Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1015
Views
4
Helpful
5
Replies

management vlan on switches

Go to solution
suthomas1
Level 6
Level 6

‎10-24-2013 09:49 AM - edited ‎03-07-2019 04:13 PM

Hi,

This is a very basic question, however i am trying to understand it clearly.

Managment vlan , as i know is used purely for device management in network.

If i have a network comprising of Core switch, firewall , wan router , edge switches & certain appliances ( like ACS, WLC ) , how do i go about doing the management vlan for these.

Where should the management vlan be configured & how would devices connect to it?

Appreciate all inputs.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
JohnTylerPearce
Level 7
Level 7

‎10-24-2013 10:13 AM

The network design will depend on your Network topology, and how your Network Management software etc is laid out.

My advice, would be to create a Management VLAN, we'll call it VLAN 10 in this example. This ill be the vlan interface on your switches ,etc, that you will connect to manage the device. So you would want your NMS to either be on this vlan, or have a NIC that's on this VLAN to capture data.

If you're running MPLS, you could create a Management VRF, as well, and basically do the same concept, except for with VRFs and not VLANs.

As far as ACLs go, you could create a ACL that only allows management IPS to access the device, anything other than that is dropped. Just make sure this s for management traffic though, you don't want to kill everyone's access.

I hope this helps. Please feel free to ask more questions.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
JohnTylerPearce
Level 7
Level 7

‎10-24-2013 10:13 AM

The network design will depend on your Network topology, and how your Network Management software etc is laid out.

My advice, would be to create a Management VLAN, we'll call it VLAN 10 in this example. This ill be the vlan interface on your switches ,etc, that you will connect to manage the device. So you would want your NMS to either be on this vlan, or have a NIC that's on this VLAN to capture data.

If you're running MPLS, you could create a Management VRF, as well, and basically do the same concept, except for with VRFs and not VLANs.

As far as ACLs go, you could create a ACL that only allows management IPS to access the device, anything other than that is dropped. Just make sure this s for management traffic though, you don't want to kill everyone's access.

I hope this helps. Please feel free to ask more questions.

0 Helpful

Go to solution
suthomas1
Level 6
Level 6
In response to JohnTylerPearce

‎10-24-2013 10:25 AM

Thanks.

So would the following steps be good for it:

1. Create a management vlan SVI ( VLAN 10 - 192.168.100.x /24 ) on core switch ( 6509 in this case )

2. All the devices in the network ( firewall, edge switches, solar winds work station , ACS ) should have one interface with its ip belonging to VLAN 10.

Please correct if above are wrong. Also, where would IPS like devices fit , do they need to be provided with management vlan ip and can they be placed on the management vlan?

0 Helpful

Go to solution
mescheries1
Level 1
Level 1
In response to suthomas1

‎10-24-2013 11:04 AM

The fact is we want to monitor the router, we do have already the vlan10 on FE0, and the wan on FE4. I want to create a trunk port on FE1 to allow vlan391(Management) on witch the switches, and other equipements have managed; and the vlan931 as an other subnet of our network.

I've createdthe vlan interfaces, ans I define FE1 as trunk, and I Allowed the vlan 1,391,931,1002-1005 on it.

The problem is the vlans are unreachable.

When I issue tne command show Ip Int bri, I can see that FE0, vlan391, vlan931 are up (Status and protocol)

Is there any thing special that I have to do to make the trunk works on the Cisco 871 ?

Thank you

============================================

interface FastEthernet1

switchport trunk allowed vlan 1,391-931,1002-1005

switchport mode trunk

duplex full

speed 100

!

interface Vlan391

ip address 10.193.9.134 255.255.255.128

no autostate

!

interface Vlan931

  ip address 10.193.253.19 255.255.255.248

standby 23 ip 10.193.253.17

standby 23 priority 90

no autostate

!

0 Helpful

Go to solution
mescheries1
Level 1
Level 1
In response to mescheries1

‎10-24-2013 11:42 AM

I am So sorry Suthomas1,

I posted my previous message in the wrong post.

I fact, In out network, the management VLAN is a subnet on witch we put the management interfaces of the switches, Management interface of the firewall, ILO interfaces of HP Servers, ect.

And only the SysAdmin vlan can telnet or SSH or HTTP to this vlan

Go to solution
JohnTylerPearce
Level 7
Level 7
In response to mescheries1

‎10-24-2013 01:10 PM

The problem is the vlans are unreachable

How exactly are the vlans unreachable? Where are they unreachable from? Are you trying to get to them from a machine, that is on this vlan? If so, make sure all the trunks have the Management Vlan (391), so a switch, isn't blackholing L2 traffic so to speak.

Also make sure the vlan is added to all switches that need the Management VLAN (391)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card