02-21-2023 12:56 PM
I have 3 VLANs on my network: VLAN 1 = 10.76.x.x, VLAN 2 = 172.16.x.x and VLAN 3 = 192.168.x.x. My question: I noticed that my loopback addresses on the switches are on the 192.168.x.x network and I wanted to use that for my VLAN 3. What is the best practice? Do I need to have a loopback address? I pulled the loopback address from one switch and noticed that now I can't SSH into it, but that is not my main concern. Any suggestions would be greatly appreciated.
02-21-2023 01:29 PM
Depends on the deployment; in most use cases the loopback address is used for management,
so you need to show us the config, how it was configured. If you would like to replace the loopback address with a different network range, first you need console access, or you should have another Layer 3 IP with which you can connect to the device and change the loopback IP address; make sure that IP is in the routing table (either a static route or the IGP).
02-22-2023 11:27 AM
Thanks. So the way we connect right now to the switch is by using the gateway address for each VLAN, e.g. to connect from the VLAN 1 network we use 10.76.x.1, and the same for VLAN 2 and 3. Is that right, or should I add a static IP like 10.76.x.30? These are all Layer 3 switches that we connect to; we have 15 of them deployed with a different third octet per site.
02-22-2023 12:47 PM
If you're looking at the security aspect, you should not be accessing your device on all the VLANs. You should have a management VLAN for that. The device access is the same, so there is no need to have several IPs to be able to access it. That's also why it's a good idea to use a loopback: because, if I recall correctly, if there are no hosts in a given VLAN then the VLAN could become inactive and, I think, shut down the VLAN interface, and you could lose the management connection to the device.
Using a loopback you also have central management, so you can put an ACL on it to restrict access. If you only have VLAN interfaces you need an ACL on each one to lock it down.
Just a thought.
02-24-2023 06:11 PM
If they are different sites, how is your routing in place, static?
Either you can set up a different management network or use the loopback as management; make sure routing is in place to reach that IP.
02-21-2023 01:33 PM - edited 02-21-2023 01:34 PM
Hello,
For the L2 switch it kind of boils down to what the needs/requirements are. Are you SURE you don't need to log in (SSH) to the device... ever? The loopback is generally used as an anchor or reference. It's not like a router where you have multiple interfaces with IPs you can use for SSH. It also comes down to security. Maybe you want to log into your switch with this IP only. You can also use it to build tunnels, use it for routing protocols, or use it as an update source for AAA or neighbor peerings in routing. It all depends on how you want to use it. If you remove it I would make sure it's not being used to reference anything.
Side note: since all your IPs look to be private addresses, just assign the loopback another IP not in those ranges. Loopbacks are usually a /32 anyway, so it shouldn't take up network space, and you can keep the functionality of having a loopback.
Hope that helps
-David
02-22-2023 05:04 PM
We need to see your config. Why does SSH stop when you remove the loopback? Are you using an access-group under VTY???
02-23-2023 04:21 AM
Is this what you are referring to?
line con 0
 stopbits 1
! VTY lines 0-4: local username/password login, both Telnet and SSH accepted,
! no access-class applied in the posted output
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
! VTY lines 5-15: no further settings shown in the posted output
line vty 5 15
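To make the earlier advice concrete (one management address on a loopback, reachable through the IGP, with a management VLAN and an ACL on the VTY lines restricting who may connect), here is an added example in Cisco IOS configuration syntax. It is not from the thread or from the original poster's switches; every address, interface name and ACL name in it (10.255.255.1/32 on Loopback0, management VLAN 250 at 10.76.250.0/24, uplink GigabitEthernet1/0/49, OSPF process 1, ACL MGMT-ACCESS) is an assumption chosen for illustration. Compared with the VTY block posted above, it allows SSH only and applies an access-class:

```cisco
! Added example configuration, not taken from the thread. All names and
! addresses below are assumed for illustration and must be adapted to the site.
!
! 1. Source ACL: only hosts on the management VLAN may open a VTY session.
!    Denied attempts are logged so scans and misconfigured hosts show up in syslog.
ip access-list standard MGMT-ACCESS
 remark Management subnet (jump hosts / NMS) only
 permit 10.76.250.0 0.0.0.255
 deny   any log
!
! 2. Loopback as the stable management and update-source address.
!    A loopback is always up, unlike an SVI whose VLAN may go inactive.
interface Loopback0
 description Management anchor (/32, always up)
 ip address 10.255.255.1 255.255.255.255
!
! 3. Dedicated management VLAN SVI; user VLANs are not used for device access.
interface Vlan250
 description Management VLAN
 ip address 10.76.250.1 255.255.255.0
!
! 4. Advertise the loopback and management subnet so every site can reach them.
!    passive-interface default prevents OSPF adjacencies on access ports;
!    only the assumed uplink is re-enabled.
router ospf 1
 router-id 10.255.255.1
 passive-interface default
 no passive-interface GigabitEthernet1/0/49
 network 10.255.255.1 0.0.0.0 area 0
 network 10.76.250.0 0.0.0.255 area 0
!
! 5. Use the loopback as the source for management-plane protocols so that
!    AAA, syslog and NTP servers see one consistent address per switch.
ip tacacs source-interface Loopback0
logging source-interface Loopback0
ntp source Loopback0
ip ssh source-interface Loopback0
ip ssh version 2
!
! 6. Harden the VTY lines: SSH only (no Telnet), source ACL applied,
!    idle sessions dropped. Covers all 16 lines in one block.
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
 login local
 exec-timeout 10 0
 privilege level 15
```

Two caveats a practitioner should keep in mind. First, an `access-class` filters on the source address of the incoming session; the switch still answers SSH on any of its Layer 3 addresses, so the ACL is what enforces "management VLAN only", not the loopback itself. Second, if the loopback is the address registered in your AAA server, NMS or SSH known-hosts files, removing or renumbering it (as in the first post) breaks those references until they are updated, so change the loopback from the console or from a session on another address that is already in the routing table.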