06-21-2016 07:13 AM - edited 03-08-2019 06:17 AM
Hi,
I just recently deployed a couple of Cisco Catalyst 3850s. Those switches are purely Layer 2 only.
I have configured an interface vlan on each and every switch to serve as its management IP address. I have used both the ip default-gateway command and a default route pointing to the management vlan gateway (which happens to be at the core switch).
The odd thing is, after some time (maybe when the ARP ages out or the MAC address times out) I cannot access the switch remotely or ping it from my workstation. I need to log in on the core switch again and from there ping the IP address of the access switch to gain remote access again.
Hope you can help me out on this one. I have already checked the status of the management vlan and it is active throughout.
Thanks!
Accepted Solutions
06-21-2016 08:01 AM
Hi, I haven't actually changed a MAC/IP I was coming in over in a remote terminal session. I would do it on console only, just in case, but if you can't and can have a planned window, you could try to change it remotely, but first set reload in 5, so if it does lock you out the switch will reload and bring it back online. I would change it by console though. It may just lock you out for a minute while the table updates from dynamic to static for that MAC and then resolves to ARP.
Another thing: instead of setting static remotely, in case it locks you out, increase the aging timer locally for just that VLAN in the MAC table so it's not timing out, to rule it out as an issue:
mac address-table aging-time xxxx vlan 1
First, on the layer 3 core though, you could also do a static ARP if that's local access to you; see if that helps.
For example, to allow ARP responses from the router at 10.1.1.1 with the MAC address 00.02.9a.3b.94.d9, enter the following command:
host1/Admin(config)# arp 10.1.1.1 00.02.9a.3b.94.d9
06-21-2016 07:25 AM
Hi
You should only require the default-gateway if it's pure layer 2. Have you tried to set a static MAC and ARP for the mgmt IPs to stop it timing out? Maybe a temp fix for the issue; it shouldn't really be happening though. When it goes like that, I would console into the local switch you can't access and see what the ARP table and MAC table are showing. Does anything appear in the logs to indicate a problem?
If they're all new, are they all running the same IOS-XE version? Could be a bug. You could upgrade one of them and see if it resolves the issue for one of the switches.
Check STP and show int trunk; make sure everything is allowed.
06-21-2016 07:32 AM
Hi Mark,
Management vlans are allowed on the trunk (they are on the native vlan). I have also verified that the STP ports are in forwarding state. Unfortunately I can't have console access anymore since those switches are in a remote location. Regarding the static MAC, if ever I have configured them, will I get disconnected?
Thanks!
06-21-2016 08:01 AM
Hello
"I have used both ip default-gateway command and default route pointing to the management vlan gateway"
On these layer 2 switches, disable ip routing and, as Mark stated, use default-gateway instead.
Also do you have:
- All your defined vlans propagated on all switches?
- VTP pruning enabled, or are you manually pruning?
- Is the core switch the STP root?
res
Paul
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
06-21-2016 08:06 AM
Hi Paul,
I originally set up the ip default-gateway command before but it does not solve the issue I am experiencing. That's why I decided to add a default route and see if it would resolve the issue, but unfortunately it did not.
All vlans are propagated and I am not doing any pruning at all on the trunk interfaces.
I also did check the vlans active on the trunk and the management IP is included.
Yes, the core switch is the STP root for everything.
Thanks!
06-22-2016 07:15 AM
Hi Everyone,
This seems to be working now.
The workaround that I use is to set the ARP timeout to be the same as the MAC aging time.
Thanks!
06-22-2016 07:17 AM
Ah very good and thanks for letting us know
