Campus Switching and Routing

Frequent Contributor I
Posts: 64
Registered: ‎03-21-2011

Management IP on S2500

I have an S2500 serving as a router in my main distribution closet. Several VLANs are configured with VLAN Interfaces. Each VLAN Interface is assigned the gateway IP of the VLAN it represents.

 

I have an S2500 as the uplink switch for each Intermediate distribution closet that I want to work at layer 2 alone. It should pass VLANs on trunk ports and data to access ports but no routing.

I want to put an IP address on my layer 2 closets to access the GUI, but it then creates routes that cause me problems. How do I put a management IP on the switch without routing?

Can I disable routing like on a Cisco (no ip route)?

 

Thanks for the help,

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Management IP on S2500

Any L3 interface that you have set on the stack can be used as a management address.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 64
Registered: ‎03-21-2011

Re: Management IP on S2500

I understand. The problem is that I don't want an L3 interface. I don't want the intermediate closets routing. However, I want to put an IP address on the switch so I can access the GUI. How do I do that?

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Management IP on S2500

Not sure I understand. If you want an independent mgmt interface, you can use the out of band management port on the back of the switch.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 64
Registered: ‎03-21-2011

Re: Management IP on S2500

I may not fully understand how the out of band interface works. My understanding is that it would be on a completely different network, making it "out of band".

Most of my layer 2 switches at my intermediate distribution frames allow me to assign a management IP to the switch. The management IP is not "out of band", so I can access the switch via the IP from any VLAN in my network due to the layer 3 switch at the Main Distribution Frame.

It seems that if I give an IP address to an S2500, it has to be on a layer 3 interface. That creates routes that conflict with my true router at the Main Distribution Frame.

How do I avoid this?

Aruba
Posts: 429
Registered: ‎05-30-2012

Re: Management IP on S2500

Mark,

Your understanding is correct, the out-of-band port is a separate network and a different physical port (rear of the chassis).

Back to your initial question/issue, I can confirm we do not have a "no ip routing" command. Now what I'd like to better understand is if the issue you're concerned with is if you do put an IP on the switch, you want to make sure that clients don't use it as a default gateway? If that isn't the issue, then if you do put an IP address on the switch, only traffic destined to that IP is going to get routed to your defined default-gateway so it shouldn't create a conflict.

Another option would be that you could put an ACL on the RVI that only allowed ssh and web-ui access so even if a client tried to use the MAS as a default-gateway, traffic would not pass. Alternatively, you could create an in-band management VLAN which is used to manage the switches but on a VLAN that clients can't get to.

Perhaps you could give us a topology diagram just to understand this better?

Best regards,

Madani

Frequent Contributor I
Posts: 64
Registered: ‎03-21-2011

Re: Management IP on S2500

 

It seems like this creates a routing conflict as two devices have routes to the same network. As soon as I make the 192.2 management interface, the route comes up and breaks all routing to that VLAN on this switch. The MDF continues to work fine. However, it cannot reach this switch on vlan13.

Routes on what I would like to be the layer 2 switch at the top of IDF1 with an IP address to manage it from other VLANs.

C 10.72.192.0/20 is directly connected: vlan13
C 10.72.192.2/32 is directly connected: vlan13

 

Routes on my router that is at the top of my network in the MDF

C 10.72.0.0/20 is directly connected: vlan1
C 10.72.0.1/32 is directly connected: vlan1
C 10.72.32.0/20 is directly connected: vlan3
C 10.72.32.1/32 is directly connected: vlan3
C 10.72.192.0/20 is directly connected: vlan13
C 10.72.192.1/32 is directly connected: vlan13
C 10.72.241.0/24 is directly connected: vlan31
C 10.72.241.1/32 is directly connected: vlan31
C 10.72.254.0/24 is directly connected: vlan44
C 10.72.254.1/32 is directly connected: vlan44
C 10.72.255.0/24 is directly connected: vlan45
C 10.72.255.1/32 is directly connected: vlan45

 

Here is the result of a ping to 192.2

 

PING 10.72.192.2 (10.72.192.2): 56 data bytes
36 bytes from 74.112.104.1: Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 53eb   0 0000  3d  01 29bf 192.168.2.100  10.72.192.2

Request timeout for icmp_seq 0
36 bytes from 74.112.104.1: Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 01a0   0 0000  3d  01 7c0a 192.168.2.100  10.72.192.2

Request timeout for icmp_seq 1
36 bytes from 74.112.104.1: Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 05be   0 0000  3d  01 77ec 192.168.2.100  10.72.192.2

Request timeout for icmp_seq 2
36 bytes from 74.112.104.1: Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 91cd   0 0000  3d  01 ebdc 192.168.2.100  10.72.192.2

Request timeout for icmp_seq 3
36 bytes from 74.112.104.1: Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 f59e   0 0000  3d  01 880b 192.168.2.100  10.72.192.2

Aruba
Posts: 429
Registered: ‎05-30-2012

Re: Management IP on S2500

Mark,

So this is the topology?

 

S2500-IDF --------- VLAN13 ---------- MDF

10.72.192.2                                     10.72.192.1

 

And the DG on the S2500-IDF is 10.72.192.1 right?

 

Looking at the pings, they are sourcing from 192.168.2.100, where is that network?

 

Can you private message me your configs? It might be easier to troubleshoot.

 

M.

Frequent Contributor I
Posts: 64
Registered: ‎03-21-2011

Re: Management IP on S2500

I attached a basic LAN topology we use in our building. I was hoping this would be a fairly simple problem to understand. As far as I know, most LANs still just have 1 router. And if you had turned on multiple routers in your LAN, and those routers all claimed to have a route to the same LAN directly connected to it.

So, if all three closets in my diagram have a total of 6 data and PoE switches (2 switches per closet), I now have 6 routers in my LAN that claim to have VLAN 13 directly connected supported by routes.

If I leave the IP unconfigured on all switches except the desired router, everything works fine. The problem is that I can't use the GUI to  or connect to the switch remotely to manage.

As soon as I configure an IP on VLAN 13, a route is created and the VLAN breaks on that switch.

There must be a way to avoid this, I just don't know how.

Frequent Contributor I
Posts: 64
Registered: ‎03-21-2011

Re: Management IP on S2500

Ok. I got another detail. After more testing I have found that the routing only breaks on one IP: the management IP on VLAN 13 on the non-router closets. If my computer is on VLAN 13, I can reach it. Routing for all other devices on VLAN 13 works fine.

So, why would just the interface IP not route? Does it have something to do with the /32 route that is created? Why are there 2 routes for each configured interface?

Very different behavior from Cisco...
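
Added example, not part of any post in this thread and not Aruba code: a longest-prefix-match lookup over the IDF switch's route lines quoted above, showing which destinations the switch's own management replies can reach from those two connected routes alone. The `default_gw` parameter and the host 10.72.192.50 are assumptions for illustration; the thread does not show whether a default gateway is configured on the IDF switch.

```python
import ipaddress
import re

# Route lines copied from the thread: IDF switch after 10.72.192.2 is configured.
IDF_ROUTES = """\
C 10.72.192.0/20 is directly connected: vlan13
C 10.72.192.2/32 is directly connected: vlan13
"""

ROUTE_RE = re.compile(r"^C\s+(\S+/\d+) is directly connected: (\S+)$")


def parse_routes(text):
    """Parse 'C <prefix> is directly connected: <if>' lines into (network, ifname)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return routes


def lookup(routes, dst, default_gw=None):
    """Longest-prefix match for dst; fall back to default_gw, else None (no route)."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net, _ifname in routes if addr in net]
    if matches:
        best = max(matches, key=lambda n: n.prefixlen)
        # The /32 is the host route for the interface's own address;
        # the shorter prefix is the attached subnet.
        kind = "local" if best.prefixlen == 32 else "connected"
        return (kind, str(best))
    return ("via", default_gw) if default_gw else None


if __name__ == "__main__":
    idf = parse_routes(IDF_ROUTES)
    # 10.72.192.50 is a constructed VLAN 13 host; 192.168.2.100 is the ping source.
    for dst in ("10.72.192.2", "10.72.192.50", "192.168.2.100"):
        print(dst, "->", lookup(idf, dst))
    # Same off-subnet destination with a hypothetical default gateway set.
    print("192.168.2.100 ->", lookup(idf, "192.168.2.100", default_gw="10.72.192.1"))
```

With only the two connected routes, a reply to an off-subnet source such as 192.168.2.100 has no matching route, while a host on VLAN 13 matches the /20 directly.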
