Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5706
Views
23
Helpful
11
Replies

Management VLAN

Go to solution
jai.s401
Level 1
Level 1

‎09-04-2021 11:18 AM

can I have two management vlan for a switch??

 

Should a management vlan always be default (VLAN 1) ?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Joseph W. Doherty

‎09-07-2021 01:18 PM

It is an interesting question "what is a management vlan". The simple answer is that the management vlan is used to help you manage the switch. But what does that really mean?

- if you want to remotely access the switch (via telnet or SSH) that is a management function and requires an interface with an IP address, and that becomes your management vlan.

- if you want to use a GUI for the switch that is a management function and requires an interface with an IP address, and that becomes your management vlan.

- if you want the switch to send syslog messages so that you are aware of what is going on with the switch that is a management function and requires an interface with an IP address, and that becomes your management vlan.

- if you have an SNMP server that tracks what is going on with the switch that is a management function and requires an interface with an IP address, and that becomes your management vlan.

- if you want a switch to use NTP to learn time (and possibly to sync with other devices in the network) that is a management function and requires an interface with an IP address, and that becomes your management vlan.

It might be an interesting question about having more than one management vlan. Some layer 2 switches limit you to one active vlan interface with an IP address. So obviously these limit you to a single management vlan. Other layer 2 switches (and all layer 3 switches) allow multiple active vlan interfaces with IP addresses. For these you might have multiple management vlans. It could be possible (though I would not say that it was a particularly good idea) to have one vlan interface used for telnet/SSH, and a separate vlan interface used for GUI, and a separate vlan interface used for syslog, and a separate vlan interface used for SNMP, and a separate vlan interface used for NTP.

As @balaji.bandi points out some organizations will use a separate vlan for management functions and not allow any data traffic in that vlan, but that certainly is not a requirement.

HTH

Rick

View solution in original post

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to jai.s401

‎09-08-2021 10:51 PM

I am glad that you find my explanation helpful. Yes the interface with an IP address need not be a physical interface and in fact using a physical interface is quite unusual. The usual implementation uses a switch vlan interface (SVI) which is a virtual interface. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

View solution in original post

11 Replies 11

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-04-2021 03:38 PM

No not necessary, it can be anything, if you are using different VLAN as MGMT, you need to allow them in your Trunk.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Martin L
VIP
VIP

‎09-04-2021 05:03 PM - edited ‎09-04-2021 05:27 PM

No, you can use whatever you like. Moreover, I think security principles still do not recommend using vlan 1 at all ! I mean do not use vlan 1 for data usage, however, some of control plane protocols will stay and use vlan 1 by default.  Another benefit is TS. To simplify L2 troubleshooting, keep user data out of vlan 1.  

Find doc titled Best Practices for Catalyst 6500/6000 Series and Catalyst 4500/4000 Series on cisco web site to get more info

 

Regards, ML
**Please Rate All Helpful Responses **

 

 

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎09-05-2021 06:44 AM

"can I have two management vlan for a switch??"

Unless you're using a L3 switch, there's only, I believe, one management IP, so unsure how you would have two management VLANs.  On a L3 switch, management can be accomplished against any reachable interface IP, assuming that interface IP doesn't block "management" access.

"Should a management vlan always be default (VLAN 1) ?"

Generally, no.  As @Martin L notes, because Cisco switches often use VLAN 1 for special purposes, it should be avoided, whenever possible.

0 Helpful

Go to solution
jai.s401
Level 1
Level 1
In response to Joseph W. Doherty

‎09-06-2021 01:39 AM

what exactly is a management vlan,
From my understanding, it is a vlan with an SVI for remote access to the switch.
so we can create multiple vlan with SVI of different segment right.
0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to jai.s401

‎09-06-2021 02:07 AM 

what exactly is a management vlan,

This is for your Manangment only, that means no other traffic will be using this VLAN, (but you can use other vlan also for management if you do not like to have dedicated Manangment VLAN - it all depends on network)

 

Manangment VLAN is to manage all the device like SSH/Tenlet any other protoocol, rather mixing with other Data VLAN. to control manner.

 

so we can create multiple vlan with SVI of different segment right.

