02-28-2017 08:24 AM - edited 03-08-2019 09:32 AM
I'm trying to identify why a switch can only be accessed by SSHing into it from its default-gateway switch (core switch) or when accessing it via VPN, when off site.
There's no access-list; I removed the sl_def_acl and any potentially blocking ACLs. This switch is set up for ip routing, though none of our other switches are.
Any thoughts, before I put up a similar conf.?
02-28-2017 08:36 AM
If it is set up for routing then it will need a default route pointing to the core switch (not sure what is happening with VPN).
Jon
02-28-2017 08:38 AM
Yes, it has a default route to the core. What I noticed is that it's using a different default gateway than the other switches. It's the same core, but it's pointing to a separate int vlan on the core.
02-28-2017 08:41 AM
How are the two switches connected, i.e. if both are routing, is the connection a trunk or an L3 link?
Also, can you just confirm that it is a default route, because you say it is and then talk about a default gateway, but an L3 switch doesn't use a default gateway at all.
Jon
02-28-2017 08:55 AM
That's what I was thinking too. New job, looking over the previous person's setup... it's been fun. I changed the IP addressing a little to "sanitize" it. But this is the relevant piece of the non-SSHing switch's config. It has ip routing and an ip default-gateway; the other switches in the various IDF cabinets do not have that. Which is what I initially identified; now I've been told that other engineers have removed ip routing from switches in the past at this company and it caused issues (waiting for further explanations on that). But Jon, I think we're in agreement that a default-gateway is fine, but it's either L2 or L3, not both, which is what I think I'm seeing here.
ip routing
!
ip default-gateway 192.168.99.9
no ip classless
no ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.99.9
02-28-2017 09:20 AM
That looks fine because it will simply use the default route and ignore the default gateway setting.
So presumably you have an SVI with an IP in the 192.168.99.x range on this switch?
If so, can you, from the core switch, try an extended ping to that IP using another SVI's IP as the source IP, i.e. not 192.168.99.9, and let me know the results.
It would still help to know how the switches are interconnected etc., i.e. a few more details.
I have to pop out for a couple of hours but I'll check back on this when I get back.
Jon