@David Ruess thanks for answering.

So no IP address by default, no management vlan by default?

Do I have to connect to a specific port to configure it?

So its not managed via web by default?

A new switch has no configuration on it except VLAN 1 which all ports are in by default. You can make any VLAN your management VLAN and you can connect any port you want and configure it to meet your needs.

Hello @matias.huartamendia ,

Correct, there is no IP address configured by default and all interfaces are in VLAN 1 which can be considered the default management VLAN.

Initial configuration of the switch is done by using the console port and a terminal emulation software - Putty for example. Once you configured a management IP address for the switch, a username and password, the enable secret password, you can access the switch remotely using the telnet protocol or the web interface.

Hope this helps.

@liviu.gheorghe thank you for that.

Lets say I configure the IP to be 10.8.9.254 and VLAN 9, will I be able to connect to that IP only on VLAN 9 access port interfaces, or any other VLAN in other switches if routing is configured appropriately?

Would that mean the management vlan is 9 now, and it has to have a subnet and default gateway to be routable?

---

@matias.huartamendia wrote:

Lets say I configure the IP to be 10.8.9.254 and VLAN 9, will I be able to connect to that IP only on VLAN 9 access port interfaces, or any other VLAN in other switches if routing is configured appropriately?

If routing is configured appropriately in your network, you can connect to IP 10.8.9.254 from anywhere in your network.

Would that mean the management vlan is 9 now, and it has to have a subnet and default gateway to be routable?

---

Correct. Your new management plan 9 has to have a subnet and gateway. Also routing must be configured on the gateway (router) in order to enable reachability between this subnet and the rest of the network.

@liviu.gheorghe ok great thanks for the response. And if I configured the port to be VLAN9 and I do not configure VLAN 9 in other switches, I can restrict management of the switch via this port ONLY, right? I can still define a gateway to get out tthe internet for example.

@liviu.gheorghe thanks ffor that.

I understand that's the approrpiate way, although I was trying to evacuate the doubt if my procedure would work as well, which I think it does. Correct me if I am wrong

It would work only if your vlan 9 subnet is not known to the rest of the network.

SW1(pure L2SW)(VLAN9 mgmt vlan)-SW2(transit)-SW3(L3 capability for inter-vlan)
SW1 have VLAN 9 and it SVI
SW3 have VLAN 9 and it SVI 
SW2 since it only l2 transit need VLAN9 no IP

do I need GW ? since it pure L2SW it need GW point to SVI of VLAN 9 in SW3 

do I need other VLAN and it SVI in pure L2SW ? No need, this VLAN 9 SVI IP is ok for mgmt like ping (check the status of SW) telnet (telnet need IP in device even if it Pure L2SW)

How I make my network more secure ? put all mgmt VLAN in VRF this make L3 layer totally separate

MHM 

This pure l2 SW' and you config vlan 9 as mgmt vlan then you need 

1-L3 device (l3 sw or router) connect to this l2 sw via trunk or access port and  these port allow vlan 9

2- ip default gateway toward vlan 9 of l3 device 

This make l2 SW connect to any IP outside subnet of vlan 9.

If you config multi vlan SVI ip in l2 SW 

Same as above except 

1- port connect to l3 device must allow all vlan that have IP

2- l3 device must config with IP for vlan config in l2 SW (and have IP).

That all 

MHM