Cisco Support Community
Community Member

Other VLAN as management VLAN

Is it recommendable to use a VLAN other than VLAN1 as the management VLAN? What impact could I have in my 100+ switch network?

5 REPLIES
Community Member

Re: Other VLAN as management VLAN

I think it's better to have a different mgmt VLAN from a security point of view. By default all switch ports are in VLAN 1, so anyone who connects to VLAN 1 may have access to your mgmt VLAN too.

For my company we have a separate mgmt VLAN, and all the switches' IP addresses follow this mgmt VLAN's IP address assignment.

Which means, for the switch:

1. You have to create a mgmt VLAN, e.g. VLAN 55.

2. set int sc0 55 10.55.x.x ... for example, for the switch IP address (CatOS).

3. Create int vlan55 and assign the switch IP address:
   ip address 10.55.x.x (IOS)

Hope this helps...

Re: Other VLAN as management VLAN

Hi,

1) I agree it's better to move the management to another VLAN from the security point of view. I noticed big trouble in the case of a broadcast storm in VLAN1, for example.

2) I think you should also change the default gateway on your switch if you want to access the management interface from another VLAN (your management station can be behind a router, e.g.). You can use an IP permit list or an ACL on the router to restrict access to the management VLAN.

3) There are also some troubles brought by moving the management interface to a VLAN other than VLAN1.

Could anybody tell me how to use the L2trace command in that case, e.g.?

Or any other effective way to find the port to which a particular device (I know its IP address only) is connected?

Regards,

Milan

Community Member

Re: Other VLAN as management VLAN

Another doubt to clear before proceeding: is management traffic (CDP, STP BPDUs, DTP, etc.) still transported over VLAN 1 even if I use another one as the mgmt VLAN, or is it automatically changed? I think it actually remains in VLAN1 since it cannot be removed. Am I certain?

Re: Other VLAN as management VLAN

Almost correct.

The only exception is STP. When you remove VLAN1 from a trunk, no STP BPDUs for VLAN1 are sent (all other VLANs are sending their STP BPDUs, of course).

Read the VLAN1 part of http://www.cisco.com/warp/customer/473/103.html#cat_control for details.

Regards,

Milan

Re: Other VLAN as management VLAN

As Milan states, you are quite correct in this.

My approach is to use VLAN1 as the mgmt VLAN by default. This is more fool-proof, as it cannot be deleted or so. This advantage outweighs the potential security hazard of new ports being in the mgmt VLAN by default.

In general the network admin (probably you) will configure the correct (not VLAN 1) VLAN for user ports. Disabling auto-trunking mode on access ports helps to reduce the risk even further.

Regards,

Leo
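The configuration below is an added example that is not part of any reply in this thread; it puts the steps from the first reply (a dedicated mgmt VLAN, here VLAN 55 as that reply suggests), Milan's points about the default gateway and restricting access to the management VLAN, and Leo's point about disabling auto-trunking on access ports into one IOS configuration. It also removes VLAN 1 from the uplink trunk, with the consequence Milan describes (no VLAN 1 BPDUs on that trunk; CDP and DTP still travel in VLAN 1). Everything apart from VLAN 55 is an assumption: the switch address 10.55.0.10/24, the gateway 10.55.0.1, the management station subnet 10.10.10.0/24, user VLAN 20, and the interface names. Milan suggests an ACL on the router; the access-class on the VTY lines here is the switch-side equivalent (on CatOS the counterpart is an IP permit list via set ip permit). Exact syntax varies by platform and IOS release.

```cisco
! Added example configuration, not from any poster in this thread.
! VLAN 55 follows the first reply; all addresses, VLAN 20 and interface
! names are assumed placeholders.

! 1. Create and name the management VLAN
vlan 55
 name MGMT

! 2. Put the switch management address on the VLAN 55 SVI instead of VLAN 1
interface Vlan55
 description Management
 ip address 10.55.0.10 255.255.255.0
 no shutdown

! Take the VLAN 1 SVI down so the switch no longer answers on VLAN 1
interface Vlan1
 shutdown

! Default gateway so the switch is reachable from a management station
! that sits behind a router (assumed gateway address)
ip default-gateway 10.55.0.1

! 3. Restrict who may open a management session: only the assumed
! management station subnet and the management VLAN itself
ip access-list standard MGMT-ACCESS
 permit 10.10.10.0 0.0.0.255
 permit 10.55.0.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh

! 4. User access ports: explicit user VLAN (not VLAN 1, not the mgmt VLAN)
! and DTP disabled so the port cannot auto-negotiate into a trunk
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate

! 5. Uplink trunk: carry only the VLANs that are needed and remove VLAN 1.
! As Milan notes, this stops VLAN 1 STP BPDUs on the trunk; CDP and DTP
! are still sent in VLAN 1 regardless of which VLAN carries management.
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk allowed vlan 20,55
 switchport trunk allowed vlan remove 1
 switchport nonegotiate
```

After applying this on a switch, confirm with show interfaces trunk that VLAN 1 is absent from the allowed list, and with show ip interface brief that only Vlan55 is up; any switch whose management address is still in VLAN 1 will become unreachable once VLAN 1 is pruned from the trunks, so on a 100+ switch network change the uplink trunks last and from the far end inward.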
