I know that Cisco recommends setting aside a management VLAN just for itself, because you wouldn't want your management IP address on a production VLAN: if for any reason that VLAN cannot be communicated across, then you can no longer connect to it (the switch).
My question is, let's suppose you have 3 VLANs
VLAN 1 (production)
VLAN 2 (Production)
VLAN 3 (Switch Management)
If you're always on VLAN 1 for work purposes and you're the admin, and something happens where the VLAN fails and no one can communicate, how do you access the Switch Management VLAN now that VLAN 1 (The VLAN you're always on) has failed?
I hope I'm explaining this thoroughly, but I'd like to understand what the best practice is for creating management VLANs and ALWAYS being able to access it no matter what.
My co-worker's suggestion, for all-the-time access to your switch no matter what, is to access your switch from the internet through your PIX.
For instance you could plug up a cable to one of your PIX Fast Ethernet interfaces and the other side to the management VLAN on your switch, and from there you can access your switch or switches anytime.
Of course, this would require you to have a backup internet connection, because even if the VLAN you're normally on fails, you won't have a connection out through your main internet, thus defeating the always-being-able-to-manage-your-switch-no-matter-what scenario.
Let me know what you think guys. Thanks cisco_lad. =)
If the goal is to access the switch remotely from home for instance, then yes access via internet is a solution.
FW is desirable but not scalable if you dedicate one port per switch.
In this case an alternative is to assign a public IP address to the switch management VLAN and ensure the access is via SSH. You also secure it further by only allowing specific IPs to telnet or SSH to the switch.
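The setup this reply describes, written out as an added IOS configuration example (not from the original thread or from Cisco documentation): a dedicated management SVI, SSH only on the vty lines, and a standard ACL so that only a named source range can reach them. All addresses, VLAN number, hostname and ACL name are assumptions, and the secret is a placeholder.

```cisco
! Added example: management VLAN 3 with SSH-only, source-restricted access.
! Addresses are documentation ranges chosen for illustration.
hostname MGMT-SW1
ip domain-name example.net
!
vlan 3
 name SWITCH-MGMT
!
! Management SVI lives only on the management VLAN, never on a production VLAN.
interface Vlan3
 ip address 192.0.2.10 255.255.255.0
 no shutdown
!
! Layer-2 switch: default gateway is the management VLAN's router/firewall.
ip default-gateway 192.0.2.1
!
! RSA key is required before SSH can be enabled; SSHv2 only.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
!
! Only the admin jump network (assumed 198.51.100.0/24) may reach the vty lines;
! everything else is dropped and logged.
ip access-list standard MGMT-ACCESS
 permit 198.51.100.0 0.0.0.255
 deny   any log
!
username admin privilege 15 secret <REPLACE-WITH-STRONG-SECRET>
!
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Console stays available regardless of any VLAN state.
line console 0
 login local
 exec-timeout 10 0
```

With `transport input ssh` Telnet is refused outright, and `access-class ... in` filters by source address before the login prompt, so exposing the management SVI through the firewall (or, as the reply suggests, with a public address) still leaves only the permitted range able to open a session. `show access-lists MGMT-ACCESS` will show hit counts for the logged denies, which is a quick way to confirm unexpected sources are being blocked.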
The "only way" to have access to the switches "all the time" is through the serial interface (cli).
This means that the switches have to be in close vicinity of each other, or special equipment needs to be attached to the serial links.
I use this to connect and make changes to systems that for different reasons do not have an IP address.
On each site I have a computer set up with several serial ports to monitor and make changes to different switches/routers/firewalls
This means as long as I can somehow reach that computer I have a way into the different systems.
The way in can be e.g. through an IPsec VPN tunnel over the internet terminating in a firewall, or it can be an SSL VPN tunnel to a firewall which then sends me to the computer, a KVM switch or something similar.
The possibilities are endless.
The best part is that it is possible to make a quite secure solution.
My company (and the company I worked for before) manage lots of routers for customers. The way we do it, basically for all non-core devices, is to just create a VLAN that is routed across the management subnet. And yes, there is always a problem when somebody screws up the network and we lose the management link routes and think we've lost the devices, yet it's only a routing issue. Or, worst scenario, we've lost our management link to our data center.
Now, for the core devices, we put another access measure in place by creating OOB management via ISDN, 3G, or just another separate link from the primary management link to a console switch or KVM.
Using PIX? Well, a PIX will also do the job, but this is not a popular solution, whilst a KVM or console switch has many more console ports compared to a PIX.