Replacing CatOS 4506 with IOS 4507R-E

Unanswered Question
May 28th, 2010
I need to replace an existing core switch, a 4506 running CatOS, with a 4507R-E running IOS, keeping the existing trunks to 3550 L2 switches. The challenge I have is that since current IP traffic flows under the default VLAN 1 (management on the switches too, as interface Vlan1 with the respective IP address) and the default gateway is set to the WAN router on the same VLAN and segment, I was asked not only to create and assign a loopback interface with a different IP address on the new 4507 but also to move all ports and management to a different VLAN number, to start releasing VLAN 1 on this switch. My concern is how to achieve that without affecting communication to the 3550 switches to and from the main router. I am not sure if just the statement native vlan X... on each of the trunks to the 3550s could work, since the L3 is within the same IP scope. The 3550 switches should be replaced eventually in the near future, but at this time the core switch is the one affected.


For the new IP address on the loopback interface, I will have to set a static route in the WAN router to be able to reach it, and in the future the rest of the switches, since there is no routing protocol running on the deployment.


I really appreciate your advice.



Francisco de la Rosa

Reza Sharifi Fri, 05/28/2010 - 17:54

Hi Francisco,


It is a good idea to move the management and production traffic off of VLAN 1 completely. For security reasons the native VLAN (VLAN 1) should be shut down and not used at all. VLAN 1 is for control traffic, i.e. PAgP, CDP, VTP, etc. So you should create one or multiple VLANs (depending on your need) for your user traffic and also another one for management. Then shut down all unused ports and park them in a different VLAN (usually 999).


As for the loopback address, you only need a loopback address for your layer-3 devices and not for layer-2 devices, i.e. the 3550s.


HTH

Reza

Ganesh Hariharan Sat, 05/29/2010 - 21:56
Hi Francisco,


To better understand your requirement it would be helpful if you can attach a schematic representation of the required network. To my understanding from the above thread, you want VLAN 1 to be removed from your network, which is currently the path for traffic right now.


Can you clarify a few things:


Is your 4506 connected by trunk to two 3500 switches?

What are all the VLANs configured on the 3550?


Ganesh.H

Giuseppe Larosa Sun, 05/30/2010 - 05:30

Hello Francisco,

as Reza has noted, removing user traffic from the native VLAN is a good move and it is recommended for security reasons.


However, it is not possible to migrate in this way at the IP subnet level.

Trying to use a loopback address with an address taken from the current IP subnet in VLAN 1 is not advisable.


You should simply move all user ports to a new VLAN, like vlan 100 for example.

The new VLAN has to be created both as a L2 object, eventually propagated by VTP (if you use it), and at OSI layer 3 as a switched virtual interface, SVI Vlan100:



config t
vlan 100
 name newclient_vlan
exit
!
interface Vlan100
 description ip address in current ip subnet but not the same as the one used on the WAN router
 ip address 10.x.y.z <subnet-mask>
 ! important: you need to unshut the SVI
 no shutdown
!


Interface Vlan100 will be up/up when at least one L2 port (including L2 trunks) is in STP forwarding state for the vlan 100 broadcast domain.

This is called autostate.


Move ports from vlan 1 into vlan 100:


interface gx/y
 switchport
 switchport mode access
 switchport access vlan 100


This has to be done also on the user ports of the C3750 switches.


Vlan 100 has to be permitted on the trunk links on both sides.


Also the port towards the WAN router has to be moved to vlan 100.


In this case a new management VLAN with a separate IP subnet is recommended; user PCs have to be in a different subnet.


So I recommend changing also the management IP addresses of all devices to a new IP subnet, for security and better control.

You can use vlan 300 as the management VLAN, for example.

In this way you can use an ACL to avoid access to the devices from client vlan 100.


Hope to help

Giuseppe Larosa
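The following is an added example, not code from the thread: a small Python audit that parses an IOS-style running-config and flags the VLAN 1 residue that Reza's and Giuseppe's replies say should be gone after the migration (an SVI Vlan1 that is still up, trunks that still use VLAN 1 as native or still carry it, and active access ports left in VLAN 1). The two embedded configs are constructed for the example: interface names, the 10.10.x.x addresses, the vlan 100/300/999 numbers and the ACL name are assumptions, and the "after" config is one way of applying the advice above (users in vlan 100, management in vlan 300 behind an ACL, unused ports parked in vlan 999 and shut, native VLAN moved off 1).

```python
"""Audit an IOS switch running-config for VLAN 1 residue after a migration.

Added example; the configs below are constructed, not taken from the thread.
The checker only reads explicit 'switchport ...' lines, so on a real switch
verify ports whose mode is left at default with 'show interfaces switchport'.
"""
import re

# Constructed "before" config: everything still rides the default VLAN 1.
LEGACY_CONFIG = """\
interface Vlan1
 ip address 10.10.1.2 255.255.255.0
!
interface GigabitEthernet1/1
 description trunk to 3550-A
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/2
 description WAN router
 switchport
 switchport mode access
!
"""

# Constructed "after" config, following the replies above (assumed numbering):
# users in vlan 100, management SVI in vlan 300, unused ports parked in 999.
MIGRATED_CONFIG = """\
vlan 100
 name newclient_vlan
vlan 300
 name mgmt_vlan
vlan 999
 name unused_parking
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 10.10.1.2 255.255.255.0
 ip access-group BLOCK-MGMT in
 no shutdown
!
interface Vlan300
 ip address 10.10.3.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/1
 description trunk to 3550-A
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,300
 switchport mode trunk
!
interface GigabitEthernet1/2
 description WAN router
 switchport
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet2/1
 switchport
 switchport mode access
 switchport access vlan 999
 shutdown
!
ip access-list extended BLOCK-MGMT
 deny ip any 10.10.3.0 0.0.0.255
 permit ip any any
"""


def parse_interfaces(config):
    """Return {interface name: [indented sub-lines]} for every interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks


def vlan_set(spec):
    """Expand an IOS vlan list such as '1,100-102,300' into a set of ints."""
    out = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            out.update(range(int(lo), int(hi) + 1))
        elif part:
            out.add(int(part))
    return out


def audit_vlan1(config):
    """Return a list of (interface, finding) pairs where VLAN 1 is still in use."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        shut = "shutdown" in lines
        if name.lower() == "vlan1":
            if not shut:
                findings.append((name, "SVI for VLAN 1 is not shut down"))
            continue
        if "switchport mode trunk" in lines:
            native, allowed = 1, None  # IOS defaults: native 1, all vlans allowed
            for l in lines:
                m = re.match(r"switchport trunk native vlan (\d+)$", l)
                if m:
                    native = int(m.group(1))
                m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", l)
                if m:
                    allowed = vlan_set(m.group(1))
            if native == 1:
                findings.append((name, "trunk uses VLAN 1 as native VLAN"))
            if allowed is None or 1 in allowed:
                findings.append((name, "trunk carries VLAN 1"))
        elif "switchport mode access" in lines:
            access = 1  # IOS default access VLAN when no 'switchport access vlan'
            for l in lines:
                m = re.match(r"switchport access vlan (\d+)$", l)
                if m:
                    access = int(m.group(1))
            if access == 1 and not shut:
                findings.append((name, "active access port in VLAN 1"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", LEGACY_CONFIG), ("after", MIGRATED_CONFIG)):
        print(label, audit_vlan1(cfg))
```

Run against the "before" config it reports the un-shut Vlan1 SVI, the trunk's default native VLAN 1 and allowed list, and the router-facing access port still in VLAN 1; against the "after" config it reports nothing. The ACL placement is the one piece worth a second look: it is applied inbound on the client SVI (Vlan100) and denies traffic toward the management subnet, which is what actually stops client hosts reaching the switches' vlan 300 addresses; an ACL on the management SVI itself would only filter what the management hosts send.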
