Switch management


Hi All,


I am attempting to align myself with the best practices of Cisco; I would like to change my management VLAN to something other than VLAN 1. Right now I have a few trunks between several switches and I am running VTP as well.


I have read so many different things on this issue that I believe I am even more confused than when I started.


To make this change, I should remove the IP addressing from VLAN 1, correct? Will this VLAN need to be, or can it even be, shut down? I should assign another random VLAN an IP address and do so on all of my switches. Now, on the trunks between these switches, what do I set as my native VLAN? Also, do I prune VLAN 1 from my trunks? Am I missing anything?


TIA,


R

sundar.palaniappan Thu, 05/25/2006 - 14:01

1. If you are changing the management VLAN from vlan1 to another vlan then you would have to move the management IP to the newly created vlan interface from vlan1.


2. If you are using VTP then pruning is enabled by default on most Catalyst switches. Hence, trunks wouldn't carry vlan updates for inactive VLANs.


3. The switch may give you an error if you try the default vlan1 interface. Just shut it down. You may want to add a description like 'management vlan moved to xxx'.


4. The default native VLAN is 1. You can make any VLAN the native VLAN on your trunks, but it's not a mandatory requirement. But if you have too many trunks then that would mean a lot of work for you and possible outages during the config change.


Hope I covered all your questions.


HTH,

Sundar


*Please rate all helpful posts.

sundar.palaniappan Fri, 05/26/2006 - 15:23

The reason why you may want to shut down the vlan1 interface is because most layer 2 switches would support only one management interface. In that case you would have to shut down vlan1 interface to activate another vlan interface.


No, I can't think of a complication by leaving the native vlan to be the default vlan1. If there's any untagged traffic that arrives at the port the switch assumes the traffic came in on vlan1 and that's all it does.


HTH,

Sundar


*Please rate all helpful posts.



gpulos Thu, 06/01/2006 - 08:07

I find it a best practice to not use VLAN 1 for anything.


I would create a new VLAN for management and, of course, change any respective IP, routes, ports, etc.


Complications from leaving VLAN 1 native and/or active could arise from a rogue device being added to the switching environment (port) that is not configured for anything other than VLAN 1, and having that device cause problems of sorts. If VLAN 1 is carrying most of your vital traffic, this could be impacting and a problem to users.


Since VLAN 1 is the default VLAN for all ports in virtually all switches, I would keep it as far from impacting my production data/traffic flows as possible.

devang_etcom Thu, 06/01/2006 - 11:16

hi Sundar,


So here we need to remove the pruning of the newly created native VLAN?


And what will the command 'management vlan moved to xxx' exactly do...


If we move the native VLAN then it will create the 802.1Q issue when two different switches' trunk ports are in different native VLANs.


Please reply to me.


regards

Devang

eric_chan Fri, 05/26/2006 - 07:33

My experiences are:


1) Put management on a different VLAN.


2) Use VLAN 1 for the native VLAN.


3) Don't put any user/management traffic on VLAN 1.


4) Shut down VLAN 1.


You shouldn't have to re-address your switches; just move the management IP to the new VLAN interface.

lburleso Thu, 06/01/2006 - 10:42

I have just a couple more pieces of experience to add.


I avoid explicitly using the native VLAN function (untagged frames) of all trunks. There's really no point in using it, and it adds more config and therefore potential for misconfig.


The _only_ place that I do use the native VLAN functionality is when trunking to a non-Cisco switch. That allows us to plug unmanaged switches into designated trunk ports and deliver a single (edge) VLAN.


Keep the production (client edge) traffic on separate, regionalized VLANs. Put the servers on another separate VLAN. This kind of layout allows you to easily set up packet filtering at layer 3 later on.


- Lee
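Pulling the steps discussed in this thread (Sundar's list, gpulos's point about VLAN 1 being the default for every port, Devang's native VLAN mismatch concern) together into one IOS configuration, as an added example that is not from any poster. VLAN numbers 99 and 999, the 10.0.99.0/24 addresses and the interface names are constructed; the same change is applied on every switch, and the trunk settings must match on both ends of each trunk.

```cisco
! Added example (not from the thread). VLANs, addresses and interfaces are constructed.
!
! 1. Create the management VLAN and an otherwise unused VLAN for the trunk native VLAN.
vlan 99
 name MGMT
vlan 999
 name NATIVE_UNUSED
!
! 2. Move the management IP to the new SVI. Most L2 Catalyst switches allow only one
!    active management SVI, so this replaces the VLAN 1 address. The SVI only comes up
!    once VLAN 99 is carried by an up trunk or an up access port on this switch.
interface Vlan99
 description Switch management
 ip address 10.0.99.11 255.255.255.0
 no shutdown
!
! 3. Retire the VLAN 1 interface. The description is free text for the next admin,
!    it does not change switch behaviour.
interface Vlan1
 description management vlan moved to vlan 99
 no ip address
 shutdown
!
ip default-gateway 10.0.99.1
!
! 4. Trunk hygiene: tag every data VLAN, use the unused VLAN as native, and keep
!    VLAN 1 off the trunk. VTP pruning never prunes VLAN 1, so remove it from the
!    allowed list explicitly (CDP/VTP control frames still cross untagged).
!    "encapsulation dot1q" is only accepted on platforms that also support ISL.
interface range GigabitEthernet1/0/1 - 2
 description Uplinks to other switches
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan remove 1
!
! 5. Unused access ports: take them out of VLAN 1 and disable them, so a device
!    plugged into a spare port does not land in VLAN 1 by default.
interface range GigabitEthernet1/0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! 6. Verify on each end: native VLAN and allowed list must agree on both sides of a
!    trunk, otherwise CDP logs a native VLAN mismatch and untagged frames leak between
!    VLANs.
!    show interfaces trunk
!    show vlan brief
!    show cdp neighbors detail
```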
