Cisco recommends that all user traffic is kept away from the management VLAN (1). This I accept, but how can I implement it?
Say I have 25 users on VLAN 2, on net 192.168.1.0/24, and this then connects to a firewall doing its NATting thing to an outside address.
To access the Mgt VLAN (1) for Cworks, for example, this will require a different physical connection from the switch VLAN (1) to the firewall with a different net address. Also, on a Cisco3350-48 switch you can't move the Mgt VLAN around like you can on other switches. Has anyone done something similar and can provide guidance?
Topology comprises L2 3350s, no MLS, a firewall and then the Telco Service Provider router.
No routing, just switching on the 3550s.
There is a Nokia HA Pair between the LAN 3350 and the Telco Service Provider Router.
The Ciscoworks server is within the WAN cloud, and the WAN is a private infrastructure within the BT infrastructure; but to answer the question, yes, the management traffic goes through the WAN infrastructure.
If you want to isolate the management and user traffic strictly, the best way would really be to use a separate firewall interface for the management VLAN.
But if your firewall doesn't have an additional interface and is not trunking capable (it probably is not), there is another possibility:
Start routing between VLAN2 and VLAN1 on your 3550 - it's possible even with SMI IOS. Connect the 3550 to the firewall via a port assigned to VLAN2. Define an inbound access filter on the 3550 VLAN2 virtual interface permitting only traffic originated from the management workstation (or subnet) to pass to VLAN1. The management traffic will go together with the user traffic on the wire from the firewall to the first switch (but it goes through the Internet anyway). But I suppose it's an acceptable risk.
BTW, don't forget you need either a trunk to another switch (with VLAN1 allowed) or a port which is up in VLAN1 for interface VLAN1 to come up while routing on the 3550 this way.
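One way to lay out the answer above as a 3550 configuration, as an added example that is not from the thread. The VLAN2 subnet comes from the question; the VLAN1 management subnet (192.168.10.0/24), the CiscoWorks server address (10.0.0.50), the firewall inside address (192.168.1.254) and the port numbers are assumptions.

```cisco
! Added example, not from the thread. Assumed: VLAN1 = 192.168.10.0/24,
! CiscoWorks server = 10.0.0.50 (reached via the WAN/firewall),
! firewall inside address = 192.168.1.254, port numbers are arbitrary.
ip routing
!
interface Vlan1
 description Management VLAN (switch management / CiscoWorks)
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 description User VLAN - users' default gateway becomes 192.168.1.1
 ip address 192.168.1.1 255.255.255.0
 ip access-group VLAN2-TO-MGMT in
!
! Inbound on Vlan2: only the CiscoWorks server may reach the management
! subnet; any other attempt from VLAN2 towards VLAN1 is dropped and logged
! (the log entries are the detection hook); everything else is routed as before.
ip access-list extended VLAN2-TO-MGMT
 permit ip host 10.0.0.50 192.168.10.0 0.0.0.255
 deny   ip any 192.168.10.0 0.0.0.255 log
 permit ip any any
!
! Port towards the firewall stays an access port in VLAN2 (no spare
! firewall interface, no trunking), as the answer suggests.
interface FastEthernet0/48
 description Uplink to firewall (VLAN2 access port)
 switchport mode access
 switchport access vlan 2
!
! At least one port must be up in VLAN1 for interface Vlan1 to come up.
interface FastEthernet0/47
 description Port kept up in VLAN1 (or a trunk carrying VLAN1)
 switchport mode access
 switchport access vlan 1
!
! Default route towards the firewall; the firewall in turn needs a route
! for 192.168.10.0/24 via 192.168.1.1 so replies to VLAN1 come back.
ip route 0.0.0.0 0.0.0.0 192.168.1.254
```

A router ACL on the SVI only filters traffic that is routed between VLANs, so it does not affect traffic switched within VLAN2 itself.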