03-24-2014 08:58 AM - edited 03-07-2019 06:50 PM
Hi, I need to change the vlan of my management network and had a few questions. I have two cores (4507's) that I created the new vlan on and started to add the vlan to the access switches (2960's) throughout the campus. Is it ok to setup the new vlan and give it an IP address while still leaving the old one in? Will this cause any issues? I will eventually take the old one out once I'm confident everything is stable. Also, is there anything else I might have missed in creating the new vlan? I pretty much just copied anything that was in the config for the old one.
thanks
Mike
03-24-2014 11:48 AM
Mike
is it ok to setup the new vlan and give it an IP address while still leaving the old one in?
Depends what you mean by this.
If you mean on the 4500s then yes that is fine ie. it is just another vlan and will route fine.
If you mean on the access switches then it depends on a few things.
Usually a switch not doing inter vlan routing has one SVI for management and a default gateway. The 2960 with the right software is capable of routing so you may be able to temporarily use both although the default route would have to point to one of the management SVI IPs on the 4500s.
So how are you planning on doing this ie. remotely or at the switches and how are the access switches currently setup ?
Jon
03-24-2014 12:04 PM
I was planning on doing most of it remotely but will do it at the switches if needed. Right now the switch has a vlan interface (vlan241) with an assigned IP of 172.16.241.x and I want to add the new vlan interface (vlan4) with the new IP 10.132.4.x. If I shutdown the current vlan interface, will the switch go down? Or will I just lose remote access to the switch? Sorry if that sounds stupid. I'm coming over from the Nortel world and when a switch is setup you assign an IP to the switch or stack and that is your management IP. Without it it doesn't work.
thanks
03-24-2014 12:53 PM
If you disable the SVI then you will lose connectivity via the network to it!
As said there is only one SVI on the access switches, therefore you won't be able to have both concurrently. So far as I know it is only the 2960-X that is L3 capable.
As a tip, you may want to look into VTP. This (although sometimes frowned upon) can make VLAN management easier, as it can propagate VLANs etc. throughout the infrastructure.
Martin
03-24-2014 01:00 PM
Martin
Just for your info.
With the right software license the 2960 and 2960-S are both capable of routing although it is limited support ie. static routes only and routing is only supported on SVIs.
Jon
03-24-2014 12:53 PM
Mike
No need for apologies, I'm sure I would sound very stupid on Nortel switches and everything's easy once you know it.
Firstly if the vlan interface (SVI) on the access switch goes down it will have no effect on user traffic. It will only affect your ability to connect to it.
The above assumes that the end users connected to access switches are not using the access switch SVI IP as their default gateway which they shouldn't be. From your initial description it sounds like all the default gateways for end users would be on the 4500s ie. those switches are doing the inter vlan routing.
If that's the case, like I say, worst case scenario you just can't get to the switch to manage it and you would need to login locally.
Can you just confirm a couple of things that would help -
1) the 4500s are doing inter vlan routing for all clients ie. no clients have their default gateways set to any access switch SVI IP addresses ?
2) the access switches each have an IP in vlan 241. Do they also have this command in the config -
"ip default-gateway x.x.x.x" <-- where x.x.x.x is a vlan 241 IP assigned to an SVI on the 4500s (maybe an HSRP VIP).
or this command -
"ip route 0.0.0.0 0.0.0.0 x.x.x.x"
Jon
03-24-2014 01:12 PM
Thanks Jon.
1) All of the default clients have their gateways pointed to the 4500's.
2) Each access switch is setup with a 172.16.241 address assigned to the vlan241 interface.
I just went through a bunch of the switches and only found one with ip default-gateway 17.16.241.1. They all seem to be fine. Does it affect traffic if it's not in there?
03-24-2014 01:26 PM
Mike
If the access switch doesn't have a default gateway then -
1) if proxy arp is disabled on the vlan 241 interface on the 4500s then you should not be able to connect to it remotely
2) if proxy arp is enabled you would be able to connect to it remotely even without a default gateway
Whatever the above, it does not affect end user traffic as said before.
When I say remote I mean from a network that is not the IP subnet for vlan 241.
The fact that most of them don't have a default gateway set may work in your favour as you change them but I would then recommend setting a default gateway per switch.
Sorry for more questions but I would rather not break your network if I can help it -
1) on the 4500s, are they running HSRP for the SVI between the pair of switches ?
2) have you created the vlan 4 SVIs on the 4500s ?
3) do your trunk links to the access switches allow all vlans or are they configured to only allow certain vlans across
4) on the 4500s do you set STP priorities for all vlans to make the 4500s root and secondary switches ?
If you need any help with the commands to find out all this stuff just let me know.
Jon
03-24-2014 01:39 PM
Ask away, I don't want to break it either.
1) The 4500's are running HSRP for the SVI's. Here's an example of the 241:
interface Vlan241
description Switch MGT
ip address 172.16.241.2 255.255.255.0
standby 241 ip 172.16.241.1
standby 241 priority 110
standby 241 preempt
The second core has .3 with a priority of 105.
2) I setup the vlan 4 SVI identical to it.
3) The trunk links only allow specific vlans. I just add one if needed.
4) I'm not sure about the STP priorities.
03-24-2014 01:51 PM
1) and 2) Okay, that's good. So the default gateway on the access switches will be the HSRP VIP address of the vlan 4 interfaces on the 4500s.
This also means that even if the default gateway is set on the access switch and it needs changing you should still be able to get to switch because the 4500 has an interface in vlan 4 so it is not remote in that sense.
3) you will need to make sure vlan 4 is added to all trunk links at both ends ie. the access switch end and the 4500 end before making any changes to the SVIs on the access switch.
4) in your running config on the 4500s near the top do you see any "spanning-tree priority ..." lines ?
If so you should add vlan 4 to those lines.
One final question. When you checked the access switches for the "ip default-gateway x.x.x.x" command did you also check for the "ip route 0.0.0.0 0.0.0.0 x.x.x.x" command as well ?
Jon
03-25-2014 05:05 AM
Crap, sorry, I just found these on the top of the config:
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 24576
On the access switches I didn't find anything that said ip route with an IP address but I did find this: no ip source-route
I also found these spanning tree entries on the access switches:
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
Thanks
03-25-2014 06:25 AM
Mike
If the config at the top is from your 4500s then it looks like you are setting the STP priority for all vlans on those switches so nothing to worry about.
So assuming you have setup the vlan 4 interfaces on the 4500 with HSRP etc. then -
1) login to the 4500. If you work from the 4500 then the default gateway etc. on the access switch doesn't matter because you are in the same vlan ie. vlan 4
2) make sure that vlan 4 is allowed on the trunk link. You need to make sure it is allowed on both ends
3) Currently you have a vlan 241 SVI on each access switch. So you need to -
a) create a vlan 4 SVI and give it an IP. ie. -
int vlan 4
shut <-- just to make sure it is not brought up yet
ip address x.x.x.x <subnet mask>
At this stage that SVI should be down and the vlan 241 up. To see this do a "sh ip int brief" and it should show you the status of the vlan interfaces.
b) do a "no shut" on the vlan 4 ie.
int vlan 4
no shut
one of two things will happen -
i) either both SVIs will still be up in which case you can then log out of the switch, log back in using the vlan 4 SVI IP and then shutdown the 241 SVI
or
ii) because the 241 SVI is up the vlan 4 SVI won't come up. If this is the case you will then need to shutdown the 241 SVI. When you do this you will automatically be logged out of the switch.
You should however then be able to log back in using the vlan 4 IP address because that SVI should have come up. You must make sure you did the "no shut" under vlan 4 in the previous step.
If that all works and you are now logged in using the vlan 4 SVI IP then you can add -
"ip default-gateway x.x.x.x" <-- where x.x.x.x is the HSRP VIP for vlan 4 on the 4500s.
Once you have done that you should be able to connect to the switch from a remote subnet eg. your PC for example.
Like I say, even if you do get locked out of the switch end user traffic will not be affected but you would then need to login locally to the switch to setup the new management vlan.
Let me know how it goes.
Jon
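Added example, not part of the original thread: a Python pre-change check that reads an access switch's saved running-config and reports the conditions from the steps above that are not yet met for vlan 4 (trunk allowed list, SVI state, default gateway in the new subnet). The function names, interface names and host addresses are assumptions, and the sample config is constructed.

```python
import ipaddress
import re

# Constructed sample: an access switch part-way through the change (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/49
 switchport trunk allowed vlan 10,20,241
interface GigabitEthernet0/50
 switchport trunk allowed vlan 2-6,241
interface Vlan4
 ip address 10.132.4.21 255.255.255.0
 shutdown
interface Vlan241
 ip address 172.16.241.21 255.255.255.0
ip default-gateway 172.16.241.1
"""

def expand_vlans(spec):
    """Turn an IOS VLAN list such as '2-6,241' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_mgmt_vlan(config, vlan):
    """Hypothetical helper: list what blocks management over `vlan` (numeric trunk lists only)."""
    blocks, name, gateway, findings = {}, None, None, []
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line ends the previous interface block
            name = line.split()[1] if line.startswith("interface ") else None
            if line.startswith("ip default-gateway "):
                gateway = ipaddress.ip_address(line.split()[2])
        elif name:
            blocks.setdefault(name, []).append(line.strip())
    for ifname, body in blocks.items():
        specs = re.findall(r"switchport trunk allowed vlan (?:add )?([\d,-]+)", "\n".join(body))
        if specs and vlan not in set().union(*map(expand_vlans, specs)):
            findings.append(f"{ifname}: vlan {vlan} not allowed on trunk")
    svi = blocks.get(f"Vlan{vlan}")
    addr = next((l.split()[2:4] for l in svi or [] if l.startswith("ip address ")), None)
    if addr is None:
        return findings + [f"Vlan{vlan}: no SVI with an IP address"]
    if "shutdown" in svi:
        findings.append(f"Vlan{vlan}: SVI is shut down")
    net = ipaddress.ip_interface("/".join(addr)).network
    if gateway is None or gateway not in net:
        findings.append(f"ip default-gateway {gateway} is outside {net}")
    return findings
```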
03-25-2014 06:40 AM
Ok great. I did add the 4 vlan to the gbics on cores and switches. The one thing that was similar with nortel
Thanks a lot Jon.
This has been a huge help! The best part of my switch to cisco has been the communities and forums like this one. Not much shows up in google when you look for help with a nortel device