09-19-2013 02:24 PM - edited 03-07-2019 03:34 PM
I need to deploy a 2960S in routing mode (sdm prefer lanbase-routing).
Does the device support VRF-Lite? I suspect it does not.
Really, I only need to isolate L3 transit routes from my management routes. Is the management interface (FastEthernet0) dedicated to its own VRF like on many other platforms?
If so, that would satisfy my requirements: one VRF for management (on the dedicated port), and one VRF for transit traffic.
Thanks!
09-19-2013 03:24 PM
Does the device support VRF-Lite?
2960-series switches do not support VRF-Lite.
VRF-Lite is supported with 3560/G/E/X, 3750/G/E/X and 3850 starting with IP Services or Advanced IP Services feature set. (I don't remember which one.)
09-20-2013 02:03 AM
The 3850 series includes a management interface within a dedicated management VRF, so no need for 'IP Services' IOS, provided you don't need any more VRFs. 3850 series is the same price as 3750-X series, here in the UK (last time I checked): -
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/qa_c67-722110.html
Whilst the new 2960-X series also includes a management interface, it doesn't appear to have a dedicated VRF, which makes sense, because the platform itself can't facilitate VRF-Lite, as Leo commented above: -
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12995/qa_c67-728348.html
09-20-2013 04:22 AM
I've been playing with a 2960S with LAN Lite feature set (no L3 features). The management interface is getting an address via DHCP. I can't even figure out how to tell what it's using as a default gateway, let alone anything VRF-related.
Given that this platform doesn't seem to isolate management traffic, I'm struggling to understand the point of this interface. Does it bring any functionality that I couldn't get with a VLAN, SVI and a normal L2 interface?
My application requires limited gigabit L3 switching, and isolation of management prefixes from L3 transit prefixes, because I expect them to overlap.
I'd been thinking I could use WS-C2960S-24TS-L for this purpose, because it has a dedicated management interface.
Now it's looking like WS-C3560X-24T-E is the least expensive option.
Ugh. That's a $5700 (list) management VRF.
Am I missing anything about the management interface on the 2960S? It doesn't seem to introduce any new functionality.
09-20-2013 04:43 AM
Whilst 2960-S management traffic will share the same IP Routing table, the management traffic can be out-of-band and not share the same infrastructure as your end-user data. You can then connect up an entire out-of-band management network with dedicated remote access etc. But I agree it is not ideal, because it still shares the same routing table.
If you have a management VRF, then you can assign a dedicated default gateway. However, because the 2960-S management port is sharing the IP routing table, then you'd not want your default gateway forwarding to your management interface. Therefore, you will need to configure specific static routes instead.
09-20-2013 04:58 AM
Management port (FastEthernet0) found in the -E, -X, -S switches are for Out of Band Management (OoBM) purposes only. It's not designed to be routed or anything. It has to be on its own separate subnet. It's designed to be as an alternative method to reach your LAN switches from the DMZ.
09-20-2013 06:41 AM
Thanks Leo and shillings.
You both seem to be saying that the management interface allows me to do something I couldn't do on an old-school 2960, but what you're describing is easily accomplished without the management port.
Sure, I could plug the management port into a dedicated management VLAN, give it an IP address and a default gateway, and access the device only via the management interface.
On the other hand, I could also:
Same result really, isn't it?
The only benefit to using the management interface appears to be that it's impossible to accidentally trunk your management VLAN somewhere it doesn't belong.
09-20-2013 07:49 AM
The management interface is also restricted to specific traffic types: -
Supported Features on the Ethernet Management Port
The Ethernet management port supports these features:
09-20-2013 08:03 AM
shillings,
It seems like you're underscoring my point that the presence of this management interface is a non-feature.
Golly, what else can't it do?
Those SNMP restrictions are probably only restrictions to information about the interface, rather than information available via the interface.
I think I've figured out the solution to my original problem: L3 forwarding without allowing management and transit routes to pollute one another. The unfortunate answer is NAT. I don't like it, but I'm planning to hide all of my management applications behind a NAT rule on the management LAN's first hop router. This way, the management plane won't need any routes other than the directly connected prefix.
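The two workarounds discussed in this thread, the specific-static-route approach from the earlier reply and the NAT approach from this post, side by side as an added illustration (not configuration from any poster): all addresses are constructed from documentation ranges, the router interface names are assumed, and the switch is assumed to be a 2960S already running sdm prefer lanbase-routing.

```cisco
! ===== 2960S: one shared routing table, no management VRF =====
! Option A (static routes instead of a default gateway on the OoB side):
! the default route stays on the transit side and only the remote
! management prefix is pointed at the out-of-band first hop.
ip routing
!
interface FastEthernet0
 description OoB management port (shares the global routing table)
 ip address 192.0.2.2 255.255.255.0
 no shutdown
!
! Transit default route via the data network (constructed next hop)
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! Remote management subnet via the OoB gateway; the /24 is more specific
! than the default, so it wins in the shared table, but it must not
! overlap a transit prefix
ip route 10.99.0.0 255.255.255.0 192.0.2.1
! verify with: show ip route
!
! Option B (NAT on the OoB first-hop router): the switch keeps only the
! connected 192.0.2.0/24 and no management static route at all, because
! the management hosts are presented as addresses inside that prefix.
! ===== OoB first-hop router (hypothetical interface names) =====
interface GigabitEthernet0/0
 description toward the management servers
 ip address 10.99.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description OoB management LAN facing the switches
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
! Static NAT: management server 10.99.0.10 is seen by the switches as
! 192.0.2.10; return traffic is translated back on the way in.
ip nat inside source static 10.99.0.10 192.0.2.10
! verify with: show ip nat translations
```

In either option the OoB LAN prefix itself (192.0.2.0/24 here) still lives in the switch's single routing table, so it is the one management prefix that must remain unique against the transit routes.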
09-20-2013 08:58 AM
shillings,
It seems like you're underscoring my point that the presence of this management interface is a non-feature.
Golly, what else can't it do?
I didn't say how useful the restricted features were, just that they were there
09-20-2013 04:15 PM
Management port isn't a switch port. It's a very, very "basic" or "vanilla" Layer 3 port. Won't do routing but you can give the FastEthernet0 an IP address. Think of it as an iLO to a server. It's slow but with very limited function which you can reach separately.
I mostly use the Management Port for ZeroTouch and after the switch is built, this interface is defaulted and disabled. When I do use it in production, it would be to upgrade the firmware (another method aside from USB). All I do is assign the interface with a /30 IP address and connect it straight to my laptop.