Smart Install - vstack vlan other then vlan 1

Hello people

Has anybody managed to get Smart Install working on a VLAN other than VLAN 1?

Our setup would be:

DHCP  - Local director

TFTP  - external server

Management vlan 209

My issue is that when I connect the client switch to a normal trunk ("sw mode trunk") we use VLAN 1 as native by default and obviously no traffic is coming from VLAN 209 to the new switch. It just works (downloads IOS and startup-config) when I connect the client switch to an access port on VLAN 209.

I have gone through several docs and videos but all show VLAN 1 as the vstack VLAN.

According to this guide it should be possible to use a different VLAN than 1 as management for the vstack.

http://www.cisco.com/en/US/docs/switches/lan/smart_install/configuration/guide/smart_install.pdf

Could anyone help me? I am kind of stuck here..

Best regards

Isaac

Hall of Fame Community Legend

How to use Zero-Touch SmartInstall

This is my document but it works on VLAN 1.  This is because a brand new switch only has VLAN 1.

I didn't bother using other VLANs because, in my opinion, it defeats the purpose of Zero-Touch.

Hello Leolaohoo

Thanks for your reply.

Your document was one of the documents I had come across when searching for material that could help me.

The thing is that we already use other VLANs than 1 for management and we have around 80 locations, and therefore I need to have a central TFTP server in our datacenter, so routing between the management VLAN and the TFTP server is needed.

Did you ever try to use a remote TFTP server?

I am trying to do some routing on VLAN 1 on the Director but it is not working so far. Will keep trying.

Thanks for your help.

Best

Isaac

Hall of Fame Community Legend

My issue is that when I connect the client switch to a normal trunk "sw mode trunk"

Hi Isaac,

Why are you making the port a trunk?  Your zero-touch port should be an access VLAN 209.  The new switch, however, requires human intervention to change the ports from default VLAN 1 to VLAN 209.  VLAN 209 must also be created on the VLAN database.

Did you ever try to use a remote TFTP server?

I have used a TFTP server remote from the appliance and I have used a TFTP server local to the appliance.  The latter (TFTP local to the appliance) is my recommendation.


Hello again

The port is a trunk because in our production environment the connections between switches are trunk ports, therefore I need to find a way to get Smart Install working on a trunk port.

About port configuration, that is not an issue. As soon as the switch is configured with SI, all ports and VLANs are configured as they have to be.

For me the local TFTP is not possible - will have to go for the remote.

Best

Isaac Alves

Hall of Fame Community Legend

For me the local TFTP is not possible

Really???  You can't even use the VStack Director as a TFTP server?

The port is a trunk because in our production environment the connections between switches are trunk ports, therefore I need to find a way to get Smart Install working on a trunk port.

I have never seen that before.  Sorry, I won't be able to help you there. 


Hello leolaohoo

I cannot use the Director as TFTP server because we have 3 different types of switches on our network and the flash on our directors is not big enough to accommodate the images plus the different configurations.

Thanks for your help.

I will keep on with my research for SI on trunk ports.

Best

Isaac


The only other way I have seen this work is when you have OOB management ports (fa0); then you can assign access VLAN 209 (or any other VLAN ID) to that port, which is routed so it has no concept of VLAN tags anyway, and it will get a DHCP address. From there Smart Install will pick up and config/update your switch.

However, you now have me thinking: if you had a trunk with VLAN 209 (management) as the native VLAN, and you blocked any spanning-tree port consistency stuff that might detect/block on a VLAN mismatch, wouldn't that come out as VLAN 1 on a new switch, which would get you a DHCP address on VLAN 1 and get your Smart Install going anyway? That would be my thought; I might have to give it a go some time just to see if it can be made to work. Like you, I'm not a fan of Cisco saying don't use VLAN 1 and don't use it as the native VLAN, but then they turn around and say you must use VLAN 1 for Smart Install. There must be a better best-practices way of doing this.


Hello Kevin

I will look at the OOB management (never worked with that).

About what you said, that I could stop STP from running on those ports: I thought about it, but stopping STP... I'm not so happy about it.

I have thought about using the L3 director to route VLAN 1. Any experience with that?

Best

Isaac


Yeah, I'm not sure how big the STP thing will be. I'm racking my brain trying to remember; I think when VLAN inconsistencies are detected on a trunk the VLAN isn't allowed to enter forwarding state or something, but my memory of that is fuzzy at best. I think you can stop that, maybe with something like BPDUFilter on the upstream side of the trunk. In that case you could turn it on to allow Zero Touch to configure and upgrade the switch, then as soon as the switch is configured you could have the native VLAN matching on both sides and the BPDUFilter could be disabled. I sort of see that as something like a join window; it does make it not true zero touch, but it includes a security feature where you have to intervene before a Smart Install can occur. For me that's a good thing, but for others it might be a pain in the ass. Obviously, in either case be careful when playing with anything that can interfere with STP; BPDUFilter is an obvious exclamation point for that warning.

I think you would have trouble with L3 as the default config on a blank switch will have all ports in switchport mode, and you can't zero touch the switch and also set the port into no switchport mode at the same time. Unless you are referring to having the L3 SVI for VLAN 1 on the director. Obviously that solves all your problems with Smart Install needing VLAN 1, but then you need routing back to your TFTP server and to DHCP, possibly to TACACS and to your management station, so in my mind you are basically starting to actively use VLAN 1 for management. In my case this is unacceptable, as all our switches have a low-numbered VLAN (never 1) as their management interface and that is the only interface I let LMS contact them on. Since LMS does discovery through CDP, and CDP always finds the IP of the lowest-numbered VLAN on your neighbouring switch, creating VLAN 1 would be very bad for us. It also goes against all the security principles regarding the use and appropriate pruning of VLAN 1.

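To make the two approaches discussed in this thread concrete (the access-port zero-touch port that leolaohoo recommends, and the trunk-with-native-VLAN-209 "join window" that Kevin describes), here is an added director-side IOS configuration sketch. It is not from any poster's switches or from the Cisco guide; the addresses, interface names, image and config file names and the DHCP pool are assumed placeholders, and the `vstack` commands are written as documented for the 3560/3750 Smart Install director, so check them against the guide linked in the first post for your IOS release.

```cisco
! Added example, not from the original thread. Assumed values: director SVI
! 10.209.0.1/24 on management VLAN 209, external TFTP server 10.1.1.10,
! client-facing ports Gi0/1 and Gi0/2. Replace every value with your own.
!
! --- Smart Install director on the management VLAN (not VLAN 1) ---
vlan 209
 name MGMT
!
interface Vlan209
 ip address 10.209.0.1 255.255.255.0
!
vstack director 10.209.0.1
vstack basic
vstack vlan 209
! default image and config pulled from the external TFTP server (placeholder names)
vstack image tftp://10.1.1.10/PLACEHOLDER-image.tar
vstack config tftp://10.1.1.10/PLACEHOLDER-config.txt
!
! DHCP served by the director itself, as in the original poster's setup
ip dhcp pool SMARTINSTALL
 network 10.209.0.0 255.255.255.0
 default-router 10.209.0.1
!
! Option A (leolaohoo): zero-touch port as an access port in VLAN 209.
! A blank client sends everything untagged, so it lands in VLAN 209 unchanged
! and no native-VLAN mismatch is ever seen by spanning tree.
interface GigabitEthernet0/1
 description SmartInstall zero-touch port (access)
 switchport mode access
 switchport access vlan 209
 spanning-tree portfast
!
! Option B (Kevin's "join window"): keep the uplink a trunk but make 209 native.
! The client's untagged VLAN 1 frames are received in VLAN 209, but its untagged
! PVST BPDUs trigger a native-VLAN (PVID) inconsistency and the port is blocked.
! BPDU filter suppresses that check ONLY while the install runs; with it on,
! this port has no loop protection at all, so the window must be closed again.
interface GigabitEthernet0/2
 description SmartInstall zero-touch port (trunk, join window OPEN)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 209
 switchport trunk allowed vlan 209,210-220
 spanning-tree bpdufilter enable
!
! Closing the window once the client has been imaged and configured:
! the client's uplink now carries "switchport trunk native vlan 209" too,
! so the native VLANs match and the filter is removed.
interface GigabitEthernet0/2
 description SmartInstall zero-touch port (trunk, join window CLOSED)
 no spanning-tree bpdufilter enable
```

Two checks worth keeping in the runbook for option B: `show spanning-tree inconsistentports` shows whether a PVID mismatch is still blocking the port after the filter is removed, and `show vstack status` on the director confirms the client joined on VLAN 209 rather than VLAN 1. Option A is the safer default; option B only trades zero-touch for a deliberate, reversible intervention, which is the "join window" Kevin describes.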

Hello Kevin

Thank you for bearing with me.

I agree with you that starting to "play" with STP to allow Smart Install to work in a production environment is not applicable. The whole idea about Smart Install would be to save some time, but if I have to start tweaking STP it can degenerate into some major issues.

The idea was what you said: to use an L3 SVI on the Director to manage the Smart Install network. I could maybe have one Director per branch. VLAN 1 stops at the branch because it is not allowed on the uplink, and I hope that by doing that LMS would not see it (that range is also excluded from LMS discovery).

Anyway, my problem now is a routing problem: the VLAN 1 IP can send traffic from the clients to the remote TFTP but the traffic does not know how to get back. The only way I could think of would be to NAT the VLAN 1 IP addresses to an address known outside the branch but... I was thinking about using 3560C as Directors and as border switch, but NAT is not one of their features (checked Cisco docs). Stuck again...

Thank you for your help

Isaac

Hall of Fame Community Legend

I was thinking about using 3560C as Directors

I believe you can't use 3560C as Directors.  You need a minimum of a 24-port switch from the 3560-/3750- family of switches.


Hello Leolahoo

The 3560C can be used as a director (I am using one right now). The IOS inside the 3560C is the same, as far as I tested, as the one inside the 3560 24-port.

My issue now is a NAT issue: the 3K/4K series may not be used to do NATting. That feature is simply not supported.

Any idea on how I could keep SVI VLAN 1 internal to the branch office, thus allowing the vstack clients to communicate with an external TFTP server?

Best

Isaac

Hall of Fame Community Legend

The 3560C can be used as a director (I am using one right now). The IOS inside the 3560C is the same, as far as I tested, as the one inside the 3560 24-port.

Thanks Isaac.  I need to update my documentation.


Welcome