The 3550 is the core switch and is doing all of the routing for all of our subnets and VLANs.

Oh, one more thing I did in the 2911 was attempt to put in static routes for the 10.200.1.xxx subnet, pointing both to the 3750-X stack and the 3550 as gateways, and a static route to the 10.6.6.xxx subnet.  Neither helped.

This is what "show ip route" shows when both interfaces are up:

Gateway of last resort is 10.6.6.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 10.6.6.1
      10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
S        10.3.3.200/32 [254/0] via 10.6.6.1, GigabitEthernet0/1
C        10.6.6.0/23 is directly connected, GigabitEthernet0/1
L        10.6.7.214/32 is directly connected, GigabitEthernet0/1
C        10.200.1.0/24 is directly connected, GigabitEthernet0/2
L        10.200.1.250/32 is directly connected, GigabitEthernet0/2

After I take away the IP on G0/1, this is what "Show ip route" shows:

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.200.1.0/24 is directly connected, GigabitEthernet0/2
L        10.200.1.250/32 is directly connected, GigabitEthernet0/2

In the router config, I've put this in to try to address the issue:

ip route 10.6.6.0 255.255.254.0 10.6.6.1
ip route 10.200.1.0 255.255.255.0 10.200.1.11

but it doesn't appear to be working as intended.

If you go into config mode on the router will it take this command -

router(config)# ip vrf <name>  <-- name being whatever you want

Jon

Yes, it seemed to.  No errors.

That's good, it means we can put your management interface in it's own VRF which means we can use a default route for the gi0/1 interface that is not dependant on the main routing table.

If you already have a default route in the routing table then it does not matter, this new one is in it's own virtual routing table so they do not conflict.

So if it took that can you try add this -

router(config)# ip route vrf <name> 0.0.0.0 0.0.0.0 10.200.1.11

i'm assuming 10.200.1.11 is the SVI IP address on your 3550.

Also make sure you include the vrf part when you add the route otherwise it will be added to the global routing table and you don't want that.

If I takes that then do -

1) "sh ip route vrf <name>"  and you should see it there.

2)  then try pinging a vlan 6 IP address with this command -

"ping vrf <name> <IP address>"

if all that works then try shutting down the gi0/0 interface and see if you can still access your router.

Any problems let me know and if you want an explanation of how it works no problem but first lets just see if it works.

Jon

OK, everything seems to be working on G0/2, although I currently have G0/1 still on DHCP so I can get into it remotely.  I'll get rid of the IP there....

OK, the IP on G0/1 is gone and I still have connectivity on the VLAN 1001 address.  I can also ping it from my desktop still.

Can you explain why I had to go through this rigamaroll to make this work and it wasn't as straightforward as I thought?

Absolutely fascinating.  Thanks for the help!

One quick follow-up question.  I want to use this interface on G0/2 as the source of RADIUS authentication on the router.  I've put in an "ip radius source-interface GigabitEthernet 0/2" in, but it's not working.  Because of this VRF that you had me create, is there something else I have to do to make RADIUS work properly?

Because of this VRF that you had me create

To be fair I was simply trying to help you fix your problem. You make it sound as if I deliberately tried to make your life harder.

In terms of radius can you try this -

"ip radius source-interface gi0/2 vrf <name>"

if that doesn't work then it gets a bit more complicated.

Jon

Apologies for the tone, I was not trying to come across like that.  I should have said "suggested I create" instead.

I've put in the "ip radius source-interface" line, but it's still not authenticating.

Am I trying to do something that isn't recommended?  Should I just reset the configuration on the router and once we get the MPLS working through it, revisit this?

No problem, I've had a long day so I probably just took it the wrong way.

It's not that it isn't recommended it's just that if that didn't work the only way I know is to place the aaa configuration into the VRF but I have never used that method and i'm not sure whether you need to do something on your AAA server.

Is it TACACS authentication you want to or actually RADIUS ?

And is it only going to be used for accessing the router ?

An alternative may be to just leave in the global routing table and see if we can add routes.

I don't have an AAA sever but I can do a quick test adding routes to the global routing table.

You use 10.6.6.0/23 for your internal range.

Is 10.6.4.x - 10.6.5.x used anywhere else in your network ?

I am just trying to find a summary address I can use.

In answer to your last question, yes revert back to what you had before and i'll do some quick tests to see if I can get it working.

Oh by the way, when you remove the vrf from the interface it will remove the IP again so you will, yet again, have to type it back in.

Jon

RADIUS will just be used for accessing the router via SSH.  We have all our switches set up this way as well.  Makes it easier to remember and consistent.

10.6.4.x - 10.6.5.x is not in use anywhere that I know of.

Thanks for the help!

Okay, you can officially have a go at me now :-)

There is a much easier way to do it but in my defence a VRF is a recommended way to isolate the management interface.

Just add this to your router -

ip route 10.6.6.0 255.255.254.0 10.200.1.11

basically your router has a directly connected interface in the 10.6.6.x network so that has an AD of 0.

If you type the above route in because it is a static it has an AD of 1 so it is not put into the routing table.

Unless gi0/0 fails then it is.

If you want to make it obvious to anyone looking at the configuration that this is not meant to be in the routing table under normal use then add a number between 2 and 254 at the end of the route as above.

This is the AD and it would make it obvious to anyone else looking it was a floating static.

The alternative is to enter a summary route eg.

ip route 10.6.4.0 255.255.252.0 10.200.1.11

without an AD number at the end.

This would be entered into the routing table even if gi0/0 was up because it does not match the subnet mask used for the directly connected interface.

Either will work and traffic should still pass when only gi0/1 is up.

So yes, sorry for all the messing about.

Jon