Nexus-9300: Where hides configs for 172.16.4.1 ?

GIVEN: (obfuscated)

NEXUS-9300# sh ip int br vrf all

IP Interface Status for VRF "default"(1)
Vlan30 172.16.1.5 protocol-up/link-up/admin-up
Vlan172 172.17.2.2 protocol-up/link-up/admin-up
Vlan200 172.16.3.8 protocol-up/link-up/admin-up
Vlan300 172.16.3.9 protocol-up/link-up/admin-up
Vlan800 172.16.4.2 protocol-up/link-up/admin-up
Vlan801 172.16.5.2 protocol-up/link-up/admin-up

IP Interface Status for VRF "mgmt"(2)
mgmt0 172.16.5.3 protocol-up/link-up/admin-up

IP Interface Status for VRF "DMZ1"(3)
Vlan24 172.16.29.2 protocol-up/link-up/admin-up

I can SSH into 172.16.4.1
I cannot SSH into 172.16.4.2

1. Why am I able to SSH into NEXUS-9300 using 172.16.4.1 if the only instance of 172.16.4.1 in the config is...

NEXUS-9300# sh run all | inc 172.16.4.1
!! output omitted !!
ip route 172.199.0.0/16 172.16.4.17
   set ip next-hop 172.16.4.17
      ip 172.16.4.1

2. How can the next hop be "ip 172.16.4.1" if it does not exist anywhere in the config besides the above entry?

3. What was the SSH config snippet that allowed SSH to 172.16.4.1?

Thank you.

Accepted Solution

Christopher Hart
Cisco Employee

Hello!

If I had to take a very wild guess, 172.16.4.1 is the HSRP/VRRP virtual IP address for VLAN 800. VLAN 800 is most likely configured to be a member of an HSRP/VRRP group, and the switch is most likely acting as the Active/Master for the HSRP/VRRP virtual IP address. For this reason, the switch will "own" the HSRP/VRRP virtual IP address, and so any packets destined to 172.16.4.1 will be treated as control plane packets. This means the switch will respond to ICMP pings destined to the HSRP/VRRP virtual IP address, most likely respond to SNMP GET packets destined to the HSRP/VRRP virtual IP address, and (as you've experienced) you will be able to SSH into the switch using the HSRP/VRRP virtual IP address.

The show running-config all output you provided shows ip 172.16.4.1 configuration. Since the output is filtered with the include pipe, there is an illusion that the ip 172.16.4.1 configuration is a part of the ip route 172.199.0.0/16 172.16.4.17 static route configuration and/or the set ip next-hop 172.16.4.17 configuration for a PBR (Policy-Based Routing) route-map, but in reality, this configuration is present under the VLAN 800 SVI's configuration.

To prove this out, can you provide the output of the show running-config interface Vlan800 command from the switch?

Thank you!

-Christopher

13 Replies

show ip route vrf all <<- check 172.16.4.1

please share output if you can

#show ip route vrf all

...yielded zero results for the string "172.16.4.1"

** ABOVE IS WRONG -- I used the obfuscated address in my search string.

Thank you.

NEXUS-9300# show run interface vlan 800
interface Vlan800
  description branch core VLAN
  no ip redirects
  ip address 172.16.4.2/24
  hsrp 0
    preempt
    priority 110 forwarding-threshold lower 1 upper 110
    ip 172.16.4.1
-----

NEXUS-9300# show hsrp brief
Interface      Grp    Prio    P      State      Active addr      Standby addr       Group addr
Vlan800        0      110    P      Active          local            172.16.4.3          172.16.4.1         (conf)

=====

You solved it, Chris!

Thank you all for your effort!

So that is correct: its HSRP IP address is configured on .2, which is in the active role, so you are able to SSH to .1 and reach device .2. Makes sense.

Note: you always need to provide enough information when you post, so that we do not play guessing games with technologies, and it is easier for people to suggest the correct answer.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for your feedback, Balaji.

I don't understand this network, I am new here, and only moderately qualified, and I am literally the only OSI layer 1-4 tech in the enterprise.

You want a job in Massachusetts? lol.

but as I know it must appear in show ip route vrf all, I need to check my note again

CORRECTION: "#show ip route vrf all ...yielded zero results for the string 172.16.4.1" IS NOT CORRECT. This string yielded many hits. I mistakenly forgot to use the real string. Instead I used the obfuscated string "172.16.4.1" in my search. My apologies MHM!

I am sure you should be able to see it in show ip arp and show ip cef

BB


-----

NEXUS-9300# sh ip cef
^
% Invalid command at '^' marker.
NEXUS-9300# sh cef
^
% Invalid command at '^' marker.

NEXUS-9300#sh ip arp
172.16.4.1 - 0000.0c07.ac00 Vlan800

... 0c07.ac00 is the HSRP virtual MAC address.
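The thread's root cause was that "show run | include" strips the parent blocks, hiding that "ip 172.16.4.1" sits under "hsrp 0" on Vlan800, and that the switch answers for that VIP (so it is a second management-plane address that any SSH/SNMP access controls must cover). The following script is an added example written for this page, not code from the thread or from Cisco: it reproduces the include filter while keeping the enclosing blocks, derives each HSRPv1 VIP and its virtual MAC from the config, and checks a "show ip arp" line against it. The SAMPLE_CONFIG is constructed to mirror the obfuscated Vlan800 SVI shown above and is not the poster's real configuration.

```python
import re

# Constructed sample modelled on the obfuscated Vlan800 SVI shown in the
# thread; it is not the poster's real running-config.
SAMPLE_CONFIG = """\
ip route 172.199.0.0/16 172.16.4.17
route-map PBR-BRANCH permit 10
  set ip next-hop 172.16.4.17
interface Vlan800
  no ip redirects
  ip address 172.16.4.2/24
  hsrp 0
    preempt
    priority 110 forwarding-threshold lower 1 upper 110
    ip 172.16.4.1
"""

def config_context(config, pattern):
    """'show run | include', but keeping the parent blocks the include
    filter drops. NX-OS nests by indentation, so a stack of (indent, line)
    tracks the enclosing parents of every matching line."""
    stack, hits = [], []
    for line in config.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if re.search(pattern, line):
            hits.append([p for _, p in stack] + [line.strip()])
        stack.append((indent, line.strip()))
    return hits

def hsrp_vips(config):
    """Map each HSRP virtual IP to (interface, group, HSRPv1 virtual MAC).
    HSRPv1 uses 0000.0c07.acXX with XX = group number in hex."""
    vips = {}
    for path in config_context(config, r"^\s*ip \d+\.\d+\.\d+\.\d+$"):
        if len(path) == 3 and path[0].startswith("interface ") and path[1].startswith("hsrp "):
            group = int(path[1].split()[1])
            vips[path[2].split()[1]] = (path[0].split()[1], group, f"0000.0c07.ac{group:02x}")
    return vips

def vip_answered_here(arp_line, vips):
    """True when a 'show ip arp' line for a VIP carries the virtual MAC on
    the expected SVI: this switch currently answers for that address."""
    ip, _, mac, intf = arp_line.split()
    return ip in vips and vips[ip][0] == intf and vips[ip][2] == mac
```

Running config_context(SAMPLE_CONFIG, "172.16.4.1") returns three hits, the last one as ["interface Vlan800", "hsrp 0", "ip 172.16.4.1"], which is exactly the context the include pipe hid in the original question.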