What is gained from a management VLAN?

dtbullock
Level 1

I've frequently seen recommendations to have a separate "management VLAN".  I guess the main ideas are:

a) to keep management-traffic and data-traffic out of the same Layer 2 broadcast domain?  (So that rogue stations in the access-layer can't sniff management-traffic);

b) to be able to give different QoS treatment of management traffic (So that DOS conditions from the access-layer will affect management-traffic less)

c) to be less reliant on correct L3 routing when attempting to manage routers

Now, "management traffic" is "ssh sessions to routers and switches", right?  Or does it include logging, SNMP, and flow-accounting traffic too?  Does it include RADIUS traffic, or is that another VLAN altogether?

So, to implement this, I just trunk a VLAN around a site and give anything which is a network device an IP address in it?

Got any config examples?

thanks,

David.

1 Accepted Solution

Joe Clarke
Cisco Employee

You're right on all of your values, but there is also security gained.  It's easier to filter control plane traffic if you limit it to specific VLANs.  Management traffic includes SSH, telnet, SNMP, syslog, Netflow, etc.  Generally any control plane traffic would be included.  Yes, the management VLAN is trunked like any other to all switches in the network.  Take a look at this blog post I just did about the network at CiscoLive!.  We used management VLANs in our three main sites.  I attached a config template to the post that shows examples of sourcing traffic from the management VLAN SVI as well as doing a filter on control plane traffic.

https://supportforums.cisco.com/community/netpro/network-infrastructure/network-management/blog/2012/06/19/the-ciscolive-us-2012-network-what-we-made-possible-part-1


Hi Joseph, that's a useful example, thanks.  In particular, the setting of the source-interface for the SSH server, etc, was something I hadn't picked up on before. 

Also how the switch defends itself with the 'IPV4-MANAGEMENT-ACCESS' ACL - solves another muddle in my head - it's not necessary/desirable to carry the management VLAN *through* a router ... just let the router route, eh?  That was doing my head in: I had an edge router and an L3 switch, but how could I get the L3 switch to put a foot down in the management VLAN without also trying to route it?!  Well, the management VLAN between these two *routers* just happens to be a small one.

thanks!

David.
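As an added example, not Joe's template and not taken from the linked blog post, here is an IOS-style configuration for a Layer 2 access switch that puts the two points discussed above together: every management protocol is sourced from the management VLAN SVI, and the switch filters inbound management access with an ACL named IPV4-MANAGEMENT-ACCESS (the name from this thread). VLAN 100, the 10.255.0.0/24 and 10.10.10.0/24 subnets, the gateway and collector addresses, and the port numbers are all assumptions.

```cisco
! Constructed example: management VLAN config for a Layer 2 access switch.
! Assumptions (not from the thread): management VLAN 100 with subnet
! 10.255.0.0/24, gateway 10.255.0.1, NOC hosts in 10.10.10.0/24,
! syslog and NetFlow collectors at 10.255.0.50 and 10.255.0.51.
vlan 100
 name MANAGEMENT
!
! The only SVI with an IP address is the management SVI.
interface Vlan100
 description Management SVI
 ip address 10.255.0.11 255.255.255.0
 no ip proxy-arp
!
! Layer 2 switch: do not route; reach the NOC via the management gateway.
no ip routing
ip default-gateway 10.255.0.1
!
! Hosts allowed to manage this switch (ACL name taken from the thread).
ip access-list standard IPV4-MANAGEMENT-ACCESS
 permit 10.255.0.0 0.0.0.255
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! Source every management protocol from the management SVI, so upstream filters see one predictable source address per switch.
ip ssh source-interface Vlan100
logging source-interface Vlan100
logging host 10.255.0.50
snmp-server source-interface traps Vlan100
snmp-server community <RO-STRING> RO IPV4-MANAGEMENT-ACCESS
ip flow-export source Vlan100
ip flow-export destination 10.255.0.51 2055
ip radius source-interface Vlan100
ntp source Vlan100
!
! The switch defends its own management plane: ACL on the VTYs, SSH only.
line vty 0 15
 access-class IPV4-MANAGEMENT-ACCESS in
 transport input ssh
 exec-timeout 10 0
!
! Management VLAN rides the uplink trunk; access ports never carry it.
interface GigabitEthernet1/0/48
 description Uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100
!
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
```

On the router or L3 switch that owns 10.255.0.1, the same address list applied inbound on the user-facing interfaces keeps access-VLAN hosts from reaching 10.255.0.0/24 at all, which is the routed-boundary point raised in the reply above; the `<RO-STRING>` community is a placeholder to be replaced.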