
management Vlan issue?


paulk29

Technical User
Jul 15, 2003
Hi,
I have two 6513 Switches A & B with SUP720 Supervisor Modules.
I have them connected via trunk ports. Both have VTP enabled, A being the server and B the client. I have 3 VLANs set up: 1, 2 (192.168.1.1) & 3 (10.30.20.1). I set the VLANs up on Switch A and have users hanging off ports on Switch B. They can route between VLANs 2 & 3 no problem.
What I want to do is have VLAN 1 as the management VLAN and have an IP address from each switch in this VLAN so I can telnet to it, etc. Normally I'd have used the loopback address, but it seems you can't put a loopback address in a VLAN.

Does anyone have any suggestions?

Thanks

Paul


Paul Kilcoyne B eng. CCNA
 
If I were you I would forget the Management VLAN unless you have any external Layer-2 only switches, even then I probably wouldn't bother with a separate management VLAN. Since you are using IOS and each of the Cat6500's are Layer-3 I would just use a routing protocol and /32 loopback interfaces. Create a separate /30 point-to-point subnet between the 2 switches as a routing interface/VLAN.

You can easily protect access to the VTY lines and SNMP (and WEB if you have enabled it?) with ACLs and/or user authentication.

Andy
 
Andy,
thanks for that. I'm not sure I understand though can you maybe show me a short config example?

Cheers

Paul

Paul Kilcoyne B eng. CCNA
 
Paul

I assume you have a Gigabit trunk (possibly EtherChannel as well?) between the 2 switches. I also assume you are allowing all VLANs down this trunk so you can span VLANs between switches - I would discourage this unless you have a Layer-2 requirement such as NIC Teaming. Create another VLAN and assign a /30 IP subnet to this and make sure it is allowed on the trunk between the switches (eg 10.255.1.1/30 on one side and 10.255.1.2/30 on the other side). Create a loopback0 (or whatever number you choose) interface on each switch and assign a /32 host IP address (mask 255.255.255.255) to each interface (for example 10.255.255.1/32 & 10.255.255.2/32). Enable a routing protocol that understands subnet masks such as EIGRP or OSPF (RIP2 does as well but takes longer to converge). Add all IP networks in use to the routing protocol, and make passive any interfaces out of which you don't need to send routing updates.

!6513-A

VLAN 10
name User-VLAN-10
VLAN 100
name Server-VLAN-100
VLAN 900
name P2P-Link
!
interface loopback0
ip address 10.255.255.1 255.255.255.255
!
interface Port-channel1
switchport trunk native vlan 4000
!
interface GigabitEthernet1/1
switchport mode trunk
channel-group 1 mode desirable non-silent
!
interface GigabitEthernet1/2
switchport mode trunk
channel-group 1 mode desirable non-silent
!
interface VLAN 10
ip address 192.168.1.1 255.255.255.0
!
interface VLAN 20
ip address 192.168.2.1 255.255.255.0
!
interface vlan 900
ip address 10.255.1.1 255.255.255.252
!
router ospf 1
network 192.168.1.1 0.0.0.0 area 0
network 192.168.2.1 0.0.0.0 area 0
network 10.255.255.1 0.0.0.0 area 0
network 10.255.1.1 0.0.0.0 area 0
passive-interface default
no passive-interface VLAN 900
!



!6513-B

VLAN 10
name User-VLAN-10
VLAN 100
name Server-VLAN-100
VLAN 900
name P2P-Link
!
interface loopback0
ip address 10.255.255.2 255.255.255.255
!
interface Port-channel1
switchport trunk native vlan 4000
!
interface GigabitEthernet1/1
switchport mode trunk
channel-group 1 mode desirable non-silent
!
interface GigabitEthernet1/2
switchport mode trunk
channel-group 1 mode desirable non-silent
!
interface VLAN 10
ip address 192.168.1.2 255.255.255.0
!
interface VLAN 20
ip address 192.168.2.2 255.255.255.0
!
interface vlan 900
ip address 10.255.1.2 255.255.255.252
!
router ospf 1
network 192.168.1.2 0.0.0.0 area 0
network 192.168.2.2 0.0.0.0 area 0
network 10.255.255.2 0.0.0.0 area 0
network 10.255.1.2 0.0.0.0 area 0
passive-interface default
no passive-interface VLAN 900
!


Good luck

Andy
 
Typo:

VLAN 100 should read VLAN 20:

!
VLAN 20
name Server-VLAN-20
!


Andy
 
Andy,
thanks very much for the help. Again, a few things:

1. Why do you need a point to point Vlan link?

2. Are routing updates only being exchanged on VLAN 900?
no passive-interface VLAN 900

3. I was trying to config port-channel 1 as a trunk but it wouldn't let me, saying that either the gigabitethernet port be L2 and port channel be L3 or vice versa.
So here's how I got it working:

SW2(config)#interface range fastEthernet 3/11 - 14
SW2(config-if-range)#no ip address
SW2(config-if-range)#switchport
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#channel-group 1 mode desirable
SW2(config-if-range)#no shut

Port-channel 1
SW2(config-if)#description TRUNK CHANNEL TO SW1
SW2(config-if)#no ip address
SW2(config-if)#switchport
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#no shut

It seems to work now.

4. Finally why do you have the loopbacks with a /32 mask?

Thanks so much again

Paul



Paul Kilcoyne B eng. CCNA
 
1. You should really only run routing protocols where there are routers listening. If you just enabled it on a User/Data VLAN there is the possibility that a rogue router could be introduced and compromise the network by introducing erroneous routing information.

2. Yes, routing updates are only exchanged on the P2P vlan.

3. The process of creating an EtherChannel in IOS is to set the switchport type and encapsulation of all ports you want in the channel, then add the ports to the EtherChannel (this will create the logical 'Port-Channel' interface). If you wish to make changes to the channel such as the allowed VLANs then make them on the Port-Channel interface. If you want to change the channel from Layer-2 to Layer-3 then you have to undo all the channel configuration and re-add it (notepad and paste...).

4. The loopback interfaces do not connect to anything so can only have 1 host, hence the /32 mask. If you have quite a few routers in your network (or Autonomous System or Area) then when you do your subnetting allocations for each of your networks you can use the same range of addresses for management. I apply the same logic when creating P2P subnets for P2P links in the WAN or Distribution Layer: 10.255.1.0/30, 10.255.1.4/30, 10.255.1.8/30 etc. This makes it easier to 'see' each of the devices:

Router 1 l0 - 10.255.255.1
Router 2 l0 - 10.255.255.2
Router 3 l0 - 10.255.255.3
etc

What I usually do is use this interface as the source for SNMP, Syslog, NTP, Telnet, Radius/TACACS+ etc.

Andy
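As an added example (not from the thread or either poster), a small Python audit that checks an IOS config against the points Andy makes in this reply: routing updates confined to the P2P VLAN via `passive-interface default`, loopbacks carrying a /32 mask, and OSPF `network` statements that correspond to a real interface address. The sample config is constructed in the style of the 6513-A config posted above; the P2P interface name passed to the audit is an assumption.

```python
import re
from ipaddress import IPv4Interface
# Constructed sample modelled on the 6513-A config in the thread (not the poster's exact text)
SAMPLE_CONFIG = """\
interface loopback0
 ip address 10.255.255.1 255.255.255.255
interface VLAN 10
 ip address 192.168.1.1 255.255.255.0
interface vlan 900
 ip address 10.255.1.1 255.255.255.252
router ospf 1
 network 192.168.1.1 0.0.0.0 area 0
 network 10.255.255.1 0.0.0.0 area 0
 network 10.255.1.1 0.0.0.0 area 0
 passive-interface default
 no passive-interface VLAN 900
"""

# 'VLAN 900', 'vlan900' and 'Vlan900' all name the same interface in IOS
norm = lambda name: re.sub(r"\s+", "", name).lower()

def parse_interfaces(cfg):
    """Map normalised interface name -> IPv4Interface for each 'ip address' line."""
    ifaces, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface\s+(.+)", line)
        if m:
            current = norm(m.group(1))
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m and current:
            ifaces[current] = IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces

def audit_ospf(cfg, p2p_ifaces=("vlan900",)):
    """Return findings; an empty list means the config follows the advice in the thread."""
    findings, ifaces = [], parse_interfaces(cfg)
    ospf = cfg.partition("router ospf")[2]  # text from the router stanza onwards
    if "passive-interface default" not in ospf:
        findings.append("OSPF lacks 'passive-interface default'")
    active = {norm(n) for n in re.findall(r"no passive-interface (.+)", ospf)}
    for name in sorted(active - set(p2p_ifaces)):  # updates leaking onto a user VLAN
        findings.append(f"routing updates sent on non-P2P interface {name}")
    for name, addr in ifaces.items():
        if name.startswith("loopback") and addr.network.prefixlen != 32:
            findings.append(f"{name} is /{addr.network.prefixlen}, expected /32")
    for net in re.findall(r"network (\S+) 0\.0\.0\.0", ospf):
        if not any(str(a.ip) == net for a in ifaces.values()):
            findings.append(f"OSPF network {net} matches no interface address")
    return findings
```

Run `audit_ospf` over a saved `show running-config`; any finding is a place where updates could reach a VLAN with no router on it or the management address is not a proper host route.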
 