Solved: Re: Management Block

tahalotfi · ‎04-18-2007

An enterprise composite model includes :

-Server Farm

-Campus Backbone

-Users VLAN

-Edge Distribution

-DMZ

-etc

How we can build a Management Block for all the enterprise?

Can we have one management VLAN for all enterprise?

If the answer is yes, as far as connection between different blocks is layer 3, so how one VLAN can spread in all network?

Thanks,

Taha

Craig Balfour · ‎04-19-2007

Yes, if you have multiple management VLANs - as we do - you need to have a layer 3 switch or a router to route between the different management VLANs. This is especially true if if you have your management servers (e.g. Cisco Works LMS, etc) on the one of the management VLANs and they need to be able to reach all of the devices to be able to monitor them.

We use the same infrastructure for management and user access but you could in theory create a completely separate management network with one or more separate layer 3 switches to do the routing and dedicated links between them.

View solution in original post

Craig Balfour · ‎04-19-2007

You will need to use a separate management VLAN for at least each layer 3 network.

In our environment, we use public address space for user access VLANs and 10.0.0.0/8 RFC1918 address space for management.

Our 10.0.0.0/8 management address space we subnet per campus (our L3 boundaries) and

then again per building.

Here is an example of what our management address block might look like:

10.0.0.0/8 = management

- 10.1.0.0/16 = campus 1

-- 10.1.1.0/24 = campus 1 backbone

-- 10.1.2.0/24 = building 1

-- 10.1.3.0/24 = building 2

- 10.2.0.0/16 - campus 2

- 10.3.0.0/16 - campus 3

tahalotfi · ‎04-19-2007

Thanks a lot. It was helpful.

So in the management block we should have at least a L3 switch that has a connection to each layer 3 network?

Craig Balfour · ‎04-19-2007

What we did is we configure the management (SVI aka VLAN) interface on the layer 2 switches in the appropriate management VLAN. So the only IP address on the layer 2 switch is a RFC1918 10.0.0.0/8 IP address.

The layer 3 switches (our distribution and core switches) do the routing for the public user access VLAN's as well as the RFC1918 management address blocks. The management VLANs and the user access VLANs are all trunked down to the layer 2 switches from the layer 3 distribution.

So, our layer 2 switches with their private addresses are only reachable from within our local network, while the layer 3 switches which need to also have public addresses on them for routing the user VLANs have remote access to the vty interfaces restricted to the local network using access-lists (i.e. using the "access-class" command on the line vty 0 15).

tahalotfi · ‎04-19-2007

OK, Thanks.

How is the infrastructure for the management block? If I want to have a machine in the Management Block that be able to monitor all the devices in the enterprise, what should I do?

I think that we should be able to see all different layer 3 networks from that block. For this purpose we have to have a layer 3 switch for seeing all these network?

Craig Balfour · ‎04-19-2007

Yes, if you have multiple management VLANs - as we do - you need to have a layer 3 switch or a router to route between the different management VLANs. This is especially true if if you have your management servers (e.g. Cisco Works LMS, etc) on the one of the management VLANs and they need to be able to reach all of the devices to be able to monitor them.

We use the same infrastructure for management and user access but you could in theory create a completely separate management network with one or more separate layer 3 switches to do the routing and dedicated links between them.

tahalotfi · ‎04-20-2007

Thank you very much.

I got it.