02-20-2019 09:16 AM
I have a 4506 switch that I am having difficulties connecting to. My end-user traffic is passing through just fine. If I'm on another switch in my environment I can SSH into this switch. I can ping the management IP from any other switch in my environment. However, I cannot ping the switch from a PC nor can I SSH into the switch from a PC. Any help would be appreciated.
Here is my sanitized running config
Building configuration...
Current configuration : 35899 bytes
!
! Last configuration change at 03:45:16 CST Wed Feb 20 2019 by <deleted for privacy>
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname <deleted for privacy>
!
boot-start-marker
boot system flash bootflash:cat4500e-entservicesk9-mz.152-1.E1.bin
boot-end-marker
!
vrf definition mgmtVrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 <deleted for privacy>
!
username <deleted for privacy> password 7 <deleted for privacy>
aaa new-model
!
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
!
ip domain-name <deleted for privacy>
ip name-server <deleted for privacy>
ip name-server <deleted for privacy>
ip device tracking
ip dhcp excluded-address <deleted for privacy>
ip dhcp excluded-address <deleted for privacy>
!
ip dhcp pool <deleted for privacy>PCs
network <deleted for privacy>
default-router <deleted for privacy>
dns-server <deleted for privacy>
domain-name <deleted for privacy>
!
vtp domain null
vtp mode off
!
crypto pki trustpoint TP-self-signed-<deleted for privacy>
!
crypto pki certificate chain TP-self-signed-<deleted for privacy>
!
power redundancy-mode redundant
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 30
name MoreVoice
!
vlan 36
!
vlan 38
name Phones
!
vlan 43
name data43
!
vlan 54
!
vlan 60
name Network Devices
!
vlan 510
name Data1
!
vlan 511
name Data
!
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh version 2
!
interface FastEthernet1
vrf forwarding mgmtVrf
no ip address
shutdown
speed auto
duplex auto
!
interface TenGigabitEthernet1/1 ###This is the trunk port connecting back to my core switch
switchport mode trunk
!
<content removed for brevity>
!
interface Vlan1
no ip address
shutdown
!
interface Vlan36
no ip address
!
interface Vlan43
ip address <deleted for privacy>
shutdown
!
interface Vlan60
ip address <deleted for privacy> ###This is my management vlan
!
interface Vlan510
no ip address
!
interface Vlan511
no ip address
!
ip default-gateway <deleted for privacy>
ip http server
ip http secure-server
ip forward-protocol nd
!
snmp-server community <deleted for privacy>
!
line con 0
logging synchronous
stopbits 1
line vty 0 4
logging synchronous
transport input telnet ssh
line vty 5 15
logging synchronous
transport input telnet ssh
!
ntp server 192.5.41.209
ntp server 198.30.92.2
end
02-20-2019 09:25 AM - edited 02-20-2019 09:25 AM
I can't see a default gateway on your device, is there one?
02-20-2019 09:27 AM
Right here at the end of the config
ip default-gateway <deleted for privacy>
ip http server
ip http secure-server
ip forward-protocol nd
!
snmp-server community <deleted for privacy>
!
line con 0
logging synchronous
stopbits 1
line vty 0 4
logging synchronous
transport input telnet ssh
line vty 5 15
logging synchronous
transport input telnet ssh
!
ntp server 192.5.41.209
ntp server 198.30.92.2
end
02-20-2019 09:32 AM
02-20-2019 09:38 AM
Yes, my PC is on this network. In fact, I can use my PC to SSH into the core switch, and then from there SSH into the switch in question. However, if I try to SSH directly to the switch in question I cannot access it. Also, while using my PC to SSH into the core switch, I can ping the switch in question, but I cannot ping the switch in question directly from my PC.
02-20-2019 09:44 AM
02-20-2019 10:07 AM
I doubt this is the case, since I have other switches connected to this core switch that I can SSH into from my PC without any problem. But here is the output anyway:
Standard IP access list 2
10 permit any
Extended IP access list 101
10 permit udp any any eq bootps (1102712 matches)
Extended IP access list 199
10 deny ip host 10.254.230.47 any
20 deny ip any host 10.254.230.47
30 permit ip any any
Extended IP access list AutoQos-4.0-ACL-Bulk-Data
10 permit tcp any any eq ftp
20 permit tcp any any eq ftp-data
30 permit tcp any any eq 22
40 permit tcp any any eq smtp
50 permit tcp any any eq 465
60 permit tcp any any eq 143
70 permit tcp any any eq 993
80 permit tcp any any eq pop3
90 permit tcp any any eq 995
100 permit tcp any any eq 1914
Extended IP access list AutoQos-4.0-ACL-Default
10 permit ip any any
Extended IP access list AutoQos-4.0-ACL-Multimedia-Conf
10 permit udp any any range 16384 32767
Extended IP access list AutoQos-4.0-ACL-Scavenger
10 permit tcp any any eq 1214
20 permit udp any any eq 1214
30 permit tcp any any range 2300 2400
40 permit udp any any range 2300 2400
50 permit tcp any any eq 3689
60 permit udp any any eq 3689
70 permit tcp any any range 6881 6999
80 permit tcp any any eq 11999
90 permit tcp any any range 28800 29100
Extended IP access list AutoQos-4.0-ACL-Signaling
10 permit tcp any any range 2000 2002
20 permit tcp any any range 5060 5061
30 permit udp any any range 5060 5061
Extended IP access list AutoQos-4.0-ACL-Transactional-Data
10 permit tcp any any eq 443
20 permit tcp any any eq 1521
30 permit udp any any eq 1521
40 permit tcp any any eq 1526
50 permit udp any any eq 1526
60 permit tcp any any eq 1575
70 permit udp any any eq 1575
80 permit tcp any any eq 1630
90 permit udp any any eq 1630
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
10 permit ospf any any
Extended IP access list system-cpp-pim
10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
10 permit ip any host 224.0.0.9
02-20-2019 10:03 AM
Hi @cloksin,
It seems that you have not indicated the way in which the user was authenticated in the VTY lines.
For example, for a local authentication:
line vty 0 4
logging synchronous
transport input telnet ssh
login local
line vty 5 15
logging synchronous
transport input telnet ssh
login local
Regards
02-20-2019 10:05 AM - edited 02-20-2019 10:10 AM
aaa new-model
!
aaa session-id common
These two lines take care of the authentication. If you were to have login or login local on the vty lines, and then add the two aaa lines, the login and login local lines would disappear from your running config.
Also, if this was the case, I wouldn't be able to SSH into the switch from another switch, which I can.
02-20-2019 10:27 AM
Hi @cloksin,
OK, just to rule it out, enter this command in the vty lines and try:
login authentication default
Regards
02-20-2019 10:48 AM
It's not an authentication issue, that wouldn't affect whether or not I would be able to ping the switch from my PC.
02-20-2019 10:35 AM
02-20-2019 10:55 AM
Tried this, I am NOT able to ping the default gateway.
02-20-2019 11:01 AM
02-20-2019 11:18 AM
The default gateway is definitely correct. I've pinged it from several other devices, including the device I'm using to connect to the switch that isn't working properly.
All vlans are allowed on the trunk. The switch in question is using port Te1/1, the core switch is using port Te7/1. Result of show int trunk on the switch in question:
Port        Mode             Encapsulation  Status        Native vlan
Te1/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Te1/1       1-4094

Port        Vlans allowed and active in management domain
Te1/1       1,30,36,38,43,54,60,510-511

Port        Vlans in spanning tree forwarding state and not pruned
Te1/1       1,30,36,38,43,54,60,510-511
Result of show int trunk on the core switch:
Port        Mode             Encapsulation  Status        Native vlan
Te7/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Te7/1       1-4094

Port        Vlans allowed and active in management domain
Te7/1       1,10-11,30,36,38-49,51,54-55,57-58,60,69,100-102,104,108,112,116,120,124,130-131,199,203,500-501,510-511,520,720,850,901,911-912,921,2222,3001

Port        Vlans in spanning tree forwarding state and not pruned
Te7/1       1,10-11,30,36,38-49,51,54-55,57-58,60,69,100-102,104,108,112,116,120,124,130-131,199,203,500-501,510-511,520,720,850,901,911-912,921,2222,3001
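A small checker, added here as an example and not part of the thread, that parses both `show interfaces trunk` outputs above (embedded as constructed sample text) and reports whether the management VLAN is trunking, allowed, active and forwarding on each end of the Te1/1 - Te7/1 link. It generalizes to any VLAN id and any number of trunk outputs; a pass only rules the trunk out, since the gateway and any ACLs are not covered.

```python
# Constructed sample: the two "show interfaces trunk" outputs quoted in the last post.
ACCESS_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Te1/1       on               802.1q         trunking      1
Port        Vlans allowed on trunk
Te1/1       1-4094
Port        Vlans allowed and active in management domain
Te1/1       1,30,36,38,43,54,60,510-511
Port        Vlans in spanning tree forwarding state and not pruned
Te1/1       1,30,36,38,43,54,60,510-511
"""
CORE_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Te7/1       on               802.1q         trunking      1
Port        Vlans allowed on trunk
Te7/1       1-4094
Port        Vlans allowed and active in management domain
Te7/1       1,10-11,30,36,38-49,51,54-55,57-58,60,69,100-102,104,108,112,116,120,124,130-131,199,203,500-501,510-511,520,720,850,901,911-912,921,2222,3001
Port        Vlans in spanning tree forwarding state and not pruned
Te7/1       1,10-11,30,36,38-49,51,54-55,57-58,60,69,100-102,104,108,112,116,120,124,130-131,199,203,500-501,510-511,520,720,850,901,911-912,921,2222,3001
"""
def expand_vlans(spec):
    """Expand a Cisco VLAN list such as '1,10-11,30' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")   # "60" -> ("60", "", ""), "10-11" -> ("10", "-", "11")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk(output):
    """Parse 'show interfaces trunk' into {port: {status, native, allowed, active, forwarding}}."""
    ports, section = {}, None
    for line in filter(str.strip, output.splitlines()):
        if line.startswith("Port"):  # section header; the Mode/Status header maps to None
            section = next((k for k in ("forwarding", "active", "allowed") if k in line), None)
            continue
        fields = line.split()
        if section is None:  # e.g. "Te1/1  on  802.1q  trunking  1"
            ports[fields[0]] = {"status": fields[3], "native": int(fields[4])}
        else:
            ports[fields[0]][section] = expand_vlans(fields[1])
    return ports
def vlan_check(vlan, *outputs):
    """Per trunk port across all outputs: is the VLAN trunking, allowed, active and forwarding?"""
    return {port: {"trunking": p["status"] == "trunking", "allowed": vlan in p["allowed"],
                   "active": vlan in p["active"], "forwarding": vlan in p["forwarding"]}
            for out in outputs for port, p in parse_trunk(out).items()}

def vlan_ok_end_to_end(vlan, *outputs):
    """True only when every condition holds on every trunk port given."""
    return all(all(flags.values()) for flags in vlan_check(vlan, *outputs).values())
```

Running `vlan_check(60, ACCESS_TRUNK, CORE_TRUNK)` shows VLAN 60 passing on both Te1/1 and Te7/1, which matches the poster's conclusion that the trunk is not the problem.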