Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7106
Views
5
Helpful
3
Replies

UDP ports blocked on Catalyst 2950

Go to solution
james.smart1
Level 1
Level 1

‎02-12-2016 12:45 PM - edited ‎03-10-2019 01:06 PM

First off, I apologize. I'm not a networking guy. My knowledge level is novice at best.

I'm doing the firmware testing for an industrial motor drive.I have a small private network in my lab with a Catalyst 2950 switch (I know, it's old).

During normal operation, communications between the drive and the PLC use (mostly) UDP port 2222 (CIP Motion) and port 319 (IEEE-1588 PTP). This works fine with the default switch configuration. Everything is on VLAN1, all IPs are on the same subnet, nothing fancy at all.

The problem is that the switch appears to be blocking UDP port 8995, which our programming utility uses to push new firmware to the drive. During programming, a PC connects to the drive using that port. I have the interface that the drive is connected to spanned and I can the traffic from the PC, but no response from the drive. If I change to a basic hub or an unmanaged switch, the programming works fine, so it's definitely the 2950.

So, I created an ACL to allow all UDP. However, when I apply that ACL to the interface, ALL of the UDP ports stop working. 8995, 2222, and 319.

I was using Cisco Network Assistant (6.2) at first, then figured maybe there's a problem with that, so I tried with the CLI. I got the same result.

As I said, I'm no expert. So hopefully the answer is easy for someone here.

Thank you,

Jim

Switch#show running-config
Building configuration...

Current configuration : 1564 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname Switch
!
enable secret 5 $1$9LaI$04W3dstn817LM.GIXcUoL.
!
username *** privilege 15 secret 5 $1$NvSc$7aRHc1ItYiKb9f.Tvxn3t/
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
 ip access-group 100 in
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 ip access-group 100 in
!
interface GigabitEthernet0/1
 ip access-group 100 in
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.124.50 255.255.255.0
 no ip route-cache
!
ip http server
access-list 100 permit udp any any
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password Cisco
 login
line vty 5 15
 password Cisco
 login
!
!
!
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Gi0/1
end

Switch#

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎02-13-2016 12:28 AM

Hi James,

The ACL you have created allows all UDP traffic alright, but because there are no other permit lines in it, all other traffic is blocked - TCP, ICMP, raw IP, etc. Cisco ACLs always use the logic of "what is not permitted will be denied". I suppose that it is the other traffic that is denied that causes the resulting UDP communication to fail as well (if, say, there should be a control channel established through another TCP connection that couldn't be set up).

However, I am also surprised at the notion that the switch should be blocking the UDP communication on a specific port. Your 2950 has absolutely no reason to do that. There might be something else in play here. As you are dealing with an embedded software that's doing networking, there is a possibility that some of the lower layer operations are not correct, and the 2950 being a solid switch drops frames that in some way exhibit peculiar properties.

Can you please provide the following details?

  • What exact source and destination IP address is used for this communication?
  • What exact source and destination MAC address is used for this communication?
  • Is it possible that the frames sent by the PC during the programming are shorter than 64 bytes in total (60 bytes shown in Wireshark as the frame checksum is not displayed)?
  • Is it possible that during the programming, the port on the drive changes link speed? That would cause the switch port to become temporarily blocked by Spanning Tree Protocol (STP) for up to 30 seconds.

A Wireshark record of the programming session would be very helpful in providing these details. In fact, two independent recordings should be done: One that SPANs the port where the PC is connected, and another that SPANs the port where the drive is connected.

Before that, though, I suggest you do the following:

  1. Remove the ACL you have configured
  2. Set up all ports as static access ports - this will save some time during their link-up during which these ports try to find out if they're connected to another Cisco switch
  3. Set up all ports as PortFast ports - this will tell STP that these ports are guaranteed to be connected to end hosts that will not cause a switching loop, and so can be unblocked immediately, shaving off 30 seconds of being blocked. This will also prevent blockings the port for 30 seconds if it flaps momentarily or changes speed, which is what could be happening during reflashing of the drive.

