Management VLAN, How to set it up?

Unanswered Question
Nov 8th, 2008

Hi All,

For security reason, better not use VLAN1 as management VLAN, but a dedicated VLAN instead. How to set it up? Can I use VLAN1 first and then change it over? When change over, what is the impact to the network?

Switches are all c3750.

When doing the Express Setup with a Browser, the Management Interface (VLAN ID) can be changed with a number other than 1. is this the right way to setup Management VLAN? or is it the only way?

TIA

Mark

andrew.butterworth Sat, 11/08/2008 - 07:36

The use of a network-wide management VLAN is no longer considered necessary and goes against best practice for deploying a hierarchical switched network. In older switches (Cat 5000s and the like) it was considered best practice to ensure the management interface of a switch was not on the same VLAN as any user traffic. This was to protect the control-plane. This was mainly used with Layer-2 switches. Now however lots of switches are Layer-3 so there are typically multiple layer-3 interfaces you can 'attack' the control-plane from, also the control-plane can now be protected using a service-policy.

If you are using the 3750 as purely a layer-2 access switch and are using Voice VLANs I would usually recommend placing the management SVI in the Voice VLAN. You could deploy unique Management VLANs per switch but this might seem a bit overkill.

If you are using the 3750 as a layer-3 switch then I would always recommend using a Loopback interface to manage it.


Andy

Jon Marshall Sat, 11/08/2008 - 10:47

Mark


I agree with Andy in that


1) If the switch is running L3 then a loopback is the best way to manage it.


2) A network wide management vlan goes against the hierarchical model


Both of the above points are really to do with L3 vs L2. You should not be extending vlans from the access-layer all the way to the core through the distribution layer, so that is in effect why you shouldn't have one flat management vlan.


Where I differ slightly is that if you have an access-layer that is connected to the distribution layer via L2 trunks then there is nothing wrong with using one vlan to manage all the access-layer switches. And I would not choose an existing data/voice vlan to do this, I would use a dedicated vlan which simplifies QoS configurations etc.


One thing I forgot to say. Best practices are very useful and come out of years of experience from Cisco's involvement with networks but they are still just recommendations. They don't have to be followed slavishly and they do change. If you are designing/implementing a green field site then by all means follow all the best practices but it's not always that simple to implement in an existing network.


In answer to your original question you could use vlan 1 and then switch over later. But you need to be aware that if the switches are primarily L2 you would want to be at the console. On L3 switches it is relatively easy because you can have multiple L3 vlan interfaces up at the same time. With L2 switches it can be more challenging because to bring up another L3 vlan interface you have to shut down the original one.


Jon
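The change-over Jon describes, written out as an IOS configuration example for a 3750 running as a pure Layer-2 access switch. This is an added example, not configuration from the thread; VLAN 99, the 10.99.0.0/24 subnet, the gateway 10.99.0.1, the uplink port Gi1/0/1 and the ACL name are assumed values.

```cisco
! Added example, not from the thread. Assumed values: VLAN 99 as the dedicated
! management VLAN, 10.99.0.0/24 as its subnet, 10.99.0.1 as the gateway,
! Gi1/0/1 as the trunk to the distribution layer.
!
! Per Jon's caveat: on a switch running as pure L2 the VLAN 1 SVI has to be
! shut before the new SVI comes up, so any in-band session over VLAN 1 is
! lost part way through. Do this from the console.
!
vlan 99
 name MGMT
!
! Carry the new VLAN on the uplink; VLAN 1 stays allowed until the cut-over is done.
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 99
!
! Take the address off VLAN 1 first (this is the step that drops a VLAN 1 session) ...
interface Vlan1
 no ip address
 shutdown
!
! ... then bring the management SVI up in the dedicated VLAN.
interface Vlan99
 description Management
 ip address 10.99.0.10 255.255.255.0
 no shutdown
!
! An L2 switch has no routing table; point it at the management gateway.
ip default-gateway 10.99.0.1
!
! The security gain of a separate management VLAN only materialises if the
! vty lines accept sessions from that subnet alone (assumed ACL name).
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
```

Once the switch answers on 10.99.0.10 from the management subnet, VLAN 1 can be removed from the trunk's allowed list; until then leaving it there gives a way back if the new SVI does not come up.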

andrew.butterworth Sat, 11/08/2008 - 11:40

Hi Jon, how's things?


I would frown at having a flat Management VLAN from the Distribution layer down as this will create STP loops, which in my book is something you want to remove. Yes it makes things simpler from a human perspective - i.e. your layer-2 switches have contiguous addresses, however you have to engineer STP into it and no matter how you look at it there will be loops. That was where I was going with the unique management VLANs per access switch - i.e. Data VLAN, Voice VLAN and Management VLAN. The issue with the Management VLAN is it's another VLAN which might seem to some as overkill for simply managing one device. That is why I suggested using an address in the Voice VLAN (harder to spoof).


I hope I explained that enough?


Andy

Jon Marshall Sat, 11/08/2008 - 11:58

Hi Andy


Yep, not bad. Looking to move in the next month or so down to Bristol, be nice to get away from London after being here so long.


I understand why you would look at one vlan per switch for management but I just think in a lot of networks isolating a vlan or number of vlans to one switch is just not practical and can quite often reduce your flexibility, and it really does depend on what your vlans are meant to map to.


Given the chance to use L3 from the access-layer or L2 I would often go L3, although maybe not in a data centre. And in a new setup if my budget restricted me to L2 only access-layer switches then if I could I would look to contain vlan(s) within a switch, but it can as you say make things a lot more complex depending on the size of your network. And I would argue you are still creating more of a straitjacket for yourself by doing this.


And I always think STP gets a bad press, especially these days when you have the likes of RSTP. I've seen networks melt with STP loops but then I have seen networks fall apart due to routing/L3 issues as well. I guess I'm just a bit biased based on my first exposure to Cisco networking being L2 switching :-)


I do understand your reasoning and I fundamentally don't disagree with what you're saying, I just think often in existing networks it's a lot easier said than done.


Jon

markxgzhang Sun, 11/09/2008 - 04:44

Hi Guys,

Thank you very much for your input.

Yes, all 3750s are used as L3 (2 VLANs, one is Server, and one is Workstation, with routing enabled. I suppose this is L3 Setting, isn't it?) And it is a green site so far. The Voice VLAN is not used or configured

Which way is secure, and easy to implement and manage please? And how do I do it? Should I use the CLI, or is Cisco Network Assistant able to do this, or does a browser have to be used? Does the loopback way need to be configured and managed through the Console port only? (Sorry, I do not have enough knowledge about loopback interfaces, and cannot find enough info either.)


Mark



Jon Marshall Sun, 11/09/2008 - 05:13

Mark


If all your switches are L3 then use loopbacks. To create a loopback you just need to be logged onto the switch which could be via the console but it could be via telnet/ssh.


3750(config)# int loopback 10

3750(config-if)# ip address x.x.x.x x.x.x.x


Then you need to make sure that the address you use for your loopback is included in any routing configuration so that you can remotely manage the switch.


Jon
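Jon's two lines above, carried through to a complete loopback-managed L3 switch: the loopback is advertised by the routing protocol so it is reachable over any uplink, management traffic the switch originates is sourced from it, and vty access is restricted to the management hosts over SSH. This is an added example, not configuration from the thread; the loopback number and address, OSPF process 1 in area 0, the 10.0.0.0/8 network statement, the 10.99.0.0/24 management subnet, the hostname, domain name, username and ACL name are all assumed values.

```cisco
! Added example, not from the thread. Assumed values: Loopback10 with
! 10.255.0.11/32, OSPF process 1 / area 0 covering 10.0.0.0/8, management
! hosts in 10.99.0.0/24, hostname and domain name as shown.
!
ip routing
!
! A loopback is up whenever the switch is up, independent of any VLAN or
! physical port, which is why it is the preferred management address on L3.
interface Loopback10
 description Management
 ip address 10.255.0.11 255.255.255.255
!
! Jon's point about routing configuration: advertise the /32 so management
! stations reach the switch by whichever uplink is currently up.
router ospf 1
 router-id 10.255.0.11
 passive-interface Loopback10
 network 10.255.0.11 0.0.0.0 area 0
 network 10.0.0.0 0.255.255.255 area 0
!
! Source traffic the switch originates from the loopback, so logging and
! monitoring systems always see one stable address for this device.
logging source-interface Loopback10
snmp-server trap-source Loopback10
ip ssh source-interface Loopback10
!
! SSH needs a hostname and domain name before a key can be generated;
! the secret below is a placeholder to be set at install time.
hostname sw-3750-01
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret PLACEHOLDER-set-at-install
!
! Only the management hosts may open sessions, and only over SSH (assumed ACL name).
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
```

This answers the console question in Mark's post as well: nothing here requires the console. Once the loopback is advertised and SSH is enabled, the switch is managed in-band at 10.255.0.11 from the management subnet, and the console remains only as a fallback.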

markxgzhang Mon, 11/10/2008 - 02:25

Thanks Jon, and Andy. I need some time to figure those things out and practice on a device that is not easy to grab. I will come back if there are further questions, and bother you again.

Thanks
