Everyone has probably heard the old joke "ready, fire, aim." Unfortunately, this phrase can sometimes describe the implementation of some networks given what appears to be a lack of basic planning prior to configuration. The daily operation of a switched environment can be greatly simplified and future problems avoided by applying a few best practices and a little bit of planning. This begins with planning the method for remotely accessing the switch, followed by basic configuration of the switch, and then configuring connections between switches.
Believe it or not, one of the first things to think about when configuring a new network is management, primarily because network management typically is the last thing to be thought of when the network is implemented, and seemingly one of the most tedious things to change or improve after the network is operational. One item to consider is how to handle remote access to the switch. Catalyst switches support both in-band and out-of-band management. In-band management interfaces are connected to the switching fabric and participate in all the functions of a switchport including spanning tree, Cisco Discovery Protocol (CDP), and VLAN assignment. Out-of-band management interfaces are not connected to the switching fabric and do not participate in any of these functions.
Out-of-band management is achieved initially through the serial console port on the Supervisor module. Each Catalyst switch ships with the appropriate console cable and connectors to connect to a host such as a Windows workstation or terminal server. Consult the Catalyst documentation at Cisco.com to determine the kind of connectors and cables appropriate for each platform. After a physical connection is made between the console port on a Catalyst switch and a serial port on a workstation or terminal server, the administrator has full access to the switch for configuration. At this point, the administrator can assign an IP address to either an out-of-band management (sl0) interface via the Serial Line Internet Protocol (SLIP), a predecessor to the Point-to-Point Protocol (PPP), or assign an IP address to an in-band management interface (sc0 or sc1). Supervisors for the Catalyst 4500 series switches offer an additional out-of-band management interface via a 10 Mbps or 10/100 Mbps Ethernet interface (me1) depending on the Supervisor model.
The choice between out-of-band and in-band management is often not an easy one because each has its pros and cons. An in-band management connection is the easiest to configure and the most cost effective because management traffic rides the same infrastructure as user data. Downsides to in-band management include a potential for switches to be isolated and unmanageable if connectivity to the site or individual device is lost, for example in a spanning-tree loop or if fiber connections are cut accidentally. In addition, if the management interface is assigned to a VLAN that has other ports as members, any broadcast or multicast traffic on that VLAN is seen by the management interface and must be processed by the supervisor.
As the speed of processors has improved with newer supervisors, the risk of overwhelming a supervisor with broadcast/multicast traffic has declined somewhat, but has not been eliminated completely. With these drawbacks to in-band management, why doesn't everyone just use out-of band management? The answer is simple: time and money. Out-of-band management requires a secondary infrastructure to be built out around the devices such as terminal servers, switches, and modems. The benefit of an out-of-band management solution is that it offers a completely separate method of connecting to the devices for management that does not rely upon a properly functioning data infrastructure to work.
Many administrators find themselves implementing both in-band and out-of-band management solutions depending on the reliability of the data infrastructure between the networks that contain the management stations and the devices being managed. For example, Catalyst switches in a typical headquarters location are likely to be on reliable power grids, potentially with backup power, and have redundant connections between devices. A Catalyst switch in a remote office connected to headquarters via a router and a single nonredundant Frame Relay connection might justify out-of-band management. The remote router and switch could be connected to a terminal server and an analog dial-up connection for configuration and remote management. In an ideal world, networking devices would all be accessible via an out-of-band connection, if possible. Sometimes it takes only a wake-up call at 3:00 a.m. or an unplanned road trip to a remote location to compel an organization to install an out-of-band management solution.
All switchports must be members of a VLAN, and, by default, it is VLAN 1. Because VLAN 1 was selected as the default VLAN for all switchports, it was also chosen to handle special traffic such as VLAN Trunking Protocol (VTP) advertisements, CDP, Port Aggregation Protocol (PAgP), or Link Aggregation Control Protocol messages (LACP). By default, in-band management interfaces such as sc0 are members of VLAN 1.
