Cisco Support Community
New Member

Management VLAN: Correct Implementation?

Greetings,

Currently we have about 20+ Cisco switches. All ports are in the default VLAN 1.

I would like to create a management VLAN. I have read that this is good practice.

I am unsure how to do this from a logical and physical perspective.

I would appreciate any thoughts on this.

Regards,

Gary

5 REPLIES
Bronze

Re: Management VLAN: Correct Implementation?

Hello Gary,

basically, VLAN 1 should not be used for user traffic, and should be configured as the management VLAN. That is because e.g. VTP (trunk) control traffic is using that VLAN, and it is absolutely necessary for that traffic to flow. With regard to the configuration of your switches, this means that you would give the VLAN 1 interface a management IP address from the same network. Let's say you want to configure the first two switches (the subsequent configuration of the remaining switches would be the same); it would look like this:

Switch1

    !
    ! management SVI on VLAN 1
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
    !
    ! user ports in VLAN 2
    interface FastEthernet0/1
     switchport access vlan 2
     spanning-tree portfast
    !
    interface FastEthernet0/2
     switchport access vlan 2
     spanning-tree portfast
    !
    ! uplink trunk
    interface GigabitEthernet0/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !

Switch2

    !
    ! management SVI on VLAN 1
    interface Vlan1
     ip address 192.168.1.2 255.255.255.0
    !
    ! user ports in VLAN 2
    interface FastEthernet0/1
     switchport access vlan 2
     spanning-tree portfast
    !
    interface FastEthernet0/2
     switchport access vlan 2
     spanning-tree portfast
    !
    ! uplink trunk
    interface GigabitEthernet0/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !

As you see, no user port is part of Vlan 1, only the management interface. The user ports in this example are part of Vlan 2, but obviously you could use whatever Vlan number you want to...

Does that clear things up?

Regards,

Nethelper

New Member

Re: Management VLAN: Correct Implementation?

Is it possible to change the "management" VLAN to something other than 1?

For instance, this may help prevent someone from getting access to the management VLAN as a result of that VLAN being the "default" VLAN on any newly attached switches. Thus if the management VLAN were VLAN 2, it would require setting up access to that VLAN and hopefully prevent accidental access.

Purple

Re: Management VLAN: Correct Implementation?

Yes, you can make the mgmt. VLAN any VLAN number you want.

New Member

Re: Management VLAN: Correct Implementation?

I *think* that Cisco best practice is not to use the default VLAN 1 either. I think you should define another VLAN for your management traffic.

Those who are more wise than me, please correct me if I'm wrong :-)

Regards

New Member

Re: Management VLAN: Correct Implementation?

I have always thought it was best to put your management on a separate VLAN (VLAN 1000) and just leave VLAN 1 for protocol traffic.

Check this article out: http://tinyurl.com/56bwd (VLAN Security White Paper)

Here is a clip from the article:

+++++++++++++++++

Therefore, with regard to VLAN 1, the above rule simply translates into the recommendations to:

• Not use VLAN 1 for inband management traffic and pick a different, specially dedicated VLAN that keeps management traffic separate from user data and protocol traffic.

• Prune VLAN 1 from all the trunks and from all the access ports that don't require it (including not connected and shutdown ports).

Similarly, the above rule applied to the management VLAN reads:

• Don't configure the management VLAN on any trunk or access port that doesn't require it (including not connected and shutdown ports).

• For foolproof security, when feasible, prefer out-of-band management to inband management. (Refer to [3] for a more detailed description of an out-of-band management infrastructure.)

+++++++++++++

dj
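As an added example (not from the thread or from Cisco), here is a small Python audit that reads an IOS-style running-config and flags the points the quoted white paper makes: an in-band management IP on the VLAN 1 SVI, trunks that still carry VLAN 1, and ports (shut down or not) left in VLAN 1 or placed in the management VLAN. The sample config text, the function names and the management VLAN number 1000 are constructed assumptions.

```python
# Constructed sample running-config (not from the thread): management SVI on VLAN 1, unrestricted trunk.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1
 switchport access vlan 2
!
interface FastEthernet0/2
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

def parse_interfaces(config):  # -> {interface name: [lines under that IOS 'interface' stanza]}
    sections, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            current = sections.setdefault(line.split(" ", 1)[1], [])
        elif line == "!":
            current = None
        elif current is not None and line:
            current.append(line)
    return sections

def expand(spec):  # '2,10-20' -> {2, 10, ..., 20}; ''/'all'/'none'/'add ...' -> None (unknown)
    if not spec or not spec[0].isdigit():
        return None
    parts = [p.partition("-") for p in spec.split(",")]
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def audit(config, mgmt_vlan):  # -> [(interface, finding)] for the white-paper points quoted above
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.lower().startswith("vlan"):  # SVI: an IP on VLAN 1 means in-band management on VLAN 1
            if name[4:] == "1" and any(l.startswith("ip address ") for l in lines):
                findings.append((name, "in-band management IP on VLAN 1"))
        elif "switchport mode trunk" in lines:
            vlans = expand(next((l.split("vlan ", 1)[1] for l in lines if l.startswith("switchport trunk allowed vlan ")), ""))
            if vlans is None or 1 in vlans:  # missing or unparsed allowed-list counts as carrying VLAN 1
                findings.append((name, "trunk carries VLAN 1 (not pruned)"))
        else:  # access port: IOS default is VLAN 1, shutdown and unused ports included
            access = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), "1")
            if access == "1":
                findings.append((name, "port left in default VLAN 1"))
            elif access == str(mgmt_vlan):
                findings.append((name, "user-facing port placed in management VLAN"))
    return findings
```

Run `audit(SAMPLE_CONFIG, 1000)` against the sample and it reports the VLAN 1 SVI, the shut-down port still sitting in VLAN 1, and the trunk with no pruned VLAN list; a config with its SVI on Vlan1000 and `switchport trunk allowed vlan 2,1000` on the trunk comes back clean.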
