02-12-2016 12:45 PM - edited 03-10-2019 01:06 PM
First off, I apologize. I'm not a networking guy. My knowledge level is novice at best.
I'm doing the firmware testing for an industrial motor drive.I have a small private network in my lab with a Catalyst 2950 switch (I know, it's old).
During normal operation, communications between the drive and the PLC use (mostly) UDP port 2222 (CIP Motion) and port 319 (IEEE-1588 PTP). This works fine with the default switch configuration. Everything is on VLAN1, all IPs are on the same subnet, nothing fancy at all.
The problem is that the switch appears to be blocking UDP port 8995, which our programming utility uses to push new firmware to the drive. During programming, a PC connects to the drive using that port. I have the interface that the drive is connected to spanned and I can the traffic from the PC, but no response from the drive. If I change to a basic hub or an unmanaged switch, the programming works fine, so it's definitely the 2950.
So, I created an ACL to allow all UDP. However, when I apply that ACL to the interface, ALL of the UDP ports stop working. 8995, 2222, and 319.
I was using Cisco Network Assistant (6.2) at first, then figured maybe there's a problem with that, so I tried with the CLI. I got the same result.
As I said, I'm no expert. So hopefully the answer is easy for someone here.
Thank you,
Jim
Switch#show running-config
Building configuration...
Current configuration : 1564 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname Switch
!
enable secret 5 $1$9LaI$04W3dstn817LM.GIXcUoL.
!
username *** privilege 15 secret 5 $1$NvSc$7aRHc1ItYiKb9f.Tvxn3t/
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
ip access-group 100 in
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
ip access-group 100 in
!
interface GigabitEthernet0/1
ip access-group 100 in
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.124.50 255.255.255.0
no ip route-cache
!
ip http server
access-list 100 permit udp any any
!
line con 0
exec-timeout 0 0
line vty 0 4
password Cisco
login
line vty 5 15
password Cisco
login
!
!
!
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Gi0/1
end
Switch#
Solved! Go to Solution.
02-13-2016 12:28 AM
Hi James,
The ACL you have created allows all UDP traffic alright, but because there are no other permit lines in it, all other traffic is blocked - TCP, ICMP, raw IP, etc. Cisco ACLs always use the logic of "what is not permitted will be denied". I suppose that it is the other traffic that is denied that causes the resulting UDP communication to fail as well (if, say, there should be a control channel established through another TCP connection that couldn't be set up).
However, I am also surprised at the notion that the switch should be blocking the UDP communication on a specific port. Your 2950 has absolutely no reason to do that. There might be something else in play here. As you are dealing with an embedded software that's doing networking, there is a possibility that some of the lower layer operations are not correct, and the 2950 being a solid switch drops frames that in some way exhibit peculiar properties.
Can you please provide the following details?
A Wireshark record of the programming session would be very helpful in providing these details. In fact, two independent recordings should be done: One that SPANs the port where the PC is connected, and another that SPANs the port where the drive is connected.
Before that, though, I suggest you do the following:
This config will do the trick (please keep the whitespaces around hyphens and commas in the interface range command exactly as shown, ideally do a copy&paste):
interface range fa0/1 - 24 , gi0/1 - 2
no ip access-group 100 in
switchport mode access
spanning-tree portfast
exit
no access-list 100
If these modifications do not help to make the programming work, would it be possible for you to record the SPANned traffic in Wireshark as suggested and post it here for further analysis?
Best regards,
Peter
02-13-2016 12:28 AM
Hi James,
The ACL you have created allows all UDP traffic alright, but because there are no other permit lines in it, all other traffic is blocked - TCP, ICMP, raw IP, etc. Cisco ACLs always use the logic of "what is not permitted will be denied". I suppose that it is the other traffic that is denied that causes the resulting UDP communication to fail as well (if, say, there should be a control channel established through another TCP connection that couldn't be set up).
However, I am also surprised at the notion that the switch should be blocking the UDP communication on a specific port. Your 2950 has absolutely no reason to do that. There might be something else in play here. As you are dealing with an embedded software that's doing networking, there is a possibility that some of the lower layer operations are not correct, and the 2950 being a solid switch drops frames that in some way exhibit peculiar properties.
Can you please provide the following details?
A Wireshark record of the programming session would be very helpful in providing these details. In fact, two independent recordings should be done: One that SPANs the port where the PC is connected, and another that SPANs the port where the drive is connected.
Before that, though, I suggest you do the following:
This config will do the trick (please keep the whitespaces around hyphens and commas in the interface range command exactly as shown, ideally do a copy&paste):
interface range fa0/1 - 24 , gi0/1 - 2
no ip access-group 100 in
switchport mode access
spanning-tree portfast
exit
no access-list 100
If these modifications do not help to make the programming work, would it be possible for you to record the SPANned traffic in Wireshark as suggested and post it here for further analysis?
Best regards,
Peter
02-16-2016 06:04 AM
Great news. Your suggested config changes worked. Everything is now working correctly.
I do believe the issue had something to do with the STP, because saw several spanning tree messages when the programming was failing.
Thank you very much for your advice. Now I have to document this somewhere for the future so I'll remember how to set it up again.
I have another related question, though. I need to be able to block one particular PTP port (319) to test the products response. How would I configure an ACL that I could apply to one port as needed to block only UDP 319 and allow everything else?
Thank you again for your help. It is much appreciated.
Jim
02-18-2016 07:13 AM
I think it would be like this:
Extended IP access list 100
10 deny udp any any eq 319
20 permit ip any any
That would deny at first, and everything else will be matched in the second statement, which is a permit statement with any as a source and destination.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide