Add management VLAN best practice

I currently have a 1604 routing all traffic from one campus down a pt-pt. Behind the 1604 are 5 3550's. All 3550's are configured with an IP address on VLAN 1. All ports are default configuration. I would like to create a management VLAN and start Inter-VLAN routing, using the first 3550 after the 1604 to do the Inter-VLAN routing. I know I need to turn on ip routing on that switch and create the VLAN in layer 2 (vlan 250, name) and in layer 3 (give it an IP address). Do I have to turn on ip routing on the other connected switches, or just tell them the default gateway is the first switch with ip routing enabled? And do I have to make the switchport connected to the 1604 a routed port, or will communication stop until I do make it a routed port? Kind of long winded, but it's a live network and I have no lab to try this stuff in. People from another campus access some servers on this network 24 hours a day via terminal services and I don't want to break any communication during the change (if possible). Thanks.

lamav Thu, 08/14/2008 - 13:26

Answer:

A vlan is a layer 2 construct. So, yes, you will create the management vlan in layer 2 on all switches and then create the L3 interface on each box. That is the interface to which you will assign an IP address so that you can access the device remotely.

You don't need to turn on IP routing on these boxes. The ip default-gateway command will suffice.

But on one of those 3550 boxes, or the 1604, you will want to advertise the management subnet so that you can have remote reachability to the devices that sit in that vlan.

Vlan 1 is the default vlan that all ports are placed in, and it is also the native vlan for dot1q trunks. Moreover, it is this vlan that the control plane uses to exchange protocol information for CDP, PAgP, LACP, etc. So, I would recommend having separate data and management vlans in addition to the default vlan 1.

HTH

Victor

Just to clarify in my mind - I would do the following on each switch (different IP on each switch)?:

sw1#conf t
sw1(config)#vlan 250
sw1(config-vlan)#name Management-VLAN
sw1(config-vlan)#exit
sw1(config)#interface vlan 250
sw1(config-if)#ip address 192.168.250.1 255.255.255.0
sw1(config-if)#exit
sw1(config)#exit
sw1#wr mem

How do I then "advertise" the management subnet from either the switch or router? I would like to eventually follow your suggestion and have the data not on vlan 1 but I figure I better get myself squared away on how this works before I mess with the current data subnet.

lamav Thu, 08/14/2008 - 14:15

Looks good... don't forget to add the ip default-gateway command, or enable ip routing and use the ip route 0.0.0.0 0.0.0.0 command.

Take note that this approach assumes that you have L2 adjacency between the switches and the layer 3 device.

lamav Thu, 08/14/2008 - 16:47

Devices in the same vlan are said to have L2 adjacency.

To make sure devices are in the same vlan, L2 connections (trunks) must exist between them.

So, imagine one 3550 configured for L3 with the SVI vlan interface configured on it. Let's say it's the SVI for the management vlan (vlan 250). The other 4 3550s will all have SVIs on vlan 250 configured (as you showed earlier), and the default gateway or ip route command will have the IP address of the L3 SVI as the next hop.

The 4 3550s will be able to reach that L3 3550 and have it as the default gateway if there is a trunk built between them.

S1:

vlan 250
 name mgmt_vlan
!
int vlan 250
 ip address 10.10.250.1 255.255.255.0
!
! L2 switch: ip routing stays off, so the gateway is set globally (no mask on this command)
ip default-gateway 10.10.250.5
!
int gi1/0/1
 description ***L2 trunk to Default Gateway switch***
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk

S2:

vlan 250
 name mgmt_vlan
!
int vlan 250
 ip address 10.10.250.2 255.255.255.0
!
ip default-gateway 10.10.250.5
!
int gi1/0/1
 description ***L2 trunk to Default Gateway switch***
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk

S3:

vlan 250
 name mgmt_vlan
!
int vlan 250
 ip address 10.10.250.3 255.255.255.0
!
ip default-gateway 10.10.250.5
!
int gi1/0/1
 description ***L2 trunk to Default Gateway switch***
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk

...S4...

S5:

! This is the L3 switch: it routes for vlan 250, so it gets ip routing and a
! default route toward the 1604 instead of ip default-gateway pointing at itself
ip routing
!
vlan 250
 name mgmt_vlan
!
int vlan 250
 ip address 10.10.250.5 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
int gi1/0/1
 description ***L2 trunk to S1***
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
int gi1/0/2
 description ***L2 trunk to S2***
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
int gi1/0/3
 description ***L2 trunk to S3***
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
int gi1/0/4
 description ***L2 trunk to S4***
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
int gi1/0/5
 description ***Routed Connection to 1604 Router***
 no switchport
 ip address 1.1.1.1 255.255.255.252
!
! Advertise the management subnet; the /30 link must also be in EIGRP or
! no neighbor forms with the 1604
router eigrp 100
 network 10.10.250.0 0.0.0.255
 network 1.1.1.0 0.0.0.3
 no auto-summary

1604:

int fa0/1
 description ***Routed Connection to L3 3550 Switch***
 ip address 1.1.1.2 255.255.255.252
!
! The router has to run the same EIGRP AS to learn 10.10.250.0/24 from S5
router eigrp 100
 network 1.1.1.0 0.0.0.3
 no auto-summary

This is one way to do it.

Let someone else on here do a sanity check...

HTH

Victor
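The thread's design with the management plane locked down, as an added example that is not part of Victor's post or the original discussion: S5 owns the vlan 250 SVI and routes for it, S1 through S4 stay layer 2 with ip default-gateway, CLI access on every switch is reachable only from the management subnet, and VLAN 1 loses its address only after the new path is proven. The hostnames, the access-list name MGMT-HOSTS, the admin station 192.0.2.10 (a documentation address), the domain name, the username and the allowed-VLAN list are assumptions for the example; the 10.10.250.0/24 and 1.1.1.0/30 addressing and the interface names follow the thread.

```ios
! ===== S5: the 3550 that does the inter-VLAN routing (added example) =====
hostname S5
ip routing
!
vlan 250
 name Management-VLAN
!
interface Vlan250
 description Management SVI; default gateway for S1-S4
 ip address 10.10.250.5 255.255.255.0
 no shutdown
!
! Take the management address off VLAN 1 only after you have logged in over
! vlan 250, so the live session you are migrating from is not cut. CDP, PAgP
! and LACP keep using VLAN 1 as the native VLAN; they do not need the SVI.
interface Vlan1
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
 description L2 trunk to S1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 ! carry only the VLANs the far switch needs; extend the list as data VLANs are created
 switchport trunk allowed vlan 1,250
!
interface GigabitEthernet1/0/5
 description Routed connection to the 1604
 no switchport
 ip address 1.1.1.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
! Management-plane filter: only the management subnet and the assumed admin
! station at the other campus may open a CLI session; everything else is logged
ip access-list standard MGMT-HOSTS
 permit 10.10.250.0 0.0.0.255
 permit host 192.0.2.10
 deny   any log
!
! SSH needs a crypto (k9) IOS image on the 3550; the RSA key is generated once
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
username netadmin privilege 15 secret <set-a-strong-secret>
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
!
! ===== S1 through S4: layer 2 only, ip routing stays off =====
vlan 250
 name Management-VLAN
!
interface Vlan250
 ip address 10.10.250.1 255.255.255.0
 no shutdown
!
ip default-gateway 10.10.250.5
!
interface GigabitEthernet1/0/1
 description L2 trunk to S5
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,250
!
! repeat the MGMT-HOSTS access-list, SSH setup and line vty stanza from S5 here
```

Order matters on a live network: build vlan 250 and its SVI everywhere, bring up the trunks, open a second session to each switch via its 10.10.250.x address, and only then apply the access-class and shut the Vlan1 SVI from that new session. The access-class on the vty lines is what actually separates "management VLAN" from "just another subnet": without it, any host that can route to 10.10.250.0/24 can still reach the CLI.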
