Switch Management

Unanswered Question
May 27th, 2009

I know that Cisco recommends setting aside a management VLAN just for itself, because you wouldn't want your management IP address on a production VLAN: if for any reason that VLAN cannot be communicated across, then you can no longer connect to it (the switch).

My question is, let's suppose you have 3 VLANs

VLAN 1 (production)

VLAN 2 (Production)

VLAN 3 (Switch Management)

If you're always on VLAN 1 for work purposes and you're the admin, and something happens where the VLAN fails and no one can communicate, how do you access the switch management VLAN now that VLAN 1 (the VLAN you're always on) has failed?

I hope I'm explaining this thoroughly, but I'd like to understand what the best practice is for creating management VLANs and ALWAYS being able to access it no matter what.



cisco_lad2004 Wed, 05/27/2009 - 11:14


From my experience, I use a dedicated VLAN (not 1) and terminate it on the actual switch as an SVI. This is then routed on the next device within a VRF, so it is isolated from the global routing table.

Of course, this does not guarantee that I can access the switch no matter what. If anyone removes the VLAN from the switch, I have a problem.

Another (costly) method is to have dedicated out-of-band management using an access server, so you can get in via console to your switch.
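The layout described in the post above, written out as an added IOS configuration example (this is not configuration from the thread or from any poster): management VLAN 3 is terminated as an SVI on the access switch, and the next-hop Layer 3 device terminates the same VLAN inside a VRF so the management subnet never appears in the global routing table. The VLAN numbers, the 10.255.x.x addressing, the uplink port, the VRF name MGMT and the admin segment on VLAN 30 are all assumptions chosen for the example.

```cisco
! ===== Access switch (Layer 2): management SVI in a dedicated VLAN, not VLAN 1 =====
vlan 3
 name MGMT
!
! Nothing should manage the switch over the default VLAN, so leave its SVI down
interface Vlan1
 no ip address
 shutdown
!
interface Vlan3
 description Switch management (assumed subnet 10.255.3.0/24)
 ip address 10.255.3.11 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
! Layer 2 switch: management traffic leaves via the VRF gateway on the next hop
ip default-gateway 10.255.3.1
!
! Uplink carries production VLANs 1-2 and management VLAN 3 tagged, nothing else
interface GigabitEthernet0/24
 description Uplink to core (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-3
 switchport trunk native vlan 999
!
! ===== Next-hop Layer 3 switch/router: VLAN 3 lives in VRF MGMT, not the global table =====
ip vrf MGMT
 rd 65000:3
!
interface Vlan3
 description Management VRF gateway for the access switches
 ip vrf forwarding MGMT
 ip address 10.255.3.1 255.255.255.0
!
! The admin jump host sits in the same VRF, so reaching the switches does not
! depend on a production VLAN or on the global routing table being healthy
interface Vlan30
 description Admin jump host segment (assumed)
 ip vrf forwarding MGMT
 ip address 10.255.30.1 255.255.255.0
```

Two points follow from the VRF placement. First, a host on production VLAN 1 or 2 cannot reach 10.255.3.0/24 at all unless routes are deliberately leaked, which is the isolation the post is after; the admin therefore needs a foothold inside the VRF (the jump host above) or an out-of-band path, otherwise the failure the original question describes still locks them out. Second, the caveat in the post about someone removing the VLAN is real: `show vlan brief` and `show ip interface brief | include Vlan3` on the access switch are the quick checks that VLAN 3 still exists and its SVI is up/up before assuming the problem is upstream.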



nelson.garcia Wed, 05/27/2009 - 11:23

Thank you for the fast response.

My co-worker suggests, for all-the-time access to your switch no matter what, accessing your switch from the internet through your PIX.

For instance, you could plug a cable into one of your PIX Fast Ethernet interfaces and the other side into the management VLAN on your switch, and from there you can access your switch or switches anytime.

Of course, this would require you to have a backup internet connection, because even if the VLAN you're normally on fails, you won't have a connection out through your main internet, thus disregarding the always-being-able-to-manage-your-switch-no-matter-what scenario.

Let me know what you think guys. Thanks cisco_lad. =)


nelson.garcia Wed, 05/27/2009 - 18:18

Anyone have any thoughts on that last configuration I posted? Would it work?

cisco_lad2004 Wed, 05/27/2009 - 22:04

If the goal is to access the switch remotely, from home for instance, then yes, access via the internet is a solution.

A FW is desirable but not scalable if you dedicate one port per switch.

In this case, an alternative is to assign a public IP address to the switch management VLAN and ensure the access is via SSH. You can also secure it further by only allowing specific IPs to telnet or SSH to the switch.
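The "SSH only, and only from specific IPs" part of the answer above, as an added IOS example that is not configuration from the thread. The weak block is shown first for contrast; the hardened block is what a practitioner would actually leave on a switch whose management SVI is reachable from an untrusted network. The hostname, the domain name, the username, the admin source range 203.0.113.0/29 and the VTY line range 0-15 (it varies by platform) are assumptions.

```cisco
! ===== Weak: telnet permitted, shared line password, any source address =====
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
! ===== Hardened: SSH v2 only, named users, sources restricted by access-class =====
hostname sw-access-01
ip domain-name example.net
! RSA key is required before SSH will run; 2048 bits also satisfies SSHv2's minimum
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Per-user credentials instead of a shared line password
username netadmin privilege 15 secret <strong-password>
!
! Only the admin jump hosts may open a session at all; everything else is logged
ip access-list standard MGMT-ACCESS
 permit 203.0.113.0 0.0.0.7
 deny   any log
!
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
 exec-timeout 10 0
 login local
 logging synchronous
```

`show ip ssh` confirms SSH is enabled with version 2, and `show line vty 0` should list `ssh` as the only input transport; `show access-lists MGMT-ACCESS` will show hit counts on the `deny` entry once the address is exposed, which is a useful early indicator of scanning. Even with the access-class in place, putting a public address directly on the switch SVI makes the switch's own SSH stack the perimeter, so the alternatives raised elsewhere in this thread (a firewall interface into the management VLAN, or a VPN to an out-of-band console server) keep a smaller attack surface.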


hobbe Fri, 05/29/2009 - 02:43

The "only way" to have access to the switches "all the time" is through the serial interface (CLI).

This means that the switches have to be in close vicinity of each other, or special equipment needs to be attached to the serial links.

I use this to connect to and make changes to systems that, for different reasons, do not have an IP address.

On each site I have a computer set up with several serial ports to monitor and make changes to different switches/routers/firewalls.

This means that as long as I can somehow reach that computer, I do have a way into the different systems.

The way in can be, for example, through an IPsec VPN tunnel over the internet terminating in a firewall, or it can be an SSL VPN tunnel to a firewall which then sends me to the computer, a KVM switch or something similar.

The possibilities are endless.

The best part is that it is possible to make a quite secure solution.

cisco_lad2004 Fri, 05/29/2009 - 14:02


I beg to disagree. The command line interface (CLI) has nothing to do with serial interfaces. Console or VTY access can still allow use of the CLI.

The crunch is how you get to the switch console or VTY at all times... and yes, I agree there are many possibilities.


davidsudjiman Fri, 05/29/2009 - 15:00

My company (and the company I worked for before) manages lots of routers for customers. The way we do it, basically, for all non-core devices, is to just create a VLAN that is routed across the management subnet. And yes, there is always a problem when somebody screws up the network and we lose the management link routes and think we've lost the devices, yet it's only a routing issue. Or, worst scenario, we've lost our management link to our data center.

Now, for the core devices, we put in another access measure by creating OOB management via ISDN, 3G, or just another separate link from the primary management link to a console switch or KVM.

Using a PIX? Well, a PIX will also do the job, but this is not a popular solution, while a KVM or console switch has many more console ports compared to a PIX.


David Sudjiman