VLAN 1 is default normal by Cisco default native. you can create as many as SVI based on the device support.

 

Hope this make sense ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to jai.s401

‎09-06-2021 07:15 AM

If I recall correctly, a Cisco non-L3 switch doesn't have/support SVIs, but if a manageable switch, it can have/support a management IP.  The latter, I also recall (?) can be assigned to any VLAN on that switch.

The difference with a management IP vs. a SVI, the former is just a host IP, the latter is an L3 interface IP.

As to what a management VLAN is, it's just a VLAN restricted to management purposes, such a telnet/SSH, SNMP, etc., traffic.

As you can generally control what's allow to access a Cisco platform, i.e. a management VLAN should be needed to "protect" the platform, what the management VLAN does is help preclude anyone "snooping" traffic on that VLAN.

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Joseph W. Doherty

‎09-07-2021 01:18 PM

It is an interesting question "what is a management vlan". The simple answer is that the management vlan is used to help you manage the switch. But what does that really mean?

- if you want to remotely access the switch (via telnet or SSH) that is a management function and requires an interface with an IP address, and that becomes your management vlan.

- if you want to use a GUI for the switch that is a management function and requires an interface with an IP address, and that becomes your management vlan.

- if you want the switch to send syslog messages so that you are aware of what is going on with the switch that is a management function and requires an interface with an IP address, and that becomes your management vlan.

- if you have an SNMP server that tracks what is going on with the switch that is a management function and requires an interface with an IP address, and that becomes your management vlan.

- if you want a switch to use NTP to learn time (and possibly to sync with other devices in the network) that is a management function and requires an interface with an IP address, and that becomes your management vlan.

It might be an interesting question about having more than one management vlan. Some layer 2 switches limit you to one active vlan interface with an IP address. So obviously these limit you to a single management vlan. Other layer 2 switches (and all layer 3 switches) allow multiple active vlan interfaces with IP addresses. For these you might have multiple management vlans. It could be possible (though I would not say that it was a particularly good idea) to have one vlan interface used for telnet/SSH, and a separate vlan interface used for GUI, and a separate vlan interface used for syslog, and a separate vlan interface used for SNMP, and a separate vlan interface used for NTP.

As @balaji.bandi points out some organizations will use a separate vlan for management functions and not allow any data traffic in that vlan, but that certainly is not a requirement.

HTH

Rick

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Richard Burts

‎09-07-2021 06:25 PM - edited ‎09-08-2021 07:32 AM

"Other layer 2 switches . . . allow multiple active vlan interfaces with IP addresses."

Rick, can you describe an actual L2 switch that does?  I'm curious how the switch "maps" multiple management IPs to VLANs.  I presume the switch would somehow config a particular management IP to a particular VLAN.

"For these you might have multiple management vlans. It could be possible (though I would not say that it was a particularly good idea) . . ."

Agree, not generally a good idea.  Don't recall seeing anyone do that (i.e. multiple management VLANs), either.

"As @balaji.bandi points out some organizations will use a separate vlan for management functions and not allow any data traffic in that vlan, but that certainly is not a requirement."

I suspect Balaji didn't mean "any data traffic", but meant no non-management data traffic.  But, if I'm mistaken, Balaji please correct me.

BTW, I have seen management conducted on out-of-band networks, i.e. networks physically different from the networks carrying "normal" traffic.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Joseph W. Doherty

‎09-08-2021 01:30 PM

Cheers for the correct me here  @Joseph W. Doherty  - 

 

I suspect Balaji didn't mean "any data traffic", but meant no non-management data traffic.  But, if I'm mistaken, Balaji please correct me.

Again as mentioned depends on the requirement and design.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
jai.s401
Level 1
Level 1
In response to Richard Burts

‎09-08-2021 11:33 AM

Wow, very clear Explanation..!

 

Also please clarify that "interface with an IP address" mentioned above need not be an Physical Interface right?

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to jai.s401

‎09-08-2021 10:51 PM

I am glad that you find my explanation helpful. Yes the interface with an IP address need not be a physical interface and in fact using a physical interface is quite unusual. The usual implementation uses a switch vlan interface (SVI) which is a virtual interface. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick
Customers Also Viewed These Support Documents