How to configure Catalyst switches for in-band management

sbaxevanis1
Level 1

I have two C3750E switches connected to each other via EtherChannel ports, SW Ver. 15.2(2)E.

I have configured 3 VLANs which all work, and I have configured the out-of-band mgmt ports (FastEthernet0), but I would also like to have in-band management so that I can come in through my FW/Router to fully manage/monitor the switches.

In this configuration I believe I can't/shouldn't configure an IP on the loopback0 interface, correct?

I'm using the FW/Router for the default route, since this allows me to place a stateful FW between all interfaces, including VLANs, as well as to apply Snort on these without bothering with ACLs.

Questions

I have defined the Mgmt ports (FastEthernet0) as network 192.168.11.0/24; hence one switch is 11.2 and the other 11.3.

I have set up routing on the closest switch to allow me to connect to 11.2, but I can't connect to 11.3, even though from the 11.2 switch I can connect to 11.3 (the other switch). I'm thinking this is because the farthest switch, 11.3, doesn't know how to route back, since the packet would need to traverse the 11.0 network and then go through the switchport, which is on a totally different network (VLAN).

Hence, for maximum flexibility, I would like to leave this setup as is on the 11 network and think of it as out-of-band, and create an in-band network, which I think I need to do via a new VLAN, say 10.

Do I therefore do the following?

switch 1

interface vlan 10
 ip address 192.168.10.2 255.255.255.0

allow vlan 10 to pass via my port-channel to the other switch

switch 2

interface vlan 10
 ip address 192.168.10.3 255.255.255.0

Thanks

3 Replies

Reza Sharifi
Hall of Fame

In order for the communication to work from other VLANs, you need a default route or a default gateway on each switch pointing to whatever device is doing the routing.

ip default-gateway 192.168.10.1 (assuming .1 is the gateway for this subnet).

HTH

Default-gateway explanations will not work unless you have 10Gib interfaces. What is typical, as in my case, are multiple 1Gib interfaces on a PC running FW/Routing/IPS/etc.; hence each interface can only handle 1Gib max, which is OK since my switch only has 1Gib ports. I have therefore split LAN (Ethernet) traffic on one interface, WiFi traffic on another, and subdivided the WiFi into VLANs so that I can apply FW rules as needed. I have two switches connected via EtherChannels using 4 ports = 4Gib, and have also split my HyperV between the two switches to provide failover and max bandwidth. Hence, when LAN Ethernet traffic is destined for the servers it should flow directly from the client to the switch and into the HyperV, while LAN client traffic to the Internet flows from the client to the 1st switch and then through the EtherChannel to the datacenter switch and via the FW to the Internet. WiFi traffic always flows through the FW to either the LAN or the Internet.

I therefore don't see what I should configure as the default route, since there will be a different default route on each VLAN: one for the LAN Ethernet, one for the WiFi (internal), one for the WiFi (Guest), etc.

Thanks

mlund
Level 7

Hi

There are things here that might be unclear, but I will try to give my opinion.

As Reza states, there has to be a route or default-gateway to get this to work. However, this also depends on how the switches are configured.

If the switch has "no ip routing", you will have to use "ip default-gateway" to get it to work. In this configuration you will have just one interface configured in the switch, and this interface will be the management interface. So in your case, remove the ip address from the fa0 interface and then configure as you plan: interface vlan10 with ip 192.168.10.2, and then "ip default-gateway 192.168.10.1". This will not interfere with the traffic on other vlans, because that traffic is just Layer 2 switched.

However, if your switch has "ip routing", then the switch will do routing between the Layer 3 interfaces that are configured on the device.

If you remove the ip address from fa0, and also remove all Layer 3 interfaces (if there are any) from the config, and only configure interface vlan 10 with ip 192.168.10.2 and, in this case, "ip route 0.0.0.0 0.0.0.0 192.168.10.1", then there can be no routing between vlans because the switch doesn't have L3 information for those and will just do L2 switching. Be aware, though: do not delete the L2 vlan that is configured.

/Mikael
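The following is an added example, not posted by anyone in this thread, that puts the original question and Mikael's "no ip routing" case together into one IOS configuration for switch 1 (switch 2 is identical with 192.168.10.3). The addresses and VLAN 10 are the thread's; the port-channel number, the data VLAN ids 20 and 30, the VLAN name and the VTY access-list are assumptions added for illustration.

```cisco
! Added example (not from the thread): in-band management SVI for switch 1,
! following the "no ip routing" case. Switch 2 uses 192.168.10.3 instead.
!
! Keep the Layer 2 VLAN definition: deleting it also takes the SVI down.
vlan 10
 name MGMT-INBAND
!
! With "no ip routing" the SVI is the only Layer 3 interface and
! "ip default-gateway" supplies the return path towards other subnets.
no ip routing
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
 no shutdown
ip default-gateway 192.168.10.1
!
! The out-of-band port gives up its address so the switch has a single
! Layer 3 interface, as Mikael describes.
interface FastEthernet0
 no ip address
 shutdown
!
! The EtherChannel to switch 2 must carry VLAN 10 alongside the data VLANs.
! Port-channel1 and VLANs 20/30 are placeholders, not from the thread.
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! Variant for a switch running "ip routing": replace "ip default-gateway" with
!   ip route 0.0.0.0 0.0.0.0 192.168.10.1
! and make sure no other SVI has an address, otherwise the switch starts
! routing between VLANs itself instead of handing that to the FW/Router.
!
! Assumed hardening, not discussed in the thread: only the management subnet
! may open a management session, and the FW/Router in front of it still
! decides who reaches 192.168.10.0/24 at all.
ip access-list standard MGMT-ACCESS
 permit 192.168.10.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
```

After applying it, `show ip interface brief` should list only Vlan10 with an address, and `show interfaces trunk` on the port-channel should show VLAN 10 in the allowed and active lists on both switches; if 192.168.10.3 is still unreachable from another subnet, the missing piece is almost always the gateway entry on the far switch rather than the trunk.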
