Cisco Support Community

New Member

readdressing concerns

Hi All,

As I move from having my management vlan on 1 to something else, I am also going to readdress some of my router inside interfaces. Currently quite a few of my router ints are sitting on user vlans. I assume this should be changed, but what is the best practice? Is it ok to put the inside ints of the router on the same vlan that the management of switches is on? Also, is it ok to do the same with the inside int of an ASA?

TIA,

R

5 REPLIES
Bronze

Re: readdressing concerns

If you are readdressing within the same vlan, you could always use a secondary IP address to minimize downtime:

int f0/0.30
 ip address 1.1.1.1 255.255.255.0
 ip address 2.2.2.1 255.255.255.0 secondary

New Member

Re: readdressing concerns

Thanks for your reply. I am not quite as concerned about downtime as I am in making sure it gets done correctly. I do not want to take them off of a vlan that is not good and put them on another that is just as "not good"... if that makes sense!

Re: readdressing concerns

Hello,

It is good practice not to use the mgmt vlan for user data. The mgmt vlan is the vlan used to manage the switch (telnet to configure, troubleshoot, etc.). The premise is that if the user vlan has a virus, problem, etc., that is isolated in that vlan; the mgmt vlan, being a separate vlan with no user data, will not be affected, and thus mgmt of the switch for t/s purposes is still intact. Hope that helps.

Please rate helpful posts.

New Member

Re: readdressing concerns

Thanks for your reply.

I understand this and I am changing it, but the question was: is it ok for me to place my router inside interfaces on the same vlan as the mgmt vlan, with this not being a user vlan at all? Are you saying that I should leave the router inside ints on the user vlan?

New Member

Re: readdressing concerns

> is it ok to put the inside ints of the router on the same vlan that the management of switches is on?

Ideally, I think the management network should be a true out-of-band network, both physically and logically, so we are talking about separate switches and routers. In case of a network meltdown, you can still telnet to the router.

But most of us probably don't have the resources to build a complete out-of-band network management network... (I know I don't :P) ... so the next thing that you can do, I think, is build a separate network management vlan, throw all of your switch management in it, and route that vlan on your router with an ACL restricting who will have access to the Netmgmt network.

HTH

Eric
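The layout Eric describes (a dedicated switch-management vlan, routed on the router behind an ACL), sketched as an added IOS configuration example that is not from any poster in this thread. The vlan number, interface, ACL names and every address below are assumptions chosen for illustration.

```cisco
! Added example. VLAN 99, Fa0/0.99, ACL names and all addresses are assumed values.
! 10.99.0.0/24  = Netmgmt vlan (switch management addresses only, no user hosts)
! 10.10.50.0/24 = admin workstation subnet allowed to manage the switches
! 10.10.50.10   = monitoring host, 10.10.50.20 = NTP server (both hypothetical)
!
ip access-list extended NETMGMT-ACCESS
 remark Sessions opened by admin workstations toward the switches
 permit tcp 10.10.50.0 0.0.0.255 10.99.0.0 0.0.0.255 eq 22
 permit tcp 10.10.50.0 0.0.0.255 10.99.0.0 0.0.0.255 eq telnet
 permit icmp 10.10.50.0 0.0.0.255 10.99.0.0 0.0.0.255 echo
 remark SNMP polling from the monitoring host only
 permit udp host 10.10.50.10 10.99.0.0 0.0.0.255 eq snmp
 remark Replies to NTP queries that the switches themselves send out
 permit udp host 10.10.50.20 eq ntp 10.99.0.0 0.0.0.255
 remark Everything else, including all user vlans, is dropped and logged
 deny ip any any log
!
! Routed subinterface for the management vlan (router-on-a-stick).
! The ACL is applied outbound: it filters traffic the router forwards
! INTO the Netmgmt vlan, whichever interface that traffic arrived on.
interface FastEthernet0/0.99
 description NETMGMT - switch management only
 encapsulation dot1Q 99
 ip address 10.99.0.1 255.255.255.0
 ip access-group NETMGMT-ACCESS out
!
! Limit who can open a management session to the router itself.
ip access-list standard VTY-ADMINS
 permit 10.10.50.0 0.0.0.255
 deny any log
!
line vty 0 4
 access-class VTY-ADMINS in
```

Any other flow the switches initiate (TACACS+ or RADIUS, for example) needs its own permit line for the returning packets, because the outbound ACL also filters replies headed into the management vlan.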
