Remotely change a layer3 switch to layer2

mikearama · June 2009

I have one branch office that's an anomoly. The MPLS router (a 2811 ISR) out there connects directly to a 3750 switchstack that has ip routing enabled. I don't know why... it just is.

All of our other zone offices are strictly layer 2 on the far side of the MPLS network. I've been asked to correct this "mistake". So, on Sunday, when no one is at the branch, I get to do my thing. I'm hoping you techies might proof my plan...

The 2811 has two interfaces... with 192.168.22.241 on the branch side. The switchstack port that connects to the router has an IP of 192.168.22.246 /29.

The inside of the switchstack houses the 10.17.31.0/24 subnets, with the gateway of all client devices as 10.17.31.253. Obviously, when I'm done, the 10.17.31.253 IP will move from the switchstack to the inside interface of the 2811.

As I think through it, I know that I need to configure the switch carefully so as to not lose connectivity to it until the last possible moment, and then connect to the 2811 and change the inside interface IP to the correct one.

The switch has the following settings:

ip routing
!
interface FastEthernet4/0/48
description *** To MPLS router ***
no switchport
ip address 192.168.22.246 255.255.255.248
!
interface Vlan1
description *** Markham Office ***
ip address 10.17.31.253 255.255.224.0
!

Here's the plan.
I'll ssh to the 192.168.22.246 IP so that I can change to IP of int Vlan1 to something more appropriate... say, 10.17.31.10
I'll add a default route to 10.17.31.253
Then, no ip routing. This is where I have my first doubt. Will I immediately lost connectivity? or do I get a chance to change int f4/0/48 to switchport first?

Assuming I lose connectivity immediately, I'll log into the 2811 and change the ip of int f0/1 to the previous gateway IP of 10.17.31.253/24.
I'll also have to add network 10.17.31.0/24 to eigrp.

Should I then be able to connect to the new IP of the switchstack... 10.17.31.10?
Should clients then (perhaps after an arp cache timeout) be able to connect to the gateway on the 2811, and hence, to the rest of the WAN?

Preciate any thoughts,
Mike

kryolla · June 2009

looks good but I would add reload in 15 just in case you still cant get in and if everything works then cancel the reload and save the config. Can you lab it up?

mzinz · June 2009

So what is going to happen to the 3700 port when you do 'no ip routing'? Will it just convert the port and automatically change it to 'switchport'? If so, I suppose that link would come up okay... after you change the 2811 config, of course.

Is there a free port on the 2811? It would be nice if you could establish a link between the router and switch ahead of time...

networker050184 · June 2009

You can just run a cable from the AUX on the router to the console on the 3750 and use reverse telnet. It will be pretty hard to configure this thing remotely with out losing connectivity.

mzinz · June 2009

networker050184 wrote: »

You can just run a cable from the AUX on the router to the console on the 3750 and use reverse telnet. It will be pretty hard to configure this thing remotely with out losing connectivity.

How does that work exactly?

networker050184 · June 2009

mzinz wrote: »

How does that work exactly?

Magic....

I couldn't find anything on Cisco's site, but here is something a quick Google brought up.

Aux to console reverse telnet - help needed!

kryolla · June 2009

networker050184 wrote: »

You can just run a cable from the AUX on the router to the console on the 3750 and use reverse telnet. It will be pretty hard to configure this thing remotely with out losing connectivity.

if he does that then he doesnt have to configure it remotely he will be on site and since he is on site he doesnt have to run the cable.

OP Once connected to 3750 I would do a
reload in 15
interface FastEthernet4/0/48
switchport

you will loose connectivity then change 2811 port to be in the same subnet as vlan1 the connect back and turn off ip routing , set up a default gateway and cancel reload and save config.

mikearama · June 2009

mzinz wrote:

So what is going to happen to the 3700 port when you do 'no ip routing'? Will it just convert the port and automatically change it to 'switchport'?

No, the port stays layer 3, but the switch will no longer route between the two networks. Since I'm connected to the "outside" network on the switch (the 192.168.22.0 network) and not the "inside" (10.17.31.0 network), I expect "no ip routing" to not disconnect me.

So, I fully expect to have the time to take kryolla's advice and:

kryolla wrote:

reload in 15
interface FastEthernet4/0/48
switchport

I wish I was local to the devices networker... make things so quick and fast. However, I cannot get access on Sunday, so I have to ensure success remotely.

networker050184 · June 2009

kryolla wrote: »

if he does that then he doesnt have to configure it remotely he will be on site and since he is on site he doesnt have to run the cable.

Not sure why he would have to be on site to telnet to the switch.... I guess he would have to be on site to run the cable if no one else could even do that much.

Mike, you do not have to be local to reverse telnet. Like I said just have someone run a roll over cable from the AUX on the router to the console on the switch and you are good to go as if you were using an access server.

mikearama · June 2009

Ah... now I see where you're going. I have to see if I can set that up tomorrow. Brilliant.

kryolla · June 2009

sorry I was assuming this remote site was like a sales office and 1) doesnt have access to the routers and switches or 2) the person isnt that technical and doesnt want to run the cable. Also the switch and router can be on different floors.

networker050184 · June 2009

kryolla wrote: »

sorry I was assuming this remote site was like a sales office and 1) doesnt have access to the routers and switches or 2) the person isnt that technical and doesnt want to run the cable. Also the switch and router can be on different floors.

