Catalyst 2960 SSH and HTTP access

I recently made some network changes at a branch office. Previously, the branch office was on the same VLAN as the main office. I am not having any issues with clients and servers communicating between the buildings, but I am having issues accessing my Catalyst 2960 switch. See the attached configuration. When I remove VLAN 1 from the trunk on gi0/1 (in preparation to remove the entire VLAN), I lose all access to the switch. If I keep it, I can ping the switch by name and it replies on its VLAN 20 IP (10.10.20.2), but I cannot access the switch via HTTP or SSH from the remote network (VLAN 1). I can access the switch via HTTP and SSH from the remote network using the VLAN 1 IP - and I can also access it using the VLAN 20 IP from within the VLAN 20 network. What am I missing in my config?

Thanks in advance.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.09.19 17:44:06 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...

Current configuration : 4119 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname catalyst-8-psb
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$N8u7$lscorQXC4DT6cpWGE.9Ag.
!
username Admin password 7 07070F5F4C592B0A
!
!
aaa new-model
!
!
!
!
aaa session-id common
system mtu routing 1500
authentication mac-move permit
!
!
ip domain-name domain.com
!
!
crypto pki trustpoint TP-self-signed-2441581568
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2441581568
 revocation-check none
 rsakeypair TP-self-signed-2441581568
!
!
crypto pki certificate chain TP-self-signed-2441581568
 certificate self-signed 01
  30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 32343431 35383135 3638301E 170D3933 30333031 30303030 
  35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34343135 
  38313536 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100ACC5 20D71D57 E9343AEC 936D70C3 2B5F5D6A 307C0302 CD18ABB0 C56FCE3D 
  A514E8A9 FB2FB6FA 33AD3B38 9309B1A3 58CA40BA D821D058 EA294CFE 541D7BCC 
  E270149B 3A7297E4 287F8ED8 9144FD3C 2C4B24E8 863D0C41 29D651A0 C8B8EEA6 
  E752003F D94DAF6F E0E9EA1E CF13B82E 49D39CF9 FE84BF48 2C999A61 8909FDE7 
  62750203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603 
  551D1104 1E301C82 1A636174 616C7973 742D382D 7073622E 686E7362 6F726F2E 
  636F6D30 1F060355 1D230418 30168014 6B2D68E5 90A0DAF2 038D9710 0CF557EB 
  8F6896A8 301D0603 551D0E04 1604146B 2D68E590 A0DAF203 8D97100C F557EB8F 
  6896A830 0D06092A 864886F7 0D010104 05000381 8100AACA 827A69E6 0CA81D41 
  AA2A25E4 0BF37AFF 166F4FC2 78EA2175 35B1A296 2D547483 B6B24316 169E0A8A 
  3573A3E7 7A496B70 FDBA31B4 70499748 1A507287 61F33787 A7057F07 CFC20952 
  4796A769 A8EB48B2 D61EF789 9474968F 8D512052 0A76CC60 42394BE3 2A46ABDF 
  FE0F9110 A60A18E7 7D07F092 87264321 C612D303 9D10
  quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 60
!
!
interface Port-channel1
 switchport mode access
!
interface FastEthernet0/1
 description prod-nic1
 switchport access vlan 20
 switchport mode access
 speed 100
 duplex full
 channel-group 1 mode desirable
!
interface FastEthernet0/2
 description prod-nic2
 switchport access vlan 20
 switchport mode access
 speed 100
 duplex full
 channel-group 1 mode desirable
!
interface FastEthernet0/3
 description prod-rac
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/4
 description PSBKyocera
 switchport access vlan 20
 switchport mode access
 speed 100
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/8
 description ap-psb
 switchport trunk native vlan 20
 switchport trunk allowed vlan 1,9,12,20
 switchport mode trunk
!
interface GigabitEthernet0/1
 description uplink to firewall
 switchport trunk native vlan 20
 switchport trunk allowed vlan 1,9,20
 switchport mode trunk
!
interface Vlan1
 description inside
 ip address 10.10.10.25 255.255.255.0
 no ip route-cache
!
interface Vlan9
 ip address 192.168.9.2 255.255.255.0
 no ip route-cache
!
interface Vlan20
 description psbadmin
 ip address 10.10.20.2 255.255.255.0
!
ip default-gateway 10.10.20.1
ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging facility syslog
logging 10.10.10.107
banner login ^CAuthorized Access Only^C
banner motd ^CAuthorized Access Only^C
!
line con 0
 password 7 151E0202016A230A3B3165101C
 logging synchronous
 terminal-type monitor
line vty 0 4
 password 7 045325150D717E41
 transport input ssh
line vty 5 15
 password 7 011B2817595B3400
 transport input ssh
!
end

fisher_king Asked:

Libipappachen Commented:
Hi,
As per this
You are using VLAN 1 for management of the network equipment.
You have a L3 switch which is doing the Inter-Vlan Routing.

As a best practice don’t use vlan 1 for anything.
No need to put IP for the user vlans in this switch or any other L2 switches.

for management:
!
interface Vlan20
 description psbadmin
 ip address 10.10.20.2 255.255.255.0
!
ip default-gateway 10.10.20.1

This is ok, if you are using VLAN 20 as the management. But you have to check the syslog configuration as follows.

logging 10.10.10.107

BR,
Libi
0
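
The three points in the answer above (VLAN 1 still in use, IP addresses on SVIs other than the management VLAN, a syslog host outside the management subnet) can be checked mechanically against a saved running-config. This is an added example, not part of the original thread; the function names, the `mgmt_vlan` parameter and the trimmed sample config are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: trimmed lines shaped like the running-config in the question.
SAMPLE = """\
interface GigabitEthernet0/1
 switchport trunk allowed vlan 1,9,20
!
interface Vlan1
 ip address 10.10.10.25 255.255.255.0
interface Vlan9
 ip address 192.168.9.2 255.255.255.0
interface Vlan20
 ip address 10.10.20.2 255.255.255.0
!
ip default-gateway 10.10.20.1
logging 10.10.10.107
"""

def vlan_in_list(vlan, spec):
    """True if vlan falls inside an allowed-VLAN spec such as '1,9,20' or '1-10,20'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= vlan <= int(hi or lo):
            return True
    return False

def audit(config, mgmt_vlan=20):
    """Flag VLAN 1 on trunks, extra SVI addresses and off-subnet syslog hosts."""
    svis, trunks, log_hosts, iface = {}, {}, [], None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line opens or closes an interface block
            iface = line.split()[1] if line.startswith("interface ") else None
        if (m := re.match(r" ip address (\S+) (\S+)$", line)) and iface and iface.startswith("Vlan"):
            svis[int(iface[4:])] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif (m := re.match(r" switchport trunk allowed vlan ([\d,-]+)$", line)) and iface:
            trunks[iface] = m[1]
        elif m := re.match(r"logging (\d+\.\d+\.\d+\.\d+)$", line):
            log_hosts.append(ipaddress.ip_address(m[1]))
    out = [f"{i}: trunk carries VLAN 1" for i, s in trunks.items() if vlan_in_list(1, s)]
    out += [f"Vlan{v}: SVI {a} outside management VLAN {mgmt_vlan}"
            for v, a in sorted(svis.items()) if v != mgmt_vlan]
    if mgmt_vlan in svis:
        out += [f"syslog {h}: outside management subnet {svis[mgmt_vlan].network}"
                for h in log_hosts if h not in svis[mgmt_vlan].network]
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A syslog finding is not an error in itself: it marks a destination that is reachable only through `ip default-gateway` once the other SVIs are removed, so that route has to exist before the cleanup.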

fisher_king Author Commented:
So I just need to remove vlan 1? I will try it after-hours and let you know.

My logging server is at the other building. The switch's gateway (10.10.20.1) knows the route.

Thanks
0
fisher_king Author Commented:
I have not gotten a maintenance window to make the changes. I will probably not have one until early Nov. I apologize for the delay.
0
fisher_king Author Commented:
I apologize for the late follow-up on this. I still have not had a chance to apply the fix you suggested, but assume it will work. It turns out that I will be replacing the switch next month with a larger one and can clear up the config at that time. Thanks again.
0