08-28-2003 05:46 AM - edited 03-02-2019 09:57 AM
Cisco recommend that all user user traffic is kept away from the management vlan (1). This I accept but how can I implement it??
Say I have 25 users on Vlan 2, on net 192.168.1.0/24 and this then connects to firewall doing its natting thing to an outside address.
To access the Mgt Vlan (1) for Cworks for example this will require a different physical connecton from the Switch Vlan (1) to the Firewall with a different net address. Also on a Cisco3350-48 switch you can t move the Mgt Vlan around like you can on other switches. Has any done something simular and can provide guidance??
08-29-2003 12:11 AM
Hi,
what is your network topology?
Are you routing on the 3550 or just switching? If just switching, is there any other router on the site?
There is a firewall between your 3550 and your CiscoWorks server, i.e. your management traffic goes through the Internet?
Regards,
Milan
08-29-2003 01:24 AM
Topology comprises of L2 3350's no MLS, Firewall and then Telco Service Provider Router.
No routing just switching on the 3550's
There is a Nokia HA Pair between the LAN 3350 and the Telco Service Provider Router.
The Ciscoworks Server is within the WAN Cloud and the WAN is a private infrastructure within the BT infrastructure, but to answer the question yes the management traffic goes through the WAN infrastructure.
Hope this helps
09-01-2003 05:13 AM
Hi,
if you want to isolate the management and user traffic strictly, the best way would really be using of a seperate firewall interface for management VLAN.
But if your firewall doesn't have an additional interface and is not trunking capable (probably is not) there is another possibility:
Start routing between VLAN2 and VLAN1 on your 3550 - it's possible even with SMI IOS. Connect 3550 to firewall via a port assignet to VLAN2. Define an inbound access filter on 3550 VLAN2 virtual inteface permitting the only traffic originated from the management workstation (or subnet) to pass to VLAN1. The management traffic will go together with the user traffic on the wire from the firewall to the first switch (but it goes through Internet anyway). But I suppose it's an acceptable risk.
BTW, don't forget you need either a trunk to another switch (with VLAN1 allowed) or a port which is up in VLAN1 for interface VLAN1 to go up while routing on 3550 this way.
Regards,
Milan
09-01-2003 05:51 AM
Excellent, thank you, I had assumed the additional interface on the Firewall but hadnt considered the internal routing on switch between vlans and trunk to the Firewall.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide