
Connect management port to same switch

Tosj Reiling
Level 1

Hi all!

 

I have multiple 2960's and connected their dedicated management port to a switch (2960X) for easier access.

Each management port on the 2960's has an IP in the 10.32.3.0/24 network.

I'm able to connect to all the management ports via SSH from an operations client (other VLAN).

 

Currently I have the issue that I can't connect to the management port of the switch that all the management ports are connected to.

The management port of the switch (10.32.3.16) is connected to the switch itself.

However I can't SSH into this management port.

 

I've included a small mock-up of the network infrastructure below.

MGMT.PNG

20 Replies

fbabashahi
Spotlight
Do you have an access-list?

I did not set access-lists yet; do I need to create one?

No, I don't think so. I asked because I think maybe the access-list prevents you from connecting to the switch. In your diagram I see you connect that switch to pfSense; are you sure about the pfSense config?

The PFSense config is correct: when I connect a client to the "Switch" I can ping it from the Operations client through the PFSense.
E.g.: Operations Client (10.32.22.101) can ping the Switch Client (10.32.3.101), and the Operations client can also ping the management IP of all the management ports, except the management port of the "Switch"-switch itself.

If it is OK, please put the core switch and the switch here. I hope I can help that way.

You mean the running configs?

yes

Running config from the Core:

version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname SERVER
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no aaa new-model
switch 1 provision ws-c3850-24p
switch 2 provision ws-c3850-24p
!
ip routing
!
ip domain name *.corp
!
cpp system-default
!
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
username admin privilege 15 password 7 ******************
!
redundancy
 mode sso
!
interface Port-channel1
 description PFSense Master LACP
 switchport mode trunk
!
interface Port-channel2
 description DHCP-Server LACP
 switchport mode access
!
interface Port-channel3
 description PFSense Slave LAPC
 switchport mode trunk
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.32.3.11 255.255.255.0
 speed 1000
 negotiation auto
!
interface GigabitEthernet1/0/1
 switchport access vlan 22
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport mode trunk
!
interface GigabitEthernet1/0/9
 switchport mode access
 channel-group 2 mode active
!
interface GigabitEthernet1/0/23
 switchport access vlan 21
 switchport mode access
!
interface GigabitEthernet1/1/1
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/1/2
 switchport mode trunk
 channel-group 3 mode active
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet2/0/1
 switchport access vlan 21
 switchport mode access
!
interface GigabitEthernet2/0/2
 switchport mode trunk
!
interface GigabitEthernet2/0/9
 switchport mode access
 channel-group 2 mode active
!
interface GigabitEthernet2/1/1
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet2/1/2
 switchport mode trunk
 channel-group 3 mode active
!
interface Vlan1
 description SERVER
 no ip address
!
interface Vlan21
 description MANAGEMENT
 no ip address
!
interface Vlan22
 description OPERATIONS
 no ip address
!
interface Vlan68
 description Alarm VLAN
 no ip address
!
interface Vlan900
 description VoIP VLAN
 no ip address
!
ip default-gateway 10.32.1.1
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http secure-client-auth
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.32.3.1
ip ssh version 2
!
control-plane
 service-policy input system-cpp-policy
!
line con 0
 privilege level 15
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Running config from the Switch:

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SWITCH
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***********************
enable password **********************
!
username admin privilege 15 password 0 ***********************
username web privilege 15 password 0 *************************
aaa new-model
!
aaa session-id common
switch 1 provision ws-c2960x-24ts-l
ip routing
!
ip domain-name *.corp
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 ip address 10.32.3.16 255.255.255.0
 no ip route-cache
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 no ip address
!
ip default-gateway 10.32.3.1
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.32.3.1
!
no vstack
!
line con 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
ntp server pool.ntp.org
!
pnp profile pnp_cco_profile
 transport https host devicehelper.cisco.com port 443
end

Hi again. Your int Gig0/0 on the core connects to FastEthernet 0, doesn't it? If the answer is yes, I think the problem is because of the VRF: you put a VRF on one side.

If the answer is no, please tell me from which port you need to reach the destination.


interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 10.32.3.11 255.255.255.0
speed 1000
negotiation auto
!

interface FastEthernet0
ip address 10.32.3.16 255.255.255.0

Port Gi0/0 (10.32.3.11) from the core connects to a port on the "Switch", e.g. Gi1/0/3.

Port Fa0 (10.32.3.16) from the "Switch" connects to a port on the "Switch", e.g. Gi1/0/7.

The "Switch" has a direct uplink to the PFSense on port Gi1/0/24.

Hi, do you configure VRF on both sides? Another thing: in your line vty config, where is login local?

Create static ARP entries in GRT and VRF... for 10.32.3.11 and 10.32.3.16.

I've added the following arp entries:
arp 10.32.3.11 7001.b501.c400 arpa
arp 10.32.3.16 0072.7809.0d00 arpa

But it doesn't seem to work?

L01_01(config)#arp ?
A.B.C.D IP address of ARP entry
vrf Configure static ARP for a VPN Routing/Forwarding instance
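
The VRF question raised in the replies above can be checked mechanically. The following is an added example, not part of the original thread: it parses excerpts of the two posted running configs and reports which routing table each management interface and its default route belong to. The function names `mgmt_summary` and `same_table` are hypothetical.

```python
import re

# Excerpts of the two running configs posted in the thread (unrelated lines omitted).
CORE = """\
ip routing
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.32.3.11 255.255.255.0
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.32.3.1
"""
SWITCH = """\
ip routing
interface FastEthernet0
 ip address 10.32.3.16 255.255.255.0
 no ip route-cache
!
ip route 0.0.0.0 0.0.0.0 10.32.3.1
"""

DEFAULT_ROUTE = re.compile(r"ip route (?:vrf (\S+) )?0\.0\.0\.0 0\.0\.0\.0 (\S+)")

def mgmt_summary(config, ifname):
    """Return the routing context of one interface in an IOS running config."""
    info = {"interface": ifname, "ip": None, "vrf": None, "ip_routing": False}
    routes = {}      # VRF name (None = global routing table) -> default next hop
    current = None   # interface block currently being read
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None                  # a top-level line ends the block
        text = line.strip()
        match = DEFAULT_ROUTE.match(text)
        if text.startswith("interface "):
            current = text.split(None, 1)[1]
        elif text == "ip routing":
            info["ip_routing"] = True
        elif current == ifname and text.startswith("vrf forwarding "):
            info["vrf"] = text.split()[2]
        elif current == ifname and text.startswith("ip address "):
            info["ip"] = text.split()[2]
        elif match:
            routes[match.group(1)] = match.group(2)
    # Only a default route in the interface's own table applies to it.
    info["default_route"] = routes.get(info["vrf"])
    return info

def same_table(a, b):
    """True when both interfaces live in the same routing table."""
    return a["vrf"] == b["vrf"]

if __name__ == "__main__":
    core = mgmt_summary(CORE, "GigabitEthernet0/0")
    switch = mgmt_summary(SWITCH, "FastEthernet0")
    print(core, switch, "same table:", same_table(core, switch), sep="\n")
```

On the posted configs this reports the core's Gi0/0 in `Mgmt-vrf` and the switch's Fa0 in the global table, which is the asymmetry the reply asks about.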
