10-13-2021 10:50 AM
Hello Team,
I understand the management VLAN concepts with L2 switches - enable the SVI/IP address on the VLAN that you create specifically for it.
When one utilizes L3 switches, which may typically have an SVI on most VLANs, how does one prevent users on these other VLANs from having access to the management VLAN? Or, what are best practices for a L3 switch management VLAN?
Thanks,
WW
10-13-2021 11:08 AM
Hi,
how does one prevent users on these other VLANs from having access to the management VLAN?
Well, users should not have access (username/password) to network devices. If you want to block the management subnet from users, you would have to use an ACL on the layer-3 switch to make sure the management subnet/VLAN is not reachable from the user subnets.
HTH
10-13-2021 11:17 AM
Let's say the username/password was somehow compromised.
Within Packet Tracer, I created a single L3 switch with 5 PCs connected to it. Each PC within its subnet/VLAN could access the switch using SSH. Thus, how do you disable switch management access within a L3 subnet/VLAN?
WW
10-13-2021 11:27 AM - edited 10-13-2021 11:29 AM
You would have to use an ACL to block SSH/Telnet from all user subnets except the management subnet.
HTH
10-13-2021 01:52 PM
There are several ways to understand a management VLAN for switches. The simpler understanding is to focus on remote access to the switch (and that seems to be the focus of the original poster, who asks "how do you disable switch management access within a L3 subnet/VLAN?"). I agree with Reza that you would use ACLs, and would go a step further and suggest that on the switch you configure access-class on all of the vty ports. access-class uses an ACL (preferably a standard ACL and not an extended ACL) to specify what IP addresses are permitted remote access to the switch.
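A worked IOS configuration putting together Reza's ACL suggestion and Rick's access-class suggestion above. This is an added example, not configuration posted by anyone in the thread; the VLAN numbers and subnets (management VLAN 99 = 10.99.0.0/24, user VLANs 10 and 20) are constructed, and local usernames are assumed.

```cisco
! Added example with constructed addressing: assumes management VLAN 99 is
! 10.99.0.0/24 and user VLANs 10 and 20 are 10.10.0.0/24 and 10.20.0.0/24.
!
! 1. Standard ACL naming only the addresses allowed to manage the switch.
!    A standard ACL is enough here because access-class matches source only.
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
 deny   any log
!
! 2. Bind it to every vty line. This is evaluated for SSH/Telnet to ANY SVI
!    on the switch, so a user-VLAN PC is refused before it can even present
!    credentials, which is the gap the Packet Tracer test above exposed.
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
!
! 3. Only SSH (no Telnet, no HTTP/HTTPS management).
ip ssh version 2
no ip http server
no ip http secure-server
!
! 4. Optional, Reza's approach: stop the user VLANs from reaching the
!    management subnet at all, applied inbound on each user SVI. The vty
!    access-class alone still lets user hosts ping or port-scan the SVIs.
ip access-list extended USER-TO-MGMT
 deny   ip any 10.99.0.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip access-group USER-TO-MGMT in
!
interface Vlan20
 ip access-group USER-TO-MGMT in
```

Verify with `show access-lists MGMT-HOSTS` after an SSH attempt from a user VLAN: the hit counter on the deny line confirms the access-class is doing the blocking rather than the login prompt.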
10-13-2021 02:49 PM
"Or, what are best practices for a L3 switch management VLAN?"
In many respects, they might be the same as on a router (which might have multiple routed interfaces).
In the large Enterprise environments I've worked in, for network devices, there was some "trust" for our internal-facing interfaces, so we didn't ACL control the interfaces themselves. Instead we had either Radius or Tacacs logon control, perhaps with a "dynamic" PIN key (e.g. SecureID token). And/or we had an ACL controlling Telnet/SSH/SNMP access to the device (regardless of the interface accessed through).
Also, generally, we only ACL'ed interfaces when connected to "untrusted" networks, like Internet connections.
10-14-2021 11:23 PM
WW
I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.