Showing results for 
Search instead for 
Did you mean: 

Management Network Design - IP Addressing

Hello !

I have a basic question with IP addressing for management network. We use management IP address to identify each network element. I have come across two forms of IP addressing for management network:

1. Assign the IP address directly to an interface (if its a L2 switch, the interface is made L3 using *no switchport* command) of the network element.

2. Create a SVI i.e., define a management VLAN on each network element, assign IP to this VLAN and assign a port to this VLAN for management.

Both these designs provide IP termination on the network elements for management using standard network management protocols. I am wondering what's the difference between the two. Any significant advantage of one over the other ? Please share your thoughts.

P.S. Many vendors don't seem to support command equivalent to *no switchport* on Cisco L2 switches. I presume the reason for this is they don't have MAC addresses on L2 switch ports. Each switch has only 1 MAC address (which identifies the switch) unlike Cisco switches wherein each interface has its own MAC address and can be converted to a L3 interface.

Thanks & Regards,


Marvin Rhoads
VIP Community Legend

In addition to method #1 and #2 you mention, there's also the use of a loopback interface (applicable on Cisco routers) and, where available, the dedicated Ethernet management port on the device which uses its own management virtual routing and forwarding (vrf) instance, Where applicable, those two methods are the preferred ones as they have a higher degree of reliability and isolation from any routing protocols in the devices' primary routing information bases (ribs or routing tables) and, in some cases even have a dedicated CPU to isolate you from runaway main CPU utilization in the device. For routers the loopback interface is the preferred method. See page 23 of the SBA WAN Deployment Guide.

Between #1 and #2 you can make an argument either way. #1 requires a dedicated physical layer link which can be a good thing (no dependency on a shared trunk being up) or bad thing (requires using a physical port and possibly a scarce inter-floor or inter-building link). The most common method I see and one recommended by Cisco is #2 - a management VLAN SVI. See pages 19-20 of the SBA LAN Deployment Guide, for instance.

Besides the IP addressing, there's a lot of good best practices around securing the management plane and deploying centralized authentication etc. Pay attention to those aspects as well. They are covered in some of the SBA Design Guides (parent page here) as well as in the material supporting Implementing Cisco IOS Network Security, the foundation guide for CCNA Security certification.