10-19-2019 01:32 AM
Hello folks,
In my setup, I use Mgmt-vrf for system management. When the management interface gets disconnected, the global vrf should be used. The config is as below.
Switch-3850#sh run vrf
vrf definition Mgmt-vrf
 !
 address-family ipv4
  route-replicate from vrf global unicast connected
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 172.16.3.32 255.255.255.0
 negotiation auto
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.3.1
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.6.1 global 222
When Gig0/0 is disconnected, the Mgmt-vrf routing table is as follows:
Switch-3850#sh ip route vrf Mgmt-vrf
Routing Table: Mgmt-vrf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 172.16.6.1 to network 0.0.0.0

S*    0.0.0.0/0 [222/0] via 172.16.6.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C +      172.16.6.0/24 is directly connected, Vlan6
L        172.16.6.65/32 is directly connected, Vlan6
But pings fail as follows:
Switch-38500#ping vrf Mgmt-vrf 1.1.1.1
% VRF Mgmt-vrf does not have a usable source address
Switch version:
Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 56    WS-C3850-48P       16.3.3            CAT3K_CAA-UNIVERSALK9 INSTALL
How can this be done? Why does the switch not use the Vlan6 IP of 172.16.6.65 to send the packet?!
Best Regards
10-19-2019 03:17 AM
Hi,
Error message is here:
Switch-38500#ping vrf Mgmt-vrf 1.1.1.1
% VRF Mgmt-vrf does not have a usable source address
Now your Mgmt-vrf does not have any Layer 3 IP address which can be selected as the source of the packet. Create a loopback interface and assign it to the Mgmt-vrf. Now your next hop (172.16.6.1) must know how to reach this loopback IP address, and your switch's global VRF will also need to know where to send a packet for this IP address.
10-19-2019 07:16 AM
10-19-2019 10:03 AM
10-19-2019 10:52 AM
Thank you for your help.
I did some further debugging and the results are very strange.
Syslog does work
Tacacs does not work
I double checked the above by removing the static route pointing to global. Then Syslog did not work. Put the route back pointing to global and Syslog worked. My problem is with Tacacs :-(.
Complete config:
!
version 16.3
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service compress-config
no platform punt-keepalive disable-kernel-core
!
hostname Switch-3850
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging discriminator NO_DEBUG severity drops 7
logging count
logging userinfo
logging console notifications
!
aaa new-model
!
aaa group server tacacs+ TACACS
 server name TACSRV1
 server name TACSRV2
 ip vrf forwarding Mgmt-vrf
!
aaa authentication login local_auth local
aaa authentication login CON_AUTH local
aaa authentication login VTY_AUTH group TACACS local
aaa authorization exec VTY_AUTZ group TACACS local if-authenticated
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
facility-alarm critical exceed-action shutdown
software auto-upgrade enable
!
switch 1 provision ws-c3850-48p
!
ip routing
!
ip name-server 172.16.1.54 172.16.1.53
ip domain lookup
ip domain name domain.local
!
login on-failure log
login on-success log
!
qos queue-softmax-multiplier 1200
vtp mode off
udld enable
!
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree pathcost method long
!
redundancy
 mode sso
!
vlan 6
 name INBAND-MGMT
!
lldp run
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 172.16.3.32 255.255.255.0
 negotiation auto
!
interface GigabitEthernet1/0/48
 description UPLINK
 switchport mode trunk
 spanning-tree guard loop
 ip dhcp snooping trust
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan6
 ip address 172.16.6.65 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
ip route 0.0.0.0 0.0.0.0 172.16.6.1
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.3.1
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.6.1 global 222
ip ssh version 2
!
logging trap debugging
logging origin-id hostname
logging host 172.16.20.31 vrf Mgmt-vrf discriminator NO_DEBUG
logging host 172.16.20.201 vrf Mgmt-vrf
!
access-list 111 permit tcp any any eq tacacs
access-list 111 permit tcp any eq tacacs any
!
tacacs server TACSRV1
 address ipv4 172.16.20.40
 key 7 blabla
tacacs server TACSRV2
 address ipv4 172.16.20.41
 key 7 blubblub
!
no vstack
!
line con 0
 privilege level 15
 logging synchronous
 login authentication CON_AUTH
 transport preferred none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 authorization exec VTY_AUTZ
 logging synchronous
 login authentication VTY_AUTH
 notify
 transport preferred none
 transport input telnet ssh
line vty 5 15
 exec-timeout 20 0
 privilege level 15
 authorization exec VTY_AUTZ
 logging synchronous
 login authentication VTY_AUTH
 notify
 transport preferred none
 transport input telnet ssh
!
ntp server 172.16.1.53
!
end
Interestingly ...
Switch-3850#sh tcp b | in 172.16.20.4
FFA1AEB110  0.0.0.0.39658          172.16.20.40.49        SYNSENT
The packet tried to be sent out from 0.0.0.0!!!
10-19-2019 11:50 AM
Hi,
Look here in the configuration:
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 172.16.3.32 255.255.255.0
 negotiation auto
!
interface Vlan6
 ip address 172.16.6.65 255.255.255.0
 no ip redirects
 no ip proxy-arp
Only one interface, Gig0/0, is in the Mgmt-vrf, and the VLAN 6 SVI is in the global VRF. If you check your Mgmt-vrf routing table, it is showing a "replicated route" for VLAN6.
I need to check for any change with the "route-replicate" command in this particular version of IOS, or whether it is a bug.
Why is VLAN6 showing in the Mgmt-vrf routing table? Let me check the release notes of the particular version.
10-19-2019 11:15 PM
@Deepak Kumar wrote:
Why is VLAN6 showing in the Mgmt-vrf routing table? Let me check the release notes of the particular version.
Sorry for that ... before I posted the running-config, I removed the replicate command from Mgmt-vrf, and the route also disappeared from the routing table.
I checked the same config with 16.3.8, where syslog and tacacs do not work.
10-20-2019 01:44 AM
10-20-2019 02:45 AM - edited 10-20-2019 02:51 AM
@hurricane_tnt wrote:
Hello folks,
In my setup, I use Mgmt-vrf for system management. When the management interface gets disconnected, the global vrf should be used. How can this be done? Why does the switch not use the Vlan6 IP of 172.16.6.65 to send the packet?!
No, it shouldn't. The VRF table doesn't have any valid active interface, so how can it be used? So you won't be able to ping anything sourced from the VRF table.
sh ip interface brief vrf xx
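An added example, not posted by anyone in this thread, that applies the loopback-in-VRF fix suggested in the first reply to the configuration above and ends with the interface check from the last reply. The loopback address 172.16.99.1/32 is constructed, the source-interface commands and the global static route pointing at Loopback0 are assumptions for this IOS-XE release, and the upstream router 172.16.6.1 still needs its own return route for the loopback.

```cisco
! Added example, not part of the thread. 172.16.99.1/32 is a constructed address.
! Give Mgmt-vrf an address that stays up while Gig0/0 is disconnected, so the
! VRF always has a usable source address for its own management traffic.
interface Loopback0
 vrf forwarding Mgmt-vrf
 ip address 172.16.99.1 255.255.255.255
!
! Pin TACACS and syslog to that loopback. The group already carries
! "ip vrf forwarding Mgmt-vrf"; the source-interface lines are assumed and
! should be verified on 16.3.x.
aaa group server tacacs+ TACACS
 server name TACSRV1
 server name TACSRV2
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface Loopback0
!
logging source-interface Loopback0 vrf Mgmt-vrf
!
! Fallback path as already configured: once 172.16.3.1 is unreachable the
! AD 222 default sends Mgmt-vrf traffic into the global table and out Vlan6.
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.3.1
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.6.1 global 222
!
! Replies to 172.16.99.1 arrive in the global table; hand them back to the
! VRF interface (assumed to work on this release; verify). The upstream
! router 172.16.6.1 also needs a route for 172.16.99.1/32 via 172.16.6.65.
ip route 172.16.99.1 255.255.255.255 Loopback0
!
! Verification with Gig0/0 down: Loopback0 must show up/up inside the VRF,
! and the ping must now succeed sourced from 172.16.99.1 instead of failing
! with "does not have a usable source address".
! Switch-3850#show ip interface brief vrf Mgmt-vrf
! Switch-3850#ping vrf Mgmt-vrf 1.1.1.1 source Loopback0
```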