fallback route in Mgmt-vrf to global does not work

hurricane_tnt (Level 1)

Hello folks,

In my setup, I use Mgmt-vrf for system management. When the management interface gets disconnected, the global VRF should be used. The config is as below.


Switch-3850#sh run vrf
vrf definition Mgmt-vrf
!
address-family ipv4
route-replicate from vrf global unicast connected
exit-address-family
!
address-family ipv6
exit-address-family
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 172.16.3.32 255.255.255.0
negotiation auto
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.3.1
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.6.1 global 222

When Gig0/0 is disconnected, the Mgmt-vrf routing table is as follows:

Switch-3850#sh ip route vrf Mgmt-vrf

Routing Table: Mgmt-vrf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 172.16.6.1 to network 0.0.0.0

S*    0.0.0.0/0 [222/0] via 172.16.6.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C   +    172.16.6.0/24 is directly connected, Vlan6
L        172.16.6.65/32 is directly connected, Vlan6

But pings fail as follows:

Switch-38500#ping vrf Mgmt-vrf 1.1.1.1
% VRF Mgmt-vrf does not have a usable source address

Switch version:

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 56    WS-C3850-48P       16.3.3            CAT3K_CAA-UNIVERSALK9 INSTALL

How can this be done? Why does the switch not use the Vlan6 IP of 172.16.6.65 to send the packet?!

Best Regards

8 Replies

Deepak Kumar (VIP Alumni)

Hi,

The error message is here:

Switch-38500#ping vrf Mgmt-vrf 1.1.1.1
% VRF Mgmt-vrf does not have a usable source address

Your Mgmt-vrf does not have any Layer 3 IP address that can be selected as the source of the packet. Create a loopback interface and assign it to the Mgmt-vrf. Your next hop (172.16.6.1) must then know how to reach this loopback IP address, and your switch's global VRF will also need to know where to send packets for this IP address.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
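The loopback workaround described in the reply above, written out as an IOS-XE configuration fragment. This is an added example, not configuration from the original post, from Cisco, or from either participant. The interface name Loopback0 and the address 172.16.7.1/32 are made up; the `ip route ... Loopback0` leak from the global table into the VRF and the `vrf` keyword on the two source-interface commands are assumed to be accepted on this release (check them on yours); and the return route for 172.16.7.1/32 on 172.16.6.1 and on the TACACS and syslog servers' side has to exist outside the switch, which is the part the original poster says cannot be arranged. One caveat visible in the posted config: `aaa authentication login VTY_AUTH group TACACS local` means that while TACACS is unreachable, VTY logins silently fall back to the local user database, so a broken management path also changes who can log in.

```ios
! Added example (assumed names/addresses), not the original poster's config.
!
! Give Mgmt-vrf an address that stays up when Gig0/0 is disconnected.
! 172.16.7.1/32 is an assumed, otherwise unused management address.
interface Loopback0
 vrf forwarding Mgmt-vrf
 ip address 172.16.7.1 255.255.255.255
!
! Pin TACACS and syslog to that address so the source no longer depends on
! Gig0/0 being up (the "vrf" keyword on these commands is assumed for 16.3).
ip tacacs source-interface Loopback0 vrf Mgmt-vrf
logging source-interface Loopback0 vrf Mgmt-vrf
!
! Routes already in the posted config: primary via Gig0/0, fallback into
! the global table with a worse administrative distance.
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.3.1
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.6.1 global 222
!
! Return path on the switch: let the global table deliver replies for the
! loopback into Mgmt-vrf (assumed to work as a static route to the VRF
! interface on this release). 172.16.6.1 and the servers still need a
! route for 172.16.7.1/32 back towards 172.16.6.65; that is outside the switch.
ip route 172.16.7.1 255.255.255.255 Loopback0
```

To verify, check `show ip interface brief vrf Mgmt-vrf` (Loopback0 should be up/up in the VRF), then with Gig0/0 disconnected run `ping vrf Mgmt-vrf 172.16.20.40 source Loopback0` and `show tcp brief`; the TACACS session should now show 172.16.7.1 as its local address instead of 0.0.0.0.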

As per the routing table, there is an interface active in the Mgmt-vrf. I had this working with IOS 15.x.

I cannot implement your workaround, as the loopback interface must somehow be made reachable at the remote side.

Please share the running configuration and global routing output.
Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Thank you for your help.

I did some further debugging and the results are very strange.

Syslog does work

Tacacs does not work

I double-checked the above by removing the static route pointing to global. Then syslog did not work either. After putting the route pointing to global back, syslog worked again. My problem is with TACACS :-(.

Complete config:

!
version 16.3
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service compress-config
no platform punt-keepalive disable-kernel-core
!
hostname Switch-3850
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging discriminator NO_DEBUG severity drops 7
logging count
logging userinfo
logging console notifications
!
aaa new-model
!
aaa group server tacacs+ TACACS
 server name TACSRV1
 server name TACSRV2
 ip vrf forwarding Mgmt-vrf
!
aaa authentication login local_auth local
aaa authentication login CON_AUTH local
aaa authentication login VTY_AUTH group TACACS local
aaa authorization exec VTY_AUTZ group TACACS local if-authenticated
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
facility-alarm critical exceed-action shutdown
software auto-upgrade enable
!
switch 1 provision ws-c3850-48p
!
ip routing
!
ip name-server 172.16.1.54 172.16.1.53
ip domain lookup
ip domain name domain.local
!
login on-failure log
login on-success log
!
qos queue-softmax-multiplier 1200
vtp mode off
udld enable
!
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree pathcost method long
!
redundancy
 mode sso
!
vlan 6
 name INBAND-MGMT
!
lldp run
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 172.16.3.32 255.255.255.0
 negotiation auto
!
interface GigabitEthernet1/0/48
 description UPLINK
 switchport mode trunk
 spanning-tree guard loop
 ip dhcp snooping trust
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan6
 ip address 172.16.6.65 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
ip route 0.0.0.0 0.0.0.0 172.16.6.1
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.3.1
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.6.1 global 222
ip ssh version 2
!
logging trap debugging
logging origin-id hostname
logging host 172.16.20.31 vrf Mgmt-vrf discriminator NO_DEBUG
logging host 172.16.20.201 vrf Mgmt-vrf
!
access-list 111 permit tcp any any eq tacacs
access-list 111 permit tcp any eq tacacs any
!
tacacs server TACSRV1
 address ipv4 172.16.20.40
 key 7 blabla
tacacs server TACSRV2
 address ipv4 172.16.20.41
 key 7 blubblub
!
no vstack
!
line con 0
 privilege level 15
 logging synchronous
 login authentication CON_AUTH
 transport preferred none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 authorization exec VTY_AUTZ
 logging synchronous
 login authentication VTY_AUTH
 notify
 transport preferred none
 transport input telnet ssh
line vty 5 15
 exec-timeout 20 0
 privilege level 15
 authorization exec VTY_AUTZ
 logging synchronous
 login authentication VTY_AUTH
 notify
 transport preferred none
 transport input telnet ssh
!
ntp server 172.16.1.53
!
end

Interestingly ...

Switch-3850#sh tcp b | in 172.16.20.4
FFA1AEB110 0.0.0.0.39658 172.16.20.40.49 SYNSENT

The packet is being sent out from 0.0.0.0!!!

Hi,

Look here in the configuration:

interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 172.16.3.32 255.255.255.0
 negotiation auto
!
interface Vlan6
 ip address 172.16.6.65 255.255.255.0
 no ip redirects
 no ip proxy-arp

Only one interface, Gig0/0, is in the Mgmt-vrf, and the VLAN 6 SVI is in the global VRF. If you check your Mgmt-vrf routing table, it is showing a "replicated route" for VLAN6.

I need to check whether there is any change to the "route-replicate" command in this particular version of IOS, or whether it is a bug.

Why is VLAN6 showing in the Mgmt-vrf routing table? Let me check it against the release notes of that particular version.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!


@Deepak Kumar wrote:

Why is VLAN6 showing in the Mgmt-vrf routing table? Let me check it against the release notes of that particular version.

Sorry for that ... before I posted the running config, I removed the replicate command from Mgmt-vrf, and the route also disappeared from the routing table.

I checked the same config with 16.3.8, where syslog and TACACS do not work.

Hi,
Thanks for the update. Then it seems to be a bug.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!


@hurricane_tnt wrote:

Hello folks,

In my setup, I use Mgmt-vrf for system management. When the management interface gets disconnected, the global VRF should be used. How can this be done? Why does the switch not use the Vlan6 IP of 172.16.6.65 to send the packet?!


No, it shouldn't. The VRF table doesn't have any valid active interface, so how can it be used? You won't be able to ping anything sourced from the VRF table.

sh ip interface brief vrf xx

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul