VLAN for Management Traffic

eddie.sardinha
Level 1

Hello Everyone,

I'm still learning cisco and networks in general but I need to separate management traffic from the regular network. The switch is a cisco catalyst 5406-E. My question is do I need to create a new subnet for the VLAN and how would I do that? The commands I have to create a VLAN and add the switch ports are:

Switch(config)# vlan 15
switch(config-vlan)# name Management
switch(config)# interface GigabitEthernet2/6
switch(config-if)# switchport access vlan 15

Now this creates vlan 15 and adds the GE 2/6 interface to vlan 15. How do I add it to a new subnet? Am I going in the right direction?
Accepted Solution

I agree with Jon that knowing more about the environment would be nice. But the original post asks a simple question and I believe that it is possible to answer it without additional information. To add a subnet you need to configure the layer 3 SVI and assign an IP address. It might look something like this:

interface vlan 15
ip address 172.16.15.1 255.255.255.0

HTH

Rick

7 Replies

Jon Marshall
Hall of Fame

Do you mean a 4506-E switch ?

If so it's not clear what the switch is connected to.

When you create a management vlan it is usually for a number of switches. The vlan does have an IP subnet and it needs to be routed on L3 switch(es).

So usually you would have -

a) a pair of L3 switches or stacked L3 switches with the management vlan and a L3 vlan interface (SVI) for that vlan. The L3 switches will also have SVIs for the user vlans.

b) a number of L2 switches that are connected to the L3 switches using trunks. On these trunks will be the user vlans plus your management vlan. On these switches there is only one SVI and this will be for the management vlan. This SVI will have an IP address from the management IP subnet and the switches default gateway will be the IP address of the management SVI on the L3 switches.

So what, if anything connects to your 4500 switch ?

If you just have that switch and it is routing for the vlans you can actually manage it with a loopback address rather than using a management vlan.

Jon


Thanks for all the responses and the information!  I will try that but first I need this switch port to be on Vlan 15 but also be able to access it from another vlan.  Do I need to run the command switchport trunk or can I have a switchport on multiple vlans?

switchport trunk allowed vlan 1,2,3

It needs to be a trunk link to have multiple vlans on it.

i.e.

int gi0/1
switchport mode trunk
switchport trunk encapsulation dot1q   <-- note this may not be needed, i.e. if the command is not there it is not needed.

then you can allow only the vlans you want with your command although if you want vlan 15 on it you will obviously need to modify it.

If you don't use your command all vlans are allowed across.

Jon

In general, if you want to use a separate VLAN for management, you can create the VLAN + an SVI (routed interface of the VLAN) with an IP address + some access list on the SVI and on the VTY ("SSH/telnet lines") for better security.

Example:

==== C4500 – L3 SWITCH CONFIG ====

! create VLAN 15
vlan 15
 name MGMT

! create access list with the IP addresses from which management of all switches with SVI 15 will be accessible
! Note: this access list (ACL) does not control access to management of the L3 switch/router where the ACL is applied on the SVI,
! only to all other switches in VLAN 15 that have their default gateway set to IP address 10.0.15.1 (see next step)
ip access-list extended MGMT_SWITCH
 remark ====ICMP====
 permit icmp any 10.0.15.0 0.0.0.255
 remark ====ADMIN====
 permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
 remark ====MONITORING-SERVERS====
 permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
 remark ====NTB-SERVICE====
 permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255

! create the SVI/interface of VLAN 15, add the IP address and assign the access list
! Note: DO NOT assign an empty access list to an interface, it can make your router inaccessible!
interface Vlan15
 description MGMT
 ip address 10.0.15.1 255.255.255.0
 ip access-group MGMT_SWITCH out

! create the ACL for the VTY lines of the L3 switch/router; this ACL controls access only to management of the L3 switch,
! access to all other switches with SVI 15 is controlled by the previous ACL
ip access-list standard VTY
 remark ====ADMIN====
 permit 10.0.1.0 0.0.0.255
 remark ====MONITORING-SERVERS====
 permit 10.0.100.0 0.0.0.255
 remark ====NTB-SERVICE====
 permit 10.0.200.0 0.0.0.255

! assign the ACL to the vty lines
line vty 0 4
 access-class VTY in


==== OTHER L2-ONLY SWITCHES CONFIG ====

! create VLAN 15
vlan 15
 name MGMT

! create SVI 15
interface Vlan15
 description MGMT
 ip address 10.0.15.50 255.255.255.0

! set the default gateway/default route to the SVI of the C4500
ip default-gateway 10.0.15.1
! some higher-level switches require the following CLI parameters instead:
ip routing
ip route 0.0.0.0 0.0.0.0 10.0.15.1

This is just one of many ways to do the management separation.
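As an added illustration (not code from the post or from Cisco), the following Python model shows which of the two ACLs above governs a given packet at the C4500 and what verdict it returns, including two cases the post's notes imply: traffic to the C4500's own SVI address is only checked by the vty access-class, and traffic between two hosts that are both inside VLAN 15 is switched, never routed, so the outbound SVI ACL never sees it. The 10.0.15.x, 10.0.1.x, 10.0.100.x and 10.0.200.x addresses come from the post; the user-VLAN source 10.0.50.7 and the rogue in-VLAN host 10.0.15.77 are constructed, and SSH/telnet to the switch is modelled simply as any TCP packet to the SVI address.

```python
import ipaddress
# Constructed model of the two ACLs in the post above (not Cisco's own code):
# MGMT_SWITCH is applied outbound on interface Vlan15 and filters routed traffic
# toward the management subnet; VTY is an access-class on the vty lines.
SVI_ADDR = "10.0.15.1"                    # C4500 SVI, the L2 switches' gateway
MGMT_NET = ipaddress.ip_network("10.0.15.0/24")
ANY = ("0.0.0.0", "255.255.255.255")      # IOS keyword "any" as a wildcard pair
# (protocol, src, src_wildcard, dst, dst_wildcard), evaluated top to bottom
MGMT_SWITCH = [
    ("icmp", *ANY, "10.0.15.0", "0.0.0.255"),
    ("ip", "10.0.1.0", "0.0.0.255", "10.0.15.0", "0.0.0.255"),
    ("ip", "10.0.100.0", "0.0.0.255", "10.0.15.0", "0.0.0.255"),
    ("ip", "10.0.200.0", "0.0.0.255", "10.0.15.0", "0.0.0.255"),
]
VTY = [("10.0.1.0", "0.0.0.255"), ("10.0.100.0", "0.0.0.255"),
       ("10.0.200.0", "0.0.0.255")]         # standard ACL: source only

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def extended_permits(proto: str, src: str, dst: str) -> bool:
    for p, s, s_wc, d, d_wc in MGMT_SWITCH:
        if p in ("ip", proto) and wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return True
    return False                            # implicit deny at the end of every ACL

def vty_permits(src: str) -> bool:
    return any(wildcard_match(src, s, wc) for s, wc in VTY)   # implicit deny

def mgmt_access(proto: str, src: str, dst: str) -> str:
    """Which control governs a packet arriving at the C4500, and its verdict."""
    if dst == SVI_ADDR:                     # packet is for the L3 switch itself
        if proto == "tcp":                  # SSH/telnet, assumed to be all TCP here
            return "vty: " + ("permit" if vty_permits(src) else "deny")
        return "unfiltered: MGMT_SWITCH only sees traffic routed out of the SVI"
    if ipaddress.ip_address(dst) not in MGMT_NET:
        return "not a management path"
    if ipaddress.ip_address(src) in MGMT_NET:   # same VLAN: switched, never routed
        return "unfiltered: intra-VLAN traffic never crosses the SVI ACL"
    return "svi-out: " + ("permit" if extended_permits(proto, src, dst) else "deny")

if __name__ == "__main__":
    for pkt in [("tcp", "10.0.1.10", "10.0.15.50"),   # admin -> L2 switch
                ("tcp", "10.0.50.7", "10.0.15.50"),   # constructed user VLAN -> L2 switch
                ("tcp", "10.0.50.7", "10.0.15.1"),    # user VLAN -> C4500 vty
                ("tcp", "10.0.15.77", "10.0.15.50")]: # constructed host inside VLAN 15
        print(pkt, "->", mgmt_access(*pkt))
```

The last case is the practical caveat: an ACL on the SVI protects the management subnet from other VLANs, but anything plugged directly into a VLAN 15 access port bypasses it, which is one reason Rick questions whether Gig2/6 should be an access port in VLAN 15 at all.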

devils_advocate
Level 7

A 'VLAN' is simply a Layer 2 broadcast domain.

Mapping a VLAN ID to a subnet is done on the hosts themselves from a Layer 2 perspective.

You have already created Vlan 15 and assigned the host connected to port GigabitEthernet2/6 to this Vlan.

The next step is to pick a subnet and a corresponding subnet mask. This can literally be any Private IP address subnet as long as it is not already in use on your network. You will find that a lot of people use the third octet to match the VLAN ID. For example, you have chosen VLAN 15 so you could use 192.168.15.0 with a subnet mask of 255.255.255.0 which means all the hosts which are in VLAN 15 will have an IP address of 192.168.15.*.

If you were to create vlan 15, put say 10 ports in this VLAN and assign all those 10 connected hosts an IP address in the 192.168.15.* subnet with the same subnet mask, they would all be able to communicate with each other without any additional configuration on the switch itself. A layer 2 switch has no concept of IP addresses because it forwards frames using the destination MAC address. As long as all connected hosts are on the same VLAN and have the same IP subnet and mask, they can communicate with each other at Layer 2.

If however you want hosts in Vlan 15 to communicate with hosts in another Vlan, that is when a Layer 3 device is needed. I suspect your switch is Layer 3 capable meaning it can still function at purely Layer 2 but has the routing features required to forward packets between Vlans. If you want your hosts in Vlan 15 to be able to talk to other Vlans (or the internet) then they need the following requirements met.

  • All be part of Vlan 15
  • All have an IP address and subnet mask from the same subnet (i.e 192.168.15.0 /24)
  • All have a default gateway

In terms of the switch configuration, you need to create what is known as an 'SVI' which is effectively a Layer 3 IP address for each Vlan you have. This IP address will be the 'default gateway' for each of your hosts.

#interface vlan 15
#ip address 192.168.15.1 255.255.255.0
#no shut

You would then give each of your hosts in VLAN15 a default gateway of 192.168.15.1.

Assuming you created an SVI for each of your VLAN's and gave your hosts their appropriate default gateways then they should be able to ping each other.

Some layer 3 switches are not set up to route by default, so you may need to do the following in global config mode:

#ip routing

Hope this makes sense!

The original poster has asked a fairly simple question but the answer may not be as simple as we might think. If the switchport needs to access several VLANs then we need to understand what kind of access is required. If the access is that traffic for several VLANs needs to go through that switch port then the answer certainly is that the switch port needs to be configured as a trunk. But if the access required is that a device connected on that port needs to access several VLANs then configuring the switch port as an access port and configuring inter vlan routing might achieve the objective.

I also wonder if Gig2/6 really needs to be an access port in VLAN 15. If VLAN 15 is for switch management then what the switch really needs is the SVI interface vlan 15 with an assigned IP address (as I described in my previous response). You do not necessarily need an access port in vlan 15 for switch management to work. It is commonly implemented that the VLAN for switch management is carried between switches on trunk ports, the SVIs provide management access, and there are no physical ports as access ports in VLAN 15.

To give good answers in this situation we really need a better understanding of the environment and the topology of the network. How many switches are there? How are the switches connected to each other? Are there trunk ports already configured? What is connected to Gig2/6? If a host is connected to Gig2/6 then probably the switch port should be an access port in some VLAN. If another switch is connected on Gig2/6 then probably it should be configured as a trunk.

HTH

Rick