Re: Switch Management-Why should I configure a management vlan?

gokada · ‎09-09-2003

Please help me understand the reasons/benefits of having a management vlan. It seems that configuring a mgmt vlan would make the environment more "complicated" and keeping it simple is better, isn't it? We have a large enterprise environment and think it would be simpler and more effective to configure all IDF/Access switches to reside on the same vlan as the users. By doing so, it would eliminate routing updates from getting to the IDF switches.

Also, should we run the IDF switches in transparent mode, server mode, or client? We have a building with 1500 users, 15 floors, a core switched environment with 6500's on every floor. The core is in the 1st floor with the server farms connected directly.

please advise. Thanks for your response in advance.

Greg Okada

Network Engineer

keith.campbell · ‎09-10-2003

It may be less complex to have your network as one big flat VLAN when there is very little traffic and no problems...... but think of what will happen if you have one of your 1500 users with a problematic PC or software generating lots of broadcasts. How would you access your management when your one and only VLAN is blocked and your switches are unreachable.

By having a separate VLAN for management you have a much better chance of being able to access your switches during a broadcast storm or other problem.

Even if all your users are equipped with the latest and fastest workstations there is significant reduction in workstation performance if they are connected to a large flat network where they are processing every broadcast seen by the entire company. Cisco recommend no more than; 500 IP , 300 IPX, 200 Appletalk, 200 NetBIOS or 200 multi-protocol, devices on a flat network due to workstation cpu utilization during broadcast handling.

Routing updates should be tiny compared to your background network traffic generated by 1500 workstations.

Take a look at the CCDA/CCDP Cisco Press books and details on the Ciso web site under the headings of Internetworking Design Guide within technical documentation.

Best of luck !

jamey · ‎09-10-2003

Good doc for your type of questions:

http://cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml

robho · ‎09-10-2003

Hi,

Please do not configure the management interface to be on the same vlan as user traffic. The link below explains the consequences.

http://www.cisco.com/warp/public/473/103.html#ibm

This link will also explain the benefits of VTP.

http://www.cisco.com/warp/public/473/103.html#vlan_trunking_protocol

-Robert

gokada · ‎09-11-2003

Thanks for your help.

andrew.butterworth · ‎09-14-2003

Greg

Of all the big-ish networks I have installed recently we haven't had any separate management vlans. We have used Layer-3 core and distribution layers (Native cat6k/sup2/,msfc2) and then used layer-2 access layers with 1 or 2 user vlans per access-layer switch (cat6k sup2/pfc2) depending on the number of users, the switch having a fixed address in the user vlan. Adding management vlans is not really necessary and just adds to the complexity of the design.

I know some people will disagree but with the performance levels of cat6k and 4k switches the archaic practice of using spanning vlans and management vlans is completely unnecessary. Stick with your original thoughts and just put the Sc0 interface in the user vlan - you can protect it with ip permit lists if you must.

Andy

gokada · ‎09-16-2003

Many thanks for your response. I appreciate it as always.

Greg