We have a pair of 6800 switches in our core (VSS) and lots of edge switches hanging off them. We have a management vlan on each edge switch which works fine on two other sites (6509E in the core), but the site with 6800s doesn't always work.
On some edge switches, the SVI will be UP/UP but you can't ping out from the console or SSH into it (the data and voice vlans work fine though). However, if you add another SVI, it will then work.
Edge switches are typically 3750s, but it happened today on a stack of 9200Ls as well. Edge switches are linked on etherchannels to the core.
The management vlan is trunked out on all uplinks, and CDP neighbours works fine.
Has anyone seen this behaviour before?
So, the management is in-band, by using a separate vlan across all switches trunked to the 6800 core? Can you provide a sample config from an edge switch, the trunk, and also the SVI on the core switches?
I've attached some sanitised config from the edge and core.
In the edge switch there is the second SVI (VL40) I added, but normally we do not need that. We have a handful of switch stacks with this problem; other stacks on the same site work fine. The core switch has lots of vlans with SVIs, and these are the default gateways for the edge switches.
e.g. Core: vlan 40 = 10.172.40.1
edge: default GW = 10.172.40.1
6800 ver is: s6t64-ipservicesk9-mz.SPA.155-1.SY1
The config for the management vlan/subnet looks fine. Question, why do you have helper addresses on the management vlan?
ip helper-address 10.172.x.x
ip helper-address 10.172.x.x
The helper is to our DHCP servers, and/or to our PXE boot server.
To add a bit more info. If I shut down vlan 40 on the edge switch, then I lose the connection.
When you say "If I shut down vlan 40 on the edge switch, then I lose the connection", can you explain what you mean?
Obviously, if you are connected to an edge switch using the management IP and if you delete VLAN 40, then you would lose your connection as that is the only vlan/ip configured on that edge switch.
Vlan 40 should only be used for management and not data or voice traffic. Vlan 40 SVI should not need any helper-address as it is not a voice or data vlan.
The issue is that you have vlan 2 (subnet 10.172.51.192/26) configured on the access switch as the management vlan, but the gateway on that same switch is pointing to the vlan 40 gateway, which is 10.172.40.1.
So, in order to fix this issue, you need to change the gateway on the edge switches to the ip address of the management subnet which is 10.172.51.193.
Once you make this change on the edge switches, the problem should be fixed. After that, just delete the vlan 40 IP address and SVI from all the
no ip default-gateway 10.172.40.1
ip default-gateway 10.172.51.193
You would need to make this change from a console port.
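A quick way to catch the mismatch described in this post, as an added example that is not from the thread: a small Python check that parses the SVI addresses and the ip default-gateway out of an edge-switch config and flags a gateway that is not on any SVI subnet. The config text below is constructed to mirror the thread's vlan 2 / vlan 40 situation; the function names are my own.

```python
import ipaddress
import re

# Constructed sample resembling the thread's edge-switch config: the
# management SVI lives in VLAN 2 (10.172.51.192/26) but ip default-gateway
# points at the VLAN 40 gateway, which is not on any local SVI subnet.
SAMPLE_CONFIG = """\
interface Vlan2
 ip address 10.172.51.200 255.255.255.192
 no ip route-cache
!
ip default-gateway 10.172.40.1
"""


def parse_svis(config):
    """Return {svi_name: IPv4Interface} for every SVI that has an address."""
    svis = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (Vlan\d+)\s*$", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None          # left the interface stanza ('!' or top-level cmd)
            continue
        m = re.match(r"^\s+ip address (\S+) (\S+)", line)
        if m and current:
            svis[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return svis


def parse_default_gateway(config):
    """Return the ip default-gateway address, or None if not configured."""
    m = re.search(r"^ip default-gateway (\S+)", config, re.M)
    return ipaddress.IPv4Address(m.group(1)) if m else None


def check_default_gateway(config):
    """Return (ok, message); ok is True only if the gateway sits on an SVI subnet."""
    svis = parse_svis(config)
    gw = parse_default_gateway(config)
    if gw is None:
        return False, "no ip default-gateway configured"
    for name, iface in svis.items():
        if gw in iface.network:
            return True, f"gateway {gw} is reachable via {name} ({iface.network})"
    nets = ", ".join(f"{n} {i.network}" for n, i in svis.items())
    return False, f"gateway {gw} is not on any SVI subnet ({nets})"
```

Run it against a `show running-config` capture; a False result is exactly the "SVI is up but nothing routes off-subnet" symptom the thread describes, and it goes green once the gateway is changed to 10.172.51.193.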
Thanks, I'll make this change tomorrow, but on our other two sites (with 6509e) we have the same set up, and it works fine. Maybe it's working by luck!
Check your control plane policing, and remove the specified acls from your vty lines as they don't exist.
show policy-map control-plane
show control-plane host open-ports