Cisco Support Community
Community Member

Management Block

An enterprise composite model includes:

- Server Farm
- Campus Backbone
- Users VLAN
- Edge Distribution
- DMZ
- etc.

How can we build a Management Block for the whole enterprise?

Can we have one management VLAN for all enterprise?

If the answer is yes, since the connections between the different blocks are layer 3, how can one VLAN spread across the whole network?

Thanks,

Taha

6 REPLIES

Re: Management Block

You will need to use a separate management VLAN for at least each layer 3 network.

In our environment, we use public address space for user access VLANs and 10.0.0.0/8 RFC1918 address space for management.

We subnet our 10.0.0.0/8 management address space per campus (our L3 boundaries) and then again per building.

Here is an example of what our management address block might look like:

10.0.0.0/8 = management

- 10.1.0.0/16 = campus 1
  - 10.1.1.0/24 = campus 1 backbone
  - 10.1.2.0/24 = building 1
  - 10.1.3.0/24 = building 2
- 10.2.0.0/16 = campus 2
- 10.3.0.0/16 = campus 3

Community Member

Re: Management Block

Thanks a lot. It was helpful.

So in the management block we should have at least a L3 switch that has a connection to each layer 3 network?

Re: Management Block

What we did is configure the management (SVI, aka VLAN) interface on the layer 2 switches in the appropriate management VLAN. So the only IP address on a layer 2 switch is an RFC1918 10.0.0.0/8 address.

The layer 3 switches (our distribution and core switches) do the routing for the public user access VLANs as well as the RFC1918 management address blocks. The management VLANs and the user access VLANs are all trunked down to the layer 2 switches from the layer 3 distribution.

So, our layer 2 switches with their private addresses are only reachable from within our local network, while the layer 3 switches which need to also have public addresses on them for routing the user VLANs have remote access to the vty interfaces restricted to the local network using access-lists (i.e. using the "access-class" command on the line vty 0 15).
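The addressing hierarchy given earlier in this thread and the vty "access-class" restriction described in the reply above, turned into a small check. This is an added example and not anything the posters configured or ran: the plan dictionary is constructed from the /8, /16 and /24 values quoted in the thread, the ACL entries are hypothetical, and the matching function models the standard IOS wildcard-mask semantics (first matching entry wins, implicit deny at the end) rather than calling any real device.

```python
import ipaddress

# Constructed from the addressing plan quoted in the thread (parent -> children).
# These are the example values from the reply, not a real deployment.
MANAGEMENT_PLAN = {
    "10.0.0.0/8": ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"],
    "10.1.0.0/16": ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],
}


def plan_errors(plan):
    """Check a parent -> children addressing plan.

    Returns a list of human-readable problems: a child that is not nested
    inside its parent, or two siblings that overlap. An empty list means the
    hierarchy is consistent, which is what you want before carving the
    management block into per-campus and per-building subnets.
    """
    errors = []
    for parent, children in plan.items():
        p = ipaddress.ip_network(parent)
        nets = [ipaddress.ip_network(c) for c in children]
        for n in nets:
            if not n.subnet_of(p):
                errors.append(f"{n} is not inside {p}")
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    errors.append(f"{a} overlaps {b}")
    return errors


def wildcard_match(addr, base, wildcard):
    """IOS standard-ACL style match: a wildcard bit of 1 means 'don't care',
    a bit of 0 means the address bit must equal the base bit."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


# Hypothetical standard ACL in the spirit of the reply: only sources inside
# the RFC1918 management block may open a vty session. Everything else falls
# through to the implicit deny that ends every IOS ACL.
VTY_ACL = [
    ("permit", "10.0.0.0", "0.255.255.255"),
]


def vty_access_allowed(source, acl=VTY_ACL):
    """Evaluate an ACL the way 'access-class <acl> in' would on line vty:
    entries are tested in order, the first match decides, no match = deny."""
    for action, base, wildcard in acl:
        if wildcard_match(source, base, wildcard):
            return action == "permit"
    return False  # implicit deny


if __name__ == "__main__":
    print("plan problems:", plan_errors(MANAGEMENT_PLAN) or "none")
    for src in ("10.1.2.5", "10.3.7.200", "192.0.2.10"):
        print(f"{src:>12} -> {'permit' if vty_access_allowed(src) else 'deny'}")
```

The same two helpers cover the failure modes a reviewer of such a plan actually looks for: `plan_errors` flags a /24 placed under the wrong campus or two buildings that were given overlapping ranges, and `vty_access_allowed` shows that a public source address never reaches the vty even though the layer 3 switch itself carries public addresses.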

Community Member

Re: Management Block

OK, Thanks.

What does the infrastructure for the management block look like? If I want to have a machine in the Management Block that is able to monitor all the devices in the enterprise, what should I do?

I think that we should be able to see all the different layer 3 networks from that block. For this purpose, do we have to have a layer 3 switch to see all these networks?

Re: Management Block (accepted solution)

Yes, if you have multiple management VLANs - as we do - you need to have a layer 3 switch or a router to route between the different management VLANs. This is especially true if you have your management servers (e.g. CiscoWorks LMS, etc.) on one of the management VLANs and they need to be able to reach all of the devices to be able to monitor them.

We use the same infrastructure for management and user access but you could in theory create a completely separate management network with one or more separate layer 3 switches to do the routing and dedicated links between them.

Community Member

Re: Management Block

Thank you very much.

I got it.
