Management VLAN on a Switch

edw
Level 1

Hi,

I'm trying to get a management VLAN running which isn't VLAN 1, due to the security issues and best practice.

I have programmed the switch as shown:

!
ip subnet-zero
!
interface FastEthernet0/1
 switchport access vlan 10
!
.
.
.
.
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface VLAN1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 shutdown
!
interface VLAN10
 no ip directed-broadcast
 no ip route-cache
 shutdown
!
interface VLAN20
 ip address 172.30.20.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip default-gateway 172.30.20.25

but I can't ping 172.30.20.1 from my machine. When I move the management back to VLAN 1 I can do this fine. I also can't ping the gateway when I am running management on VLAN 20.

Any ideas or thoughts?

Thanks

Ed


10 Replies

ankbhasi
Cisco Employee

Hi Ed,

I would like to know from where you are trying to ping this switch. I mean, which switch is your machine connected to, and on which VLAN?

If you are not in VLAN 20, then do you have any router or switch doing routing between your VLAN and VLAN 20?

Ankur

Richard Burts
Hall of Fame

Ed

You have condensed the config in a way that makes it difficult to analyze your problem. You show one switch interface as an access port in VLAN 10, you do not show any switch ports assigned to VLAN 20, and you show a switch port as a trunk.

You have also not told us where your PC is connected or how it is configured (in particular what IP address, mask, and default gateway). You have also not told us what device is doing inter-VLAN routing.

Any one of these things could be the issue that is causing the problem. So if you give us more information we might be able to find your problem.

HTH

Rick


Hi,

Sorry - trying to get out of work ;)

My machine is on the inside of the interface of a PIX firewall and has static maps for both VLANs to the switch. I can ping a machine on the switch on VLAN 10 and I can also ping 172.30.20.1 when it is assigned to VLAN 1, but when I move it to VLAN 20 it stops pinging. The trunk port is going to the second interface on the firewall.

Basically my question is: how come when I move the management port from VLAN 1 to VLAN 20 I lose this pinging?

Thanks

Ed

Hi,

Just read my last...

What I'm saying is I can ping the 172.30.20.1 address of the switch when the management VLAN is VLAN 1, but when I move that management VLAN to 10 I lose it. I'm going through a PIX firewall.

But if we ignore the PIX and my machine, I lose pinging the PIX interface in the same way, i.e. I can ping 172.30.20.25 when VLAN 1 is the management interface but not when VLAN 10 is.

Does that make better sense?

Thanks

Ed

Hi Ed

Following on from Rick's post, could you just clarify: you talk of the VLAN interface being in VLAN 10, but your switch config shows the VLAN interface being VLAN 20.

Yet the only port allocated on your switch is one in VLAN 10?

Jon

Hiya Jon,

This is following on from the post you answered the other day. It's basically about moving the management to another VLAN.

The management is on VLAN 20, not 10; this was my mistake. So I have tried setting VLAN 20 up as a management VLAN, yet when this is set as the management one I can't ping the firewall card and I also can't ping from the firewall in. Yet if I move the management to VLAN 1 it's fine. As for VLAN 10, this works fine regardless of which interface is set to management, i.e. it's not affected.

The only port needing configuring is port 1 on VLAN 10 for test purposes. Port 24 is connected to the PIX.

So in essence, using the command ping 172.30.20.25 in either situation only gets a response when I have entered:

conf t
int vlan1
management

yet when I then do the commands

conf t
int vlan 20
management

I get nothing... ;(

I am slightly confused as to why I don't get a ping response from the PIX card.

Now one thought I had in the last 30 mins is: do I need to create a logical interface for VLAN 20 on the PIX? At present the gateway is set to the PIX physical address, but does the PIX know that it's VLAN 1 and VLAN 20? Would this make a difference?

Thanks

Ed

Ed

I would think that the PIX would need to know that it was trunking and would need a logical interface for VLAN 20.

Also I am not sure that I fully understand what you were saying about changing the management VLAN between VLAN 1 and VLAN 20. You seem to show using the management command to move it. Were you also moving the IP address between VLANs? Perhaps you can be a bit more explicit about all the commands that you are using to make the change.

HTH

Rick


Hi,

Yes, the management command in IOS moves the IP address, shuts down the old interface and starts up the new one automatically.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/release12.0_5_wc5/cli/clicmds.html#wp1052840

I now believe I need to enter VLAN 20 as the physical interface on the firewall, as it isn't understanding the VLAN 20 tagged packets.

Is this the correct way to change the management VLAN, by the way?

Thanks

Ed

Hi Ed

The PIX knows the VLAN by the config you assign to the interface, i.e.

interface ethernet1 100full
interface ethernet1 vlan1 physical
interface ethernet1 vlan2 logical

ethernet1 is the inside interface. The above config says:

the physical port is assigned to VLAN 1

the logical port is assigned to VLAN 2

Now if you want to use VLAN 20 as a management VLAN for the switch, then on the relevant PIX interface, and I believe it is a DMZ interface in your case, you will need VLAN 20 assigned either as the physical or logical.

So you would have one VLAN for the data and one for the management, i.e. your interface config would look like

interface ethernet1 100full
interface ethernet1 vlan20 physical
interface ethernet1 vlan2 logical

where VLAN 20 is the management VLAN and VLAN 2 is the data VLAN. You don't have to have them this way round, by the way; it could just as easily be

interface ethernet1 100full
interface ethernet1 vlan2 physical
interface ethernet1 vlan20 logical

Hope this makes sense. I won't be posting for a week or so, but I hope this solves your problem.

Jon
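The whole arrangement Jon describes, both sides of the trunk, written out as an added example; this is not configuration from the thread or from Cisco documentation, and it is not Ed's or Jon's config. The switch side assumes a Catalyst running IOS with SVIs (`interface Vlan20` with an address), which is the modern equivalent of the `management` command Ed used on the 2900XL/3500XL. The PIX side uses the PIX 6.x `interface ... vlanN physical|logical` form from Jon's reply; the interface names `dmz` and `mgmt`, the security levels, and the 172.30.10.1 DMZ address are assumptions, while 172.30.20.1 and 172.30.20.25 are the addresses from the thread. One further assumption, consistent with what Ed saw (VLAN 1 worked untagged, VLAN 20 did not), is that the trunk's native VLAN must match the VLAN the PIX treats as "physical", and every other VLAN on the trunk needs a "logical" entry or its tagged frames are simply discarded.

```cisco
! ----- Switch side (Catalyst IOS with SVIs, assumed) -----
vlan 10
 name DATA
vlan 20
 name MGMT
!
! Access port for the test host in the data VLAN (as in Ed's config).
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
! Trunk to the PIX. Native (untagged) VLAN is the data VLAN so it matches
! the PIX "physical" VLAN below; only VLANs 10 and 20 are carried, so a
! stray VLAN never reaches the firewall port.
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
! The management address lives only on the VLAN 20 SVI; VLAN 1 keeps no
! address and stays shut, so nothing in VLAN 1 can reach the switch CLI.
interface Vlan20
 ip address 172.30.20.1 255.255.255.0
 no shutdown
interface Vlan1
 no ip address
 shutdown
!
ip default-gateway 172.30.20.25
!
! ----- PIX 6.x side (form from Jon's reply; names and levels assumed) -----
! vlan10 physical : untagged frames on ethernet1 belong to the data VLAN.
! vlan20 logical  : the PIX now accepts 802.1Q frames tagged 20 on the
!                   same wire. Without this line those frames are dropped,
!                   which is exactly the "no ping on VLAN 20" symptom.
interface ethernet1 100full
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
nameif ethernet1 dmz security50
nameif vlan20 mgmt security50
ip address dmz 172.30.10.1 255.255.255.0
ip address mgmt 172.30.20.25 255.255.255.0
```

The quick check after applying this is the one Ed used: `ping 172.30.20.25` from the switch should answer once the `vlan20 logical` line is in, and it should have failed before it. `show interface` on the PIX then lists the logical VLAN interface alongside the physical one, and `show interfaces trunk` on the switch should show VLAN 10 as native and 10,20 as allowed and active.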

Hi,

Yep, tried this yesterday and it worked great. I'm assuming this is the secure way to do it.

Thanks

Ed
