Trunking and the management VLAN

Jun 15th, 2009

I have gotten my 5010s up and can get to them from mgmt0. The IP address for mgmt0 resides in VLAN 2 for me. I am getting ready to trunk my 5010s back to my 6500s. Do I need to make sure that VLAN 2 cannot be seen through the trunk ports since it resides on mgmt0?

Jon Marshall Mon, 06/15/2009 - 12:00

It depends.

If you are going to manage the Nexus switches in-band, i.e. you need access to them remotely, and the traffic is routed via the 6500 switches, then you would need to include VLAN 2 on the trunk, otherwise you won't be able to reach them.

If you are managing the Nexus switches out-of-band, i.e. you are not accessing them over the production network, then no, you don't need to include that VLAN on the trunk to the 6500s.

You say you can connect to the 5010s now on VLAN 2. This suggests you have either

1) another way to connect to them, i.e. not via the 6500s

OR

2) you have only connected to them because your machine was in VLAN 2.

It all depends on whether you need to use the 6500 switches to get to the 5010s remotely.

Jon

pndennie93 Mon, 06/15/2009 - 12:10

Right now VLAN 2 is connected to the 6500s via mgmt0. I am worried that if I bring up the trunk ports back to the 6500s then I will have an issue with VLAN 2 being seen on mgmt0 and the trunk ports.

Jon Marshall Mon, 06/15/2009 - 12:23

So you have a connection from the 5010 to the 6500 and the port is an access port allocated to VLAN 2?

If so then you have a choice:

1) include it on the trunk link and allow one of the connections to block for VLAN 2

or

2) do not allow VLAN 2 on the trunk link, and then you will simply be using the access port link from the 6500 to the 5010

1) would provide some redundancy in case of failure of the access port link, although you could simply add VLAN 2 to the trunk link if the access link went down to give you temporary access.

Jon

Jon Marshall Mon, 06/15/2009 - 12:32

Glad to have helped.


Jon

nate-miller Mon, 06/22/2009 - 07:03

I don't think this is technically right: the management port and the data path aren't actually connected. The mgmt0 port doesn't have any concept that it's on "VLAN 2"; it's just an access port.

Similarly, if VLAN 2 is on the trunk port, the IP address you assigned to mgmt0 isn't going to respond.

If you configured "feature interface-vlan" and then put an IP address on VLAN 2, you could manage this box that way, on two separate IP addresses, via the two separate connections.

With the current lack of ability to wrap ACLs around the interface VLANs, I'm more comfortable NOT using interface-vlan commands, and using a single uplink to mgmt0. Loss of the mgmt0 port is now only loss of the ability to manage the switch, not a data-path impacting event (unless you need to configure the switch to correct a data-path issue, in which case you've got problems).

The shift to out-of-band is a nice feature, but it's going to require a big shift in thinking from an implementation standpoint.
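As an added example (not from the thread or from Cisco documentation) of the two options described above, here is what the out-of-band arrangement looks like on both ends, with the in-band SVI alternative shown commented out. Interface names, VLAN numbers other than 2, and the 192.0.2.x addresses are constructed assumptions.

```text
! ---- Nexus 5010 side (NX-OS). Interface names and 192.0.2.x addresses
! ---- are constructed for this example.
! mgmt0 lives in the management VRF and is not bridged to any data VLAN,
! so carrying VLAN 2 on the trunk neither exposes nor reaches this address.
interface mgmt0
  vrf member management
  ip address 192.0.2.10/24

! Out-of-band choice: an explicit allowed list with VLAN 2 left off, so the
! only path to the management address is the dedicated mgmt0 link.
interface Ethernet1/1
  description trunk to 6500
  switchport mode trunk
  switchport trunk allowed vlan 10,20

! In-band alternative: management on an SVI with its own, separate address,
! reachable over the trunk. Only in this case does VLAN 2 need to be added
! to the trunk's allowed list.
! feature interface-vlan
! vlan 2
! interface Vlan2
!   ip address 192.0.2.20/24
!   no shutdown
! interface Ethernet1/1
!   switchport trunk allowed vlan add 2

! ---- Catalyst 6500 side (IOS) ----
interface GigabitEthernet1/1
  description trunk to 5010
  switchport
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 10,20

! Access port for the 5010's mgmt0: this is the only place VLAN 2 is needed
! in the out-of-band design.
interface GigabitEthernet1/2
  description access link to 5010 mgmt0
  switchport
  switchport mode access
  switchport access vlan 2
```

Confirm with `show interface trunk` on both switches that VLAN 2 appears only where you intend it, and with `show vrf interface` on the Nexus that mgmt0 is in the management VRF rather than in the default VRF.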


