06-27-2012 10:06 AM
I've frequently seen recommendations to have a separate "management VLAN". I guess the main ideas are:
a) to keep management traffic and data traffic out of the same Layer 2 broadcast domain? (So that rogue stations in the access layer can't sniff management traffic);
b) to be able to give different QoS treatment of management traffic (So that DOS conditions from the access-layer will affect management-traffic less)
c) to be less reliant on correct L3 routing when attempting to manage routers
Now, "management traffic" is "ssh sessions to routers and switches", right? Or does it include logging, SNMP, and flow-accounting traffic too? Does it include RADIUS traffic, or is that another VLAN altogether?
So, to implement this, I just trunk a VLAN around a site and give anything which is a network device an IP address in it?
Got any config examples?
thanks,
David.
06-27-2012 10:18 AM
You're right on all of your values, but there is also security gained. It's easier to filter control plane traffic if you limit it to specific VLANs. Management traffic includes SSH, telnet, SNMP, syslog, Netflow, etc. Generally any control plane traffic would be included. Yes, the management VLAN is trunked like any other to all switches in the network. Take a look at this blog post I just did about the network at CiscoLive!. We used management VLANs in our three main sites. I attached a config template to the post that shows examples of sourcing traffic from the management VLAN SVI as well as doing a filter on control plane traffic.
06-27-2012 11:19 AM
Hi Joseph, that's a useful example, thanks. In particular, the setting of the source-interface for the SSH server, etc, was something I hadn't picked up on before.
Also how the switch defends itself with the 'IPV4-MANAGEMENT-ACCESS' ACL - solves another muddle in my head - it's not necessary/desirable to carry the management VLAN *through* a router ... just let the router route, eh? That was doing my head in: I had an edge router and an L3 switch, but how could I get the L3 switch to put a foot down in the management VLAN without also trying to route it?! Well, the management VLAN between these two *routers* just happens to be a small one.
thanks!
David.
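To make the two points from the thread concrete (services sourced from the management VLAN SVI, and a VTY ACL named like the 'IPV4-MANAGEMENT-ACCESS' one mentioned), here is an added IOS-style configuration sketch; it is not the template attached to the blog post. VLAN 100, the 10.0.100.0/24 prefix, the port numbers and the jump-host address are constructed placeholders.

```cisco
! Added example configuration, not the template from the blog post.
! VLAN 100, 10.0.100.0/24 and all host addresses are constructed values.
!
! 1. Dedicated management VLAN and this switch's SVI inside it
vlan 100
 name MANAGEMENT
!
interface Vlan100
 description Management SVI - the only address used for SSH/SNMP/syslog
 ip address 10.0.100.11 255.255.255.0
!
! 2. Carry VLAN 100 on inter-switch trunks only; access ports stay in a
!    data VLAN, so end stations never share a broadcast domain with it
interface GigabitEthernet1/0/48
 description Uplink trunk
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100
!
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
!
! 3. Source management-plane traffic from the SVI so it stays inside the
!    management subnet and can be filtered on the receiving side
ip ssh source-interface Vlan100
logging source-interface Vlan100
snmp-server trap-source Vlan100
ip radius source-interface Vlan100
ip flow-export source Vlan100
!
! 4. Only the management jump host may open a session to the VTY lines;
!    everything else is dropped and logged
ip access-list extended IPV4-MANAGEMENT-ACCESS
 permit tcp host 10.0.100.250 any eq 22
 deny   ip any any log
!
line vty 0 15
 access-class IPV4-MANAGEMENT-ACCESS in
 transport input ssh
!
! 5. No telnet or HTTP management; SSHv2 only
!    (an RSA key pair must already exist for SSH to come up)
ip ssh version 2
no ip http server
```

With the access-class in place the switch still routes or forwards traffic normally; only sessions addressed to the switch itself are subject to the ACL, which is the "let the router route" separation described in the last reply.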