2960-S with lanbase-routing: VRF-Lite?

chrismarget (Level 1)

I need to deploy a 2960S in routing mode (sdm prefer lanbase-routing).

Does the device support VRF-Lite? I suspect it does not.

Really, I only need to isolate L3 transit routes from my management routes. Is the management interface (FastEthernet0) dedicated to its own VRF like on many other platforms?

If so, that would satisfy my requirements: one VRF for management (on the dedicated port), and one VRF for transit traffic.

Thanks!

10 Replies

Leo Laohoo (Hall of Fame)
Does the device support VRF-Lite?

2960-series switches do not support VRF-Lite.

VRF-Lite is supported with 3560/G/E/X, 3750/G/E/X and 3850 starting with IP Services or Advanced IP Services feature set.  (I don't remember which one.)

shillings (Level 4)

The 3850 series includes a management interface within a dedicated management VRF, so no need for 'IP Services' IOS, provided you don't need any more VRFs. 3850 series is the same price as 3750-X series, here in the UK (last time I checked): -

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/qa_c67-722110.html

Whilst the new 2960-X series also includes a management interface, it doesn't appear to have a dedicated VRF, which makes sense, because the platform itself can't facilitate VRF-Lite, as Leo commented above: -

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12995/qa_c67-728348.html

I've been playing with a 2960S with LAN Lite feature set (no L3 features). The management interface is getting an address via DHCP. I can't even figure out how to tell what it's using as a default gateway, let alone anything VRF-related.

Given that this platform doesn't seem to isolate management traffic, I'm struggling to understand the point of this interface. Does it bring any functionality that I couldn't get with a VLAN, SVI and a normal L2 interface?

My application requires limited gigabit L3 switching, and isolation of management prefixes from L3 transit prefixes, because I expect them to overlap.

I'd been thinking I could use WS-C2960S-24TS-L for this purpose, because it has a dedicated management interface.

Now it's looking like WS-C3560X-24T-E is the least expensive option.

Ugh. That's a $5700 (list) management VRF.

Am I missing anything about the management interface on the 2960S? It doesn't seem to introduce any new functionality.

Whilst 2960-S management traffic will share the same IP Routing table, the management traffic can be out-of-band and not share the same infrastructure as your end-user data. You can then connect up an entire out-of-band management network with dedicated remote access etc. But I agree it is not ideal, because it still shares the same routing table.

If you have a management VRF, then you can assign a dedicated default gateway. However, because the 2960-S management port is sharing the IP routing table, then you'd not want your default gateway forwarding to your management interface. Therefore, you will need to configure specific static routes instead.

Management port (FastEthernet0) found in the -E, -X, -S switches are for Out of Band Management (OoBM) purposes only.  It's not designed to be routed or anything.  It has to be on its own separate subnet.  It's designed to be as an alternative method to reach your LAN switches from the DMZ.

Thanks Leo and shillings.

You both seem to be saying that the management interface allows me to do something I couldn't do on an old-school 2960, but what you're describing is easily accomplished without the management port.

Sure, I could plug the management port into a dedicated management VLAN, give it an IP address and a default gateway, and access the device only via the management interface.

On the other hand, I could also:

  • Create a management VLAN local to one switch only
  • Allow that VLAN onto only a single access port
  • Create an SVI
  • Plug the access port into my management infrastructure

Same result really, isn't it?

The only benefit to using the management interface appears to be that it's impossible to accidentally trunk your management VLAN somewhere it doesn't belong.
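The VLAN-plus-SVI alternative listed above, written out as an IOS configuration. This is an added example, not configuration from the thread or from Cisco; the VLAN number, port numbers, prefixes and next-hop addresses are assumed, and it relies on the point made earlier in the thread that management and transit share one routing table on a 2960-S, so management reachability comes from specific static routes rather than the default route.

```ios
! Assumed values: VLAN 999 = local management VLAN, 10.99.0.0/24 = management LAN,
! 10.98.0.0/24 = management stations behind the management LAN's first hop 10.99.0.1,
! 192.0.2.1 = transit next hop.  Only static routes are available with lanbase-routing.
sdm prefer lanbase-routing
! (a reload is required after changing the SDM template)
ip routing
!
vlan 999
 name MGMT-LOCAL
!
interface Vlan999
 description In-band management SVI, reachable only via Gi1/0/24
 ip address 10.99.0.10 255.255.255.0
!
interface GigabitEthernet1/0/24
 description Single access port into the management infrastructure
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
!
! Keep VLAN 999 off every trunk so the management VLAN cannot be trunked elsewhere
interface GigabitEthernet1/0/1
 description Transit trunk
 switchport mode trunk
 switchport trunk allowed vlan remove 999
!
! Shared routing table: the default route serves transit, management gets a specific route
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 10.98.0.0 255.255.255.0 10.99.0.1
!
! Limit remote access to the management stations only
ip access-list standard MGMT-IN
 permit 10.98.0.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-IN in
 transport input ssh
```

Verify the isolation with `show vlan brief` (VLAN 999 should list only Gi1/0/24) and `show ip route static`.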

The management interface is also restricted to specific traffic types: -

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960x/software/15.0_2_EX/int_hw_components/configuration_guide/b_int_152ex_2960-x_cg_chapter_0100.html

Supported Features on the Ethernet Management Port

The Ethernet management port supports these features:

  • Express Setup (only in switch stacks)
  • Network Assistant
  • Telnet with passwords
  • TFTP
  • Secure Shell (SSH)
  • DHCP-based autoconfiguration
  • SNMP (only the ENTITY-MIB and the IF-MIB)
  • IP ping
  • Interface features
    • Speed—10 Mb/s, 100 Mb/s, and autonegotiation
    • Duplex mode—Full, half, and autonegotiation
    • Loopback detection
  • Cisco Discovery Protocol (CDP)
  • DHCP relay agent
  • IPv4 and IPv6 access control lists (ACLs)

shillings,

It seems like you're underscoring my point that the presence of this management interface is a non-feature.

Golly, what else can't it do? 

Those SNMP restrictions are probably only restrictions to information about the interface, rather than information available via the interface.

I think I've figured out the solution to my original problem: L3 forwarding without allowing management and transit routes to pollute one another. The unfortunate answer is NAT. I don't like it, but I'm planning to hide all of my management applications behind a NAT rule on the management LAN's first hop router. This way, the management plane won't need any routes other than the directly connected prefix.

shillings,

It seems like you're underscoring my point that the presence of this management interface is a non-feature.

Golly, what else can't it do? 

I didn't say how useful the restricted features were, just that they were there.

Management port isn't a switch port.  It's a very, very "basic" or "vanilla" Layer 3 port.  Won't do routing but you can give the FastEthernet0 an IP address.  Think of it as an iLO to a server.  It's slow but with very limited function which you can reach separately.

I mostly use the Management Port for ZeroTouch and after the switch is built, this interface is defaulted and disabled.  When I do use it in production, it would be to upgrade the firmware (another method aside from USB).  All I do is assign the interface with a /30 IP address and connect it straight to my laptop.
