Buy or Renew
Buy or Renew
Join the Catalyst Center Onboarding Ask Me Anything event happening now!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
368
Views
0
Helpful
2
Replies

Management VLAN and routing

etamminga
Spotlight
Spotlight

‎08-21-2002 11:36 PM - edited ‎03-02-2019 12:50 AM

Hi,

A need some advise to back-up my theory. The topic is Management VLANs and routing.

Theory tells me to keep my users out of the management vlan. For this, I configured all my access switchports to NOT use the management vlan.

Attached to my switches I have two routers. Both routers use a dynamic routing protocol to exchange routing information.

On both routers one of the fast-ethernet sub-interfaces is used to connect to the management vlan. This works.

But, when a packet arrives on router 1, the router forwards the packet accross the management vlan to the other router (2) which again forwards the packet to its destination. But theory told me to keep users out of the management vlan! Adding security filters to the management interfaces of the routers interrupts routing. Should I declare these interfaces "passive" for the routing protocols? What is best practise? Where should security be applied? To all router management interfaces, everywhere (on all switches and routers)? What is best practise? Should the routers even have a management interface (I think yes, else I would not be able to connect to the switches)?

Can someone point me to some (network design) documentation on this topic, or share some best practises?

Thanks.

Erik Tamminga

CCDP

Labels:
0 Helpful
2 Replies 2

tim.hunt
Level 1
Level 1

‎08-22-2002 07:53 AM

If your management segment is a seperate Subnet, the routers will not route any traffic to that subnet that isn't destined for it. I think you are confusing VLANs with Subnets. Based on what you said it sounds as if the connection between your routers is a VLAN trunk, which will NOT mingle traffic between VLANs. The only way a packets jumps from one VLAN to another is if it is routed there, and it will only be routed there if your router thinks it is destined for that segment.

TH

0 Helpful

etamminga
Spotlight
Spotlight
In response to tim.hunt

‎08-26-2002 07:48 AM

Yes, the connection between the routers and the switches are trunks. All switches have addresses in vlan 1, the management vlan/subnet.

Consider the following example:

Switch1: 172.16.1.11/24

Switch2: 172.16.1.12/24

Switch3: 172.16.1.13/24

Access vlan: 172.16.2.0/24

Router1 Fa0/0.1: 172.16.1.1/24

Router1 Fa0/0.2: 172.16.2.1/24

Router1 S0/1: 172.16.3.1/30 (connection to 172.18.0.0/16)

Router2 Fa0/0.1: 172.16.1.2/24

Router2 Fa0/0.2: 172.16.2.2/24

Router2 S0/1: 172.16.3.5/30 (connection to 172.17.0.0/16)

Traffic from Router1 S0/1 will go via Router1 Fa0/0.1, via Router2 Fa0/0.1 to Router2 S0/1.

Is this address configuration "good practise"?

How would you "address" a configuration like this.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card