05-09-2013 02:28 PM - edited 03-07-2019 01:16 PM
I have some switches on VLAN 1 SVIs on 2960 switches. These were deployed a few months back and now I have to make them manageable with a management network.
I was always under the assumption that 2960s (layer 2) could only have 1 SVI. I now have two on each switch: vlan 1 and vlan 50. I created the vlan 50 SVI with a management IP address. I then change the default gateway from a vlan 1 gateway to a management network gateway, which is a 3560 with IP routing enabled that has an SVI of vlan 50 with a .1 address. I then enter interface vlan 1 and remove the IP. I lose connection at this point, but go to the 3560 and am able to ping the new vlan 50 IP address on the 2960, but can't telnet to it. I get this error:
3560-Routing#telnet 10.170.50.11
Trying 10.170.50.11 ...
% Destination unreachable; gateway or host down
Ideas? Does anyone have a good way to complete this task remotely without losing connection? I always set reload timers in case.
05-09-2013 02:55 PM
Your approach, in general, sounds good to me. I am also under the impression that a layer 2 switch should have only one active SVI at a time. So I am a bit puzzled why this did not work. And even more puzzled why you can telnet to the switch but cannot telnet to it.
So my first question is to verify that telnet to the switch worked up to the time that you made this change. (Is it possible that SSH would work and telnet is not enabled on the switch?)
My second question is whether there were any access restrictions on the remote switch (access-class, etc.) that restrict management access by address?
HTH
Rick
05-09-2013 02:55 PM
Can you post the 2960 config?
05-09-2013 03:07 PM
User Access Verification
Password:
idf-1-switch-2>en
Password:
idf-1-switch-2#show run
Building configuration...
Current configuration : 6024 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname idf-1-switch-2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$WOay$60HZte0nWLrLYHrwAw48i.
enable password letmeout
!
!
!
no aaa new-model
switch 1 provision ws-c2960s-24ps-l
!
!
!
!
crypto pki trustpoint TP-self-signed-3231428480
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3231428480
revocation-check none
rsakeypair TP-self-signed-3231428480
!
!
crypto pki certificate chain TP-self-signed-3231428480
certificate self-signed 01
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
lldp run
!
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/5
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/6
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/7
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/8
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/9
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/10
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/11
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/12
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/13
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/14
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/15
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/16
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/17
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/18
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/19
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/20
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/21
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/22
switchport mode access
switchport voice vlan 30
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/23
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/24
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/25
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/26
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/27
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/28
switchport mode trunk
switchport nonegotiate
!
interface Vlan1
ip address 10.70.30.51 255.255.255.0
!
interface Vlan50
ip address 10.175.50.11 255.255.255.0
!
ip default-gateway 10.70.30.45
ip http server
ip http secure-server
!
line con 0
exec-timeout 0 0
line vty 0 4
password ********
login
line vty 5 15
password ********
login
!
end
idf-1-switch-2#
At this point I am telnetted into 10.70.30.51. So I change the default gateway to 10.175.50.1, then enter interface vlan 1 and enter no ip address.
I lose connection, head over to the 3560 (10.175.50.1) and ping 10.175.50.11, then I attempt the telnet session and get that error that I posted.
05-09-2013 03:20 PM
The first thing that I notice is that you are creating interface vlan 50 but vlan 50 is not created on the switch and there are no ports assigned to vlan 50.
I wonder if it is possible that 10.70.50.11 exists somewhere else in the network? If you look on the 3560 and do sho arp and look for the MAC address associated with 10.70.50.11 I wonder if that MAC address is on your problem switch?
HTH
Rick
05-09-2013 05:29 PM
Running config is not going to show what vlans are created. VLAN 50 is created and exists in the show vlan brief. There are no ports assigned to this vlan because it is for management. The show int trunk command shows this vlan is carrying over the links.
I didn't try to clear the ARP... good thought. I will try that tomorrow.
05-09-2013 06:54 PM
A few questions:
Before you make any changes, are you using telnet from the 3560 (10.175.50.1) or from a different device?
After you configured vlan 50, what is the interface status (sh int vlan50)?
Do you have an "ip telnet source-interface" configured on the 3560 that might be trying to make the connection from a different vlan?
Apart from that, on the line vty 0 4, add the "transport input telnet ssh" command.
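A pre-change sanity check for the management-SVI migration discussed in this thread, as an added example that is not part of any poster's message. It parses a running-config and reports whether the new default gateway sits on an SVI subnet, whether the address being connected to is actually configured on an SVI, and which vty lines lack an explicit transport; the `audit` function and the sample excerpt are constructed here, and the gateway and target addresses are supplied by the caller.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted running-config (secrets replaced by placeholders).
SAMPLE_CONFIG = """\
enable secret 5 <hash-placeholder>
enable password <plaintext-placeholder>
interface Vlan1
ip address 10.70.30.51 255.255.255.0
!
interface Vlan50
ip address 10.175.50.11 255.255.255.0
!
ip default-gateway 10.70.30.45
ip http server
line vty 0 4
login
line vty 5 15
login
"""

def audit(config, new_gateway, mgmt_target):
    """Hypothetical pre-change check: return a list of finding strings."""
    svis, vty, findings, section = {}, {}, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith(("interface ", "line ")):
            section = line                      # entering a sub-mode
            if line.startswith("line vty"):
                vty[line] = False               # no 'transport input' seen yet
        elif line in ("!", "end"):
            section = None
        elif section and section.startswith("interface Vlan"):
            m = re.fullmatch(r"ip address (\S+) (\S+)", line)
            if m:
                svis[section.split()[1]] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif section in vty and line.startswith("transport input"):
            vty[section] = True
        elif line.startswith("enable password"):
            findings.append("'enable password' is set (weaker than 'enable secret')")
        elif line == "ip http server":
            findings.append("unencrypted HTTP management server enabled")
    gw, target = ipaddress.ip_address(new_gateway), ipaddress.ip_address(mgmt_target)
    if not any(gw in i.network for i in svis.values()):
        findings.append(f"gateway {gw} is not on any SVI subnet")
    if not any(target == i.ip for i in svis.values()):
        findings.append(f"target {target} is not configured on any SVI")
    findings += [f"'{name}' has no explicit 'transport input'"
                 for name, ok in vty.items() if not ok]
    return findings
```
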