Hi folks,
I'm back with another field experience from the C9300-m switches which I now have a workaround for.
I can't show any screenshots or CLI output since all switches I had to install at customers I have already fixed.
Usually I want to give my switches a fixed IP and not rely on any DHCP IP for switches even if it is only for their management. I believe switch IP's must be stable at all times.
For regular MS switches you have a separate management IP that you can set in the left status pane of a switch. However for Catalyst switches running native IOS-XE when you change the setting from DHCP to Static you are redirected to the routing page since you now have to create an actual SVI on the switch to accomplish this. And yes you HAVE TO do it in this order after your switch has been online in dashboard with a DHCP IP or dashboard will continue labeling it as DHCP even if it is a fixed IP SVI.
However in the recent stacks I installed I had a many occasions that the switch refuses to use the static SVI and remains on the DHCP IP which can be annoying and keeps you from removing the firewall rules to reach dashboard on VLAN 1. Sometimes a simple reboot of the switch will resolve the issue but here I will outline the method if the switch is already in production and can't just be rebooted.
Since they use the management VRF on the switches for the local status page, the IP on the switch to reach dashboard and potentially route packets in L3 mode lives in the global routing table. So to have regular routing not interfere with management routing I have noticed the switch installs static specific routes towards the Meraki cloud IP's. These routes appear when the switch has chosen it's uplink towards the dashboard.
When you use the command show uac active-vlans you will see a list of VLAN's the switch has an IP in and will show which one has the highest score to reach dashboard (ip state 15 and the highest score at the end) So even if your main score is the same with your selected SVI it will still use the DHCP IP since that one has IP state 15...).
When you use the command show uac uplink db you will see a ping fail counter of one on the interface you WANT to use for management.
I believe this has to do with the fact that you can't ping dashboard from your wanted IP since it uses the other VLAN as exit interface on the most specific routes to dashboard. And this won't change on it's own.
So the solution to this is to also create a fixed IP SVI on VLAN 1 where it now uses the DHCP IP and then set it as v4 uplink to dashboard. Wait for 5 minutes and then put your wanted SVI as v4 uplink to dashboard again.
After 5 more minutes you will see the switch/stack now uses the correct IP. And the show uac commands will now show a better score for your SVI. I believe when you flip this over the switch gets configuration pushed where the static routes to dashboard are moved to the SVI you want instead and then that ping succeeds.
When you are done you can safely remove the vlan 1 SVI and you're done.
