Solved: Multilayer Switch issue on int vlan 100 (Management Vlan)

rosanx · ‎12-27-2024

I have this Configuration on my MultiLayerSwitch (Topology in figure):

!
version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname MLS
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
!
!
ip cef
ip routing
!
no ipv6 cef
!
!
!
username cisco secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
!
!
!
!
!
!
ip domain-name rosanna.com
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.0.0.3 255.255.255.248
 duplex auto
 speed auto
!
interface GigabitEthernet1/0/2
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan3
 mac-address 0060.2f39.d601
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
 mac-address 0060.2f39.d602
 ip address 192.168.4.1 255.255.255.128
!
interface Vlan5
 mac-address 0060.2f39.d603
 ip address 192.168.4.129 255.255.255.128
!
interface Vlan100
 mac-address 0060.2f39.d604
 ip address 192.168.100.1 255.255.255.0
!
router ospf 10
 log-adjacency-changes
 passive-interface GigabitEthernet1/0/2
 passive-interface GigabitEthernet1/0/3
 passive-interface GigabitEthernet1/0/4
 passive-interface Vlan100
 network 192.168.3.0 0.0.0.255 area 0
 network 192.168.4.0 0.0.0.127 area 0
 network 192.168.4.128 0.0.0.127 area 0
 network 10.0.0.0 0.0.0.7 area 0
 network 192.168.100.1 0.0.0.0 area 0
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 password 7 0822455D0A16
 login
 transport input ssh
line vty 5 15
 password 7 0822455D0A16
 login
 transport input ssh
!
!
!
!
end

Please, explain me WHY my Management VLAN (VLAN 100) doesn't work for ssh connection from hosts.

I'm a little confused right now.

Flavio Miranda · ‎12-27-2024

When you create an interface vlan on the switch but you dont use it, the vlan will stay down. As long as you have the vlan assign to a trunk or to an access port, it will come up. Your vlan 100 is down.

Vlan1 unassigned YES unset administratively down down

Vlan3 192.168.3.1 YES manual up up

Vlan4 192.168.4.1 YES manual up up

Vlan5 192.168.4.129 YES manual up up

Vlan100 192.168.100.1 YES manual up down

MLS#

As soon as you associate one interface to the vlan 100, it will come up

GigabitEthernet1/1/4 unassigned YES NVRAM down down

Vlan1 unassigned YES unset administratively down down

Vlan3 192.168.3.1 YES manual up up

Vlan4 192.168.4.1 YES manual up down

Vlan5 192.168.4.129 YES manual up up

Vlan100 192.168.100.1 YES manual up up

MLS#

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up

and you are able to ping it.

If you dont want to have a PC on vlan 100. you can use loopback interface instead. Loopback will always stay up dont matter what.

View solution in original post

MHM Cisco World · ‎12-27-2024

Did you generate rsa key

MHM

rosanx · ‎12-27-2024

yes, I did it.

Flavio Miranda · ‎12-27-2024

@rosanx

From where you are trying to access exactly?

You have passive interface on vlan 100.

Can you ping vlan 100 from host ?

rosanx · ‎12-27-2024

ok. I'm trying to access from host in Inter-vlan routing on MLS SVIs. PC0 is not pinging MLS int vlan 100.

I removed the passive-interface on int vlan 100.

vlan 100 is still not in my routing table of MLS. What am I not considering?

Flavio Miranda · ‎12-27-2024

Didi you creste vlan 100?

Vlan 100

On mls

rosanx · ‎12-27-2024

yes. I created vlan 100. My vlan dat:

MLS#show vlan b

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gig1/0/5, Gig1/0/6, Gig1/0/7, Gig1/0/8
                                                Gig1/0/9, Gig1/0/10, Gig1/0/11, Gig1/0/12
                                                Gig1/0/13, Gig1/0/14, Gig1/0/15, Gig1/0/16
                                                Gig1/0/17, Gig1/0/18, Gig1/0/19, Gig1/0/20
                                                Gig1/0/21, Gig1/0/22, Gig1/0/23, Gig1/0/24
                                                Gig1/1/1, Gig1/1/2, Gig1/1/3, Gig1/1/4
3    VLAN0003                         active    Gig1/0/2
4    VLAN0004                         active    Gig1/0/3
5    Data                             active    Gig1/0/4
100  Gestione                         active    
1000 Nativa                           active    
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active

this is also my routing table

     10.0.0.0/29 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, GigabitEthernet1/0/1
O    192.168.0.0/24 [110/2] via 10.0.0.1, 01:16:37, GigabitEthernet1/0/1
O    192.168.1.0/24 [110/2] via 10.0.0.1, 01:16:37, GigabitEthernet1/0/1
O    192.168.2.0/24 [110/2] via 10.0.0.1, 01:16:37, GigabitEthernet1/0/1
C    192.168.3.0/24 is directly connected, Vlan3
     192.168.4.0/25 is subnetted, 2 subnets
C       192.168.4.0 is directly connected, Vlan4
C       192.168.4.128 is directly connected, Vlan5

Flavio Miranda · ‎12-27-2024

OK.

Can you please zip your PacketTracer file and attach here? I can take a look

rosanx · ‎12-27-2024

Of course! thank you.

Flavio Miranda · ‎12-27-2024

When you create an interface vlan on the switch but you dont use it, the vlan will stay down. As long as you have the vlan assign to a trunk or to an access port, it will come up. Your vlan 100 is down.

Vlan1 unassigned YES unset administratively down down

Vlan3 192.168.3.1 YES manual up up

Vlan4 192.168.4.1 YES manual up up

Vlan5 192.168.4.129 YES manual up up

Vlan100 192.168.100.1 YES manual up down

MLS#

As soon as you associate one interface to the vlan 100, it will come up

GigabitEthernet1/1/4 unassigned YES NVRAM down down

Vlan1 unassigned YES unset administratively down down

Vlan3 192.168.3.1 YES manual up up

Vlan4 192.168.4.1 YES manual up down

Vlan5 192.168.4.129 YES manual up up

Vlan100 192.168.100.1 YES manual up up

MLS#

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up

and you are able to ping it.

If you dont want to have a PC on vlan 100. you can use loopback interface instead. Loopback will always stay up dont matter what.

rosanx · ‎12-28-2024

ok, thank you!

Devaa · ‎12-27-2024

Hi @rosanx

Fix reachability and make sure you're able to ping 192.168.100.1. Once you fix reachability, still you won't be able to SSH.

You can telnet, but you have disabled telnet by using transport input ssh under vty config.

For SSH to work, you need username and password. For that, you should point the VTY to use local user database or to some AAA.

Use the below commands to point the VTY to use local user database

line vty 0 4
 login local

Devaa · ‎12-28-2024

@rosanx once you fix reachability, make sure you enable local user in vty for ssh to work.

line vty 0 4
 login local

paul driver · ‎12-28-2024

Helllo
it look like your only ospf adjacency from that l3 sw it to rtr1 via gig1/0/1
So you just need to allow that link to establish and passive the rest of the l3 svi interfaces
Try the following:
crypto key zerosize rsa

crypto key generate rsa label OSPF general-keys modules 2048
ip ssh enable
ip ssh version 2

Router ospf 10
passive interface default
no passive interface gig1/0/1

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

rosanx · ‎12-30-2024

Thank you all!