Managing Layer 2 devices

Status
Not open for further replies.

J001

Technical User
Mar 23, 2007
51
GB
Hello,

I need to convert a few Cisco 3750 layer 3 switches to layer 2 devices.
These currently have a direct point-to-point connection to both our 6509 switches and have static routes with metric to either switch for load sharing.

I wanted to know what the best practices were for managing these layer 2 devices remotely via SSH, SNMP, AAA, etc.

Does anyone have a sample configuration ?

Jay
 

Layer2 switches generally have one ip-addressed interface you use for management.

Are your 6509s in a VSS pair? If so, your links back to them can be etherchanneled, otherwise you will have to use spanning tree.

How many VLANs are on these 3750s?
 

No, the cores are not set up as VSS pairs.

I have statics configured with metric to load balance to either switch.

I need to set up HSRP and like you mentioned EtherChannel / Trunk connection back to core.

Each 3750 has 2 Vlans (Data/Voice).

 
So you can pick one of the VLANs and give the switch an IP address in that VLAN, or, you can create a management VLAN and give the switch an IP address in that VLAN instead.

If you are setting these up as Layer2 only, then you need HSRP in the Core, but on the edge the config is very simple, you just use spanning-tree. Make sure you set the two cores with lower priority than the edges and one core lower than the other.

If the cores are not VSS then you can create two etherchannels from each switch, one back to each core, but not one etherchannel from each switch going back to both cores.
 

Thanks for the info.

Why do I need to ether-channel ?

As from the 3750 I have 2 x 1gig links to each 6509 Core.

Also, I have NTP configured with an IP to a server. Will this work?
 
If you have two links from the 3750 to each core, each of those pairs of links should be etherchanneled. It's very simple - just follow the config guide. Having an etherchannel is the best way to use the pair of links in terms of bandwidth (performance) and redundancy.
 

I have configured the layer 2 switch and connected a single uplink to Core. The trunk is up but I can't ping the loopback address.

The loopback is on the same subnet as vlans allowed.

Do I need to configure vlan 1 ?
 
What is the IP configuration on the new switch?

What is the interface configuration of the uplink port?

What is the interface configuration of the connected Core switch port?
 
1. User Switch Config Brief

spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id


vlan 75
name DATA
!
vlan 501
name Lyr2MGt

interface Loopback0
description Management
ip address 10.10.10.250 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
!
Ports 1-48 Configured
interface GigabitEthernet1/0/1
switchport access vlan 75
switchport mode access
switchport voice vlan 77
spanning-tree portfast
!

Port 49 Fibre Link Configured

interface GigabitEthernet1/0/49
description uplink to Core Switch
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 75,501
switchport mode trunk
udld port aggressive
!

interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan501
ip address 10.10.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
!
ip default-gateway 10.10.10.253

------------------

2. Core switch

Port Fibre Uplink

interface GigabitEthernet1/1
description uplink to Access Ly2 Switch
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 75,501
switchport mode trunk
no ip address
udld port disable

interface Vlan75
ip address 10.10.10.252 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
standby 1 ip 10.10.10.253
standby 1 preempt
standby 1 authentication XXXX
end

interface Vlan501
description Lyr2-Management
ip address 10.10.20.252 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no mop enabled
standby 1 ip 10.10.20.253
standby 1 priority 110
standby 1 preempt
standby 1 authentication XXXX
end


 
On the edge switch, you have your 10.10.10. address on the loopback interface, but on the core switch, you have the 10.10.10. address on the VLAN 75 interface.

You have VLAN 75 trunked between them, so personally, I would have put the 10.10.10. address on the edge switch on the VLAN 75 interface.
 

I thought a better configuration was to have the Layer 3 VLAN 75 on the Core switch ?

I can ping everywhere from a PC with a static IP but DHCP does not work ?
 
OK, so you have two ip addresses on your network in the same subnet on different VLANs.

Does your edge switch have IP routing enabled?

You want your edge switch to be Layer2, so you need to disable IP routing and choose one VLAN on that edge switch to be your management VLAN and you need one IP address on that edge switch in the management VLAN and no other IP address.
 
Your management network commits the cardinal sin of breaking the one-to-one mapping rule of subnets and vlans. It's not a technical requirement but it's a really good idea to follow that rule unless you have a really good reason to break it.

Either put both IPs in the 10.10.10.0/24 network into vlan 75, or neither.

CCNP, CCDP, CCIP
Core Network Planner, ISP
 
OK, I'm confused!

Vlan 75 is our User VLAN

Vlan 501 is the Management Vlan which allows us to manage the layer 2 switch.

I disabled IP Routing on the layer 2 switch but enabled it again because I thought DHCP may need it.

Are you asking me to remove the 501 Management vlan and configure a layer 3 Vlan 75 on the User switch with an ip from the 10.10.10.x range ? Then disable ip routing ?



 
No. What we're saying is that you want this switch to be a layer2 switch, so disable IP routing on it.

As a layer2 switch, it will not use an IP address to perform any of its functions, but you want to give it an IP address so you can manage it across the IP network. I guess that will be the VLAN 501 address.
Get rid of the loopback0 address.
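
Added example, not part of the thread: a small Python check for the two problems the replies point out, a subnet addressed on more than one Layer 3 interface (10.10.10.0/24 on Loopback0 and Vlan75) and a default gateway the management SVI cannot reach. The config excerpts are constructed from the addresses posted above, `EDGE_FIXED` is one reading of the recommended change, and the function names and the "one subnet, one interface name" heuristic are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed excerpts of the edge and core configs posted in the thread.
EDGE = """interface Loopback0
ip address 10.10.10.250 255.255.255.0
interface Vlan501
ip address 10.10.20.1 255.255.255.0
ip default-gateway 10.10.10.253
"""
CORE = """interface Vlan75
ip address 10.10.10.252 255.255.255.0
interface Vlan501
ip address 10.10.20.252 255.255.255.0
"""
# Assumed result of the advice: no loopback, gateway is the VLAN 501 HSRP address.
EDGE_FIXED = """interface Vlan501
ip address 10.10.20.1 255.255.255.0
ip default-gateway 10.10.20.253
"""

def l3_interfaces(config):
    """Map interface name -> IPv4Interface for addressed, non-shutdown interfaces."""
    found, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            name = m[1]
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and name:
            found[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif line == "shutdown":
            found.pop(name, None)  # a shut interface carries no usable address
    return found

def audit(devices):
    """devices: {hostname: config text}; returns a sorted list of findings."""
    findings, owners = [], {}
    for host, cfg in devices.items():
        ifaces = l3_interfaces(cfg)
        for name, addr in ifaces.items():
            owners.setdefault(addr.network, set()).add(name)
        svis = [a.network for n, a in ifaces.items() if n.lower().startswith("vlan")]
        gw = re.search(r"^ip default-gateway (\S+)", cfg, re.M)
        if gw and not any(ipaddress.ip_address(gw[1]) in net for net in svis):
            findings.append(f"{host}: default gateway {gw[1]} is outside every active SVI subnet")
    for net, names in owners.items():
        if len(names) > 1:  # heuristic: a subnet should sit on one VLAN interface name
            findings.append(f"subnet {net} is on more than one L3 interface: {', '.join(sorted(names))}")
    return sorted(findings)
```

Calling `audit({"edge": EDGE, "core": CORE})` reports both problems; with `EDGE_FIXED` in place of `EDGE` it returns an empty list.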
 