L3 as a Router - Questions and advice

jayu
Level 1

We currently have an old AdTran L3 device pulling from a Fortigate firewall and feeding old switches.  To replace these old things we got two new Cisco C9300L units, one L3 one L2.  I'm trying to configure the L3 to be as closely matching to the old AdTran L3 as I can but things aren't working out as well as expected.  

Questions: 

1. What are the bare-minimum things needed to make this configuration work

2. What security 'extras' should I consider adding since there's not going to be an actual 'router' in the mix

3. What possible issues might I end up with going forward

Concerns so far:

1. My current config of the L3 and L2 C9300L's have proven tricky.  The L3 is currently hooked into one of the old AdTrans for connectivity and successfully pulls data from the rest of the network without issue.  The L2 plugged directly into the L3, however, does not...

2. Porting VLAN's via VTP has proven to be effective as even though the L2 device can't seem to PING to/from anything, it's pulling neighbor statements from the L3 (LLDP and CDP both) as well as VTP configs.  Once it's pulling from upstream, it should start receiving info from the DHCP/DNS server and be able to hand out IP assignments.

3. I'm a total noob at this, my background is mostly System Admin and Support side but I'm confident that with a little nudge in the right direction I can make this config work!

I've attached the 'cleaned' L2 and L3 configs.  Please note that the L3 does not yet have any routing info because we're not ready to cut over from the old system.

24 Replies

balaji.bandi
Hall of Fame

Not sure if this works, since your explanation is a bit confusing.

But try the following:

On the Layer 3 switch (if you want it to act as Layer 3 and have routing work, do as below):

no ip default-gateway 192.168.4.3

ip routing

ip route 0.0.0.0 0.0.0.0 192.168.4.3

On Layer2 :

If you are using the management port in a VRF, that is a separate VRF routing table, so it only works if you are using separate management.

You do not mention what your network diagram looks like, or where this switch is connected in the network.

default interface GigabitEthernet0/0

interface Vlan172
 ip address 192.168.4.19 255.255.255.0

On both switches, make sure the respective VLANs are created; check with show vlan.

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for the prompt reply, the routing config is super helpful!  I can test that without taking down the existing network.

To clear up a bit on the 2nd switch:
The C9300L series has GIG0/0 as a port on the back, totally unrouted and only accessible by physical ETH port to laptop.  I use this when I want to access the CLI only.  VRF is only on by default and will not actively be used (I will probably disable it, to prevent issues).  
Both switches are in the same rack, directly below each other and connected by Int GIG1/0/24 via trunk.  As VLAN 172 is propagating via VTP, will it cause problems to assign an IP address to it here?  I can run the show VLAN command and see all four VLAN's pulling across properly.  

As VLAN 172 is propagating via VTP, will it cause problems to assign an IP address to it here?

If this is pure Layer 2 and you are able to manage the device using the console, that is OK, but you do not need the VRF management config; that works in a different way.

If you connect this Layer 2 switch and all VLANs are populated, the device's Layer 2 access ports should work as expected.

Post show spanning-tree brief.

BB


Spanning attached (no brief version, sorry).  I'll go ahead and set the VRF to None on both switches to play it safe.  No reason to have that going.


@balaji.bandi wrote:

no ip default-gateway 192.168.4.3

ip routing

ip route 0.0.0.0 0.0.0.0 192.168.4.3

As soon as I entered the IP Routing command, I lost the web console... is that normal/expected behavior?

Hate to post-flood but I updated the configs slightly.  I had to log into the Adtran to get all the routes as it wasn't dumping them in the config export.  

Looks like I'm still missing something though because when I add an IP to VLAN 101 and enable it, the whole switch becomes inactive.  

As I promised, check the issue of the management port:
the management interface is for out-of-band management and it is not routable via a network port,
so it looks like a console port.
For management via VTY/Telnet or HTTP you need a special VLAN (management VLAN) and you need to assign an IP to this VLAN in all switches, L2 and L3.

I'll have to come up with a new subnet then to pass around all the switches for access so that I'm not crossing over VLAN 172's IP range.

Hello,

as far as I recall, the AdTrans have a command line very similar to that of Cisco. There is, I think, a command 'show running-config' on the AdTran. If you can post the output of that command from the AdTran, we can compare both configs (that of the 9300 L3 and the AdTran L3)...

Cleaned up the config and posted it here.  Thanks Georg!

Hello,

thanks for the config, I'll have a look...

Hello,

you need to make the changes marked with -->, at the very minimum. The IP helper addresses on the AdTran are different, or missing altogether, on the Cisco L3 switch. If the targets for the DHCP servers have not changed, configure the same IP helper addresses on the L3:

Building configuration...
Current configuration : 11961 bytes
!
! Last configuration change at 10:55:41 CST Fri Sep 2 2022 by Cisco_Admin
! NVRAM config last updated at 10:54:04 CST Fri Sep 2 2022
!
version 17.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform punt-keepalive disable-kernel-core
!
hostname XX
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no aaa new-model
clock timezone CST -6 0
clock summer-time CST recurring
boot system switch all flash:packages.conf
switch 1 provision c9300l-24t-4x
!
--> ip routing
!
no ip domain lookup
ip domain name XX
ip dhcp excluded-address 192.168.4.0 192.168.4.89
!
login on-success log
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-776818790
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-776818790
revocation-check none
rsakeypair TP-self-signed-776818790
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01<Cert Removed>
quit
crypto pki certificate chain TP-self-signed-776818790
certificate self-signed 01<Cert Removed>
quit
!
license boot level network-advantage addon dna-advantage
memory free low-watermark processor 133114
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
et-analytics
!
username XX
!
redundancy
mode sso
crypto engine compliance shield disable
!
transceiver type all
monitoring
!
lldp run
!
class-map match-any system-cpp-police-ewlc-control
description EWLC Control
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
description EWLC Data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
description High Rate Applications
class-map match-any system-cpp-police-multicast
description MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-ios-routing
description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet1/0/1
description Link to Firewall (not active yet)
switchport access vlan 102
shutdown
!
interface GigabitEthernet1/0/2 (Link back to old network)
switchport access vlan 172
!
interface GigabitEthernet1/0/3
switchport access vlan 172
!
interface GigabitEthernet1/0/4
switchport access vlan 172
!
interface GigabitEthernet1/0/5
switchport access vlan 172
!
interface GigabitEthernet1/0/6
switchport access vlan 172
!
interface GigabitEthernet1/0/7
switchport access vlan 172
!
interface GigabitEthernet1/0/8
switchport access vlan 172
!
interface GigabitEthernet1/0/9
switchport access vlan 172
!
interface GigabitEthernet1/0/10
switchport access vlan 172
!
interface GigabitEthernet1/0/11
switchport access vlan 172
!
interface GigabitEthernet1/0/12
switchport access vlan 172
!
interface GigabitEthernet1/0/13
switchport access vlan 101
!
interface GigabitEthernet1/0/14
switchport access vlan 101
!
interface GigabitEthernet1/0/15
switchport access vlan 101
!
interface GigabitEthernet1/0/16
switchport access vlan 101
!
interface GigabitEthernet1/0/17
switchport access vlan 101
!
interface GigabitEthernet1/0/18
switchport access vlan 101
!
interface GigabitEthernet1/0/19
switchport access vlan 101
!
interface GigabitEthernet1/0/20
switchport access vlan 101
!
interface GigabitEthernet1/0/21
switchport access vlan 101
!
interface GigabitEthernet1/0/22
switchport access vlan 101
!
interface GigabitEthernet1/0/23
switchport access vlan 101
!
interface GigabitEthernet1/0/24 (Link to L2 switch)
switchport trunk native vlan 172
switchport trunk allowed vlan 100-102,172
switchport mode trunk
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface AppGigabitEthernet1/0/1
!
interface Vlan1
ip address 192.168.5.1 255.255.255.0 (Hope to manage switches here)
!
interface Vlan100
ip address 192.168.1.4 255.255.255.0
ip helper-address 192.168.4.31
!
interface Vlan101
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.4.31
shutdown
!
interface Vlan102
ip address 192.168.3.254 255.255.255.0
!
interface Vlan172
ip address 192.168.4.1 255.255.255.0
ip helper-address 192.168.4.31
!
--> no ip default-gateway 192.168.4.3
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint TP-self-signed-776818790
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip route 192.168.4.0 255.255.255.0 Vlan172 0.0.0.0
ip route 192.168.1.0 255.255.255.0 Vlan100 0.0.0.0
ip route 192.168.2.0 255.255.255.0 Vlan101 0.0.0.0
ip route 192.168.3.0 255.255.255.0 Vlan102 0.0.0.0
ip route 192.168.5.0 255.255.255.0 Vlan1 0.0.0.0
!
snmp-server community XX RO
snmp-server location Main closet
snmp-server contact IT
snmp-server host 192.168.3.13 XX udp-port 161
snmp-server manager
!
control-plane
service-policy input system-cpp-policy
!
banner
!
line con 0
password 7 04795B16587354400D10014E473E4F283B28652D24
login
stopbits 1
line vty 0
login local
length 0
transport input ssh
line vty 1 4
login local
transport input ssh
line vty 5 97
login local
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
ntp server 192.168.4.31 prefer
!
!
end
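Added example, not from any post in this thread and not a Cisco tool: a small Python linter that runs the checks discussed above over a trimmed, constructed copy of the posted L3 config. It covers balaji.bandi's routing-mode commands (ip routing replaces ip default-gateway, plus a default route), Georg's helper-address point, the Mgmt-vrf out-of-band limitation, and whether the trunk to the L2 switch actually carries the VLAN the poster hopes to manage from. It closes with exposure checks on services the posted config enables (plaintext HTTP next to HTTPS, telnet on a VTY line, an SNMPv2c community with no access-list). The sample lines, check names and messages are this example's own.

```python
"""Linter for the cut-over items raised in this thread: ip routing vs. ip default-gateway,
a default route, DHCP helper addresses per SVI, in-band management when Gi0/0 sits in
Mgmt-vrf, and a few exposure checks. Constructed example: the sample is a trimmed copy
of the posted L3 config; the checks and messages are this example's own, not Cisco tooling."""
import ipaddress
import re

# Constructed sample, trimmed from the posted L3 config and still carrying the two lines
# Georg marked (no "ip routing", "ip default-gateway" still present).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
!
interface GigabitEthernet1/0/24
 switchport trunk allowed vlan 100-102,172
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan172
 ip address 192.168.4.1 255.255.255.0
 ip helper-address 192.168.4.31
!
ip default-gateway 192.168.4.3
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.3.1
snmp-server community XX RO
line vty 5 97
 login local
 transport input telnet ssh
"""

def parse_blocks(config: str) -> dict:
    """Split an IOS config into {"": [global lines], "interface X": [its sub-lines], ...}."""
    blocks, current = {"": []}, ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented line belongs to the open interface/line block
            blocks[current].append(raw.strip())
            continue
        blocks[""].append(raw)
        current = raw if re.match(r"^(interface|line) ", raw) else ""
        blocks.setdefault(current, [])
    return blocks

def vlan_set(spec: str) -> set:
    # Expand a trunk allowed-vlan spec such as '100-102,172' into {100, 101, 102, 172}.
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def check_config(config: str) -> dict:
    """Return findings grouped by topic; an empty list means that topic passed."""
    blocks = parse_blocks(config)
    top = blocks[""]
    f = {"routing": [], "dhcp_relay": [], "management": [], "hygiene": []}
    # 1. Routing mode: ip default-gateway applies only while ip routing is off.
    if "ip routing" not in top:
        f["routing"].append("'ip routing' absent: SVIs will not route between VLANs")
    if any(l.startswith("ip default-gateway ") for l in top):
        f["routing"].append("'ip default-gateway' is ignored once ip routing is on; use a default route instead")
    if not any(l.startswith("ip route 0.0.0.0 0.0.0.0 ") for l in top):
        f["routing"].append("no default route configured")
    # 2. Collect SVIs (subnet + DHCP helpers), trunk allowed lists and Mgmt-vrf ports.
    svis, allowed = {}, set()
    for name, lines in blocks.items():
        if name.startswith("interface Vlan"):
            addr = next((l for l in lines if l.startswith("ip address ")), None)
            if addr:
                ip, mask = addr.split()[2:4]
                helpers = [l.split()[-1] for l in lines if l.startswith("ip helper-address ")]
                svis[name.split()[1]] = (ipaddress.ip_interface(f"{ip}/{mask}").network, helpers)
        elif "switchport mode trunk" in lines:
            for l in lines:
                if l.startswith("switchport trunk allowed vlan "):
                    allowed |= vlan_set(l.split()[-1])
        elif "vrf forwarding Mgmt-vrf" in lines:
            f["management"].append(f"{name.split()[1]} is in Mgmt-vrf: out-of-band only, unreachable via the data VLANs")
    for vlan, (net, helpers) in svis.items():
        if not helpers:
            f["dhcp_relay"].append(f"{vlan} ({net}) has no ip helper-address; confirm whether its clients need DHCP relay")
        if allowed and int(vlan[4:]) not in allowed:  # 3. an SVI is useless downstream if no trunk carries it
            f["management"].append(f"{vlan} ({net}) is not in any trunk's allowed list, so the L2 switch cannot reach it")
    # 4. Exposure checks on services the posted config enables.
    if "ip http server" in top:
        f["hygiene"].append("'ip http server' keeps plaintext HTTP on next to HTTPS; keep only 'ip http secure-server'")
    for name, lines in blocks.items():
        for l in lines:
            if name.startswith("line vty") and l.startswith("transport input ") and "telnet" in l.split():
                f["hygiene"].append(f"{name}: '{l}' permits telnet; restrict to 'transport input ssh'")
    for l in top:
        if l.startswith("snmp-server community ") and len(l.split()) <= 4:
            f["hygiene"].append(f"'{l}': SNMPv2c community with no access-list limiting who may query it")
    return f
```

On the sample it reports the missing ip routing and the leftover ip default-gateway, flags Vlan1 as absent from the trunk allowed list (the posted Gi1/0/24 allows 100-102,172 only, so a 192.168.5.x management address would never reach the L2 switch over that trunk), and lists the three exposure items. The parser relies on the leading space that IOS puts in front of sub-commands; the copy pasted into this thread has lost that indentation, so run it on a fresh show running-config rather than on the text above.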

I've seen that suggested elsewhere but when I remove the default gateway and add the routing command I lose access to the Web interface altogether.  I don't think that's expected or normal behavior.  Thinking that until I'm ready to 'cut-over' from the old network to the new I might be at a stand-still.  I have my firewall hooked up but the port is admin-down until I'm sure it's not going to cause issues with the production network as it stands.

By changing the default to routing mode you should not lose any connection, unless we are missing something here about how and where you are connected in the network. The default gateway is used when switching at Layer 2, and with Layer 3 ip routing will be used.

Since we are not familiar with your network and how it is connected, as suggested in the first post, make some drawings and post them here so that what we suggest to you is correct.

BB

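Added example, not from any post: a Python model of the forwarding decision balaji.bandi describes above, built from the SVI subnets and static routes in the posted L3 config plus a constructed off-subnet management station (192.168.10.50). It compares three states: the switch before the change (no ip routing, ip default-gateway 192.168.4.3), the posted config with ip routing enabled (default route to 192.168.3.1), and ip routing with the default route balaji.bandi suggested (192.168.4.3). The model ignores interface state, ARP and VRFs; it is only the lookup rule.

```python
"""Model of the forwarding decision balaji.bandi describes: while ip routing is off the
switch behaves like a host and sends everything off-subnet to ip default-gateway; once
ip routing is on, the route table decides by longest prefix match. Added example, not
from any post: SVI subnets and static routes are those of the posted L3 config, the
management station address is constructed."""
import ipaddress
from typing import Optional

Net = ipaddress.IPv4Network
# Connected SVI subnets from the posted config.
CONNECTED = {
    "Vlan1": Net("192.168.5.0/24"), "Vlan100": Net("192.168.1.0/24"),
    "Vlan101": Net("192.168.2.0/24"), "Vlan102": Net("192.168.3.0/24"),
    "Vlan172": Net("192.168.4.0/24"),
}
# Static routes from the posted config, as (prefix, next hop or exit SVI).
POSTED_ROUTES = [
    (Net("0.0.0.0/0"), "192.168.3.1"),
    (Net("192.168.4.0/24"), "Vlan172"), (Net("192.168.1.0/24"), "Vlan100"),
    (Net("192.168.2.0/24"), "Vlan101"), (Net("192.168.3.0/24"), "Vlan102"),
    (Net("192.168.5.0/24"), "Vlan1"),
]
# The default route balaji.bandi suggested instead, pointing at the old AdTran.
SUGGESTED_ROUTES = [(Net("0.0.0.0/0"), "192.168.4.3")] + POSTED_ROUTES[1:]

def next_hop(dst: str, ip_routing: bool, default_gateway: Optional[str], routes) -> str:
    """Where the switch sends a packet for dst: 'direct via VlanN', a next-hop address, or 'drop'."""
    addr = ipaddress.ip_address(dst)
    for vlan, net in CONNECTED.items():
        if addr in net:  # on a connected subnet: delivered directly in either mode
            return f"direct via {vlan}"
    if not ip_routing:  # host mode: only ip default-gateway matters
        return default_gateway or "drop"
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return "drop"
    _, hop = max(matches, key=lambda r: r[0].prefixlen)  # longest prefix wins
    return hop

def exit_svi(hop: str) -> str:
    """Resolve a next-hop address to the SVI it is reached through (SVI and 'direct'/'drop' pass through)."""
    if hop.startswith(("Vlan", "direct")) or hop == "drop":
        return hop
    for vlan, net in CONNECTED.items():
        if ipaddress.ip_address(hop) in net:
            return f"{hop} via {vlan}"
    return f"{hop} (next hop not on any connected subnet)"

def compare(dst: str) -> dict:
    """Reply path to dst in the three states discussed in the thread."""
    return {
        "before (no ip routing, default-gateway 192.168.4.3)": exit_svi(next_hop(dst, False, "192.168.4.3", POSTED_ROUTES)),
        "posted config + ip routing (default via 192.168.3.1)": exit_svi(next_hop(dst, True, None, POSTED_ROUTES)),
        "ip routing + suggested default via 192.168.4.3": exit_svi(next_hop(dst, True, None, SUGGESTED_ROUTES)),
    }

if __name__ == "__main__":
    for state, path in compare("192.168.10.50").items():  # constructed off-subnet management station
        print(f"{state:55} -> {path}")
```

In the model, enabling ip routing with the posted default route sends off-subnet replies towards 192.168.3.1 on Vlan102, the firewall side the poster describes as not active yet, while the suggested default route keeps them heading to the AdTran at 192.168.4.3 on Vlan172. Whether the web-console session comes from a subnet other than 192.168.4.0/24 is the thing to confirm on the real device when comparing these two paths.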