Over the years, a common scenario involving VLAN 1 and the management interface developed. In this scenario, administrators assigned an IP address to sc0, left it in VLAN 1, and created other VLANs for all user traffic. All ports not changed or enabled remain in VLAN 1. Trunked ports between switches are created to connect VLANs, and, by default, all VLANs (1-1005 or 1-4096 depending on trunk type and switch software version) are allowed across a trunk. Because each switch will have a management interface, likely sc0, this can result in VLAN 1 spanning the entire switched network. Remember that IEEE spanning tree only allows seven switch hops between end stations, and many times large networks that allow all VLANs to be trunked can approach or exceed the limit, especially for VLAN 1. When a spanning tree exceeds seven switch hops, the spanning-tree topology can become unpredictable during a topology change and reconvergence can be slow if the spanning tree reconverges at all. A few different options should be considered to alleviate this problem. The first option is to use a different VLAN other than VLAN 1 for the management interfaces in the network. As of Catalyst OS version 5.4(1) and later, VLAN 1 can be cleared from both Inter-Switch Link (ISL) Protocol and 802.1q trunks, thus removing VLAN 1 from the spanning-tree topology on those trunks. Simply substituting a different VLAN number does not alleviate the problem of new VLAN spanning the switched network and potentially exceeding the allowed number of hops. To avoid the problem, either multiple VLANs must be dedicated to network management or the management interfaces must be placed in multiple VLANs along with user traffic. Either way, the management interfaces must be reachable by the network management stations. In the configuration examples later in this chapter, the sc0 interface is placed in a user VLAN along with other ports.
Figure 7-1 shows a simple network diagram of a small remote office with multiple switches. In this figure, VLAN 501 is used as the management VLAN at the remote office.
In a configuration like this, the VLAN numbers in the remote office are only locally significant. This is true because a Layer 3 routed connection separates the remote office from the headquarters location, and VLAN 501 is not carried across the WAN. As a result, the remote office could use any VLAN number for management including VLAN 1.
The example could get trickier if the routers and WAN connections are replaced by switches and a high-speed Gigabit connection between buildings in a campus environment. In this situation, as long as the links between buildings can still be Layer 3 connections and VLAN 501 is cleared from the trunks, it can yield the same result, as in Figure 7-1. Unfortunately, many times with existing implementations, because of legacy Layer 2-only implementations or application design considerations, the links between locations are Layer 2 trunks carrying all VLANs. As a result, VLAN 501 gets carried to the home office switches, and potential spanning-tree problems can result.
It is important to remember that even when VLAN 1 is cleared from a trunk, the previously mentioned special traffic, such as CDP, PAgP, and VTP, is still forwarded across the trunk with a VLAN 1 tag, but no user data is sent using VLAN 1. All trunks default to a native VLAN of 1 unless changed. In the case of an 802.1q trunk, where the native VLAN is untagged, 802.1q IEEE Bridge Protocol Data Units (BPDUs) are forwarded untagged on the common spanning-tree VLAN 1 for interoperability with other vendors, unless VLAN 1 has been cleared from the trunk. Cisco Per-VLAN Spanning Tree (PVST+) BPDUs are sent and tagged for all other VLANs. Refer to the sections on ISL and 802.1q trunking in Chapter 4, "Layer 2 Fundamentals," of this book for more information on trunking and native VLAN operation.
It is a good idea, if possible, to adopt some standards for VLAN numbering. Using consistent VLAN numbers for similar functions at multiple locations can many times help in the operation and troubleshooting of the networks later on. For example, many companies reserve certain VLAN ranges for specific functions. Table 7-1 is a sample of what a company might start with when implementing VLANs on existing and new networks.
Not in use; clear from all trunks
Management VLANs (sc0)
Access layer devices
Data center devices
Internet and partner connections
Reserved for future use
Point-to-point links between switches (Layer 3)
Although this sample uses VLAN numbers in the 1?1005 range, newer versions of Cisco Catalyst OS and IOS support 4096 VLANs using 802.1q trunks. Again, because VLAN numbers are only locally significant when they are carried on trunks between switches, the sample numbering scheme provides great flexibility, and some companies may adopt a much more granular VLAN numbering system. For example, they may dictate that VLAN 50 be used as the management VLAN on all switches at all locations instead of allowing any VLAN in the range from 2?99 to be used. No hard and fast rules exist for VLAN numbering plans, and Table 7-1 represents one approach.