smothuku Fri, 05/11/2007 - 04:28
Hi Justine ,

the following info may be useful....

Management VLANs

Communication with the switch management interfaces is through the switch IP address. The IP address is associated with the management VLAN, which by default is VLAN 1.

The management VLAN has these characteristics:

- It is created from CMS or through the CLI on static-access, multi-VLAN, dynamic-access, and trunk ports. You cannot create or remove the management VLAN through Simple Network Management Protocol (SNMP).

- Only one management VLAN can be administratively active at a time.

- With the exception of VLAN 1, the management VLAN can be deleted.

- When created, the management VLAN is administratively down.

Before changing the management VLAN on your switch network, make sure you follow these guidelines:

- The new management VLAN should not have a Hot Standby Router Protocol (HSRP) standby group configured on it.

- You must be able to move your network management station to a switch port assigned to the same VLAN as the new management VLAN.

- Connectivity through the network must exist from the network management station to all switches involved in the management VLAN change.

- Switches running a version of IOS software that is earlier than Cisco IOS 12.0(5)XP cannot change the management VLAN.

If you are using SNMP or CMS to manage the switch, ensure that the port through which you are connected to a switch is in the management VLAN.

Changing the Management VLAN for a New Switch

If you add a new switch to an existing cluster and the cluster is using a management VLAN other than the default VLAN 1, the command switch automatically senses that the new switch has a different management VLAN and has not been configured. The command switch issues commands to change the management VLAN on the new switch to match the one in use by the cluster. This automatic change of the VLAN only occurs for new, out-of-box switches that do not have a config.text file and for which there have been no changes to the running configuration.

Before a new switch can be added to a cluster, it must be connected to a port that belongs to the cluster management VLAN. If the cluster is configured with a management VLAN other than the default, the command switch changes the management VLAN for new switches when they are connected to the cluster. In this way, the new switch can exchange CDP messages with the command switch and be proposed as a cluster candidate.


Note For the command switch to change the management VLAN on a new switch, there must have been no changes to the new switch configuration, and there must be no config.text file.


Because the switch is new and unconfigured, its management VLAN is changed to the cluster management VLAN when it is first added to the cluster. All ports that have an active link at the time of this change become members of the new management VLAN.



Jon Marshall Fri, 05/11/2007 - 04:35
Hi Mike

Cisco best practice is not to use vlan 1 as the management vlan. In our data centres we use vlan 2 for switch management and we disable the vlan 1 interface.

By default all switch ports are in vlan 1 until assigned elsewhere. This is another reason not to have your management vlan as vlan 1. If a user connects to a switchport that has not been shut down and it is in vlan 1 by default, they will be in the same vlan as your management switches.

Attached is a link to a cisco security doc on vlans with a particular section on the use of vlan 1.
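The two exposures Jon describes (a management IP left on interface Vlan1, and live access ports still in default VLAN 1) can be checked mechanically against a saved `show running-config`. The script below is an added example, not code from the thread or from Cisco; the config excerpt it audits is constructed, with placeholder addresses, and the parser only handles the plain IOS stanza layout shown.

```python
# Constructed 'show running-config' excerpt (not from the thread): VLAN 1
# still carries the management IP and Fa0/2 sits in default VLAN 1, not shut.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
interface Vlan2
 ip address 198.51.100.10 255.255.255.0
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or another top-level line ends the stanza
    return blocks

def audit_vlan1(config):
    """Return findings for the two VLAN 1 exposures raised in the thread."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # an admin-down interface is not an exposure
        if name.lower() == "vlan1":
            if any(l.startswith("ip address") for l in lines):
                findings.append(f"{name}: management IP on VLAN 1, interface up")
        elif name.startswith(("FastEthernet", "GigabitEthernet")):
            if any(l.startswith("switchport mode trunk") for l in lines):
                continue  # trunks carry tagged VLANs; native VLAN is a separate check
            vlan = 1  # IOS default when no 'switchport access vlan' is set
            for l in lines:
                if l.startswith("switchport access vlan "):
                    vlan = int(l.split()[-1])
            if vlan == 1:
                findings.append(f"{name}: access port in default VLAN 1, not shut")
    return findings
```

Run it over a real config export and every reported port is one that should either be assigned to a proper VLAN or shut down, and a reported Vlan1 means the management address has not yet been moved off the default VLAN.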



Michael Sales Fri, 05/11/2007 - 04:43
Hi Jon,

the white paper will help.

In most of my cases, we have flat networks with Cisco 3500, 2950, 3550, and 3750 Series, all configured with the basic VLAN 1 with IP and all ports assigned to VLAN 1. BASIC STUFF!!! No one, before me, changed this or thought of security.

In other cases, we have Inter-VLAN routing happening with VLAN 1 as management vlan with a separate subnet, and all fa ports are assigned to a separate internal network subnet VLAN. The engineers that were hired to configure the system designed it this way. By the way, they were "Cisco certified".