Yeah there could be some obstacles in the way, but if there is access to run the cable then that is the way to go. I doubt he will be able to get around losing connectivity on this one. Unless there is another free port to run another ethernet drop between the two. His plan does look like it will work, but I wouldn't risk it.

AlanJames · June 2009

also, have you thought about your default gateway etc? if ip routing is enabled, you may have an ip route 0.0.0.0 0.0.0.0.0

layer 2 is normally a default-gatway

food for thought

mikearama · June 2009

I couldn't get the cable run on short notice, so I ended up trying the remote method. And no, I couldn't get it to work.

@ kryolla... good suggestion with the "reload in x" command. Saved my ass.

I was totally wrong about the "no ip routing" command. I instantly lost connectivity. So, after the reload, I connected again, changed vlan1's IP address, added the default route to the new gateway, and then tried to change the layer 3 interface's IP address, but got an error that the IP overlapped with vlan 1. So I couldn't change the IP and I couldn't issue the "no ip routing" command.

I'll get over there this week and connect the cable for reverse telnet, and try again on Sunday.

Preciate the thoughts, guys.

mikearama · June 2009

Okay then... I thought it prudent to lab up this reverse telnet deal before I depend on it for Sunday.

I've run a straight-thru from the AUX port on a 2811 to the console port on a 3750. I've config'd the AUX port per the document Kryolla provided:

line aux 0
modem inout
transport input all
speed 19200

int loopback 0
ip address 200.200.200.1 255.255.255.0
no shut

From the "sh line" command I see that the AUX port uses line 1 (so 2001 in the telnet command).

The docs I could find online make no mention of how to configure the switch... only another router. It's a layer 2 switch, and it has an IP assigned to vlan 1 that is reachable from the router, but I added a loopback int with an IP of 200.200.200.2/24 anyway.

When I use "telnet 200.200.200.2 2001" from the routers' CLI, I get:
"Connection timed out; remote host not responding"

I'm not surprised, as I haven't turned on ip routing.

If I try to telnet to the IP assigned to vlan 1, at least then I get:
"Connection refused by remote host"

Any thoughts? Is there any config required on the switch side? I know I'm trying to connect to the console port, which is on and waiting, but I'm surprised that nothing required. Preciate any insights.

networker050184 · June 2009

You need to use a rollover cable.

Also, you don't need any routing turned on the switch, you are just using the console on that side.

mikearama · June 2009

Tried the rollover as well... no change.

To the loopback it times out, to the vlan1 IP it refuses connection.

I thought this was going to be so simple. Shoot.

kryolla · June 2009

I just did this the other night as my access server is full.

Rollover cable
sh line to get aux line
configure the line for transport input all or telnet and no exec
then telnet loopback address and 200?
everything else is default i.e speed

networker050184 · June 2009

Not sure what you might be missing, its a pretty simple config. Post the config maybe we can help you out.

mikearama · June 2009

Just to reiterate... I'm connecting the AUX port from a 2811 ISR to the console port of a Cat3750.

3750:
!
interface Loopback0
ip address 200.200.200.3 255.255.255.0
!
!
line con 0
exec-timeout 15 0
logging synchronous
login
!

2811:
!
interface Loopback0
ip address 200.200.200.1 255.255.255.0
!
line aux 0
modem InOut
no exec
transport input all
speed 19200
!

2811-1#sh line
Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns
0 0 CTY - - - - - 0 0 0/0
1 1 AUX 19200/19200 - inout - - - 2 0 0/0
322 322 VTY - - - - - 0 0 0/0

No joy, with both straight-thru and roller...

2811-1#telnet 200.200.200.3 2001
Trying 200.200.200.3, 2001 ...
% Connection timed out; remote host not responding

networker050184 · June 2009

You need to telnet to 200.200.200.1 2001 not .3. Remember you are telnetting to the AUX port of the router which just happens to be connected to the switch, you don't have to worry about any config ips on the switch. You should also set the speed back to 9600 unless you changed the console speed also.

Also make sure you clear the lines so you don't have any open connections blocking you. Do a show line and if there is a * next to the line its already in use.

mikearama · June 2009

No kidding!! I would never have guessed that.

So now when I telnet to 200.1 2001, I am prompted to authenticate... I had hoped it wanted credentials for the Cat, but those credentials failed. When I enter my AAA username/password for the 2811, it hangs... cursor just blinks... but it doesn't fail authentication. So we're getting there.

networker050184 · June 2009

I see you have login on the switch line con 0, but I don't see a password. You need to either specify a password or a login method.

mikearama · June 2009

Yeah, I left out the password when I posted the config... but it's there.

Anyway, it works. Funny thing... as I mentioned, when I telnet to the loopback IP on port 2001 and authenticate with my AAA account for the router, the cursor just blinks away. I took this to mean it was hung. Anyway, I tapped Enter again, and the login prompt for the switch appeared.

So, networker... I really appreciate this piece of info. Reverse telnet is my new best friend.
And Kryolla... thanks kindly for the "reload in x" command. Not sure how I hadn't come across that before, but I got it now.

networker050184 · June 2009

Glad you got it working. Once a coworker showed me the reverse telnet AUX to console trick I never risk any remote maintenance without console access anymore. Most of our stuff has dedicated console access, but for the ones that don't I just have the field techs wire up a rollover to a nearby device.

Good luck with the maintenance, but with console access there shouldn't be any issue.

Remotely change a layer3 switch to layer2

Comments