
3560 switch can only be accessed by default-gateway switch and vpn

Level 1

I'm trying to identify why a switch could only be accessed by SSHing into it from its default-gateway switch (Core switch) or when accessing it via VPN, when off site.

There's no access-list, I removed the sl_def_acl, or any potentially blocking ACLs. This switch is set up for ip routing, though none of our other switches are.

Any thoughts, before I put up a similar conf.?


Jon Marshall
Hall of Fame

If it is set up for routing then it will need a default route pointing to the core switch (not sure what is happening with VPN).


Yes, it has a default route to the core. What I noticed is that it's using a different default gateway than the other switches. It's the same core, but it's pointing to a separate int vlan on the core.

How are the two switches connected, i.e. if both are routing, is the connection a trunk or an L3 link?

Also, can you just confirm that it is a default route, because you say it is and then talk about a default gateway, but an L3 switch doesn't use a default gateway at all.


That's what I was thinking too. New job, looking over the previous person's setup... it's been fun. I changed the ip addressing a little to "sanitize" it. But this is the piece of the non-sshing switch. It has ip routing and an ip default-gateway; the other switches in the various IDF cabinets do not have that. Which is what I initially identified; now I've been told that other engineers have removed ip routing from switches in the past at this company and it caused issues (waiting for further explanations on that). But Jon, I think we're in agreement that a default-gateway is fine, but it's either L2 or L3, not both, which is what I think I'm seeing here.

ip routing

ip default-gateway
no ip classless
no ip http server
ip http secure-server
ip route

That looks fine because it will simply use the default route and ignore the default gateway setting.

So presumably you have an SVI with an IP in the 192.168.99.x range on this switch?

If so, can you from the core switch try an extended ping to that IP using another SVI's IP as the source IP, i.e. not and let me know the results.

Still would help to know how the switches are interconnected etc., i.e. a few more details.

I have to pop out for a couple of hours but I'll check back on this when I get back.

