02-18-2023 10:22 AM - last edited on 02-21-2023 09:17 PM by Translator
GIVEN: (obfuscated)
NEXUS-9300# sh ip int br vrf all
IP Interface Status for VRF "default"(1)
Vlan30 172.16.1.5 protocol-up/link-up/admin-up
Vlan172 172.17.2.2 protocol-up/link-up/admin-up
Vlan200 172.16.3.8 protocol-up/link-up/admin-up
Vlan300 172.16.3.9 protocol-up/link-up/admin-up
Vlan800 172.16.4.2 protocol-up/link-up/admin-up
Vlan801 172.16.5.2 protocol-up/link-up/admin-up
IP Interface Status for VRF "mgmt"(2)
mgmt0 172.16.5.3 protocol-up/link-up/admin-up
IP Interface Status for VRF "DMZ1"(3)
Vlan24 172.16.29.2 protocol-up/link-up/admin-up
I can SSH into 172.16.4.1
I cannot SSH into 172.16.4.2
1. Why am I able to SSH into NEXUS-9300 using 172.16.4.1 if the only instance of 172.16.4.1 in the config is...
NEXUS-9300# sh run all | inc 172.16.4.1
!! output omitted !!
ip route 172.199.0.0/16 172.16.4.17
set ip next-hop 172.16.4.17
ip 172.16.4.1
2. How can next hop be "ip 172.16.4.1" if it does not exist in the config anywhere besides above entry?
3. What was the SSH config snippet that allowed SSH to 172.16.4.1 ?
Thank you.
02-18-2023 11:29 AM - last edited on 02-21-2023 09:21 PM by Translator
Hello!
If I had to take a very wild guess, 172.16.4.1 is the HSRP/VRRP virtual IP address for VLAN 800. VLAN 800 is most likely configured to be a member of an HSRP/VRRP group, and the switch is most likely acting as the Active/Master for the HSRP/VRRP virtual IP address. For this reason, the switch will "own" the HSRP/VRRP virtual IP address, and so any packets destined to 172.16.4.1 will be treated as control plane packets. This means the switch will respond to ICMP pings destined to the HSRP/VRRP virtual IP address, most likely respond to SNMP GET packets destined to the HSRP/VRRP virtual IP address, and (as you've experienced) you will be able to SSH into the switch using the HSRP/VRRP virtual IP address.
The show running-config all output you provided shows ip 172.16.4.1 configuration. Since the output is filtered with the include pipe, there is an illusion that the ip 172.16.4.1 configuration is a part of the ip route 172.199.0.0/16 172.16.4.17 static route configuration and/or the set ip next-hop 172.16.4.17 configuration for a PBR (Policy-Based Routing) route-map, but in reality, this configuration is present under the VLAN 800 SVI's configuration.
To prove this out, can you provide the output of the show running-config interface Vlan800 command from the switch?
Thank you!
-Christopher
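Added example (not part of any post in this thread): a small Python helper that searches a saved NX-OS running-config for an address and reports each hit together with its parent stanzas, so a filtered match cannot be mistaken for part of a neighbouring route or route-map line. The sample config is constructed from the output shown in the thread; the route-map name EXAMPLE-PBR and the function name find_with_context are assumptions.

```python
import re

# Constructed sample. The static route, next-hop and Vlan800 lines come from
# the thread; the route-map name and sequence number are placeholders.
SAMPLE_CONFIG = """\
ip route 172.199.0.0/16 172.16.4.17
route-map EXAMPLE-PBR permit 10
  set ip next-hop 172.16.4.17
interface Vlan800
  description branch core VLAN
  no ip redirects
  ip address 172.16.4.2/24
  hsrp 0
    preempt
    priority 110 forwarding-threshold lower 1 upper 110
    ip 172.16.4.1
"""


def find_with_context(config, address, exact=True):
    """Return [(parent_path, line)] for every config line mentioning address.

    exact=True matches the address as a whole token, so 172.16.4.1 does not
    hit 172.16.4.17. exact=False is a plain substring search, which gives the
    three context-free hits seen in the filtered output in the thread.
    """
    if exact:
        pattern = re.compile(r"(?<![\d.])" + re.escape(address) + r"(?!\d)")
    else:
        pattern = re.compile(re.escape(address))

    hits = []
    stack = []  # (indent, text) of the stanzas enclosing the current line
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        # Leave every stanza that is not a parent of this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if pattern.search(text):
            hits.append((" > ".join(t for _, t in stack), text))
        stack.append((indent, text))
    return hits


if __name__ == "__main__":
    for path, line in find_with_context(SAMPLE_CONFIG, "172.16.4.1"):
        print(f"{path or '(global)'} :: {line}")
```

Run against the sample, the exact search reports a single hit under interface Vlan800 > hsrp 0, which is the address the switch answers SSH on while it is the HSRP active router.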
02-18-2023 10:43 AM - last edited on 02-21-2023 09:17 PM by Translator
show ip route vrf all <<- check 172.16.4.1
please share output if you can
02-19-2023 07:52 AM - last edited on 02-21-2023 09:18 PM by Translator
#show ip route vrf all
...yielded zero results for the string 172.16.4.1"
** ABOVE IS WRONG-- I used obfuscated address in my search string.
Thank you.
02-19-2023 08:09 AM - last edited on 02-21-2023 09:22 PM by Translator
NEXUS-9300# show run interface vlan 800
interface Vlan800
  description branch core VLAN
  no ip redirects
  ip address 172.16.4.2/24
  hsrp 0
    preempt
    priority 110 forwarding-threshold lower 1 upper 110
    ip 172.16.4.1
-----
NEXUS-9300# show hsrp brief
Interface Grp Prio P State Active addr Standby addr Group addr
Vlan800 0 110 P Active local 172.16.4.3 172.16.4.1 (conf)
=====
You solved it, Chris!
Thank you all for your effort!
02-19-2023 08:11 AM
So that is correct: it's the HSRP IP address, and the device configured as .2 is in the active role, so you are able to SSH to .1 and reach device .2. Makes sense.
Note: you always need to provide enough information when you post, so we do not play guessing games in technologies and it is easier for people to give you correct suggestions.
02-19-2023 08:23 AM
Thank you for your feedback, Balaji.
I don't understand this network, I am new here, and only moderately qualified, and I am literally the only OSI layer 1-4 tech in enterprise.
You want a job in Massachusetts? lol.
02-19-2023 08:14 AM - last edited on 02-21-2023 09:23 PM by Translator
but as I know it must appear in show ip route vrf all, I need to check my note again
02-19-2023 08:19 AM - last edited on 02-21-2023 09:23 PM by Translator
CORRECTION: #show ip route vrf all
...yielded zero results for the string 172.16.4.1" IS NOT CORRECT. This string yielded many hits. I mistakenly forgot to use the real string. Instead I used the obfuscated string "172.16.4.1" in my search. My apologies MHM!
02-19-2023 08:23 AM - last edited on 02-21-2023 09:24 PM by Translator
I am sure you should be able to see it in show IP arp and show IP cef
02-19-2023 08:31 AM - last edited on 02-21-2023 09:25 PM by Translator
CORRECTION: #show ip route vrf all
...yielded zero results for the string 172.16.4.1" IS NOT CORRECT. This string yielded many hits. I mistakenly forgot to use the real string. Instead I used the obfuscated string "172.16.4.1" in my search. My apologies MHM!
-----
NEXUS-9300# sh ip cef
^
% Invalid command at '^' marker.
NEXUS-9300# sh cef
^
% Invalid command at '^' marker.
NEXUS-9300#sh ip arp
172.16.4.1 - 0000.0c07.ac00 Vlan800
... 0c07.ac00 is HSRP virtual MAC address.
02-19-2023 08:42 AM - last edited on 02-21-2023 09:26 PM by Translator
ip cef - mostly used in IOS (apologies, it does not work on Nexus)
You want a job in Massachusetts? lol. <-- been in Boston and lot of known people studied in MIT (I like the campus personally)
02-19-2023 01:53 AM - last edited on 02-21-2023 09:27 PM by Translator
can you post show run interface vlan 800 and show hsrp brief
02-24-2023 01:53 PM
sorry for late reply
this show ip route <<- show the VIP of HSRP group