Two X440 stacked random access to management

Patrick Voss 09-01-2017 11:25

Magnus Isaksson 09-01-2017 13:05

  • 1.  Two X440 stacked random access to management

    Posted 09-01-2017 11:11
    Hello

    I'm quite new to Extreme and still have limited knowledge of XOS.

    But the story is that I have replaced our core router (X440-24t) with two "new" X440-24t in a stack.
    Firmware version 16.2.2.4 as Extreme recommends for the X440.
    I have copied most of the configuration from the old one.

    Management port connected with cable to switch port 1:1 with untagged VLAN401

    I did run the stack config-guide-thingie and it went wonderfully, and at the lab where I set them up it worked perfectly.
    I have set them to act as router for 3 IP ranges.
    But when I moved the switches to the server room I began to get random access to the mgmt interface. Though all traffic to and from the configured VLANs is working perfectly.

    After a lot of troubleshooting I noticed that I can access the mgmt-cli via our external IPs that I have configured in the switch. I thought this was not possible after reading a lot on vr-mgmt access.
    I also have random access for outgoing traffic from vr-mgmt to any; basically, e.g. pinging Google works sometimes but most of the time it does not.

    But when I access SSH through our external IP I get no errors or disconnects from the CLI as I do when connected through the internal IP I have set up on the mgmt VLAN.
    I can access the mgmt-cli through any of the VLAN105X IP addresses.

    Now, what have I done wrong?

    Config:
    configure vlan default delete ports all
    configure vr VR-Default delete ports 1:1-24,2:1-24
    configure vr VR-Default add ports 1:1-24,2:1-24
    configure vlan default delete ports 1:1-24,2:1-24
    enable jumbo-frame ports all
    configure vman ethertype 0x8100 secondary
    configure iproute add default 172.16.254.1 vr VR-Mgmt
    configure iproute add default xx.xxx.88.93
    configure vlan Mgmt ipaddress 172.16.254.254 255.255.255.0
    configure vlan WAN ipaddress xx.xxx.88.94 255.255.255.252
    enable ipforwarding vlan WAN
    configure vlan VLAN1052 ipaddress xx.xxx.60.193 255.255.255.224
    enable ipforwarding vlan VLAN1052
    configure vlan VLAN1053 ipaddress xxx.xxx.115.129 255.255.255.240
    enable ipforwarding vlan VLAN1053
    configure vlan VLAN1054 ipaddress xxx.xxx.115.145 255.255.255.240
    enable ipforwarding vlan VLAN1054
    configure vlan VLAN1055 ipaddress xxx.xxx.115.161 255.255.255.224
    enable ipforwarding vlan VLAN1055

    I also noticed that when I'm doing an arping from a Linux machine I get this:

    # arping -D -I ens32 -c 6 172.16.254.254
    ARPING 172.16.254.254 from 0.0.0.0 ens32
    Unicast reply from 172.16.254.254 [00:04:96:98:04:B6] 0.904ms
    Sent 1 probes (1 broadcast(s))
    Received 1 response(s)
    # arping -I ens32 -c 2 172.16.254.254
    ARPING 172.16.254.254 from 172.16.254.41 ens32
    Unicast reply from 172.16.254.254 [02:04:96:6D:59:9B] 0.916ms
    Sent 2 probes (1 broadcast(s))
    Received 1 response(s)

    and on the switch I get this from iparp:
    # sh iparp vr "VR-Mgmt"
    VR Destination Mac Age Static VLAN VID Port
    VR-Mgmt 172.16.254.41 00:50:56:b6:ac:1e 2 NO Mgmt 4095
    Dynamic Entries : 6 Static Entries : 0
    Pending Entries : 1
    In Request : 15389 In Response : 1671
    Out Request : 30438 Out Response : 3924
    Failed Requests : 4656
    Proxy Answered : 3913
    Rx Error : 0 Dup IP Addr : 172.16.254.254
    Rejected Count : 307 Rejected IP : 172.16.254.41
    Rejected Port : Rejected I/F :
    Max ARP entries : 4096 Max ARP pending entries : 256
    ARP address check: Enabled ARP refresh : Enabled
    Timeout : 20 minutes ARP Sender-Mac Learning : Disabled
    Locktime : 1000 milliseconds
    Retransmit Time : 1000 milliseconds
    Reachable Time : 900000 milliseconds (Auto)
    Fast Convergence : Off

    I'm going mad soon 🙂


  • 2.  RE: Two X440 stacked random access to management

    Posted 09-01-2017 11:15
    In short, don't do it this way :)
    The mgmt port is for true out-of-band management and shouldn't be connected back into the same switch.

    Take a look at the discussion in this thread: https://community.extremenetworks.com/extreme/topics/recommendation-for-configuration-of-management-...


  • 3.  RE: Two X440 stacked random access to management

    Posted 09-01-2017 11:18
    Hello Magnus,

    At first glance it looks like a duplicate IP. The arping output is showing 00:04:96:98:04:B6 and 02:04:96:6D:59:9B. These are both Extreme Switches. The one starting with 02 is a stack mac address. Can you confirm what the other switch is? It may be one of the nodes in the stack. You should be able to find this with the "show stacking detail" output if you want to paste it in here.
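
The check described in this reply, as an added example that is not part of the original posts: it parses arping output, groups the replying MAC addresses by IP, and reports any IP answered by more than one MAC. `SAMPLE` is constructed from the two arping runs quoted in the first post; the function names are hypothetical, and the "locally administered" label is the standard IEEE U/L bit (0x02 in the first octet), which is why the stack MAC starts with 02.

```python
import re
from collections import defaultdict

# Constructed sample: reply lines from the two arping runs in the first post.
SAMPLE = """\
ARPING 172.16.254.254 from 0.0.0.0 ens32
Unicast reply from 172.16.254.254 [00:04:96:98:04:B6] 0.904ms
ARPING 172.16.254.254 from 172.16.254.41 ens32
Unicast reply from 172.16.254.254 [02:04:96:6D:59:9B] 0.916ms
"""

# Matches "reply from <ipv4> [<mac>]" as printed by iputils arping.
REPLY = re.compile(
    r"reply from (\d{1,3}(?:\.\d{1,3}){3}) "
    r"\[([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\]"
)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def macs_by_ip(text: str) -> dict:
    """Map each answering IP to the set of lower-cased MACs that replied."""
    seen = defaultdict(set)
    for ip, mac in REPLY.findall(text):
        seen[ip].add(mac.lower())
    return dict(seen)


def conflicts(text: str) -> dict:
    """Return only the IPs answered by more than one MAC, annotated per MAC."""
    report = {}
    for ip, macs in macs_by_ip(text).items():
        if len(macs) > 1:
            report[ip] = {
                mac: "locally administered" if is_locally_administered(mac)
                else "universal (burned-in)"
                for mac in sorted(macs)
            }
    return report


if __name__ == "__main__":
    for ip, macs in conflicts(SAMPLE).items():
        print(f"{ip} answered by {len(macs)} MACs:")
        for mac, kind in macs.items():
            print(f"  {mac}  {kind}")
```
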


  • 4.  RE: Two X440 stacked random access to management

    Posted 09-01-2017 13:05
    Thank you so much for your help!


  • 5.  RE: Two X440 stacked random access to management

    Posted 09-01-2017 11:25
    Can you send us a "show vlan" output?


  • 6.  RE: Two X440 stacked random access to management



  • 7.  RE: Two X440 stacked random access to management

    Posted 09-01-2017 11:15
    Thank you
    If I understand this correctly, I just need to set an IP on VLAN401 (it's our mgmt VLAN) and then I can manage the switch without connection to the management port?



  • 8.  RE: Two X440 stacked random access to management

    Posted 09-01-2017 11:15
    The mgmt VLAN in the switch is dedicated for the management port. It is separate to the rest of the ports and they will not mix. Any of the created VLAN IPs can be used to manage the switch.


  • 9.  RE: Two X440 stacked random access to management

    Posted 09-01-2017 11:18
    Hi

    Both MACs belong to stack-1
    # sh stacking detail
    Stacking Node 00:04:96:98:04:b6 information:
    Current:
    Stacking : Enabled
    Role : Master
    Priority : Automatic
    Slot number : 1
    Stack state : Active
    Master capable? : Yes
    Stacking protocol : Enhanced
    License level restriction :


  • 10.  RE: Two X440 stacked random access to management

    Posted 09-01-2017 11:25
    # sh vlan
    -----------------------------------------------------------------------------------------------
    Name VID Protocol Addr Flags Proto Ports Virtual
    Active router
    /Total
    -----------------------------------------------------------------------------------------------
    Default 1 ------------------------------------------------- ANY 0 /0 VR-Default
    Mgmt 4095 172.16.254.254 /24 ----------------------------- ANY 1 /1 VR-Mgmt
    MGMTVLAN 401 ------------------------------------------------- ANY 17/18 VR-Default
    VLAN100 100 ------------------------------------------------- ANY 12/12 VR-Default
    VLAN101 101 ------------------------------------------------- ANY 12/12 VR-Default
    VLAN1052 1052 xx.xxx.60.193 /27 -f--------------------------- ANY 12/12 VR-Default
    VLAN1053 1053 xxx.xxx.115.129/28 -f--------------------------- ANY 12/12 VR-Default
    VLAN1054 1054 xxx.xxx.115.145/28 -f--------------------------- ANY 13/13 VR-Default
    VLAN1055 1055 xxx.xxx.115.161/27 -f--------------------------- ANY 13/13 VR-Default
    VLAN2 2 ------------------------------------------------- ANY 12/12 VR-Default
    VLAN2000 2000 ------------------------------------------------- ANY 12/12 VR-Default
    VLAN2001 2001 ------------------------------------------------- ANY 13/13 VR-Default
    VLAN2002 2002 ------------------------------------------------- ANY 12/12 VR-Default
    VLAN203 203 ------------------------------------------------- ANY 12/12 VR-Default
    VLAN208 208 ------------------------------------------------- ANY 12/12 VR-Default
    VLAN402 402 ------------------------------------------------- ANY 12/12 VR-Default
    VLAN403 403 ------------------------------------------------- ANY 12/12 VR-Default
    VLAN504 504 ------------------------------------------------- ANY 12/12 VR-Default
    VLAN505 505 ------------------------------------------------- ANY 12/12 VR-Default
    VLAN600 600 ------------------------------------------------- ANY 12/12 VR-Default
    VLAN701 701 ------------------------------------------------- ANY 13/13 VR-Default
    VLAN702 702 ------------------------------------------------- ANY 12/12 VR-Default
    VLAN703 703 ------------------------------------------------- ANY 12/12 VR-Default
    WAN 4093 xx.xxx.88.94 /30 -f--------------------------- ANY 1 /1 VR-Default
    -----------------------------------------------------------------------------------------------
    Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN,
    (d) Dynamically created VLAN, (D) VLAN Admin Disabled,
    (e) CES Configured, (E) ESRP Enabled, (f) IP Forwarding Enabled,
    (F) Learning Disabled, (h) TRILL Enabled, (i) ISIS Enabled,
    (I) Inter-Switch Connection VLAN for MLAG, (k) PTP Configured,
    (l) MPLS Enabled, (L) Loopback Enabled, (m) IPmc Forwarding Enabled,
    (M) Translation Member VLAN or Subscriber VLAN, (n) IP Multinetting Enabled,
    (N) Network Login VLAN, (o) OSPF Enabled, (O) Flooding Disabled,
    (p) PIM Enabled, (P) EAPS protected VLAN, (r) RIP Enabled,
    (R) Sub-VLAN IP Range Configured, (s) Sub-VLAN, (S) Super-VLAN,
    (t) Translation VLAN or Network VLAN, (T) Member of STP Domain,
    (v) VRRP Enabled, (V) VPLS Enabled, (W) VPWS Enabled, (Z) OpenFlow Enabled
    Total number of VLAN(s) : 24


  • 11.  RE: Two X440 stacked random access to management

    Posted 09-01-2017 11:25
    How do you have the MGMT port physically connected? What is on the other end? Do you have both MGMT ports connected on both nodes?


  • 12.  RE: Two X440 stacked random access to management

    Posted 09-01-2017 11:25
    Yes, mgmt port is connected with a cable to port 1:1 on switch 1, but I did not do that to switch 2



  • 13.  RE: Two X440 stacked random access to management

    Posted 09-01-2017 11:25
    I think that might be your problem. The MGMT port should be used for out-of-band management, which means it needs to be connected to another switch. Considering the MAC addresses are shared, looping the port into itself can cause some confusion. Disconnect that port and try to access one of the user-created IP addresses and see if your issue goes away.


  • 14.  RE: Two X440 stacked random access to management

    Posted 09-01-2017 11:25
    I did as you suggested, added an IP on VLAN401 and disabled port 1:1
    Seems to work great now :)

    I just did as they had done on the old switch, though there was no stacking involved there.

    But the access to mgmt from all the IPs configured on the switch is to be expected?
    Is there a way to limit that except through ACL?

    And thanks for the help! Was about to get mad there for a moment 🙂


  • 15.  RE: Two X440 stacked random access to management

    Posted 09-01-2017 11:25
    Yes, as long as you can reach the IP you can telnet or SSH to it. There is a way to limit who can access the switch using an access profile for SSH:

    https://gtacknowledge.extremenetworks.com/articles/Q_A/SSH-Access-Profile


  • 16.  RE: Two X440 stacked random access to management