Cisco Ethernet switch Operations Instructions download pdf (Page 73)

Chapter 5. Cisco Systems IGESM management and user orientation 59

򐂰 Avoid carrying management traffic and data traffic in the same VLAN.

򐂰 Limit the use of any VLAN used for management to only those ports that have to use that

VLAN. Prune or otherwise block it from non-necessary links.

򐂰 Only carry VLANs on a trunk that are needed on the other side of the trunk, and prune or

block all other VLANs.

More about the reasoning behind these recommendations can be found in the “Virtual LAN

Security Best Practices”

document at:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

5.3.4 Considerations: Using the Management Module uplink to manage the IGESM

Scenarios 1, 2, and 7 (7 is a unique case that will be discussed later) provide information

about using the Management Module uplink to provide a management path to IGESMs in a

BladeCenter.

Using this path for scenarios 1 and 2 requires four basic considerations:

1. Disable management over the IGESM uplinks.

Make sure to set External management over all ports on the Management Module to

Disabled. This causes the IGESM to not respond to ARP requests from any ports other

than 15 and 16 for its management interface VLAN’s IP address. Instead, the

Management Module will act as a proxy for any requests to the IGESM for its MAC

address, and all management traffic will flow through the Management Module and into

the IGESM over port G0/15 (or G0/16 if the redundant Management Module is active).

2. Isolate IGESM management VLAN from any blade server facing ports.

Make sure that the VLAN being used between the IGESM and the Management Module is

not used by any of the blade servers within the BladeCenter chassis. This is necessary

because of the Management Module’s ability to proxy for devices on the internal IGESM

management VLAN, which may lead to any device (such as a blade server) placed on this

management VLAN getting proxied by the Management Module. The end result is that

blade servers placed on the same VLAN and IP subnet as the IGESM management

interface VLAN will see duplicate IP addresses (as the Management Module attempts to

tell the world that it is the path to any device on that subnet).

3. Block IGESM management VLAN from IGESM upstream connections.

Make sure that the VLAN being used by the IGESM on its management VLAN interface is

not carried on any of the IGESM’s uplinks. Failure to block this path when attempting to

manage the IGESM via the Management Module may result in intermittent connectivity to

the IGESM. For scenario 1 (physically isolated management and data networks) this may

not be an issue. For scenario 2 it is imperative to remove the IGESM management

interface VLAN from being carried on any of the IGESM uplinks.

4. Confirm the proper IP subnet selection.

Make sure that the IP subnet being used by the IGESM is the same as the subnet being

utilized on the Management Module for its own IP addresses. This is absolutely necessary

for scenarios that utilize the Management Module’s uplink to manage the IGESM.

Adhering to the four rules above enables successful management of and access to IGESMs

via the Management Module’s uplink port as if it were directly connected to the customer’s

management network. This means that you

do not necessarily have to connect to the

Note: Descriptions of these scenarios begin on page 64.

1 ... 72 73 74 ... 266

Comments to this Manuals

No comments

Cisco Ethernet switch Operations Instructions Page 73

Comments to this Manuals

Related products and manuals for Networking Cisco Ethernet switch