L3 as a Router - Questions and advice

jayu
Level 1

We currently have an old AdTran L3 device pulling from a Fortigate firewall and feeding old switches. To replace these old things we got two new Cisco C9300L units, one L3 and one L2. I'm trying to configure the L3 to match the old AdTran L3 as closely as I can, but things aren't working out as well as expected.

Questions: 

1. What are the bare-minimum things needed to make this configuration work?

2. What security 'extras' should I consider adding, since there's not going to be an actual 'router' in the mix?

3. What possible issues might I end up with going forward?

Concerns so far:

1. My current config of the L3 and L2 C9300Ls has proven tricky. The L3 is currently hooked into one of the old AdTrans for connectivity and successfully pulls data from the rest of the network without issue. The L2, plugged directly into the L3, however, does not...

2. Porting VLANs via VTP has proven to be effective: even though the L2 device can't seem to PING to/from anything, it's pulling neighbor statements from the L3 (LLDP and CDP both) as well as VTP configs. Once it's pulling from upstream, it should start receiving info from the DHCP/DNS server and be able to hand out IP assignments.

3. I'm a total noob at this; my background is mostly System Admin and Support side, but I'm confident that with a little nudge in the right direction I can make this config work!

I've attached the 'cleaned' L2 and L3 configs.  Please note that the L3 does not yet have any routing info because we're not ready to cut over from the old system.
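As an added example (not the poster's attached config and not a reply from the thread), here is a minimal C9300L configuration that addresses questions 1 and 2: the SVI addresses and the 192.168.4.3 next hop are taken from the show ip route output later in the thread, while the hostname, the interface numbers and the ACL name MGMT are assumptions.

```cisco
! Added example, not the poster's configuration. Addresses come from the
! thread's show ip route output; hostname, port numbers and ACL name are assumed.
hostname L3-C9300L
!
! Q1, bare minimum: ip default-gateway is honoured only while ip routing is
! off. Once ip routing is on, the default static route replaces it.
ip routing
no ip default-gateway
ip route 0.0.0.0 0.0.0.0 192.168.4.3
!
interface Vlan172
 description Management / firewall-facing (gateway 192.168.4.3)
 ip address 192.168.4.1 255.255.255.0
interface Vlan100
 ip address 192.168.1.1 255.255.255.0
interface Vlan102
 ip address 192.168.3.254 255.255.255.0
!
! Uplink towards the firewall / DHCP server, left admin-down until cutover
! (as in the thread). It is the only port trusted for DHCP and ARP below.
interface GigabitEthernet1/0/48
 description Uplink to Fortigate
 switchport mode trunk
 switchport trunk allowed vlan 100,102,172
 ip dhcp snooping trust
 ip arp inspection trust
 shutdown
!
! Q2, extras for a switch that is now the router: SSH only, management
! restricted to the 192.168.4.0/24 subnet, web UI only over HTTPS.
ip access-list standard MGMT
 permit 192.168.4.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT in
 transport input ssh
ip ssh version 2
no ip http server
ip http secure-server
!
! DHCP snooping and dynamic ARP inspection on the user VLANs. Caveat: DAI
! drops ARP from statically addressed hosts unless ARP ACLs are added for them.
ip dhcp snooping
ip dhcp snooping vlan 100,102
ip arp inspection vlan 100,102
!
! Edge ports: no trunk negotiation, no BPDUs accepted from hosts.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
```

With ip routing on, hosts in 192.168.1.0/24 and 192.168.3.0/24 reach anything beyond the switch only if the firewall at 192.168.4.3 has routes back to those subnets via 192.168.4.1, so confirm that on the Fortigate before cutover.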

24 Replies

Sorry for the crudeness of the drawings, I don't really have a better tool right now...just used Packet Tracer. This is our current state, with both Adtran devices still in play, and our future state where the Adtrans are fully replaced and out of the picture. Hope this helps! Please note the note in the current state, where our connection to the firewall from the L3 C9300L is admin-down until we're sure this is stable.

Current state and future state: are you removing some SW?

Yes, once we're done we are removing the two Adtran devices. Basically, it's a core-network replacement but with as little disruption/downtime as possible. We want to be sure that when I flip this switch, the transition is as seamless as possible. Once I feel confident that the config is correct and will work when I activate the connection to the firewall, I will start testing. However, there are some...issues with the network as it stands, and I'm worried that turning on that connection will shut down something (it happens here...) and we don't want that to happen. I know there will eventually be a point where we need to just rip off the Band-Aid, but that is not today. As always, your advice is much appreciated (as is everyone else's here).

Not to be a pest, but...maybe Monday we can go over it one more time? I just really need to know that when I flip on the connection to the firewall this new L3 switch won't take down the network. Once I have that connection stable, I can enable the IP route, disable the default-gateway statement and all that, but I'm more concerned about the switch dropping out when I put an IP address on VLAN101. We can't go any further if that doesn't work.

I ran a show ip route on the L3 and got the following (cleaned):

Gateway of last resort is 192.168.4.3 to network 0.0.0.0
S* 0.0.0.0/0 [0/0] via 192.168.4.3
192.168.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 192.168.4.0/24 is directly connected, Vlan172
L 192.168.4.1/32 is directly connected, Vlan172
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan100
L 192.168.1.1/32 is directly connected, Vlan100
192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.3.0/24 is directly connected, Vlan102
L 192.168.3.254/32 is directly connected, Vlan102

VLAN101 is still admin-down because it kills the connection for an as-yet unknown reason, so it's missing here even though the route is statically defined. I haven't enabled IP Routing yet because I will lose non-direct access when I do. Also, we're not quite ready to test the stability of the new system with the existing firewall. That'll be an after-hours event sometime later this week or early next week, I believe.

Last things to fix:
VLAN101 taking down the switch and losing web interface/remote connection when activating IP Routing.  You've all been such wonderful help!

jayu
Level 1

Just had a thought on the issue of VLAN101 dropping my connection...is it possible that it's trying to become the active management IP? So, I'm currently using VLAN 172 as the remote login network. But, when I enable VLAN101, is it actually switching to that IP for management? If so, how do I stop it from happening but still get it to have an IP address? Why aren't VLANs 100 and/or 102 doing that as well?

jayu
Level 1

Show ip route output attached here, just in case anyone sees something I'm missing.

Alright, hopefully the last post on this thread before I mark it complete. I've updated the L3 switch by removing the gateway, checking and double-checking all my static routes ahead of time, adding in the IP Routing statement, and generally doing everything except for taking the plunge and activating the (currently admin-down) routed port...tomorrow at 5pm, I've been given clearance to test the config live. If everything goes well, I'll report in as such and consider this issue closed! Thanks again to everyone here for your advice.

From my deep heart, good luck in your job, friend.

Thanks!  It went well but things are still a bit...strange.

From my machine, I can ping the devices plugged into the L3 switch, but I can't ping the IPs assigned to any of the SVIs, including the one for the VLAN the devices are plugged into...so, I can't use the WebUI or SSH currently on either switch unless I'm directly connected to one of the two switches. This happened when I turned off the Default Gateway to enable IP Routing.

I need to dump configs for both units this morning to see if I can spot something amiss.  I also need to verify routing and run ping commands from both units to all the major sources (DNS/DHCP server(s), firewall, external ISP address, etc.) and of course plug things in and see that they get assigned to the correct VLAN, pull an IP address (if applicable) and reach the Internet.