Best Practices for management VLAN

insccisco · ‎10-23-2008

Hi guys,

I have a client with a data center where they have lots of VLANs running off a 3750 (main switch) and then they have a 3550 and a 2950 running off from this main 3750.

They have lots of VLANs configured and I see that Vlan1 is not being used. Currently, all the IPs of the switches and routers belong to one of the customer Vlan's.

I've read that this is bad practice and that a management VLAN should be created. But I think I've also read that when it comes to management Vlans, one needs to stay away from Vlan1

So I am not sure how to tackle this.

any help?

thanks

JORGE RODRIGUEZ · ‎10-23-2008

Here is a very good discussion which should answer all your questions.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc12936/14

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.htm#wp39009

Jorge Rodriguez

flitcraft33 · ‎10-29-2008

Establishing a VLAN for management functionality is a good practice. Using VLAN 1 for it is a bad practice. Essentially it is recommended to get everything you can off of vlan 1 (the default untagged vlan, in most cases). You cannot eliminate all traffic, but if you cut it to a minimum, you can easily discern any big jump in traffic which might be a vlan hopping attack by a hacker. This will also allow you to isolate your management traffic where prying eyes will have a harder time finding it.