
Ping runs on switch directly but not from a device connected to switch

rumak18
Level 1

Hello Cisco community,

I've got a weird problem. I have a server "A" connected to Gig2/0/18 as an access port (VLAN28) to my Catalyst C9300 switch. I can ping the device from the switch. The switch has an SVI configured for this vlan 28.

I also have my PC connected through another access (VLAN 20) port OR through another Port-Channel configured on this Catalyst C9300 switch with another Cisco SG350 Switch. But both connections do not allow me to ping this server "A".

It's really strange and I just have no idea what the cause could be.

 

Here is the config for the Server "A":

interface GigabitEthernet2/0/16
description Server A
switchport access vlan 28
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root

Here is the config for the access port I'm connecting to:

interface GigabitEthernet1/0/14
description Admin-Port-AccessPort
switchport access vlan 20
switchport mode access
no logging event link-status
no snmp trap link-status
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
service-policy output 2P6Q3T

And here is the config for the Etherchannel with the other switch:

interface Port-channel2
description Port-Channel-2
switchport trunk native vlan 20
switchport trunk allowed vlan 9,20-23
switchport mode trunk

 

I don't think that I really need vlan 28 configured on the trunk etherchannel, right?

12 Replies

balaji.bandi
Hall of Fame

Where are the VLAN 28 and VLAN 20 SVIs - both on the Cat 9300?

ip routing is required for them to route between the VLANs.

You have too many VLANs - what is VLAN 18? - what is the IP address of that gateway?

You only need the VLAN in the port-channel if you would like to extend Layer 2 to the other switch (if not, it is not required for all the VLANs to be passed, if you are using Layer 3 for routing?)

I don't think that I really need vlan8 configured on the trunk etherchannel right?

I do not see any VLAN 8 config here?

Best is show run from both switches; along with show cdp neigh, show ip route and show ip interface brief, it will help us to assist better.

BB


Where are the VLAN 28 and VLAN 20 SVIs - both on the Cat 9300?
-> Yes

ip routing is required for them to route between the VLANs

-> Yes, it is.

You have too many VLANs - what is VLAN 18? - what is the IP address of that gateway?

-> It's just another vlan. And yes, each vlan has an IP address.

I do not see any VLAN 8 config here?

-> Sorry, I meant VLAN 28. I've corrected it in the original post.

And sorry, I cannot post my config on the internet. I don't want to make this mistake.

 

RAdamWilliams
Level 1

Is your default gateway on your server set to VLAN 28's IP?

@RAdamWilliams Yes, the GW is set to VLAN 28's IP.

@ammahend "ip routing" is activated in running conf and routing table shows both PC subnets.

Additionally I have another device connected on another in VLAN 28 and this device is pingable from another device than the switch. So, in my opinion the routing itself should work. Also, as I mentioned, the server A on gig2/0/16 is pingable from the switch itself. It's strange and really time consuming for this tiny isolated problem... I will take another look at it tomorrow.

ammahend
VIP

make sure you have "ip routing" enabled on Catalyst C9300 and its routing table shows both PC subnets.

-hope this helps-

rumak18
Level 1

Sure, "ip routing" is enabled on C9300. Routing table shows both networks. I also see the MAC address of the server in "show ip arp".

Could the access list block anything?

 

SWITCH#show access-lists
Extended IP access list IP-Adm-V4-Int-ACL-global
Extended IP access list implicit_deny
10 deny ip any any
Extended IP access list implicit_permit
10 permit ip any any
Extended IP access list meraki-fqdn-dns
Extended IP access list preauth_v4
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
IPv6 access list implicit_deny_v6
deny ipv6 any any sequence 10
IPv6 access list implicit_permit_v6
permit ipv6 any any sequence 10
IPv6 access list preauth_v6
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100

 

 

SWITCH#show ip access-lists
Extended IP access list IP-Adm-V4-Int-ACL-global
Extended IP access list implicit_deny
10 deny ip any any
Extended IP access list implicit_permit
10 permit ip any any
Extended IP access list meraki-fqdn-dns
Extended IP access list preauth_v4
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any

Do
show mac address-table
Do you see the server MAC and the directly connected host MAC in the table?
Is it learned in the right VLAN, VLAN 28/20?

Share
show ip int brief
show vlan brief

MHM

rumak18
Level 1

SWITCH#show ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan9 192.168.15.2 YES NVRAM up up
Vlan20 10.2.20.254 YES NVRAM up up
Vlan70 10.1.170.250 YES NVRAM up up
Vlan100 10.2.100.254 YES NVRAM up up

 

SWITCH#sh vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4
Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/11, Gi1/0/17
Gi1/0/20, Gi1/0/21, Gi1/0/23
Gi1/0/24, Ap1/0/1, Gi2/0/2
Gi2/0/3, Gi2/0/4, Gi2/0/5
Gi2/0/6, Gi2/0/7, Gi2/0/8
Gi2/0/11, Gi2/0/12, Gi2/0/13
Gi2/0/14, Gi2/0/17, Gi2/0/20
Gi2/0/21, Gi2/0/22, Gi2/0/23
Ap2/0/1
9 Clients A active
20 Clients B active Gi1/0/12, Gi1/0/14, Gi2/0/24
21 WLAN 1 active
22 WLAN 2 active
23 WLAN 3 active
28 Server active Gi1/0/16, Gi1/0/18, Gi2/0/16
Gi2/0/18
70 Internet active
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------

100 VOICE active Gi1/0/12
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup

 

The rest comes tomorrow, but it should be ok. 

As I guess, the vlan28 SVI is not shown, so there is no inter-vlan

MHM

This post has output of show ip interface brief but I do not see vlan 28 in that output.

You have a post asking about whether access lists might impact access. It might. We have no way to know which access list is applied to what interface. Please post the configuration of the vlan interfaces for vlans 20 and 28.

HTH

Rick
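
The cross-check the two replies above did by eye (VLANs that carry access ports but have no addressed, up/up SVI on the switch) can be scripted. This is an added example, not part of the thread: the function names are hypothetical, and the sample text is a trimmed excerpt of the outputs posted above, used only as input data.

```python
import re

# Trimmed excerpts of the outputs posted in this thread (sample input only).
IP_INT_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan9 192.168.15.2 YES NVRAM up up
Vlan20 10.2.20.254 YES NVRAM up up
Vlan70 10.1.170.250 YES NVRAM up up
Vlan100 10.2.100.254 YES NVRAM up up
"""
VLAN_BRIEF = """\
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
9 Clients A active
20 Clients B active Gi1/0/12, Gi1/0/14, Gi2/0/24
28 Server active Gi1/0/16, Gi1/0/18, Gi2/0/16
Gi2/0/18
70 Internet active
100 VOICE active Gi1/0/12
1002 fddi-default act/unsup
"""

def routed_svis(ip_int_brief):
    """Return {vlan_id: ip} for SVIs that have an address and are up/up."""
    svis = {}
    for line in ip_int_brief.splitlines():
        m = re.match(r"Vlan(\d+)\s+(\S+)\s+.*\bup\s+up\s*$", line)
        if m and m.group(2) != "unassigned":
            svis[int(m.group(1))] = m.group(2)
    return svis

def vlans_with_ports(vlan_brief):
    """Return {vlan_id: [ports]} for active VLANs that have member ports."""
    vlans, current = {}, None
    for line in vlan_brief.splitlines():
        m = re.match(r"(\d+)\s+(.*?)\s+(active|act/unsup)\s*(.*)$", line)
        if m:
            current = int(m.group(1)) if m.group(3) == "active" else None
            ports = m.group(4)
        elif current is not None and re.match(r"\s*(Gi|Te|Ap|Po)\d", line):
            ports = line  # wrapped line that continues the port list
        else:
            continue
        if current is not None:
            found = [p.strip() for p in ports.split(",") if p.strip()]
            if found:
                vlans.setdefault(current, []).extend(found)
    return vlans

def unrouted_vlans(ip_int_brief, vlan_brief):
    """VLANs with access ports but no addressed, up/up SVI on this switch."""
    svis = routed_svis(ip_int_brief)
    return {v: p for v, p in vlans_with_ports(vlan_brief).items() if v not in svis}
```

A VLAN reported here is not necessarily misconfigured: its gateway may sit on another device, in which case the VLAN has to be carried there over a trunk.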

rumak18
Level 1

Hi guys,

Just to complete the question:

do you see server MAC and Host direct connect MAC in table

-> Yes, I see both devices with their MACs and both are in the correct VLAN.

But... I have to give up on this post. I've messed up. With the objective of preventing posting my real configuration I've mixed up the SVI and VLANs here. It makes no sense to investigate here, as it would be too confusing to break apart what the real configuration is.

Thank you guys for your help. I will open a new, clean entry for my problem with the real config. 

Here it is:

https://community.cisco.com/t5/routing/connected-device-to-switch-not-pingable-from-outside-the-switch/m-p/5093777#M398806

 

 

Don't worry

It has happened to all of us

Clear your mind and recheck your config

You are welcome any time

MHM
