cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
57660
Views
58
Helpful
9
Replies

Management Vlan?

bsciarra1
Level 1
Level 1

Good morning cisco community,

I have a question that may seem dumb to the engineers in this forum.  However, here it is...

I am setting up a 2960 switch to use two vlans I created, vlan 10 and vlan 100.

I originally set these up with ip addresses, it worked but I realized this was bad design since vlan 10 and vlan 100 default gateways are already set up on the router they go to.

Now there are no ip addresses on my switch, I am told to set up vlan 1 as management vlan and use that for telnet, however if vlan 1 is not assigned to an interface, and nothing is plugged into that interface, I cannot telnet.

Does this mean I have to dedicate a machine to each of my switches for management?  I'm about to buy 30 of these, do i need to allocate 30 machines to plug into vlan 1 for management?

Will loopback address achieve the same goal?  How do I set that up?

Thanks....

9 Replies 9

cadet alain
VIP Alumni
VIP Alumni

Hi,

For an interface VLAN ( or SVI) to be up/up, you need 3 things:

1) the VLAN must exist in the vlan database which is the case as it is the default vlan

2) it must be active on one port,whether access port or trunk

3) that port  must be in the stp forwarding state

So you can get rid of your interface vlan for 10 and 100 and give an ip address to interface vlan1

and don't forget the ip default-gateway if you want to manage the switch from another subnet.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

As we know that Vlan 1 acts as default management vlan but when i am configuring default Vlan 1 with IP address and default gateway on switch (on GNS3), line protocol still shows down (even I performed shut and no shut). Any idea where am I making a mistake?

Hi There,

I am not sure if SVIs are supported in GNS3, but can't say for sure. we know that vlan 1 can't be removed from cisco switches, so I am not going to ask you to check if you have vlan 1 configured.

This is what you need to create an svi for vlan 1:

int vlan 1

ip address 1.2.3.4 255.255.255.0

no shut

Now you also need to make sure that there is an access port that is assigned to vlan 1 and it should be in up state or a trunk port in up state. In short you need to have a spanning tree instance for vlan 1.

You can use this command to check if you have a spanning tree instance for vlan 1:

sh spanning-tree vlan 1

if switch doesn't show a spanning tree instance for vlan 1 that means you don't meet the conditions I mentioned above. Once you meet those conditions SVI for vlan 1 should be up. In your case I am not sure if it's a configuration issue or a GNS 3 limitation. If you have access to packet tracer then you can try it there and packet tracer supports it for sure. If you follow the steps I mentioned it should definitely work in packet tracer.

You can also share your GNS3 configuration, so I can take a look at it and may be able to find the problem.

Let me know if you have any questions.

Peter Paluch
Cisco Employee
Cisco Employee

Hi,

You do not need to have a separate machine for managing a switch - certainly not. If you assign an IP address to your interface Vlan 1 it can be reachable from VLAN1 either via an access port, or via a trunk port. So the management station can be anywhere, as long as it can reach the VLAN1 in your network, and thus reach your switches and their IP management interfaces.

For example, you would configure your switch as follows:

username admin privilege 15 secret 4dm1n

!

interface Vlan1

ip address 10.0.1.11 255.255.255.0

no shutdown

!

ip default-gateway 10.0.1.1

!

interface Gi0/1

switchport mode trunk

!

line vty 0 15

login local

logging synchronous

This configuration assumes that the Gi0/1 is a trunk port which connects this switch either to a router or to another switch in your topology. This switch will be reachable under IP address 10.0.1.11 and it will use the default gateway 10.0.1.1 to reach IP stations in other subnets. So if there is a management stations somewhere outside in the network 10.255.255.0/24, all it needs is to have simply an IP connectivity with the IP network 10.0.1.0/24 which is not about switching but rather about routing between VLANs.

I strongly advise against using the VLAN1 for management purposes. It is the best option to leave the VLAN1 totally unused - both for user and for management traffic - and instead define a separate VLAN for management, say, 999. For security purposes, it is not advisable to use the VLAN1 for any traffic. The VLAN1 performs many operations between Catalyst switches and should be best left alone for their internal use.

Best regards,

Peter


Hi,


By default, VLAN 1 is the management VLAN. Ensure that there are no redundant links for the management VLAN.

On any lesser switches, such as the 2900 series, the management vlan is where the switch's ip address is configured, and where you can access the switch via telnet or http.

The default management vlan is vlan 1, and in order to assign a different management vlan, you need to shut vlan 1, and then you can no shut a different vlan for management purposes - you can only have 1 active management vlan on these switches.

This is different from the 3550 and 3560 switches where you can have multiple vlan interfaces active at the same time.


Hope this clear you.

Please rate the helpfull posts.

Regards,
Naidu.

Thanks Latchum,

I have a 2950 Switch and was banging my head trying to figure out why my Interface VLAN would shutdown, every time I tried to activate a different Interface VLAN

you can only have 1 active management vlan on these switches.

This is different from the 3550 and 3560 switches where you can have multiple vlan interfaces active at the same time.

This was the clear and concise answer I was looking for!

Moving on now:)

Thank you, I have the 2950 and wasn't shutting vlan1 down, so I couldn't get the management port to work to work on the other vlan. All the other posts I found were saying it should work with the way I had it setup, and it would with the newer switches, but I have an oldie.

Bob Bagheri
Level 1
Level 1

This one can be answered many different ways, depending on your definition of a "Management Network".

Some switches have a separate port just for management which can be wired to a completely separate air gapped network.  That is true out of band management of your devices.

Next option for L3 switch would be to create a routed L3 port and connect to it directly. This is kind of impractical and waste of your port.


If your switch has now L3 address and is connected to a trunk, it needs the "default-gateway" command (as some mentioned already) and you can assign an IP address to either Vlan1 or just a Vlan in your local VLAN database.


Lastly, most security best practices is to use a different VLAN other than 1, because by default, Cisco uses Vlan1 at LAYER2 for VTP (VLAN Trunking Protocol) management as the "NATIVE VLAN", hence the name, management VLAN.  That may be where some confusion comes in with the name "management". Therefore, security guys will tell you to not use the "native vlan 1".  If you do use a different native vlan and you are using VTP, you will need to let some devices or ports know what the specific native vlan is.  

As mentioned already on this thread, for security reason's, it is best practice to use a dummy Vlan on trunks as the "native vlan", so it is probably best to use a different VLAN for management throughout your infrastructure.

Oh, and having an SVI in your VLAN's like you did originally (as long is not the same as your default router IP), is not the end of the world.  One of those SVI's your created could be used to reach the switch as long as the VLAN is allowed on the trunks.

HTH,
Bob

edwardhsue20078
Level 1
Level 1

If a switch has a different management VLAN, would it get updated too?

Review Cisco Networking for a $25 gift card