Switch or Router IP address for Monitoring

Tang-Suan Tan
Level 1

Hi all :

I have the problems below and need your advice. Usually when we assign an IP address to a switch or router, it is in VLAN 1, which is the default native VLAN.

I have 3 questions below :

1. Right now, for security purposes, we do not want to use VLAN 1 and, for example, we want to use VLAN 50 for network management. Can we just set VLAN 50 as the native VLAN so that all the switch and router IPs in the network can be seen in VLAN 50?

2. Is this VLAN 50 like VLAN 1 (after setting VLAN 50 as native), with no need to do switchport access? In other words, will any ports not assigned to a VLAN automatically be assigned to VLAN 50?

3. If we do not want this VLAN 50 to be mixed with other VLANs and just stand alone, how can it be done, given that we still need an IP to monitor the switch and router IPs?

Can we just leave it as a layer 2 VLAN? Then, by putting the Network Monitoring Station in the same subnet as all the switches and routers, can we monitor all the switches and routers in the same subnet? This is because once we do inter-VLAN routing, the management VLAN will also be mixed with all the other VLANs, and this is not what we want.

Thanks!

Warmest regards,

TangSuan Tan

4 Replies

Giuseppe Larosa
Hall of Fame

Hello TangSuan,

Security recommendations are somewhat different when it comes to preventing OSI layer 2 attacks.

You should avoid using VLAN 1 for any purpose. It will still be used by some L2 signaling protocols, but no user traffic or management traffic is recommended on it.

By default VLAN 1 is the management VLAN, the native VLAN of trunks, and the VLAN that ports are members of.

This is not good for security reasons.

So it is correct to use VLAN 50 for management purposes only, to reach network devices. No end user PCs should be connected to the management VLAN. Appropriate ACLs have to be configured to block access to the management VLAN from client IP subnets. The management VLAN should be different from the native VLAN of trunks; see below.

A different VLAN, like VLAN 950, should be used as the native VLAN for all 802.1Q trunks in the campus.

No access port should be assigned to the VLAN dedicated to being the native VLAN on trunks. This VLAN has to be different from the management VLAN above.

A parking VLAN like 999 should be used for all unused ports. No switch should have an SVI configured and active in the parking VLAN, so that if someone connects to an unused port he/she is not able to talk with other VLANs. The parking VLAN has to be left isolated, with no L3 services.

The last two recommendations are to avoid L2 attacks like double VLAN hopping.

Edit:

Answering your specific questions:

> 1. Right now, for security purposes, we do not want to use VLAN 1 and, for example, we want to use VLAN 50 for network management. Can we just set VLAN 50 as the native VLAN so that all the switch and router IPs in the network can be seen in VLAN 50?

No. See my explanation above: the management VLAN should be different from the native VLAN used on trunk ports.

> 2. Is this VLAN 50 like VLAN 1 (after setting VLAN 50 as native), with no need to do switchport access? In other words, will any ports not assigned to a VLAN automatically be assigned to VLAN 50?

No, this will not happen; Cisco IOS does not provide this. Again, unused ports should use a dedicated parking VLAN as explained above, and this VLAN has to be different from the management VLAN, otherwise a user connecting to an unused port can access your network devices!

> 3. If we do not want this VLAN 50 to be mixed with other VLANs and just stand alone, how can it be done, given that we still need an IP to monitor the switch and router IPs?

As explained before, appropriate ACLs have to be configured on the router(s) serving as the default gateway of VLAN 50 to control access.

You should allow access only from the management station and from NOC PCs.

Hope to help

Giuseppe
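The recommendations above (management VLAN not equal to the trunk native VLAN, nothing left in VLAN 1, no access port in the native VLAN, no active SVI in the parking VLAN, an ACL in front of the management SVI) are easy to state and easy to drift away from across dozens of switches. The following audit script is an added example, not part of the thread or of any Cisco tool: it parses an IOS-style running config and reports violations of exactly those points. The two configs embedded in it are constructed for the demonstration; `WEAK_CONFIG` is the default VLAN 1 layout the question describes, and `HARDENED_CONFIG` is a gateway switch laid out the way the reply recommends (VLAN 50 management with an ACL, native VLAN 950, parking VLAN 999 with no SVI). The ACL name, the 10.0.50.0/24 addressing and the outbound placement of the ACL on the VLAN 50 SVI are assumptions made for the example.

```python
import re

# Constructed sample configs (not from the thread). WEAK_CONFIG is the
# everything-in-VLAN-1 default; HARDENED_CONFIG follows the reply's advice.
WEAK_CONFIG = """\
interface Vlan1
 ip address 10.0.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode access
"""

HARDENED_CONFIG = """\
ip access-list extended MGMT-TO-VLAN50
 permit ip host 10.0.50.10 10.0.50.0 0.0.0.255
 deny ip any any log
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan50
 description management (assumed addressing)
 ip address 10.0.50.2 255.255.255.0
 ip access-group MGMT-TO-VLAN50 out
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 950
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 999
 shutdown
"""


def parse_config(text):
    """Split an IOS-style config into {section header: [indented sub-lines]}."""
    sections, header = {"": []}, ""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections.setdefault(header, []).append(raw.strip())
        else:
            header = raw.strip()
            sections.setdefault(header, [])
    return sections


def _first_int(lines, pattern, default):
    """Return the integer captured by `pattern` on the first matching line, else default."""
    for line in lines:
        match = re.fullmatch(pattern, line)
        if match:
            return int(match.group(1))
    return default


def audit(text):
    """Return a list of findings against the thread's L2 hygiene rules (empty = clean)."""
    findings = []
    svis, trunks, access, parking = {}, {}, {}, set()
    for header, lines in parse_config(text).items():
        svi = re.fullmatch(r"interface Vlan(\d+)", header)
        if svi:
            # An SVI counts as active only if it has an address and is not shut.
            if any(l.startswith("ip address ") for l in lines) and "shutdown" not in lines:
                svis[int(svi.group(1))] = lines
            continue
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        if "switchport mode trunk" in lines:
            trunks[name] = _first_int(lines, r"switchport trunk native vlan (\d+)", 1)
        elif "switchport mode access" in lines:
            access[name] = _first_int(lines, r"switchport access vlan (\d+)", 1)
            if "shutdown" in lines:          # shut access ports define the parking VLAN
                parking.add(access[name])
    if 1 in svis:
        findings.append("Vlan1 carries an active IP address: management must move off VLAN 1")
    for vid, lines in svis.items():
        if not any(l.startswith("ip access-group ") for l in lines):
            findings.append(f"interface Vlan{vid} has no ip access-group: reachable from any subnet")
    for name, native in trunks.items():
        if native == 1:
            findings.append(f"{name}: trunk native VLAN left at 1")
        if native in svis:
            findings.append(f"{name}: native VLAN {native} is also a management (SVI) VLAN")
    natives = set(trunks.values())
    for name, vid in access.items():
        if vid == 1:
            findings.append(f"{name}: access port in VLAN 1")
        if vid in natives:
            findings.append(f"{name}: access port assigned to trunk native VLAN {vid}")
    for vid in parking & set(svis):
        findings.append(f"parking VLAN {vid} has an active SVI: unused ports can reach L3")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run against the constructed configs, the weak layout produces six findings (VLAN 1 management, no ACL, native VLAN 1 on the trunk that is also the management VLAN, and an access port sitting in both VLAN 1 and the native VLAN), while the hardened one is clean. The parking check deliberately treats any shut access port's VLAN as the parking VLAN, so a switch that later gets an `interface Vlan999` with an address is flagged.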

Hi Giuseppe :

Thanks for your answer.

You reminded me of good practices for switch configuration. I appreciate your reply. I posted some new questions related to this one; if OK, can you help answer them?

Thanks and warmest regards,

Tangsuan

Hello Tan,

Let me try to answer your queries.

1. Yes, you can set VLAN 50 as native on the trunks between switches. If you have an L2 switch, you can create an SVI for VLAN 50 and assign an IP address for management purposes. In the case of L3 switches, you can still use this as the management VLAN and create an SVI for it along with the other VLAN SVIs, if any.

2. If you want to put one port in VLAN 50, you have to manually give the switchport access vlan 50 command under the interface to make it part of that VLAN, even if it is the native VLAN.

3. You need to have an IP configured on VLAN 50 if you want to monitor the switch using that VLAN.

Ideally, what you can do:

Have an L3 device (router or L3 switch) where all your SVIs are terminated, allow this particular VLAN on all the trunks and make it native. Then create the L2 VLAN and L3 VLAN (SVI) for VLAN 50 on all the switches, with IP addresses from the same subnet. Have your monitoring station in the same segment (if you do not want to route the traffic) or in a different subnet; it can reach all devices using the VLAN 50 IP addresses through the L3 device mentioned above.

Please let me know if you have further queries.

Harish.

Hi Harish and all:

Thanks for your reply!

If I am going to monitor the management VLAN 50, I have to connect to an access port in VLAN 50, right?

So, can you help clarify the questions below for me:

1. If I want to monitor devices in other VLANs together with the networking devices in the management VLAN 50, can I add the subnet on the Ethernet port of the monitoring station by using the advanced TCP/IP settings?

2. Going to the other extreme of question 1 above, what if I only want VLAN 50 isolated from the other VLANs so that only management traffic is allowed? I will need to use a VLAN ACL to block all other VLANs at all the distribution switches (since the access switch uplink only carries multiple VLANs over a trunk link to the distribution switch, and the distribution switch is the first ingress for all the uplinks from the access switches), right?

Thanks for your time, warmest regards,

Tangsuan Tan