This config will do the trick (please keep the whitespaces around hyphens and commas in the interface range command exactly as shown, ideally do a copy&paste):

interface range fa0/1 - 24 , gi0/1 - 2
 no ip access-group 100 in
 switchport mode access
 spanning-tree portfast
 exit
no access-list 100

If these modifications do not help to make the programming work, would it be possible for you to record the SPANned traffic in Wireshark as suggested and post it here for further analysis?

Best regards,
Peter

View solution in original post

3 Replies 3

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎02-13-2016 12:28 AM

Hi James,

The ACL you have created allows all UDP traffic alright, but because there are no other permit lines in it, all other traffic is blocked - TCP, ICMP, raw IP, etc. Cisco ACLs always use the logic of "what is not permitted will be denied". I suppose that it is the other traffic that is denied that causes the resulting UDP communication to fail as well (if, say, there should be a control channel established through another TCP connection that couldn't be set up).

However, I am also surprised at the notion that the switch should be blocking the UDP communication on a specific port. Your 2950 has absolutely no reason to do that. There might be something else in play here. As you are dealing with an embedded software that's doing networking, there is a possibility that some of the lower layer operations are not correct, and the 2950 being a solid switch drops frames that in some way exhibit peculiar properties.

Can you please provide the following details?

  • What exact source and destination IP address is used for this communication?
  • What exact source and destination MAC address is used for this communication?
  • Is it possible that the frames sent by the PC during the programming are shorter than 64 bytes in total (60 bytes shown in Wireshark as the frame checksum is not displayed)?
  • Is it possible that during the programming, the port on the drive changes link speed? That would cause the switch port to become temporarily blocked by Spanning Tree Protocol (STP) for up to 30 seconds.

A Wireshark record of the programming session would be very helpful in providing these details. In fact, two independent recordings should be done: One that SPANs the port where the PC is connected, and another that SPANs the port where the drive is connected.

Before that, though, I suggest you do the following:

  1. Remove the ACL you have configured
  2. Set up all ports as static access ports - this will save some time during their link-up during which these ports try to find out if they're connected to another Cisco switch
  3. Set up all ports as PortFast ports - this will tell STP that these ports are guaranteed to be connected to end hosts that will not cause a switching loop, and so can be unblocked immediately, shaving off 30 seconds of being blocked. This will also prevent blockings the port for 30 seconds if it flaps momentarily or changes speed, which is what could be happening during reflashing of the drive.

This config will do the trick (please keep the whitespaces around hyphens and commas in the interface range command exactly as shown, ideally do a copy&paste):

interface range fa0/1 - 24 , gi0/1 - 2
 no ip access-group 100 in
 switchport mode access
 spanning-tree portfast
 exit
no access-list 100

If these modifications do not help to make the programming work, would it be possible for you to record the SPANned traffic in Wireshark as suggested and post it here for further analysis?

Best regards,
Peter

Go to solution
james.smart1
Level 1
Level 1
In response to Peter Paluch

‎02-16-2016 06:04 AM

Great news. Your suggested config changes worked. Everything is now working correctly.

I do believe the issue had something to do with the STP, because saw several spanning tree messages when the programming was failing.

Thank you very much for your advice. Now I have to document this somewhere for the future so I'll remember how to set it up again.

I have another related question, though. I need to be able to block one particular PTP port (319) to test the products response. How would I configure an ACL that I could apply to one port as needed to block only UDP 319 and allow everything else?

Thank you again for your help. It is much appreciated.

Jim

0 Helpful

Go to solution
David Samuel Penaloza Seijas
Spotlight
Spotlight
In response to james.smart1

‎02-18-2016 07:13 AM

I think it would be like this:

Extended IP access list 100

10 deny udp any any eq 319

20 permit ip any any

That would deny at first, and everything else will be matched in the second statement, which is a permit statement with any as a source and destination.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card