Building configuration...

Current configuration : 293 bytes
!
interface GigabitEthernet1/0/14
description Admin-AccessPort
switchport access vlan 20
switchport mode access
no logging event link-status
no snmp trap link-status
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
service-policy output 2P6Q3T
end

 

SWITCH-CAT#show vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4
Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/11, Gi1/0/17
Gi1/0/20, Gi1/0/21, Gi1/0/23
Gi1/0/24, Ap1/0/1, Gi2/0/2
Gi2/0/3, Gi2/0/4, Gi2/0/5
Gi2/0/6, Gi2/0/7, Gi2/0/8
Gi2/0/11, Gi2/0/12, Gi2/0/13
Gi2/0/14, Gi2/0/17, Gi2/0/20
Gi2/0/21, Gi2/0/22, Gi2/0/23
Ap2/0/1
8 Server      active
9 Clients A active
18 Test       active
20 Clients B   active                  Gig1/0/12, Gi1/0/14, Gi2/0/24
21 WLAN 1   active
22 WLAN 2   active
23 WLAN 3   acitve
28 MGMT      active                 Gi1/0/16, Gi1/0/18, Gi2/0/16
Gi2/0/18

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
70 Internet   active
100 VOICE active Gi1/0/12
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

 

SWITCH-CAT#show ip interf brie
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan8 192.168.114.254 YES NVRAM up up
Vlan9 192.168.115.2 YES NVRAM up up
Vlan20 10.2.0.254 YES NVRAM up up
Vlan28 10.2.8.254 YES NVRAM up up
Vlan70 10.1.70.250 YES NVRAM up up
Vlan100 10.2.100.254 YES NVRAM up up

 

SWITCH-CAT#sh mac address-table
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports

20 e86a.644b.9acf DYNAMIC Gi1/0/14

28 08f1.eaeb.8d48 DYNAMIC Gi2/0/16

 

SWITCH-CAT#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected

Gateway of last resort is 10.1.70.254 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.1.70.254
10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C 10.1.70.248/29 is directly connected, Vlan70
L 10.1.70.250/32 is directly connected, Vlan70
C 10.2.0.0/24 is directly connected, Vlan20
L 10.2.0.254/32 is directly connected, Vlan20
C 10.2.8.0/24 is directly connected, Vlan28
L 10.2.8.254/32 is directly connected, Vlan28
C 10.2.100.0/24 is directly connected, Vlan100
L 10.2.100.254/32 is directly connected, Vlan100
192.168.114.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.114.0/24 is directly connected, Vlan8
L 192.168.114.254/32 is directly connected, Vlan8
192.168.115.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.115.0/24 is directly connected, Vlan9
L 192.168.115.2/32 is directly connected, Vlan9

13 Replies

Is the SG350 an L2 or L3 SW?

MHM

rumak18
Level 1

The SG350 is only L2. But I've mentioned it just to show that no matter who or what is connected to my Catalyst switch (access port or trunk), you cannot ping the server A on gig2/0/16 unless you are on switch-A via CLI.

It matters.

Host(vlan20)-SG(l2)-c9300(l3)-server(vlan28)

The PO interconnecting both SW must allow VLAN 20; check the

show interface trunk

Also you need to make sure that the PC connects to a port with VLAN 20, not another VLAN.

Show mac doesn't show the MAC of the host learned via the PO interconnecting both SW, so there is an issue in L2 now, since we solved the L3 issue by adding the VLAN 28 SVI.

MHM

 

@MHM Cisco World 

The Po is allowing VLAN 20 and the trunk is connected successfully on both switches.

SWITCH-CAT#sh interfaces trunk

Port Mode Encapsulation Status Native vlan
Gi1/0/19 on 802.1q trunking 8
Gi1/0/22 on 802.1q trunking 1
Gi2/0/19 on 802.1q trunking 8
Po1 on 802.1q trunking 20
Po2 on 802.1q trunking 20
Po10 on 802.1q trunking 8

Port Vlans allowed on trunk
Gi1/0/19 8-9,20-21,23
Gi1/0/22 1,8-9,18,20-24,28,60-61,70,77,100
Gi2/0/19 8-9,20-21,23
Po1 8-9,20-23,100
Po2 9,20-23,100
Po10 8-9,20-23

Port Vlans allowed and active in management domain
Gi1/0/19 8-9,20-21,23
Gi1/0/22 1,8-9,20-23,28,70,100
Gi2/0/19 8-9,20-21,23
Po1 8-9,20-23,100
Po2 9,20-23,100

Port Vlans allowed and active in management domain
Po10 8-9,20-23

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/19 8-9,20-21,23
Gi1/0/22 1,8-9,20-23,28,70,100
Gi2/0/19 8-9,20-21,23
Po1 8-9,20-23,100
Po2 9,20-23,100
Po10 8-9,20-23

Also you need to make sure that the PC connects to a port with VLAN 20, not another VLAN.

-> Sure, that's why the PC is connecting to gi1/0/14
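
Added example (not part of any post in this thread): a small Python parser for the "Port Vlans ..." sections of the `show interfaces trunk` output above, reporting on which trunks a VLAN is allowed, active and in spanning-tree forwarding state at the same time. The embedded text is a four-port excerpt copied from the post; the function names are this example's own.

```python
import re

# Three sections of the `show interfaces trunk` output posted above, four ports each.
TRUNK_OUTPUT = """\
Port Vlans allowed on trunk
Gi1/0/19 8-9,20-21,23
Gi1/0/22 1,8-9,18,20-24,28,60-61,70,77,100
Po1 8-9,20-23,100
Po2 9,20-23,100

Port Vlans allowed and active in management domain
Gi1/0/19 8-9,20-21,23
Gi1/0/22 1,8-9,20-23,28,70,100
Po1 8-9,20-23,100
Po2 9,20-23,100

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/19 8-9,20-21,23
Gi1/0/22 1,8-9,20-23,28,70,100
Po1 8-9,20-23,100
Po2 9,20-23,100
"""

def expand(vlan_list):
    """Turn '8-9,20-23,100' into {8, 9, 20, 21, 22, 23, 100}."""
    vlans = set()
    for part in vlan_list.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans

def parse_trunks(text):
    """Return {section title: {port: set of VLAN ids}}."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Port Vlans"):
            # setdefault merges a header repeated by the terminal pager
            current = sections.setdefault(line[len("Port "):], {})
        elif current is not None and re.fullmatch(r"\S+\s+[\d,-]+", line):
            port, vlans = line.split()
            current[port] = expand(vlans)
    return sections

def ports_forwarding(text, vlan):
    """Trunks where the VLAN is allowed, active and STP-forwarding."""
    sections = parse_trunks(text).values()
    ports = set.intersection(*(set(s) for s in sections))
    return sorted(p for p in ports if all(vlan in s[p] for s in sections))

if __name__ == "__main__":
    for vlan in (20, 28):
        print(vlan, ports_forwarding(TRUNK_OUTPUT, vlan))
```

For this excerpt VLAN 20 is forwarding on every listed trunk, while VLAN 28 is carried only on Gi1/0/22; VLAN 18 is allowed on Gi1/0/22 but drops out because it is not in the "allowed and active" section.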

 

This port g1/0/14 is for when the PC connects to the C9300, not when it connects to the SG350?

Am I correct?

You need to make sure that the PC connects to a port with VLAN 20.

MHM

Hello,

Post the running configuration (sh run) of the 9300 switch, as well as the output of 'ipconfig /all' of the server.

[Screenshot: Server-A IP Config]

 

Hello,

What are you running the server on, Windows?

SWITCH-CAT#sh run
Building configuration...

Current configuration : 19329 bytes
!
! Last configuration change at 13:01:54 MESZ Wed May 8 2024 by admin
!
version 17.9
service timestamps debug datetime msec
service timestamps log datetime localtime
service call-home
platform punt-keepalive disable-kernel-core
!
hostname SWITCH-CAT
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging persistent url flash:/dir_logging size 52428800 filesize 5242880
no aaa new-model
clock timezone MESZ 2 0
boot system switch all flash:packages.conf
switch 1 provision c9300-24p
switch 2 provision c9300-24p
!
!
!
!
ip routing
!
ip name-server 192.168.19.20 192.168.114.14
ip domain name mydomain.int
ip dhcp excluded-address 192.168.115.1 192.168.115.80
ip dhcp excluded-address 192.168.115.200 192.168.115.254
ip dhcp excluded-address 10.2.0.1 10.2.0.99
ip dhcp excluded-address 10.2.0.200 10.2.0.254
ip dhcp excluded-address 10.2.100.1 10.2.100.99
ip dhcp excluded-address 10.2.100.200 10.2.100.254
!
ip dhcp pool mydomain-A-Clients
network 192.168.115.0 255.255.255.0
dns-server 192.168.114.14 192.168.19.20
default-router 192.168.115.2
domain-name mydomain.int
lease 0 10
!
ip dhcp pool mydomain-B-Clients
network 10.2.0.0 255.255.255.0
dns-server 192.168.114.14 192.168.19.20
default-router 10.2.0.254
lease 0 10
!
ip dhcp pool Admin-1
host 10.2.0.210 255.255.255.0
client-identifier 01d7.1b18.cc81.df
client-name Michael-Laptop-RJ45
dns-server 192.168.114.14 192.168.19.20
default-router 10.2.0.254
!
ip dhcp pool VOICE_VLAN
network 10.2.100.0 255.255.255.0
default-router 10.2.100.254
dns-server 10.1.0.250 192.168.114.14
lease 89
!
ip dhcp pool Admin2
host 10.2.0.211 255.255.255.0
hardware-address 01bc.76a4.8a8a.EF
dns-server 192.168.114.14 192.168.19.20
default-router 10.2.0.254
!
!
!
login on-success log
vtp version 1
!
!
!
!
!
password encryption aes
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
!
crypto pki trustpoint TP-self-signed-4201528031
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4201528031
revocation-check none
rsakeypair TP-self-signed-4201528031
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
...
D697DF7F 28
quit
crypto pki certificate chain TP-self-signed-4201528031
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
...
quit
!
license boot level network-essentials addon dna-essentials
license smart transport callhome
license smart privacy hostname
memory free low-watermark processor 131696
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,8-9,20-23,28,70,100 priority 8192
!
!
...
!
redundancy
mode sso
crypto engine compliance shield disable
!
!
!
!
!
transceiver type all
monitoring
!
!
class-map match-any system-cpp-police-ewlc-control
description EWLC Control
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
description EWLC Data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
description High Rate Applications
class-map match-any system-cpp-police-multicast
description MCAST Data
class-map match-any MYDOMAIN-CM-RT-VIDEO
description MYDOMAIN-packets_dscp32
match dscp cs4
class-map match-any MYDOMAIN-CM-VOICE-PRIO
description MYDOMAIN-packets_CS3(24)_and_DSCP(46)_Bit
match dscp cs3
match dscp ef
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-ios-routing
description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map 2P6Q3T
description MYDOMAIN-PM-Template1
class MYDOMAIN-CM-VOICE-PRIO
priority level 1
queue-buffers ratio 5
class MYDOMAIN-CM-RT-VIDEO
priority level 2
queue-buffers ratio 10
class class-default
bandwidth remaining percent 70
queue-buffers ratio 85
policy-map system-cpp-policy

interface Port-channel1
description Port-Channel-1
switchport trunk native vlan 20
switchport trunk allowed vlan 8,9,20-23,100
switchport mode trunk
!
interface Port-channel2
description Port-Channel-2
switchport trunk native vlan 20
switchport trunk allowed vlan 9,20-23,100
switchport mode trunk
!
interface Port-channel10
description Port-Channel-10
switchport trunk native vlan 8
switchport trunk allowed vlan 8,9,20-23
switchport mode trunk
interface GigabitEthernet1/0/9
description LACP_DOWNLINK-mydomainSG35001-Gi*/0/7
switchport trunk native vlan 20
switchport trunk allowed vlan 9,20-23,100
switchport mode trunk
no cdp enable
channel-group 2 mode active
service-policy output 2P6Q3T
!
interface GigabitEthernet1/0/10
description LACP_DOWNLINK-mydomainSG35001-Gi*/0/7
switchport trunk native vlan 20
switchport trunk allowed vlan 9,20-23,100
switchport mode trunk
no cdp enable
channel-group 2 mode active
service-policy output 2P6Q3T
!


interface GigabitEthernet1/0/14
description Admin-AccessPort
switchport access vlan 20
switchport mode access
ip arp inspection trust
no logging event link-status
no snmp trap link-status
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
service-policy output 2P6Q3T

interface GigabitEthernet2/0/22
description Internet
switchport trunk allowed vlan 1,8,9,20-24,28,60,61,70,77,100
switchport mode trunk
no snmp trap link-status
spanning-tree portfast trunk
spanning-tree bpdufilter enable
service-policy output 2P6Q3T
...

 

interface GigabitEthernet2/0/1
description LACP_DOWNLINK-SW-24-mydomainS-P2v2
switchport trunk native vlan 20
switchport trunk allowed vlan 8,9,20-23,100
switchport mode trunk
no cdp enable
channel-group 1 mode active
service-policy output 2P6Q3T

interface GigabitEthernet2/0/16
description SERVER-A
switchport access vlan 28
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet2/0/17
!
interface GigabitEthernet2/0/18
description SERVER-B
switchport access vlan 28
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet2/0/19
description Server-B-VM-SET-2v2
switchport trunk native vlan 8
switchport trunk allowed vlan 8,9,20,21,23
switchport mode trunk
no cdp enable
service-policy output 2P6Q3T
!
....

!
interface GigabitEthernet2/0/23
description Test-Windows11
switchport trunk native vlan 9
switchport trunk allowed vlan 9,20-23,100
switchport mode trunk
no snmp trap link-status
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
service-policy output 2P6Q3T
!
....
!
interface Vlan1
no ip address
shutdown
!
interface Vlan8
ip address 192.168.114.254 255.255.255.0
!
interface Vlan9
description mydomain-A-Clients
ip address 192.168.115.2 255.255.255.0
!
interface Vlan20
ip address 10.2.0.254 255.255.255.0
!
interface Vlan28
ip address 10.2.8.254 255.255.255.0
!
interface Vlan70
ip address 10.1.70.250 255.255.255.248
!
interface Vlan100
ip address 10.2.100.254 255.255.255.0
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http client source-interface Vlan20
ip route 0.0.0.0 0.0.0.0 10.1.70.254
ip ssh server algorithm authentication password
!
!
!
!
control-plane
service-policy input system-cpp-policy

!
line con 0
exec-timeout 20 0
privilege level 7
login local
stopbits 1
line vty 0 4
exec-timeout 60 0
logging synchronous
login local
transport input ssh
line vty 5 15
exec-timeout 60 0
logging synchronous
login local
transport input ssh
line vty 16 31
login
transport input ssh
!
!
monitor session 1 source interface Gi1/0/12
monitor session 1 destination interface Gi1/0/13
call-home
contact-email-addr mymail@mydomain.com
no http secure server-identity-check
profile "CiscoTAC-1"
active
destination transport-method http
ntp server 10.1.0.250
!
!
!
!
!
!
end

@Georg Pauwen It's an ILO HP interface. There is no VLAN configured for this interface PLUS this interface worked just a week ago with an older Cisco switch.

Thanks for posting the config. I have looked through it and do not see any obvious issues. Given the description of the problem my guess about the issue is that something is not configured correctly on your ILO HP, probably its default gateway. I am not sure what the equivalent of ipconfig all would be on that device but could you provide that output? Or would you attempt traceroute to some remote destination and post the results? I am guessing that it will not get past the gateway.

HTH

Rick
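
Added example (not Rick's code and not part of the original thread): a Python model of the return path that the default-gateway guess above is about. It shows why a ping sourced from the switch's own VLAN 28 SVI can succeed while a ping from a VLAN 20 PC fails. The SVI address comes from the thread; the host settings and the PC address 10.2.0.100 are constructed, since the real values appear only in screenshots.

```python
import ipaddress

# VLAN 28 SVI from the `show ip interface brief` output in the thread.
SVI_VLAN28 = ipaddress.ip_interface("10.2.8.254/24")

def reply_path(host_ip, host_mask, host_gw, peer_ip, svi=SVI_VLAN28):
    """Model how a host on the SVI's VLAN sends its echo reply to peer_ip.

    Returns (next_hop, verdict); verdict is 'ok', 'drop', 'proxy-arp' or 'suspect'.
    """
    host = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    peer = ipaddress.ip_address(peer_ip)
    if peer in host.network:
        # Host treats the peer as on-link and ARPs for it directly.
        # If the peer is really in another VLAN (mask too wide), this only
        # works when the SVI answers the ARP on the peer's behalf.
        return ("direct", "ok" if peer in svi.network else "proxy-arp")
    if not host_gw:
        return (None, "drop")          # no route back: host discards the reply
    gw = ipaddress.ip_address(host_gw)
    if gw not in host.network:
        return (str(gw), "drop")       # gateway unreachable from the host's subnet
    if gw != svi.ip:
        return (str(gw), "suspect")    # some other device must route for VLAN 28
    return (str(gw), "ok")

# Constructed host settings (the thread's real values are only in screenshots).
CASES = {
    "correct":         ("10.2.8.10", "255.255.255.0", "10.2.8.254"),
    "no gateway":      ("10.2.8.10", "255.255.255.0", None),
    "old gateway":     ("10.2.8.10", "255.255.255.0", "10.2.8.1"),
    "wrong subnet gw": ("10.2.8.10", "255.255.255.0", "10.2.0.254"),
}

def compare(switch_src="10.2.8.254", pc_src="10.2.0.100"):
    """Verdict for a ping sourced from the switch SVI vs. from a VLAN 20 PC."""
    return {name: (reply_path(*cfg, switch_src)[1], reply_path(*cfg, pc_src)[1])
            for name, cfg in CASES.items()}

if __name__ == "__main__":
    for name, (from_switch, from_pc) in compare().items():
        print(f"{name:16} switch ping: {from_switch:8} PC ping: {from_pc}")
```

In every constructed case the switch-sourced ping is answered directly on the VLAN, so a working ping from the switch CLI says nothing about the host's gateway setting.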

Hi, here is the IP Config once again. There is not much more to config. VLAN tagging is "off".

[screenshot]

There is no traceroute on the host itself. Only ping. And the host can ping the switch (its gateway):

[screenshot]

 

tracert from my PC:

 

[screenshot]

 

 

 

 
