Better way to design an Out-of-Band Management Network

Tags: design, management

I've been asked to assist in the design of an "OOB" management network, but I have a limited number of resources available. I have the following:

  1. 1 Cisco 3750-X stack pair w/ a C3KX-NM-1G network module in each.
  2. 8 Cisco 2960-24TC-L "aggregate" switches.

We run a Layer 2 Collapsed Core network topology with a Cisco 6509-E VSS core. We have 128 access switches connected to our core via 1Gbps Port-Channels. It's a mix of copper and fiber uplinks: fiber to the second floor and copper in our datacenter.

The current thinking by our consultant is to configure the management SVI on each of our access switches with their own VLAN, uplinked to our 2960 "aggregate" switches. The aggregate switches will in turn be uplinked to the 3750-X stack via an 802.1Q trunk and configured with IP Unnumbered to emulate a Layer 3 link, bypassing, in essence, L2 communication between the production access switches. The 3750-X stack will have a Loopback configured for each individual VLAN that the production access switches will use as a Default Gateway.

The idea/concern is that we do not want our management network to pass STP traffic through to the other access switches or risk any sort of network convergence between the two separate networks. Kind of a "Poor Man's" Private VLAN setup.

I'm wondering if this is the best or most efficient way to set this up or if there is a better way to go about it.
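A sketch of the consultant's design in Cisco IOS syntax, added here as an example and not configuration from the original post; the hostnames, port numbers and the 10.255.0.0/16 management range are assumptions, as is IOS support for ip unnumbered on SVIs (the consultant's premise).

```cisco
! --- 3750-X management stack (assumed hostname MGMT-CORE) ---
! One loopback per access-switch management VLAN. The SVI borrows the
! loopback address (ip unnumbered), so access switches never share a
! broadcast domain and no extra subnet is consumed per VLAN.
interface Loopback101
 description gateway for ACC-01 management VLAN 101
 ip address 10.255.101.1 255.255.255.0
!
interface Vlan101
 description ACC-01 management, unnumbered to Loopback101
 ip unnumbered Loopback101
 no shutdown
!
! The access switch has a static address, so the stack needs a host
! route via the SVI; otherwise the loopback's connected /24 wins.
ip route 10.255.101.10 255.255.255.255 Vlan101
!
! Only the management address space may open a VTY session.
ip access-list standard MGMT-ONLY
 permit 10.255.0.0 0.0.255.255
 deny   any log
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh

! --- 2960-24TC-L aggregate switch (assumed hostname MGMT-AGG-1) ---
! One access port per production switch, one 802.1Q trunk upstream
! that carries only the management VLANs homed on this aggregate.
interface FastEthernet0/1
 description to ACC-01 management uplink
 switchport mode access
 switchport access vlan 101
!
interface GigabitEthernet0/1
 description trunk to MGMT-CORE
 switchport mode trunk
 switchport trunk allowed vlan 101-116

! --- production access switch ACC-01 (Layer 2 only) ---
vlan 101
 name MGMT
interface Vlan101
 ip address 10.255.101.10 255.255.255.0
 no shutdown
interface GigabitEthernet1/0/24
 description OOB uplink to MGMT-AGG-1
 switchport mode access
 switchport access vlan 101
ip default-gateway 10.255.101.1
```

Each management VLAN exists only on one access switch, its aggregate and the trunk to the stack, so its PVST+ instance never touches the production core; with 128 access switches that is 128 instances, which is the spanning-tree instance limit Cisco documents for the Catalyst 3750 family, so verify headroom before adding any other VLANs to the stack.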

Best Answer

I know the 3750-Xs have a management interface on the back which is a 10/100 Fast Ethernet port. It's right next to the RJ-45 console port. I also believe that the 2960 switch that you listed there also has a management port on the front of it, above the SFP ports.

Assuming your switches aren't too far away, you could use the management interfaces to manage your devices remotely if you will. Of course you would require additional cabling back to another "management switch" which would likely contain the VLAN required just to manage these devices.

Otherwise, you could also run a terminal server such as an OpenGear or something of that nature and have the console connections linked back to this device in order to remotely control them if your entire network is having issues or what not.

These management interfaces do operate on their own VRF and will also not participate in STP, as they're not running on the active VLAN that is being trunked down to them. However, I have seen it where some organizations like to have the management VLAN on the same subnet as the hosts on the switch. This allows them to ping and check the ARP table/MAC address table and pinpoint where devices are a bit easier than if it was just a simple L2 network. There are of course pros and cons to each method; however, given that you wanted to go about an out-of-band method, I would say the management interface is probably your best direction.