
Can't access core switch with http

mcgiga
Level 1

Hi,

The core switch has several VLANs. Let's say the subnet of the management VLAN where all switches are located is 192.168.100.0/24. All VLANs on the core are separated in VRFs.

The core switch is accessible by ssh and http from within the management VLAN. When I try to access the core with http via VPN I don't get a response. The switch is reachable by ping. All other switches in the management VLAN are accessible via VPN. Only the core switch, which is the gateway of the management VLAN, is not.

For SSH, VRF-ALSO is needed to access the core switch from within the management VLAN. Is there something similar for http? Or maybe the reason is something different?

2 Accepted Solutions


Does the PC you use for the GUI have the same subnet as vlan123?

If not, the SW uses the default gateway, which is global?

MHM


When I add ip route 0.0.0.0 0.0.0.0 192.168.50.1 to the global routing table, it's working.

But why? For ssh it's not needed.


14 Replies

Try to check if http is VRF aware on your platform, which I don't think it is.

Hence you can only access http via global, not vrf.

MHM

ip http ? shows nothing vrf related.

But why can I ping the gateway on its IP address but not access it with http? Is there some difference for http?


>Hence you can only access http via global not vrf 
So there is a different way to get access via global?

ip http client source-interface Vlan123 <<- this vlan123 is in vrf or in global

This vlan decides in which RIB you can access http.

If vlan123 is in global then you can access via global.

If vlan123 is in vrf then you can access via vrf.

MHM

vlan 123 is in vrf VLAN_123. Routes are working. Traffic can reach the vlan and the vlan can reach the firewall.

Does the PC you use for the GUI have the same subnet as vlan123?

If not, the SW uses the default gateway, which is global?

MHM

The VPN client is located in its own vpn-subnet, i.e. 192.168.150.0/240.

The gateway of the SW is in global and http is not VRF aware.

I think that is why http does not work.

MHM

When I add ip route 0.0.0.0 0.0.0.0 192.168.50.1 to the global routing table, it's working.

But why? For ssh it's not needed.

@mcgiga 

Can you share the core config here? Or can you check if there is an Access List applied that could be preventing the core from being accessed from the management vlan on HTTP?

There is no access list, only for ssh access yet.

ip http server
ip http authentication local
ip http secure-server
ip http client source-interface Vlan123

And is this config supposed to be like this?   "ip http client source-interface Vlan123"

You are telling the core to send the http traffic to vlan 123.  Is vlan 123 the management vlan?

vlan 123 is the management vlan.

ip http client source-interface Vlan123 was needed so the switches in that vlan can access Cisco smart licensing via the firewall. Without that, the switches could not get to the backend of Cisco smart licensing.

no ip http client source-interface Vlan123 doesn't change anything.

sw#sh ip route vrf VLAN_123

Routing Table: VLAN_123

Gateway of last resort is 192.168.50.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.50.1
192.168.130.0/24 is variably subnetted, 2 subnets, 2 masks

So when all traffic is sent from VLAN 123 it should be routed via 0.0.0.0 to the transit network where the vpn client is reachable.
I am able to send a ping from the core switch to the vpn client. I can access the switch with ssh from vpn.

There must be something missing or wrong for http.

mcgiga
Level 1

Small update. SSH access to the core switch via VPN is working too. Only http is not working.

Don't you have a firewall blocking somewhere? Because it does not make sense.

If you run a packet capture on the core, do you see any traffic?