C3650 mgmt interface won't do NTP....

abatson
Level 1

I've got a healthy C3650 switch, whose management interface is the 'gi0/0' interface on the front of the machine. The switch will send syslog on this interface just fine, and it's listening on SSH on this interface too. DNS works too, because I can resolve hostnames. However, "show ntp assoc" just sits at the "**INIT**" stage, and never progresses. I know that gi0/0 is separated from the main routing engine of the switch (by design, I know). What am I missing? I've configured tons of switches to do NTP before, but this is my first switch where the mgmt interface is separated from the main routing engine. Other devices on my network are successfully using "0.pool.ntp.org", so I know it's not an availability issue. My gi0/0 is connected to a firewall that allows Internet access (where other devices route their traffic that work just fine). Config below...

 

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.05.28 17:31:32 =~=~=~=~=~=~=~=~=~=~=~=

External-Switch#
External-Switch#show run
Building configuration...

Current configuration : 5020 bytes
!
! Last configuration change at 21:28:09 UTC Thu May 28 2015 by xxxxxxxxxxxx
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname External-Switch
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable password xxxxxxxxxxxxxxxxx
!
username xxxxxx password 0 xxxxxxxxx
username xxxxxx password 0 xxxxxx
username xxxxxxx password 0 xxxxxxxxx
aaa new-model
!
!
!
!
aaa session-id common
switch 1 provision ws-c3650-24ps
!
ip domain-name nowhere.com
ip name-server <IP of our DNS Server>
!
!
!
crypto pki trustpoint TP-self-signed-1007421793
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1007421793
 revocation-check none
 rsakeypair TP-self-signed-1007421793
!
!
crypto pki certificate chain TP-self-signed-1007421793
 certificate self-signed 01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Cert went here......
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      quit
!
!
!
!
!
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
 mode sso
!
!
ip ssh version 2
!
class-map match-any non-client-nrt-class
  match non-client-nrt
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.168.77.250 255.255.255.0
 negotiation auto
!
interface GigabitEthernet1/0/1
 description Ethernet From ISP
 switchport access vlan 999
 switchport mode access
 speed 100
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
 description mirror port for 1/0/1
 switchport access vlan 999
 switchport mode access
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9

xxxxxxxlots of empty interfaces....
!
interface GigabitEthernet1/1/4
!
interface Vlan1
 no ip address
 shutdown
!
ip default-gateway 192.168.77.1
no ip http server
ip http authentication local
ip http secure-server
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.168.77.1
!
!
logging facility local0
logging host 192.168.77.246
no cdp run
no cdp tlv location
no cdp tlv app
!
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input ssh
line vty 5
 transport input ssh
line vty 6 15
!
!
monitor session 7 source interface Gi1/0/1
monitor session 7 destination interface Gi1/0/7
ntp server 0.pool.ntp.org source GigabitEthernet0/0
wsma agent exec
 profile httplistener
 profile httpslistener
wsma agent config
 profile httplistener
 profile httpslistener
wsma agent filesys
 profile httplistener
 profile httpslistener
wsma agent notify
 profile httplistener
 profile httpslistener
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
ap group default-group
end

External-Switch#  
External-Switch#
External-Switch#

5 Replies

Reza Sharifi
Hall of Fame

Your config looks correct.

Question, why do you have

ip default-gateway 192.168.77.1

command in addition to the default route in the mgmt vrf?

you only need

ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.168.77.1

since the switch is layer-2

HTH

I saw both methods of supplying default gateway info, and I was starting to grasp at straws to get this to work.

DNS won't work unless I have "ip default-gateway" defined. I've tried NTP with and without that config item, and still no dice on NTP. Oddly enough it shows I can't get a MAC for my default gateway:

Protocol  Address       Age (min)  Hardware Addr  Type  Interface
Internet  192.168.77.1  0          Incomplete     ARPA

This gi0/0 for management is magic! I just verified that I'm seeing syslog from this switch, but I have no MAC addresses in the ARP table. My syslog server is on the same layer-3 network as my mgmt interface, but yet I can't ping it (but syslog makes it just fine). SSH is also listening on this port just fine & I can SSH just fine.

Are we sure there's not some addn'l ACL that I have to adjust, to allow NTP traffic to exit this interface?

I liked the idea of the mgmt interface being separated from all the other traffic on the switch, but I guess if I need to, I'll have to create a "vlan 77" *interface* on the switch, and manage it that way....

johncheung09
Level 1

Hi abatson,

The NTP server configuration should be as below if going via the management port:

Switch(config)# ntp server vrf Mgmt-vrf <IP Address>

If using an FQDN, define the DNS server as:

Switch(config)# ip name-server vrf Mgmt-vrf <DNS server IP Address>

then:

Switch(config)# ntp server vrf Mgmt-vrf <FQDN>

Regards,

John Cheung
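A config lint for the mismatch described in the reply above, added here as an example for this thread; it is not Cisco code and not something either poster ran. Given the text of a "show run", it finds "ntp server" lines whose "source" interface sits in a VRF but which lack the "vrf" keyword, and, when such a server is named by hostname rather than address, also flags an "ip name-server" line that lacks "vrf". It then emits the corrected lines in the form given above. The embedded config is a trimmed copy of the one posted at the top of the thread; the DNS server address, which was redacted in the post, is replaced by the documentation address 192.0.2.53 (an assumption). "logging host" is deliberately not checked, since the poster reports syslog already reaching the collector.

```python
"""Lint an IOS/IOS-XE running-config for NTP and DNS lines that are bound to
a management VRF interface but configured without the 'vrf' keyword.
Added example for this thread, not Cisco code. SAMPLE_CONFIG is a trimmed
copy of the posted 'show run'; 192.0.2.53 stands in for the redacted DNS
server (assumption)."""

from __future__ import annotations

import ipaddress
from dataclasses import dataclass

SAMPLE_CONFIG = """\
vrf definition Mgmt-vrf
!
ip domain-name nowhere.com
ip name-server 192.0.2.53
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.168.77.250 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.168.77.1
logging host 192.168.77.246
ntp server 0.pool.ntp.org source GigabitEthernet0/0
"""


@dataclass(frozen=True)
class Finding:
    line: str     # offending line, exactly as written in the config
    problem: str  # why it will not work from the management VRF
    fix: str      # the same line with the vrf keyword added


def parse_interface_vrfs(config: str) -> dict[str, str]:
    """Map interface name -> VRF for every interface block carrying
    'vrf forwarding X' (IOS-XE) or 'ip vrf forwarding X' (older IOS)."""
    vrfs: dict[str, str] = {}
    current: str | None = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(maxsplit=1)[1].strip()
        elif not raw.startswith(" "):
            current = None  # any unindented line ends the interface block
        elif current is not None:
            body = raw.strip()
            if body.startswith(("vrf forwarding ", "ip vrf forwarding ")):
                vrfs[current] = body.split()[-1]
    return vrfs


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def lint(config: str) -> list[Finding]:
    """Flag VRF-unaware 'ntp server' lines sourced from a VRF interface, and
    the VRF-unaware 'ip name-server' lines their hostnames would need."""
    vrfs = parse_interface_vrfs(config)
    lines = config.splitlines()
    findings: list[Finding] = []
    dns_vrfs_needed: set[str] = set()

    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["ntp", "server"] or "vrf" in tokens:
            continue
        # ntp server <host> [version n] [key k] [source <intf>] [prefer]
        host = tokens[2]
        if "source" not in tokens:
            continue  # without a source interface the VRF cannot be inferred
        source = tokens[tokens.index("source") + 1]
        vrf = vrfs.get(source)
        if vrf is None:
            continue  # global-table interface; nothing to fix
        findings.append(Finding(
            line,
            f"source {source} is in VRF {vrf}, but without 'vrf {vrf}' the "
            f"server is resolved and polled via the global table, so "
            f"'show ntp assoc' stays in INIT",
            f"ntp server vrf {vrf} " + " ".join(tokens[2:]),
        ))
        if not _is_ip(host):
            dns_vrfs_needed.add(vrf)  # the hostname must resolve inside that VRF

    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["ip", "name-server"] or "vrf" in tokens:
            continue
        for vrf in sorted(dns_vrfs_needed):
            findings.append(Finding(
                line,
                f"an NTP server hostname must be resolved inside VRF {vrf}, "
                f"but this resolver is only configured for the global table",
                f"ip name-server vrf {vrf} " + " ".join(tokens[2:]),
            ))
    return findings


def remediate(config: str) -> str:
    """Return the config with every flagged line replaced by its fix."""
    fixes = {f.line: f.fix for f in lint(config)}
    return "\n".join(fixes.get(line, line) for line in config.splitlines()) + "\n"
```

Run `lint()` over a saved "show run" and apply the `fix` lines by hand; `remediate()` does the substitution textually and is there mainly so that a second pass over its output comes back clean. An "ntp server" line with no "source" keyword is left alone, because the parser cannot tell from the config alone which VRF the switch would use for it.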
