IP Blocking problem

EtherNation_Use
Contributor II
Create Date: Jan 29 2013 2:11PM

Hi

I'm having a strange problem where I don't know how to go further.

We have 5 Summit Switches (X460-24p/t & X460-48p/t) in a ring topology (with EAPS). Everything is working fine but now we saw that loading a certain website won't work.

The Setup is like this:

... SW3 <--> SW4 <--> SW5 <--> SW6 <--> Firewall <--> Internet

The website is working on SW5 and SW6 without problems. But SW4 and everything below won't load this certain page. With Wireshark I saw that the SYN packet is travelling to the website. The SYN ACK packet is coming back and leaving SW5. But on SW4 I can't see the packet arriving. It seems that SW4 is dropping the packet due to an IP restriction.

There are no ACLs configured on SW4. ip-security source-ip-lockdown isn't configured either. So at the moment I have no idea what the matter is. Does anyone have an idea that would be helpful?

Thanks in advance
TIDigi (from TIDigi)
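The diagnosis above rests on comparing captures at two points (SYN-ACK leaves SW5, never shows up on SW4). The following is an added example, not code from the original post, that automates that comparison: it indexes handshake packets by flow at each capture point and reports which server IPs have a SYN-ACK seen on the Internet side but not on the client side. The capture records, addresses and switch names inside it are constructed for the illustration.

```python
"""Correlate TCP handshake packets captured at two points to locate where
SYN-ACKs disappear.  Added illustration; the records below are constructed."""

from collections import defaultdict

# Constructed capture records: (capture_point, src_ip, src_port, dst_ip,
# dst_port, tcp_flags).  Flags are the names Wireshark shows.
CAPTURE = [
    # Client behind SW4 opens a connection to a web server (documentation IP).
    ("SW4", "10.1.1.20", 51000, "203.0.113.6", 80, {"SYN"}),
    ("SW5", "10.1.1.20", 51000, "203.0.113.6", 80, {"SYN"}),
    # SYN-ACK comes back: seen on SW5, never arrives at SW4.
    ("SW5", "203.0.113.6", 80, "10.1.1.20", 51000, {"SYN", "ACK"}),
    # A second site works end to end (control case).
    ("SW4", "10.1.1.20", 51001, "198.51.100.9", 443, {"SYN"}),
    ("SW5", "10.1.1.20", 51001, "198.51.100.9", 443, {"SYN"}),
    ("SW5", "198.51.100.9", 443, "10.1.1.20", 51001, {"SYN", "ACK"}),
    ("SW4", "198.51.100.9", 443, "10.1.1.20", 51001, {"SYN", "ACK"}),
]


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent 4-tuple so a SYN and its SYN-ACK share one key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)


def index_by_point(records):
    """Build {capture_point: {flow_key: {(kind, server_ip), ...}}}.

    kind is 'SYN' (client -> server) or 'SYN-ACK' (server -> client); the
    server IP is carried along so gaps can be reported per destination.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for point, sip, sport, dip, dport, flags in records:
        if "SYN" not in flags:
            continue  # only the handshake is needed to place the drop
        kind = "SYN-ACK" if "ACK" in flags else "SYN"
        server = sip if kind == "SYN-ACK" else dip
        seen[point][flow_key(sip, sport, dip, dport)].add((kind, server))
    return seen


def handshake_gaps(records, client_side, internet_side):
    """Return server IPs whose handshake packets vanish between two points.

    'syn_dropped_outbound': SYN seen at client_side but not at internet_side.
    'syn_ack_dropped_inbound': SYN-ACK seen at internet_side but not at
    client_side, i.e. the symptom in this thread.  Those IPs are what to
    check next against ACLs or IP-security features on the client-side switch.
    """
    seen = index_by_point(records)
    gaps = {"syn_dropped_outbound": set(), "syn_ack_dropped_inbound": set()}
    for key, events in seen[client_side].items():
        for kind, server in events:
            if kind == "SYN" and (kind, server) not in seen[internet_side].get(key, set()):
                gaps["syn_dropped_outbound"].add(server)
    for key, events in seen[internet_side].items():
        for kind, server in events:
            if kind == "SYN-ACK" and (kind, server) not in seen[client_side].get(key, set()):
                gaps["syn_ack_dropped_inbound"].add(server)
    return {name: sorted(ips) for name, ips in gaps.items()}


if __name__ == "__main__":
    for name, ips in handshake_gaps(CAPTURE, "SW4", "SW5").items():
        print(f"{name}: {ips or 'none'}")
```

Feeding it real data means exporting the two Wireshark captures (for example as CSV with source, destination, ports and flags) and converting each row into a record tuple; the control flow that works end to end is worth keeping in the input, since it confirms the capture points themselves are sound.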
7 REPLIES

EtherNation_Use
Contributor II
Create Date: Feb 26 2013 3:22PM

Does nobody have an idea what could cause this problem?

I still have the same problem that one website is getting blocked. The "SYN ACK" response seems to be dropped by SW4 for some reason. It could be that the source IP (website) is being dropped by SW4, but without an ACL I can't imagine what could cause this.

Thank you in advance
TiDigi (from TIDigi)

EtherNation_Use
Contributor II
Create Date: Jan 30 2013 8:52AM

Hey prusso

Thanks for your answer. There is no VLAN problem because everything is working except for this one special website. If I contact your website, for example, everything is working. So there is no problem with any VLAN; EAPS is also working normally. The only problem is the blocking of the special website. The SYN ACK packets won't go from SW5 to SW4...

SW4 #show edp ports 1:54

Port Neighbor Neighbor-ID Remote Age Num
Port Vlans
=============================================================================
1:54 SW5 00:00:02:04:96:51:c0:70 1:53 30 10
=============================================================================

The master of the ring is SW6

SW6 # show eaps

EAPS Enabled: Yes
EAPS Fast-Convergence: Off
EAPS Display Config Warnings: On
EAPS Multicast Add Ring Ports: Off
EAPS Multicast Send IGMP Query: On
EAPS Multicast Temporary Flooding: Off
EAPS Multicast Temporary Flooding Duration: 15 sec
Number of EAPS instances: 2
# EAPS domain configuration :
--------------------------------------------------------------------------------
Domain State Mo En Pri Sec Control-Vlan VID Count Prio
--------------------------------------------------------------------------------
hp_ring Complete M Y 1:53 1:54 hp_ring (4090) 1 H
np_ring Complete M Y 1:54 1:53 np_ring (4091) 7 N
--------------------------------------------------------------------------------


There are no problems with any of the 10 VLANs or the EAPS itself. The only problem we see is that one website can't be loaded. It doesn't matter from which VLAN we try to reach the page. It's working from SW5 and SW6 but not from SW4 because the SYN ACK packet is dropped on SW4.

It seems that the SW4 switch drops packets from the IP 81.18.23.6 (which is the IP of the website we try to reach).

What could be the cause of this behaviour? We don't have access-lists for this VLAN...

TIDigi (from TIDigi)

EtherNation_Use
Contributor II
Create Date: Jan 29 2013 8:33PM

Hey TIDigi

By default we do not restrict any traffic on the switch; everything is bridged with a VLAN of default and a protocol of any. One thing that may be an issue is if you created another VLAN and changed the protocol to something other than any. If you change it to IP, for example, then we limit it to only IP traffic.

Can you run show edp on the port from SW4 to SW5? I want to see if they see one another OK. Also, who is the master of the ring? Can you do a show eaps on the master and post that? Also, can you do a show config on the 6 switches and upload it?

As I mentioned, by default we do not block anything. EAPS will only block protected VLANs on the secondary port of the master.

P (from Paul_Russo)