cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1326
Views
0
Helpful
10
Replies

Cisco Management VLAN recommendations

peteroseneff
Level 1
Level 1

Hi.

I have a POP with thousand more of catalyst switches with a Cisco 7609 as root deivce. I use default VLAN 1 for management. Inside the SVI interface vlan 1 I configured several /24s

The question is weather Cisco recommends to move those /24s (e.g. to segment management VLAN) into different management VLANs?

Does such a large (is it really large?) MGMT vlan can cause any artefacts, for example, problem with VoD drops on switches (I personally think it is a QoS issue)?

Please tell me what do you think. I've got hot disscussion with my colleague on this question.

10 Replies 10

John Blakley
VIP Alumni
VIP Alumni

It's recommended to have a separate vlan for management from your data vlans. If a broadcast storm were to occur that would take the switch down, you wouldn't be able to get a connection into the switch. Although, from other discussions on here, if your switch is being overwhelmed with so many broadcasts, then the switch probably wouldn't be able to support a remote connection anyway, regardless of being in a separate broadcast domain.

--John

HTH, John *** Please rate all useful posts ***

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Petr,

first of all usage of Vlan1 is not recommended for security reasons.

if you are using secondary ip addresses for the second to the Nth subent you can easily move each of them in a separate vlan.

Look at your Vlan database and find 4 unused vlans

create them on your VTP servers

example

vlan 5

name mgmt1

vlan 6

name mgmt 2

vlan 7

name mgmt 3

vlan 8

name mgmt 4

have the new vlans propagated on the correct trunk ports towards the correct switches.

the next step is to migrate each subnet on each new vlan

on the core you need to create

SVI interfaces for the new vlans where you place the second to Nth ip address

Hope to help

Giuseppe

Thanks for your answers.

But I'm really not sure weather do I need to do it (I mean MGMT VLAN splitting ). Everything works fine for now. I know that Cisco recommends to avoid usage of Vlan1. I'm going to change it to some tagged vlan - say Vlan2.

BUT there's a pressure on me from another Dept. They suppose that splitting "lagre" Vlan1 can help to solve existing problem with VoD UDP drops. According to this plan there will be around 50-60 MGMT vlans.

IMHO it's just an empty work, that only complicates configuration of 7906 and configuration of switches.

Petr

It really depends on the applications you use and how much broadcast traffic they generate. Generally speaking a /24 is the accepted high point for a vlan in terms of number of end devices. There will be people who run more end devices on a vlan and those who run less - i always used /25's per vlan.

But as i say it depends on your apps. A vlan obviously passes broadcasts to all end devices within that vlan.

If you don't use QOS currently then you would probably need to look at this for VoD anyway, regardless of the size of your subnets.

Personally i would have one vlan per subnet, it's not really all that much work ie. creation of L3 SVI's for new vlans and allocation of switchports into those vlans - don't forget the "interface range ..." command when doing this. But it does require careful planning.

Jon

Petr

Just a quick follow up. The VoD traffic, is that going across vlan 1 at present or is this on a different vlan altogether. I ask because it is unclear whether vlan 1 is used purely for managing switches in your environment or whether it carries user traffic.

If it carries user traffic then i stand by what i said in previous post but if vlan 1 is only used for management and the VoD is used on a different vlan then i would concentrate on QOS. I would still look to split up the management vlan but i don't think this would be the cause of the VoD drops.

Jon

Jon,

Thank you for understanding my quesion.

Vlan1 is used only for managment. VoD traffic flows in customer data vlans. There's around 50-60 data vlans and the new scheme proposes 1 separate mgmt vlan for every 1 user vlan.

It's obvious that you have to segment customer data vlans as you grow to avoid broadcast storms and setra, but I'm still not sure concerning management. There's only 1000 more MACs, telnet and SNMP traffic.

We are deploying QoS on all devices at the moment.

Petr

The user vlans, are they isolated in the sense that one vlan is only on one switch ie. a user vlan is never on more than one access-layer switch. If so there is an argument to have one mgmt vlan per switch as well as one data vlan per switch. The argument being that you are not running STP across your entire switch topology for the same vlan(s).

If however your data vlans are not isolated one vlan to one switch then i can't see the point in have 1 mgmt vlan per 1 data vlan.

If your switches are not exhibiting any CPU/memory issues with the current setup and your data vlans are not isolated then i would concentrate on the QOS side of things to tackle the VoD issue.

If your data vlans are not isolated per switch i would suggest a compromise may be to have a smaller number of mgmt vlans that allows you to get down to at least a /24 per mgmt vlan but not necessarily have one per data vlan.

Jon

Data vlans are not isolated. Data vlans begin to spread though threads of swiches from aggregation points (typically 3750 switch).

Switches CPUs are okay according to monitoring.

Hello Petr,

>> and the new scheme proposes 1 separate mgmt vlan for every 1 user vlan.

this doesn't make sense.

for the UDP VoD drops as Jon suggested investigate on qos current settings and ways to improve it.

It may help to have 4 management vlans to avoid to use secondary ip addresses as I suggested before but this is not related to the VoD issues.

Hope to help

Giuseppe

Giuseppe

I do believe that 4 (or X) mgmt vlans scheme have one big disadvantage - it's not suitable for configuration (deployment) of switches. When you've got 1 mgmt vlan or 1 mgmt to 1 data everything looks transparent. 4 vlans is not so obvious I think, cause you have to think which one mgmt vlan to define on switch and so on.

Conserning VoD - yes QoS definitly helps here. No quiestions any more.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco