12-26-2019 03:19 PM
Hello,
I would like some help because I get confused between the different types of VLAN, and I would like to know the best practices, as we have some issues.
In my configuration on a SG500-X L3:
default VLAN is 1
administration VLAN is 1 (192.168.1.0/24)
native VLAN is 1
default gateway is an IP address in VLAN 1 (192.168.1.254)
interface VLAN 1: 192.168.1.1
- Should I change the VLAN ID of the administration VLAN to another one (for example 5) in order to follow best practices? Does that mean that I must change the VLAN ID on all our network equipment and servers?
- A few days ago we made a modification on our switch: we created a new VLAN 6 with an IP address and changed the IP address of the default gateway, so now we have:
default VLAN is 1
administration VLAN in our LAN is 1 (192.168.1.0/24)
native VLAN is 1
default gateway is an IP address in VLAN 6 (192.168.6.254)
interface VLAN 1: 192.168.1.1
interface VLAN 6: 192.168.6.1
Now we manage the switch on VLAN 6, although this VLAN was created to link with a router for production traffic. Some traffic from the router is routed to the new VLAN 6 SVI. All traffic that the switch doesn't know is sent to the router.
I think there is a mistake in the configuration because we have issues:
I try to reach an HP iLO server; I come from interface VLAN 1, and for the return the switch sends me on VLAN 6, which is the default gateway. That's why I want a little explanation of the different types of VLAN, to try to understand the issue we are facing.
If I shut the server interface, wait a little and no shut the server interface, I can reach the HP iLO for a few minutes. After that it takes the wrong return path.
Configuration:
server interface:
switchport mode access
router management interface:
switchport mode access
router prod interface:
switchport trunk allowed vlan add 6,20-27
If I'm not clear enough, tell me.
Thanks,
Elo
12-28-2019 04:24 AM
Hello,
Regarding changing the management VLAN to something other than the default VLAN 1: that is usually a good idea and best practice indeed. One of the reasons to do that is because potential hackers EXPECT you to use VLAN 1 for management...
With regard to your other issue, it is indeed a bit unclear what you are asking. Maybe you can post a schematic drawing of your topology and use that to illustrate what you are running into?
01-03-2020 06:06 AM - edited 01-03-2020 06:24 AM
Hello
As the switch is running two L3 VLANs (1 and 6),
you need to enable IP routing to allow communication between users in either VLAN.
You also need to create the L2 VLAN for VLAN 6 and assign it to any access port you wish to run in that VLAN; obviously the hosts in each VLAN need to have the correct addressing (IP address, subnet mask, default gateway) for either VLAN 1 or 6.
The switch itself won't have a default gateway; it will have a default route pointing towards an external next hop such as a router.
You show a trunk interface allowing VLANs 6, 20-27. Can you tell me what this is connecting to, and also why you have specified VLANs that don't exist?
01-06-2020 09:54 AM
Hello,
Georg and Paul, thanks for your replies (and sorry for my delay).
Paul,
the switch is connected to an ASA.
So some gateways of the production VLANs are on the L3 switch and others are on the ASA.
On the trunk, VLANs 20-27 are prod VLANs whose gateway interface is hosted on the ASA. Some prod VLAN gateways are on the L3 switch.
The VLAN 1 gateway is on the ASA.
When I try to reach a server iLO on VLAN 1, I come from the ASA through the admin interface and reach (SYN) the server, which is connected to the switch (access mode); the server answers (SYN-ACK), the switch sends the frame to the trunk interface on VLAN 6 (so the default gateway), and when the SYN-ACK arrives on the ASA it blocks the frame, as it hasn't seen the SYN on the same interface.
I don't understand why the switch sends the SYN-ACK on the trunk, or rather, I think, to its default gateway?
Before, it worked when the default gateway of the switch was on VLAN 1.
It would be simple if all traffic had the same behaviour, but I can reach another server (the switch sends the SYN-ACK on VLAN 1).
"You also need to create the L2 VLAN for VLAN 6 and assign it to any access port you wish to run in that VLAN; obviously the hosts in each VLAN need to have the correct addressing (IP address, subnet mask, default gateway) for either VLAN 1 or 6." I don't understand: VLAN 6 was created in order to have an inter-connection with the ASA. All unknown traffic on the switch is sent to the default gateway, so to an IP address on VLAN 6 (which is hosted on the ASA). And on the ASA we have static routes to reach the other PROD VLANs hosted by the switch. But maybe it isn't good practice. So I don't need other ports on VLAN 6.
Thanks,
Elo
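The return-path behaviour described in this thread (SYN arriving via the ASA's VLAN 1 side, SYN-ACK leaving the switch via the VLAN 6 default route, and the ASA dropping the out-of-state SYN-ACK) is just the switch's longest-prefix-match lookup at work. The following Python model is an added example, not part of any post in the thread and not Cisco code. It reproduces the switch's forwarding table in the "before" state (default route via 192.168.1.254 on VLAN 1) and the "after" state (default route via 192.168.6.254 on VLAN 6), then shows which VLAN the server's reply leaves on. The 192.168.1.x and 192.168.6.x addresses come from the thread; the admin workstation subnet (10.10.0.0/24), the iLO address (192.168.1.50), and the idea that the working server may simply use the ASA as its own default gateway are assumptions made for illustration. The model also goes slightly beyond the thread by showing that a more specific static route for the admin subnet, pointing back to the ASA's VLAN 1 address, makes the path symmetric again.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Addresses quoted in the thread
ASA_VLAN1 = "192.168.1.254"   # ASA's address in VLAN 1 (the old switch default gateway)
ASA_VLAN6 = "192.168.6.254"   # ASA's address on the new VLAN 6 inter-connect
SWITCH_SVI1 = "192.168.1.1"   # switch SVI in VLAN 1

# Assumed values (not in the thread), constructed for this example
SERVER = "192.168.1.50"       # iLO in VLAN 1
ADMIN_CLIENT = "10.10.0.20"   # admin workstation somewhere behind the ASA
ADMIN_SUBNET = "10.10.0.0/24"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_vlan: int
    next_hop: Optional[str]   # None = directly connected via an SVI


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match: the rule an L3 switch applies to every routed packet."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def switch_table(default_vlan: int, default_next_hop: str,
                 statics: Tuple[Route, ...] = ()) -> List[Route]:
    """Two connected SVIs (VLAN 1 and VLAN 6) plus a default route, plus any statics."""
    table = [
        Route(ipaddress.ip_network("192.168.1.0/24"), 1, None),
        Route(ipaddress.ip_network("192.168.6.0/24"), 6, None),
        Route(ipaddress.ip_network("0.0.0.0/0"), default_vlan, default_next_hop),
    ]
    return table + list(statics)


def reply_path(table: List[Route], server_gateway: str) -> Tuple[int, str]:
    """VLAN and next hop the server's SYN-ACK to ADMIN_CLIENT takes when leaving the switch.

    The request entered from the ASA's VLAN 1 leg. If the server's own default
    gateway is the ASA, the switch only bridges the reply inside VLAN 1. If the
    server's gateway is the switch SVI, the switch routes the reply by LPM.
    """
    if server_gateway == ASA_VLAN1:
        return 1, ASA_VLAN1
    route = lookup(table, ADMIN_CLIENT)
    return route.out_vlan, route.next_hop or "connected"


def is_symmetric(table: List[Route], server_gateway: str) -> bool:
    """The ASA keeps TCP state per interface: only a reply returning on VLAN 1 matches the SYN."""
    out_vlan, _ = reply_path(table, server_gateway)
    return out_vlan == 1


if __name__ == "__main__":
    before = switch_table(1, ASA_VLAN1)
    after = switch_table(6, ASA_VLAN6)
    admin_static = Route(ipaddress.ip_network(ADMIN_SUBNET), 1, ASA_VLAN1)
    after_with_static = switch_table(6, ASA_VLAN6, (admin_static,))

    for label, table in (("before", before), ("after", after),
                         ("after + static for admin subnet", after_with_static)):
        vlan, hop = reply_path(table, SWITCH_SVI1)
        print(f"{label:32s} reply leaves on VLAN {vlan} via {hop}; "
              f"symmetric={is_symmetric(table, SWITCH_SVI1)}")
    vlan, hop = reply_path(after, ASA_VLAN1)
    print(f"server using ASA as gateway       reply leaves on VLAN {vlan} via {hop}")
```

Running the script shows the "before" and "after + static" tables returning the SYN-ACK on VLAN 1, while the plain "after" table sends it out VLAN 6 to 192.168.6.254, which is exactly the frame the ASA has no matching SYN for. The last line illustrates why one server can still be reached: a host whose own gateway is the ASA never asks the switch to route the reply, so the switch's default route does not apply to it.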