VLANs and Management VLANs

imecocisco
Level 1

Hello,

Although being relatively new to the Cisco world I have some basic experience with IOS.

We currently have two 24-port 2960s patched together using the fiber uplink ports, which act as core switches for the business.

One is a client core switch where all local department switches [Cisco SGs] terminate, with a few remaining ports for various other devices.

The second is the server core switch where only servers are connected to.

I've read in a few places that you shouldn't have your switch management IP address on the default VLAN and it should be on its own.

The question here is when I put the switch IP address on a separate VLAN and attach it to the port there is no way for me to manage the switch, as a router needs to be involved to route traffic between the two subnets. I believe the 2960 does not do inter-VLAN routing.

We have recently acquired a 3750, however, that will allow us to do the above, but before we implement this I was wondering how it is normally done without any sophisticated routing hardware? We have option 3, which is to simply use the management port, but again that would require a separate workstation to manage it.

Can anyone educate me on the best way? Or even the correct way?

Thanks!

Peter Paluch
Cisco Employee

Hello Ibrahim,

The question here is when I put the switch IP address on a separate VLAN and attach it to the port there is no way for me to manage the switch, as a router needs to be involved to route traffic between the two subnets.

You are completely correct that the management VLAN shall be different from the default VLAN (which is VLAN 1 on Catalyst switches), and it also should be separate from the native VLAN (which also happens to be VLAN 1 on Catalyst switches). And yes, you are absolutely correct that if you configure a standalone management VLAN, you will require a routing function to allow stations in other VLANs to access the management.

When saying that the management VLAN should be separate, we are not saying that absolutely no stations should be assigned to the VLAN. You can have a few dedicated management stations connected directly to ports whose access VLAN is set to the management VLAN, thereby allowing these stations to perform management tasks in your management VLAN. What we are very specific about, though, is that the management VLAN shall be different both from VLAN1 (the default VLAN) and the native VLAN.

I believe the 2960 does not do inter-VLAN routing.

Starting with 12.2(55)SE and LANBASE feature set, the 2960 does support static routing and routing between connected VLANs.

Can anyone educate me on the best way? Or even the correct way?

Usually, as soon as you implement VLANs, you also implement some kind of inter-VLAN routing, so having a separate management VLAN is not an issue at all - because the routing is already there. The routing may be done using a dedicated multilayer switch, or perhaps on the access switch immediately, or by a router-on-a-stick.

So whenever inter-VLAN routing is available, a separate management VLAN is no different to simply having yet another VLAN in your network. Without inter-VLAN routing, to keep a decent level of security, you need to have dedicated management stations that can be assigned to the management VLAN and perform the necessary tasks.

Best regards,

Peter
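A worked configuration of the layout Peter describes, added here as an example (it is not from the original thread or from Cisco documentation): the 2960 keeps its management SVI in a dedicated VLAN 99 rather than VLAN 1, the trunk uses an unused native VLAN 999, one access port carries a dedicated management station, and the 3750 does the inter-VLAN routing with an ACL so that only one admin host in the data VLAN can reach the management subnet. VLAN numbers, interface names, ACL names, the admin host and the 192.0.2.0/24 and 198.51.100.0/24 addresses are all assumed values chosen for illustration.

```cisco
! --- 2960 (12.2(55)SE, LAN Base): management SVI moved off VLAN 1 ---
vlan 99
 name MGMT
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 description switch management SVI (assumed addressing)
 ip address 192.0.2.10 255.255.255.0
!
ip default-gateway 192.0.2.1
!
interface GigabitEthernet0/1
 description uplink to 3750; native VLAN is an unused VLAN, not VLAN 1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,99
!
interface FastEthernet0/24
 description dedicated management station (Peter's "few dedicated stations")
 switchport mode access
 switchport access vlan 99
!
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 permit host 198.51.100.50
!
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
!
! --- 3750 with routing enabled: SVIs provide the inter-VLAN routing ---
ip routing
!
interface Vlan10
 description DATA (workstations); filter traffic headed for MGMT
 ip address 198.51.100.1 255.255.255.0
 ip access-group DATA-TO-MGMT in
!
interface Vlan99
 description MGMT gateway for the 2960's SVI
 ip address 192.0.2.1 255.255.255.0
!
ip access-list extended DATA-TO-MGMT
 permit ip host 198.51.100.50 192.0.2.0 0.0.0.255
 deny   ip any 192.0.2.0 0.0.0.255
 permit ip any any
```

VLANs 10, 99 and 999 must also exist on the 3750, and its trunk port toward the 2960 mirrors the 2960 side (the 3750 additionally needs `switchport trunk encapsulation dot1q` before `switchport mode trunk`).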

Hello Peter,

Many thanks for such a comprehensive and detailed answer. It answered all questions perfectly.

I just wanted to get a little information.

Unfortunately all my staff are all server setup / specific server application setup people and know next to nothing on Cisco.

I am the only one here with a little Cisco experience in switches and firewalls (I'd like to believe anyway)

My concern is since all workstations are on the default VLAN, putting my machine on a separate VLAN would mean that my PC would have to be connected directly onto the switch (which it is not, as I go through a separate switch before getting to the 2960s), so I'd have to set up the interim switch to also have access to that management VLAN, I assume? (Ultimately complicating matters further.)

We do have a 3750 with enough uplink ports to potentially use to route the traffic between the two VLANS?

In order to do this, would I have to change my gateway to the Layer 3 switch? The reason I ask is because my default gateway is currently an NSA and I really don't want to pass my traffic to the NSA in order to route back to the management VLAN.

Could you help with the above and possibly show me how to configure it?

Any suggestions, however, to achieve a safer, more secure setup would also be appreciated.

Thanks again!

Ibrahim

Sorry to bother again, can anyone help with the above?

Thanks.

Ibrahim

As Peter has said, when you implement VLANs - and especially when you implement more than one VLAN - you normally would have provided something that would provide the routing function. At this point your network does not fit that capability. In the long term I would encourage you to deploy the 3750 using its routing function and that would provide the inter-VLAN routing that is needed.

At this point it sounds like your network is small enough and simple enough that you can just continue to have a single VLAN which would handle both data traffic and management traffic.

As networks grow and become more complex it is beneficial to have separation of management VLAN from data VLAN. But I am not sure that your network is there yet.

HTH

Rick

Perfect, great advice.

Thanks for all the help Peter, Richard!
