Other suggestions for not using VLAN 1 for mgmt are: - Before version 5.4 of CatOS, VLAN 1 couldn't be removed from VLAN trunk links.
- VLAN1 is default VLAN which means if it was the mgmt VLAN and switches weren't configured to put all ports in another VLAN if someone plugged into one of these ports on this switch they're on your mgmt network. Along this line of thinking, if you use VLANxx for mgmt then chances are the only interfaces in that VLAN on that device is the logical management interface and trunk ports. The trunk ports being the only physical ports in the mgmt VLAN. This makes it hard for a casual user to plug into a open port and get to the mgmt VLAN/network unless they know which IP subnet it is and telnet there, etc. Also, make the mgmt VLAN a non-native VLAN on the trunk port if its 802.1Q so it is tagged. This way if someone knows what VLAN it is it'll be harder to get to it if they decide to pull the cable on the trunk port :) Erick B. --- "R. Benjamin Kessler" wrote: > I think Cisco generally recommends that your switch > mgmt interface is on a > different VLAN than your "regular" (read: > end-user/server) devices. This > helps isolate broadcast/multicast traffic so the > switch CPU doesn't have to > process it - especially critical in networks where > there is a high > percentage of broadcast/multicast traffic. > > Additionally, there's a security component to this > line of thinking; if you > have an isolated subnet purely for switch management > then you can restrict > (at the router) who is allowed into that network; > this is in addition to the > various access controls you can employ on the > individual switches. > > A word of caution though...I wouldn't recommend that > you have a single mgmt > VLAN that spanned your entire network unless you > work in a really small > shop - this breaks all sorts of "rules" in the > Core-Distribution-Access > religion and can be difficult to manage. > > Last note; I've seen a document (but can't place my > fingers on it now) that > recommended that you NOT use VLAN # 1 as your mgmt > VLAN. Unfortunately it > didn't elaborate as to why. > > HTH, > > Ben > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of > Michael Kelker > Sent: Thursday, March 14, 2002 2:14 PM > To: [EMAIL PROTECTED] > Subject: Management VLANs? [7:38282] > > > this isn't a direct CCNP cert question, but I was > thinking of trying to make > my network infrastructure easier to navigate. I was > thinking of creating a > VLAN on a certain IP scheme and have each piece of > equipment have a virutal > interface on it. > > Am I going about this the right way? How do some of > you address this issue? > __________________________________________________ Do You Yahoo!? Yahoo! Sports - live college hoops coverage http://sports.yahoo.com/ Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38350&t=38282 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
