Management VLAN

new_networker · ‎11-12-2008

hi,

I would like to access all the devices from management vlan. Cisco ASA and SSMs have management ports which can be directly connected to the management vlan. However, for routers and switches that do not have dedicated management port, how can they be connected to the management VLAN for secure remote management.

Amit Singh · ‎11-12-2008

Hi,

For a layer 2 switch only a single vlan can be a management vlan. For all the switches in the network, you can have the same vlan travel across the trunk ports to use as a management vlan for all the switches. You can can have all the routers connected to the same vlan which is a dedicated management vlan on your network.

On a Layer-3 switch, any vlan can be a management vlan. You have to decide and set one of the vlan which will only be used for the management across the entire network. You can have the same vlan travel across the trunk and have all the routers connected in the dedicated vlan for management.

regards,

new_networker · ‎12-01-2008

I didn't get the part when you say that routers are connected to dedicated vlan for management.

Management VLAN would ideally be a different subnet. Does it mean that a dedicated ethernet interface on the router would be required only for management purpose since the other ethernet interface will be used for network traffic.

Thanks.

mahmoodmkl · ‎12-01-2008

Hi

What Amit meant is

For eg:U will be connecting u r routers in a switch in which vlan r u going to assign the ethernet port of the switch to which the router is connected.

U will be assigning it in a vlan ie a subnet so if u want to manage all u r routers in the same subnet then u need to assign them in the same vlan.It all depends on you how u will make use of u r routers ethernet interfaces.It doesnt mean that the ethernet interface on the router u use for management that u cannot use it for other purpose.

Thanks

Mahmood

Jon Marshall · ‎12-02-2008

The other option is to have a mangement vlan for your switches and then use loopbacks for your routers. There is no fixed rule that all devices need to be in the same vlan and if you have a routed access-layer it is actually better to use loopbacks everywhere.

Unless you are prepared to dedicate an ethernet interface on a router or use terminal server setup on the console ports you cannot avoid having dual purpose interfaces on routers.

Jon

new_networker · ‎12-02-2008

Hi Jon,

Could you please elaborate on how is it better to use loopback in a routed access-layer.

Jon Marshall · ‎12-02-2008

A vlan by defintion works at Layer 2. So if you manage your switches with a vlan that means all the links between your switches tend to be L2 links (usually trunks).

L2 means STP which in and of itself is not that bad but by extending a vlan across the entire L2 topology you are increasing the vulnerability of the network to STP problems.

If you have a routed access-layer then your L3 switches connect back to the distribution layer switches with L3 links. So no vlan is extended on the link so therefore loopbacks would be my choice to manage them with, just as you use loopbacks on routers.

Jon