Management VLAN Design and Implementation

Answered Question
Apr 17th, 2012

Greetings, friends.  I'm having trouble getting a clear picture of how a management VLAN ought to look.  I just installed a Catalyst 6509-E as my core switch, and as soon as they arrive I'm going to be replacing all of our other (HP) switches with Catalyst 3560X switches.  I understand the reasoning behind segregating traffic, not using VLAN1, etc., but I've never actually implemented a management VLAN--I've always just accessed the switches via the IPs assigned to them where all the client traffic flows (not VLAN1, by the way).


  1. Is "management VLAN" simply what we as humans call a VLAN we dedicate to management activities, or is there something official in these switches to designate a "management VLAN?"
  2. Is it best practice to include SNMP, netflow, syslog, and NTP as "management" traffic?
  3. There's a lot of documentation talking -about- management and management VLANs, but unless I'm blind or not looking hard enough I can't seem to find any implementation whitepapers or best practices whitepapers that demonstrate setting one up on a campus LAN.  Are you able to point me in the right direction to find such documentation?  Is it perhaps buried in a manual somewhere that isn't explicitly labeled "Management VLAN Design and Implementation" or somesuch?
  4. What is the best practice for accessing the management VLAN?  Inter-VLAN routing + ACLs?  Multi-homed PCs or servers?  Additional PCs to be used as access stations?


Thank you for your wisdom, experience, and advice!

Kevin

Correct Answer by Michel Hegeraat, Wed, 04/18/2012 - 00:08

1. Yes, you may want to keep this traffic separate from the other traffic, limiting device management access to just this VLAN, as this prevents eavesdropping.


2. Indeed, all other housekeeping goes via this VLAN, although you could limit it to the interactive or session traffic.


3. On a campus you could think of one big VLAN spanning the campus; in a multi-site environment, or where you use L3 to go to your datacenters, you probably need multiple management LANs. I've seen implementations where the management traffic was kept separate and even didn't use the routing protocol in use. The whole management LAN was statically routed and would work even if OSPF or BGP was down.


4. I feel a situation where the people providing support are connected on the LAN giving access to the devices is probably best. A dual-homed PC is a good solution, I think; other customers feel the management LAN should be treated as a DMZ accessible via a firewall, but the hardcore customers insist on a second PC connected to the management LAN.


Points to consider are as always,

Find the single point of failure: any device (L2, L3, firewall) that could cut off management from accessing a part of the network.

Find the right balance between security, costs, and ease of access for the business you're in.


Cheers,


Michel

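The switch side of the design Michel describes (a dedicated management VLAN, device access limited to that VLAN, housekeeping traffic sourced from it, and a static gateway that does not depend on the routing protocol), as an added Catalyst IOS example that is not part of the thread. Assumed values: VLAN 900, subnet 10.255.0.0/24, switch address 10.255.0.11, gateway 10.255.0.1, a combined NMS/syslog/NTP host at 10.255.0.5, trunk uplink Gi0/1, and an RSA key and domain name already configured for SSH.

```cisco
! Added example, not from the thread: Catalyst 3560X access switch (L2 only).
! Assumed: mgmt VLAN 900, 10.255.0.0/24, switch 10.255.0.11, gateway 10.255.0.1,
! NMS/syslog/NTP host 10.255.0.5, uplink Gi0/1, SSH key material already present.
vlan 900
 name MGMT
!
! The management SVI is the only SVI; the VLAN 1 SVI stays shut.
interface Vlan1
 shutdown
interface Vlan900
 description Management
 ip address 10.255.0.11 255.255.255.0
 no shutdown
!
! Static gateway for the management subnet; works even if OSPF/BGP is down upstream.
ip default-gateway 10.255.0.1
!
! Carry VLAN 900 on the uplink only; user access ports are never placed in it.
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,20,900
!
! Only hosts on the management subnet may open sessions to the switch; log the rest.
ip access-list standard MGMT-HOSTS
 permit 10.255.0.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
!
! SNMP read-only, bound to the same ACL; traps go to the NMS from the mgmt SVI.
snmp-server community <ro-community> RO MGMT-HOSTS
snmp-server host 10.255.0.5 version 2c <ro-community>
snmp-server trap-source Vlan900
!
! Syslog and NTP are sourced from the management SVI so they stay inside VLAN 900.
logging source-interface Vlan900
logging host 10.255.0.5
ntp source Vlan900
ntp server 10.255.0.5
```

Whether operators reach 10.255.0.0/24 from a dual-homed PC, through a firewall treating it as a DMZ, or from a dedicated station is the design choice discussed above; the switch configuration is the same in each case.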

kpieckiel Wed, 04/18/2012 - 04:57

Thanks, Michel.  I appreciate your input, and it's helpful to me.  You're clear and to the point; you have good communication skills.
