Can't access Switch Management via Ethernet

gadgie

Technical User
Feb 4, 2003
16
GB
Guys,

I posted yesterday with an inter-VLAN problem between my ME3400 switch and 2801 router. I have that sorted now; I can ping between all VLANs including VLAN1.

The problem I have now is that I cannot ping the management IP or access via telnet, from either the router or any of the devices in the VLANs. If I change the VLAN which the management is in, the result is the same. However, if I connect another switch to the 3400 via a trunk, I can ping from that switch to the first OK.

Is there some sort of built-in firewall on the management?

Any help would be gratefully received; starting to go bonkers looking for the answer.

I have posted configs below.

ME3400

Building configuration...

Current configuration : 2076 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ednccore
!
enable secret 5 $1$3PYR$m4iGJLHVYEr8Wwjwr8FvM1
enable password password
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!

spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
vlan internal allocation policy ascending
!
vlan 2
uni-vlan community
name LLPA
!
vlan 3
uni-vlan community
name CCTV
!
vlan 4
uni-vlan community
name RCM
!
vlan 5
uni-vlan community
name OPERATIONAL

!
interface FastEthernet0/1
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 2
!
interface FastEthernet0/3
switchport access vlan 3
!
interface FastEthernet0/4
switchport access vlan 4
shutdown
!
interface FastEthernet0/5
switchport access vlan 5
shutdown
!
interface FastEthernet0/6
switchport access vlan 3
!

!
interface GigabitEthernet0/1
description Link to Carstairs
port-type nni
switchport mode trunk
!
interface GigabitEthernet0/2
description Linh to Portobello
port-type nni
switchport mode trunk
!
interface Vlan1
ip address 10.1.3.100 255.255.255.0
no ip route-cache
!
ip default-gateway 10.1.3.1
no ip http server
ip http secure-server

control-plane
!
!
line con 0
exec-timeout 0 0
line vty 0 4
password password
login
line vty 5 15
password password
login
!
end

ISR 2801

Current configuration : 2477 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EDNC2801
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$rbUO$R4qAB0PzhuagroMEEvEgL.
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip cef
!
!
!

!
username engineer privilege 15 secret 5 $1$tbLh$KHekBQbcaAf.brssI8f9x/
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 10.1.5.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.1.3.1 255.255.255.0
!
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 10.1.22.1 255.255.255.0
!
interface FastEthernet0/1.3
encapsulation dot1Q 3
ip address 10.1.33.1 255.255.255.0
!
interface FastEthernet0/1.4
encapsulation dot1Q 4
ip address 10.1.44.1 255.255.255.0
!
interface FastEthernet0/1.5
encapsulation dot1Q 5
ip address 10.1.55.1 255.255.255.0
!
router eigrp 10
network 10.0.0.0
auto-summary
!
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000

!
control-plane
!

banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
end


Thanks in advance
 
Post a show flash on both devices.

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
Thanks for the quick response Dallas. I have left the office now for a few days for xmas. I will post flash output when back on Sat.

Look forward to your thoughts


Merry Xmas
 
Also, on your ME3400 do the following just for the time being:

ip http server

so that you do not need to worry about crypto for now; you can go back later and revert.

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
Put a port into VLAN 1 and put a device in that address range on it and see if you can ping the switch. If not, the problem is on the switch, as that is a directly attached device in the same subnet and is not routed at that point. If yes, then there is something not quite right with the trunk setup, though right off the top of my head it is not jumping out at me.
 
Is there a reason to have auto summary on the router for EIGRP also?
 
vipergg,

I have tried pinging the switch from a device in VLAN1; it doesn't work, but I can ping the GW for the subnet from that device. It's totally weird.

As for the auto summary, this is a bench setup so I haven't changed it yet.

Cheers

Merry Xmas
 
Can you post a show interface vlan 1? Is the VLAN 1 interface up? I don't see any access interface assigned to VLAN 1 to bring the interface up.
 
interface FastEthernet0/1
switchport mode trunk

What's missing? Read your other post...

Burt
 
Burtsbees,

I had a look at the trunk port, the default encapsulation on the ME3400 is DOT1Q.
If I do a sh int trunk, the encapsulation is showing DOT1Q on fa 0/1.

As I said, I can put devices into VLAN1 and have them ping each other and the GW for that subnet.
I just can't explain why I can't access or ping the VLAN1 interface.

As for VLAN1 the interface is showing up/up.
 
Crap...I am blind...

switch(config)#line vty 5 15
switch(config-line)#password blabla
switch(config-line)#login
switch(config-line)#end
switch#wr

Burt
 
OK---NIX the last post. Not only am I blind, but I am suffering from cranial rectumitis.
What image do you have on the switch? If you have the METROIPACCESS, then you may have to disable ip routing?

You asked...

"Is there some sort of built in firewall on the management?"

Actually, there may be on this particular switch.

The switches feature comprehensive security capabilities:

* Network-based security to protect the network from unauthorized traffic
* Switch security to help maintain continuous switch operation
* Subscriber security to shield subscribers from other malicious users

Note: By default, ping is supported on network node interfaces (NNIs), but you cannot ping from a user network interface (UNI) because the control-plane security feature drops ICMP response packets received on UNIs. See the "Troubleshooting" chapter of the software configuration guide for methods for pinging from the switch to a host connected to a UNI.

You may want to enter

switch(config)#ip classless

and if you want to ssl in (https), then

ip http login local

Burt
 
Burt,

Changing the port type of the trunk to the 2801 to nni has nailed it. Can ping and access the switch from all VLANs. Although I still can't access from ports on the switch that are in VLAN1 unless the port is set nni, this suits me as I don't necessarily want to be able to do that anyway.

Thanks for pointing me to the troubleshooting guide in the software config manual.
I should have really read the manual before messing around with the kit, but sometimes I'm like a little boy with a new toy.


Thanks to everyone who posted.
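
An added example, not part of any poster's reply: a small Python check that reads a saved ME3400 configuration and lists trunk ports still typed as UNI, the condition that kept the switch management address unreachable until the link to the 2801 was set to port-type nni. It assumes a port with no port-type line is a UNI (as the FastEthernet ports in the posted config are); the function names and the sample excerpt are constructed for illustration.

```python
import re

# Constructed excerpt of the ME3400 config posted in this thread (unindented, as on the page).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 2
!
interface GigabitEthernet0/1
port-type nni
switchport mode trunk
!
interface Vlan1
!
"""

def parse_interfaces(config):
    """Return {interface: [sub-commands]}; a block ends at '!' or a blank line."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("", "!"):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def port_types(config):
    """Map physical ports to port type. Assumption: no 'port-type' line means UNI."""
    types = {}
    for name, cmds in parse_interfaces(config).items():
        if re.match(r"(Fast|Gigabit)Ethernet", name):  # skip SVIs such as Vlan1
            explicit = [c.split()[1].lower() for c in cmds if c.startswith("port-type ")]
            types[name] = explicit[-1] if explicit else "uni"
    return types

def uni_trunks(config):
    """Trunk ports still typed UNI, the condition fixed on the 2801 link."""
    blocks, types = parse_interfaces(config), port_types(config)
    return [n for n, t in types.items()
            if t == "uni" and "switchport mode trunk" in blocks[n]]

if __name__ == "__main__":
    print(port_types(SAMPLE_CONFIG), "UNI trunks:", uni_trunks(SAMPLE_CONFIG))
```

Access ports left as UNI are reported by port_types but not flagged, which matches the outcome in the thread: hosts on UNI ports stay unable to reach the management interface.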
 