Connecting Cisco 3750 to Routed Network for Management

Cisco novice here. I have two Cisco 3750s (stacked), and just performed an express setup to assign an IP address for management. Now I need to connect this switch to my primary network for management purposes only (not trying to cascade my primary network switch). I want the 3750s to be isolated, however I want to manage this switch from my primary network. What is the next step?
 
You can use an ACL applied to your VTY lines. If you need the config say something and I'll post a template.
 
Thanks Vito. Please post a template if it's not too much trouble. How do Access Control Lists apply to this situation? In this situation the isolated switch (network) will be plugged into an access port on my 2960G (primary network). Can you provide a quick background (or point me in the right direction) in regard to the specifics of how to configure this switch properly and provide management from my local (routed) network?
 
I don't think I'm understanding what you want to do. I was talking about limiting management access to your switch.

Are you saying you want an isolated network BEHIND the switch? So basically a VLAN that can only communicate with itself?
 
The more I read, the more it seems like the latter. If you don't want hosts on that switch touching your network you could give them IPs but no gateways, or you could use the 3750s as the gateway and use an ACL that blocks traffic from that subnet out, or you make your link to the 2960 a trunk and not pass traffic from that VLAN through it. There are a lot of ways to accomplish that, if it really is what you're asking.

I might still be confused though, lol.
 
My understanding is vague. Here is a better description of what I am trying to accomplish. I have purchased three iSCSI SANs and have four servers that will utilize this storage with dedicated NICs (4 ports/server). I want to build an isolated SAN network, however I would like to be able to access and configure the SAN switch from my LAN. The SAN network will be separate from my LAN, the network will not be routable (even if I wanted to, I don't have access to upstream routers). At the very least it would be nice to configure/monitor the SAN switch from my production LAN. How can this be accomplished?

You mentioned that I can make my link to the 2960 a trunk, but not pass traffic through it... what are the benefits of doing this? Again, my understanding of this is limited to what I have learned in the last few days. If you are setting up a trunk, isn't the purpose to allow access to multiple VLANs through a single port? What are we accomplishing here?
 
All three options would accomplish what you want. There are other options as well. I would probably just use the 3750 as the gateway and use ACLs to deny traffic in and out of that subnet.

The purpose of a trunk is to pass multiple VLANs, but in this situation you could keep the 3750 L2, create a trunk between the 2960 and the 3750, make the SAN VLAN on the 3750 and not allow that VLAN to go through the trunk. That would prevent hosts in that VLAN from sending traffic over the trunk, which would isolate it.
 
What configuration changes do I need to make to my 2960G for this to work? Right now all ports are configured as access ports with RSTP enabled.
 
switchport mode trunk
switchport trunk allowed vlan <vlan>

You would only allow the management VLAN to traverse the trunk, not the SAN VLAN.
 
Thanks Vito. Can I choose any port on the 3750G for management? Do I need to use a crossover cable between a 3750G and the 2960G? You have been very helpful... I will report my findings tomorrow. Unfortunately I don't manage the 2960G but can interface with the folks that do to establish a trunk port. Do I need to make any other changes on the 2960G? I have portfast enabled, assume that only holds true for access ports... perhaps I am wrong.
 
Also, what if I plug into an access port on the 2960G that already has the management VLAN assigned to it? Can you tell me why I need a trunk port rather than an access port with VLAN already assigned to inter connect the switches for management only? Are there settings I need to change to prevent these switches from cascading?
 
No, you just need an access port for 1 VLAN. You should just make it a trunk anyway like vito showed, it makes it easier to deal with in the future if you need to add more VLANs (swi trunk allow vlan add <>... don't forget the ADD haha, been there already).

What you will do, though, is something like this:

Say this is your management uplink
int gi1/0/1 -- VLAN 999

Say this is the rest of the switch
int range g1/0/2 - 48 VLAN 1000
int range g2/0/1 - 48 VLAN 1000

Create a L3 VLAN interface for VLAN 999.
Don't create a L3 VLAN interface for VLAN 1000.

Then, anything in VLAN 1000 cannot route to your main network, but you can still manage it due to the IP on VLAN 999. I think this is what you want, but it took me a few reads haha.
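A worked version of the trunk variant that Vito and just2cool describe above, written here as an added example rather than taken from any post in this thread. It assumes VLAN 475 as the management VLAN (the VLAN on the OP's upstream access port), VLAN 500 as the SAN VLAN, VLAN 999 as an otherwise unused native VLAN, GigabitEthernet0/1 on the 2960G and GigabitEthernet1/0/1 on the 3750 stack as the link, and 10.4.75.20/24 as the management address; all of those values are assumptions.

```cisco
! ===== 2960G (production LAN side); added example, not from the thread =====
conf t
vlan 999
 name UNUSED-NATIVE
interface GigabitEthernet0/1
 description Trunk to SAN 3750 stack (management VLAN only)
 switchport mode trunk
 ! Only the management VLAN may cross this link; the SAN VLAN is simply not listed.
 switchport trunk allowed vlan 475
 ! Untagged frames land in an unused VLAN, so nothing rides the native VLAN.
 switchport trunk native vlan 999
 switchport nonegotiate
 ! A switch-to-switch link is not an edge port: let STP listen for BPDUs here.
 no spanning-tree portfast
end

! ===== 3750G stack (SAN switch) =====
conf t
vlan 475
 name MGMT
vlan 500
 name SAN-ISCSI
vlan 999
 name UNUSED-NATIVE

interface GigabitEthernet1/0/1
 description Trunk to 2960G gi0/1 (management VLAN only)
 ! The 3750 speaks ISL as well as 802.1Q, so the encapsulation is set explicitly.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 475
 switchport trunk native vlan 999
 switchport nonegotiate
 no spanning-tree portfast
 no shutdown

! Every remaining port on both stack members is a SAN access port.
interface range GigabitEthernet1/0/2 - 48 , GigabitEthernet2/0/1 - 48
 switchport mode access
 switchport access vlan 500
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown

! The only SVI is the management one. There is deliberately no "interface Vlan500":
! with no SVI and no trunk membership, VLAN 500 has no path off this stack at all.
interface Vlan475
 ip address 10.4.75.20 255.255.255.0
 no shutdown
end

! If a second VLAN ever needs to cross the trunk, use "add". Without it the
! allowed list is REPLACED and VLAN 475 (the management path) drops off the trunk:
!   interface GigabitEthernet1/0/1
!    switchport trunk allowed vlan add 500
```

Reaching the VLAN 475 SVI from a different subnet also needs a default gateway on the 3750, which just2cool's later reply covers; with only this much, management works from hosts inside 10.4.75.0/24. The isolation invariant to check after any change is `show interfaces trunk` on both ends (VLAN 500 must not appear under "allowed") and `show ip interface brief` on the 3750 (no Vlan500 line).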
 
LOL... I am not sure what I want, I think I need to step back and review what I know and clearly don't know. I want to connect two switches (2960G and 3750G) so I can manage the switch from my Public LAN (maybe eventually route the SAN network down the road, not now), however I don't want any of the traffic on the other ports to be exposed to the Public LAN. Also want to optimize the switch for iSCSI traffic, hopefully all optimizations (flow control, jumbo frames, disable broadcast storm control, etc.) can be applied such that the interface to the "management port" will still work with the upstream switch. Here is a dump of an interface on my upstream switch (public LAN) for configuration reference:

interface GigabitEthernet0/1
switchport access vlan 475
switchport mode access
switchport nonegotiate
no cdp enable
spanning-tree portfast

I also have a few questions to better my understanding of things, perhaps some of you can be of assistance so I can properly form my request.

1. Should I use a "regular" port on my Public LAN and uplink port on my 3750G (SAN Switch)? Do I have to make configuration changes? Do I need to use a crossover cable here?

2. How do you specify a port as an "uplink" port vs. a regular port?

3. What is the difference between trunk port and uplink port? As mentioned, you can use an access port if you are not passing multiple VLANs, correct?

4. Can someone make an example configuration? What is the configuration on the public LAN switch vs. configuration on the SAN switch? Do I need cross-over cables? Do I have to use certain ports on either switch to accomplish this? How do I write the ACL to block traffic from other ports (allow switch management access only from public LAN)?

5. The 2960G has four dual-purpose ports, are these all considered uplink ports? Can these ports be used as regular ports?


In short, I want to access the management functions on my SAN switch as an appliance (an endpoint). I don't want to "cascade" the switches if I don't have to in order to accomplish this.


Everyone - thanks for your patience!
 
First.. never use spanning tree portfast on a port that has a switch. Make sure you change that when you connect the switch.

To make it easy on you since you're new, aside from taking off spanning tree port fast... that will work fine. Ultimately, after setting this up, you should try to understand how to put a trunk on.

Your questions:
1. No crossover cable needed... it will automatically take care of this (read: auto-MDIX)
2. An uplink port is simply a term that means traffic going outside of that switch will be put on that wire. You can set it up to either route out the port or if the default GW exists across that link upstream.
3. A trunk port is commonly used as a L2 agg/uplink port. A routed port is used as a L3 agg/uplink port.
4. Below. It's intentionally missing one thing important... and you don't need an ACL. Set this up first and I'll explain after if you can't figure out why.
5. Any port can be an "uplink" port. Read #2.

Here's a template, again, one important thing is missing.
Code:
! On the 2960:
conf t
int g0/1
no spanning-tree portfast

! On the 3750:
! this creates entries in the vlan DB so you can use them on the switch
conf t
vlan 475
vlan 500

! this puts the "uplink" port into a separate management vlan
int gX/X/XX
switchport access vlan 475
switchport mode access
no shut

! These are the rest of the ports... you should look up this range command to see how to use it
int range gX/X/XX - XX
switchport access vlan 500
switchport mode access
no shut

! This creates a management IP. Take an available static IP from vlan 475 on your 2960 and assign it here
int vlan 475
ip address X.X.X.X Y.Y.Y.Y
no shut
 
This thread makes me giggle.. :p

First.. never use spanning tree portfast on a port that has a switch. Make sure you change that when you connect the switch.
OP, this is a good rule of thumb, if you don't have a physical loop in your topology then it really doesn't matter as a loop couldn't form anyways. Faster ports with better physical security are better imo, anyway that you slice it. We always turn on portfast on our trunk ports... always. There are tons of cases where you want to put your trunks into portfast mode too, ESX hosts is one, VoIP, any host that is not a switch that's going to send any frames with tags... the list goes on.

Shut up justin, I can hear what you're going to say... "well, well, well.... what if someone accidentally plugged a cable in between the switches and created a loop".. Well, that's why I said it's a good rule of thumb :cool: plus there's all kinds of other sweet little features, bpdufilter, bpduguard, etc, etc
 
Haha, yeah.. something along those lines. It's a fine line for sure, but like you mentioned there are use cases.

At least portfast can (almost always) recover from a loop eventually unlike the commonly used "no spanning-tree 1-4094"
 
“just2cool” – You mention that the example you wrote is missing something… I can’t see what. Can you explain? I have it working, had to disable spanning tree on the VLAN I set up for the management interface (no span VLAN X)… otherwise the port would be shut down on the 2960 with portfast set up. I also opted to do access ports and let AUTO-MDIX take care of the crossover. I couldn’t think of any reasons why I want to trunk VLANs if I am only doing management. Please correct me, I am a novice after all that knows enough to be dangerous.

Other comments regarding this post:

Access lists are only going to control which IP addresses can access the CLI-interface (this case, the management interface). While I need to limit which computers on my Public LAN can access the management… I also want to make sure all my other interfaces can’t be seen from my Public LAN. My first inquiry was in regard to the physical connections and interface configuration to accomplish my objective, which was to access the CLI on my 3750 stack from my Public LAN.

I wanted to isolate the hosts behind the switch, such that regardless of whether a gateway is set, there is no physical way to connect to my Public LAN. I accomplished this by moving all ports to a new VLAN (non-routed or trunked to my Public LAN), thereby isolating all hosts on my SAN switch stack.

“just2cool” – You mentioned that I should create a VLAN 1000 for the rest of my switch, but not create an L3 VLAN interface for the VLAN 1000. I am not sure what you mean by this. Do you mean assign ports to VLAN 1000, but not create an interface named VLAN 1000? Can I do this? I am not sure what a VLAN interface means, to me it’s a logical identity that shouldn’t get an “interface,” rather a logical grouping of ports which are part of the same broadcast domain. Can you clarify? Also what is a Layer 3 VLAN interface… interface with IP attached? You can only have one of these on your switch, correct? Can you give me an example of what a routed port (L3 agg/uplink) is, and what scenario I would have this? I have a router upstream that handles my routing.

Also, why do I want to disable spanning tree portfast on a port that has a switch. I was under the vague assumption that spanning tree was used to ensure there is only one path, and as a result no loops in the network… that will create broadcast storms among other issues.
 
Haha, damn man, that's one loaded post :D. Good to see you trying to learn.. a lot of people just want config. You'll have to read up on a bunch of the stuff I'll put here, but this will at least give you short and sweet answers.

“just2cool” – You mention that the example you wrote is missing something… I can’t see what. Can you explain?
A default gateway set on the switch so you can access it outside of that management VLAN. It looks like you've set this already if it's working for you.

I have it working, had to disable spanning tree on the VLAN I setup up for the management interface (no span VLAN X)… otherwise the port would be shutdown on the 2960 with portfast setup.
That's something you definitely don't want to do. You must have BPDU guard enabled by default on portfast ports, which causes them to be instantly err-disabled upon reception of a BPDU. In this case, the easiest fix would be to just take off spanning tree portfast on that interface on both sides, but leave spanning tree running. More explanation at the end..

I couldn’t think of any reasons why I want to trunk VLANs if I am only doing management. Please correct me, I am a novice after all that knows enough to be dangerous.
You don't need a trunk for this at the moment, it's only for the future. Maybe you wanted the SAN VLAN to be accessible via that link in the future while maintaining the same management VLAN. Making it a trunk now would prevent you from bringing the link down to make it into a trunk later and add another VLAN to it.

I wanted to isolate the hosts behind the switch, such that regardless of whether a gateway is set, there is no physical way to connect to my Public LAN. I accomplished this by moving all ports to a new VLAN (non-routed or trunked to my Public LAN), thereby isolating all hosts on my SAN switch stack.
Yes -- and again because you don't have a trunk nor a VLAN interface, they'll continue to be isolated.

Do you mean assign ports to VLAN 1000, but not create an interface named VLAN 1000? Can I do this? I am not sure what a VLAN interface means, to me it’s a logical identity that shouldn’t get an “interface,” rather a logical grouping of ports which are part of the same broadcast domain. Can you clarify? Also what is a Layer 3 VLAN interface… interface with IP attached? You can only have one of these on your switch, correct?
Yes, you're correct. Apparently, the 2960 can only have one. Sorry to steer you down a path of confusion there -- I've never used a 2960.

But for learning's sake, yes, a VLAN interface = Layer 3 VLAN interface = VLAN with IP attached. All the same. On more capable switches (multilayer switches), you can have a bunch of these. This IP could then be a default gateway for the hosts in that VLAN. Your 3750 can do this. You could create VLAN interfaces and have the 3750 do the inter-VLAN routing. Meaning, going from one VLAN to the other would not touch your router. And your router could just be used for WAN/Internet. All depends on what you want to accomplish and what your needs are...

Can you give me an example of what a routed port (L3 agg/uplink) is, and what scenario I would have this? I have a router upstream that handles my routing.
You can't do this on your 2960. But on your 3750, you could go into an interface and do "no switchport" and give it an IP address just like you would to a VLAN. Run dynamic routing protocols, etc... don't worry about this considering you have a separate router.

Also, why do I want to disable spanning tree portfast on a port that has a switch. I was under the vague assumption that spanning tree was used to ensure there is only one path, and as a result no loops in the network… that will create broadcast storms among other issues.
Spanning tree is, yeah. Portfast is a feature where, once the port has its link up, it will immediately start using that port. If there's a loop, it will eventually detect it and fix it. Non-portfast spanning tree will listen for a period of time (~15 sec with rapid spanning tree) before using the port and will prevent startup loops, as well as recover from them if they're induced later.
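Pulling the last reply together into one working configuration for the access-port design the OP actually built, as an added example that is not from any poster: it adds the "missing piece" (the default gateway), replaces the OP's `no spanning-tree vlan` workaround with removing portfast on the uplink while leaving STP and BPDU guard on, and applies the VTY ACL Vito suggested at the top of the thread. Assumptions: VLAN 475 is the management VLAN and VLAN 500 the SAN VLAN, GigabitEthernet0/1 on the 2960G faces GigabitEthernet1/0/1 on the 3750 stack, 10.4.75.0/24 is the management subnet with 10.4.75.1 as the upstream router and 10.4.75.20 as the switch, and 10.4.75.50 and 10.4.75.51 are the admin workstations; the hostname, domain name and username are placeholders.

```cisco
! ===== 2960G side: still an access port in VLAN 475, but no longer an edge port =====
conf t
interface GigabitEthernet0/1
 description Access link to SAN 3750 stack (management only)
 switchport mode access
 switchport access vlan 475
 switchport nonegotiate
 no cdp enable
 ! The 3750 sends BPDUs on this link. A portfast port with BPDU guard err-disables
 ! on the first one, which is what the OP saw. Keep STP running; just drop portfast.
 ! (If "spanning-tree bpduguard enable" was set per-interface, remove that too.)
 no spanning-tree portfast
end

! ===== 3750G stack (SAN switch); assumed values, see lead-in =====
conf t
hostname san-sw1
ip domain-name example.internal
vlan 475
 name MGMT
vlan 500
 name SAN-ISCSI

interface GigabitEthernet1/0/1
 description Uplink to 2960G gi0/1 (access port, VLAN 475)
 switchport mode access
 switchport access vlan 475
 switchport nonegotiate
 no spanning-tree portfast
 no shutdown

interface range GigabitEthernet1/0/2 - 48 , GigabitEthernet2/0/1 - 48
 description iSCSI hosts and SAN controllers (VLAN 500, never leaves this stack)
 switchport mode access
 switchport access vlan 500
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown

! The single SVI is the management one. No "interface Vlan500" on purpose.
interface Vlan475
 ip address 10.4.75.20 255.255.255.0
 no shutdown

! The missing piece: with "ip routing" left off (the 3750 default), the switch
! needs ip default-gateway to answer hosts outside 10.4.75.0/24.
! If "ip routing" is ever enabled, use "ip route 0.0.0.0 0.0.0.0 10.4.75.1" instead.
ip default-gateway 10.4.75.1

! Vito's VTY ACL: only the two admin workstations may open a management session.
ip access-list standard MGMT-HOSTS
 permit 10.4.75.50
 permit 10.4.75.51
 deny   any log

! Management over SSHv2 only; Telnet and the web UI off.
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret CHANGE-ME-placeholder
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
no ip http server
no ip http secure-server

! iSCSI tuning the OP asked about; "system mtu jumbo" only takes effect after a reload.
system mtu jumbo 9000
end
```

Note that `access-class` only limits who can reach the CLI; the isolation of the SAN hosts comes from VLAN 500 having neither an SVI nor a trunk to the 2960, which is why no additional ACL is needed for that. After applying, `show spanning-tree interface gigabitethernet1/0/1` on the 3750 should show the uplink forwarding without portfast, and `show access-lists MGMT-HOSTS` counters climb only for the permitted hosts.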
 