WS-C3560X-24T-S management interface configuration

rooki3
Level 1

Hello everyone,

 

I have a question regarding the management interface config of the switch below:

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 30    WS-C3560X-24       15.0(2)SE             C3560E-IPBASEK9-M

 

License applied:

#sh license
Index 1 Feature: ipservices
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Priority: Medium
License Count: Non-Counted

 

I am trying to configure the management interface (fa0/0). Below is the IP config. It is a unique IP and plugs into a physically isolated network (OOB network). On the other end is an L3 Meraki switch.

 

interface FastEthernet0
ip address 192.168.222.68 255.255.255.240
no ip route-cache
end

 

The interface is up, but I am not able to ping from the L3 Meraki switch to this port.

 

Can I configure this with the current image and license I have on the switch? Or do I need to use VRF (I have used this on other Cisco switches)?

Am I missing anything on the switch?

NOTE: IP routing is not enabled on the above switch.

 

Kindly let me know if you require further details.

 

16 Replies

balaji.bandi
Hall of Fame

What is the Meraki L3 switch IP? From this switch, are you able to ping the Meraki IP address?

Can you post from this switch:

show ip arp
show interface fa0

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

Thank you for the response. 

 

I would like to correct myself.

The Meraki L3 switch is at 192.168.222.65. I am able to ping the Meraki L3 interface from the Catalyst switch C3560-X and vice versa.

However, SSH is not working on the port, meaning I can get into the OOB network (192.168.222.64/28) but am unable to SSH into the port.

The inbound management (management VLAN) is set up for SSH and working fine. SSH is set up and using SSH v2; no ROUTING is enabled on this Catalyst switch. Would this be required?

 

As requested:

#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.222.65         18   e055.3d31.34e0  ARPA   FastEthernet0
Internet  192.168.222.68          -   a493.4ca4.1439  ARPA   FastEthernet0

#sh int fa0
interface FastEthernet0
ip address 192.168.222.68 255.255.255.240
no ip route-cache
end

 

Post the configuration of the 3560. Where you SSH from the Meraki or from outside the subnet, you need to add a default gateway to the switch.

BB


Here is the SSH config on the switch:

aaa authentication login VTY_AUTHEN local group RADIUS_SERVERS
aaa authorization exec VTY_AUTHOR local group RADIUS_SERVERS if-authenticated

line vty 0 4
authorization exec VTY_AUTHOR
login authentication VTY_AUTHEN
transport input ssh
line vty 5 15

 

There is a default gateway on the switch which is for the production network; basically it is the gateway of the production management network:

ip default-gateway 172.x.x.1

I am SSHing from outside the subnet, having access to 192.168.222.64/28.

 

Based on my reading, it said the management interface is a Layer 3 port and may not understand a default gateway; please correct me if I am wrong.

If the switch is only layer-2 and there is no IP in the 172.x.x.1 range on the switch, then you don't need the default gateway. You can simply remove it:

no ip default-gateway 172.x.x.1

Now, you need a default gateway towards the OOB switch:

ip default-gateway 192.168.222.x

x is whatever the IP address of the OOB switch is.

With this command, you now should be able to get to the switch from an outside subnet.

Also, interface fa0/0 is a dedicated interface (layer-3) only used for out-of-band management.

HTH

 

The switch is a layer 3 switch, but it is currently used as layer 2 with 'no ip route'.

However, there is a traditional management interface set up on the switch: an SVI interface with an IP 172.x.x.x (management IP of the switch for inbound mgmt) and then a trunk to the core switch with the management VLAN as native VLAN on the trunk.

Core switch--Trunk (native vlan mgmt)-->C3560X---Mgmt port (192.168.222.68)--->L3 Meraki switch

So the 172.x.x.x network is used for inbound mgmt of the switch, and I am planning to reach 192.168.222.68 as OOB.

Also, an important note in case you missed it in my previous comments: the link is up between the management port and the Meraki switch. I can successfully ping from both ends. But SSH is timing out; however, SSH is successful on 172.x.x.x (inbound mgmt IP for the switch).

Ping is also successful from outside the OOB subnet, as there is proper routing in place to reach the OOB network.

"However, there is a traditional management interface set up on the switch: an SVI interface with an IP 172.x.x.x (management IP of the switch for inbound mgmt) and then a trunk to the core switch with the management VLAN as native VLAN on the trunk."

OK, so if you already have inband management using the 172.x.x.x segment, why do you need to have out-of-band management on the same switch? You really need one or the other. The problem with having 2 management subnets is that you can only have one default gateway and not 2. The other issue with the older switches like the 3560X is that the out-of-band management port is not located in a VRF, and so you can only have one default route or default gateway. Most newer switch models have a VRF for the out-of-band management port, and so you can have a default gateway on the global routing table and one in the management VRF.

HTH
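As an added illustration (not from the thread, the poster, or Cisco), here is the forwarding decision a layer-2-only IOS switch makes when it has a single ip default-gateway, modelled in Python. The 172.16.10.0/24 SVI and the 10.0.0.5 client are constructed placeholders for the poster's 172.x.x.x and outside networks; the model only shows which interface and next hop the switch picks for its replies, not whether the far side routes them back.

```python
import ipaddress

# Constructed model of the thread's switch: a 3560X running "no ip routing"
# with one SVI on the production management VLAN and the dedicated
# FastEthernet0 out-of-band port. 172.16.10.0/24 and 10.0.0.5 are constructed
# placeholders for the poster's 172.x.x.x and outside-client networks.
INTERFACES = {
    "Vlan100": ipaddress.ip_interface("172.16.10.8/24"),           # constructed SVI
    "FastEthernet0": ipaddress.ip_interface("192.168.222.68/28"),  # OOB port from the thread
}


def egress(dst, default_gateway, interfaces=INTERFACES):
    """Return (interface, next_hop) a layer-2-only IOS switch uses to reach dst.

    Without "ip routing" there is no routing table: a destination inside a
    connected subnet is sent to it directly; everything else is handed to the
    single "ip default-gateway", which must itself sit in a connected subnet.
    """
    dst_ip = ipaddress.ip_address(dst)
    for name, ifc in interfaces.items():
        if dst_ip in ifc.network:
            return name, str(dst_ip)
    gw = ipaddress.ip_address(default_gateway)
    for name, ifc in interfaces.items():
        if gw in ifc.network:
            return name, str(gw)
    return None, None  # gateway not on any connected subnet: nothing can be sent


def ssh_reply_symmetric(client, ingress_interface, default_gateway):
    """True when SSH replies to client leave via the interface the session came in on."""
    out_if, _ = egress(client, default_gateway)
    return out_if == ingress_interface


if __name__ == "__main__":
    # SSH client outside both subnets, arriving through the Meraki on fa0.
    client = "10.0.0.5"
    for gw in ("172.16.10.1", "192.168.222.65"):
        print(gw, egress(client, gw), ssh_reply_symmetric(client, "FastEthernet0", gw))
```

With the gateway at 172.16.10.1 the session arriving on fa0 is answered out of the production SVI, which is the "one or the other" problem described above; with the gateway moved to 192.168.222.65 the same happens in reverse for off-subnet 172.16 sources.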

Thank you for the prompt response.

The purpose of another management is for OOB and a way to get into the network if production fails. As you said, I will try it by changing the default gateway to '192.168.222.65'. Can I try this method?

- enable ip routing
- ip route 0.0.0.0 0.0.0.0 172.x.x.1
- default gateway 192.168.222.65

This way I have a route to 172.x.x.1 and switch traffic defaults to 192.168.222.65.

I see, so you mean to say I won't be able to use this switch even with VRF because it is not enabled on the management port, unlike the newer switches.
I do have the VRF set up that you mentioned on other switches. I was thinking that I am not seeing this on the mentioned model because it may not have the proper image to support that, so just to confirm: the VRF method will not be possible on this switch model irrespective of the switch image?

"The purpose of another management is for OOB and a way to get into the network if production fails. As you said, I will try it by changing the default gateway to '192.168.222.65'. Can I try this method?

- enable ip routing
- ip route 0.0.0.0 0.0.0.0 172.x.x.1
- default gateway 192.168.222.65"

No, they are both using the global routing table. You will see a loop. On a layer-2 switch, all you need is a default-gateway command.

 

"...model because it may not have the proper image to support that, so just to confirm: the VRF method will not be possible on this switch model irrespective of the switch image?"

That is correct. The 3560X series switches do not support VRF for the management interface.

HTH

Thank you for all the help and guidance with this.

So I believe I will have to settle for one type of management in that case.

One question I have is, if we set the default gateway to 192.168.222.x, will the switch still know where to send the packets for 172.16.x.x (production network)? There is an outgoing trunk from this switch to the core switch with allowed VLANs on production, which are all 172.16.x.x subnets.

"One question I have is, if we set the default gateway to 192.168.222.x, will the switch still know where to send the packets for 172.16.x.x (production network)? There is an outgoing trunk from this switch to the core switch with allowed VLANs on production, which are all 172.16.x.x subnets."

Correct. When a switch is deployed as layer-2 (which is the case for you), all you need is a management address and a default gateway so you can reach it from other subnets. Regarding the production subnet (172.16.x.x), the only thing you need on that switch is the layer-2 VLAN associated with this subnet, which is most likely configured on the trunk ports as well as the access ports facing the end devices. You DO NOT need any layer-3 IP for the 172.16.x.x subnet on this switch if you want to use 192.168.222.x as your management address. You just use one or the other.

HTH

ip default-gateway 172.x.x.1 (192.168.222.X) - this should change to your subnet; maybe pointing it towards the Meraki should work as expected.

Hopefully the Meraki IP is able to reach other parts of the network?

 

 

BB


The Meraki is able to reach the ethernet management port of the switch (192.168.222.68) both ways.
But we may need 172.x.x.1 as the default for the inbound mgmt VLAN to work right, as 172.x.x.8 is an IP of an SVI on this switch.

Add a default gateway towards 192.168.222.65:

ip default-gateway 192.168.222.65 (towards the Meraki, so this is the only exit point)

Try from another network IP address and let us know.

Make sure from the switch you are able to ping the 172.X.X.X IP too.

 

 

BB
