Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
317
Views
0
Helpful
4
Replies

Moving User traffic away from defualt Vlan 1

makkers
Level 1
Level 1

‎08-28-2003 05:46 AM - edited ‎03-02-2019 09:57 AM

Cisco recommend that all user user traffic is kept away from the management vlan (1). This I accept but how can I implement it??

Say I have 25 users on Vlan 2, on net 192.168.1.0/24 and this then connects to firewall doing its natting thing to an outside address.

To access the Mgt Vlan (1) for Cworks for example this will require a different physical connecton from the Switch Vlan (1) to the Firewall with a different net address. Also on a Cisco3350-48 switch you can t move the Mgt Vlan around like you can on other switches. Has any done something simular and can provide guidance??

Labels:
0 Helpful
4 Replies 4

milan.kulik
Level 10
Level 10

‎08-29-2003 12:11 AM

Hi,

what is your network topology?

Are you routing on the 3550 or just switching? If just switching, is there any other router on the site?

There is a firewall between your 3550 and your CiscoWorks server, i.e. your management traffic goes through the Internet?

Regards,

Milan

0 Helpful

makkers
Level 1
Level 1
In response to milan.kulik

‎08-29-2003 01:24 AM

Topology comprises of L2 3350's no MLS, Firewall and then Telco Service Provider Router.

No routing just switching on the 3550's

There is a Nokia HA Pair between the LAN 3350 and the Telco Service Provider Router.

The Ciscoworks Server is within the WAN Cloud and the WAN is a private infrastructure within the BT infrastructure, but to answer the question yes the management traffic goes through the WAN infrastructure.

Hope this helps

0 Helpful

milan.kulik
Level 10
Level 10
In response to makkers

‎09-01-2003 05:13 AM

Hi,

if you want to isolate the management and user traffic strictly, the best way would really be using of a seperate firewall interface for management VLAN.

But if your firewall doesn't have an additional interface and is not trunking capable (probably is not) there is another possibility:

Start routing between VLAN2 and VLAN1 on your 3550 - it's possible even with SMI IOS. Connect 3550 to firewall via a port assignet to VLAN2. Define an inbound access filter on 3550 VLAN2 virtual inteface permitting the only traffic originated from the management workstation (or subnet) to pass to VLAN1. The management traffic will go together with the user traffic on the wire from the firewall to the first switch (but it goes through Internet anyway). But I suppose it's an acceptable risk.

BTW, don't forget you need either a trunk to another switch (with VLAN1 allowed) or a port which is up in VLAN1 for interface VLAN1 to go up while routing on 3550 this way.

Regards,

Milan

0 Helpful

makkers
Level 1
Level 1
In response to milan.kulik

‎09-01-2003 05:51 AM

Excellent, thank you, I had assumed the additional interface on the Firewall but hadnt considered the internal routing on switch between vlans and trunk to the Firewall.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents