RE: Management VLANs? [7:38282]
I think Cisco generally recommends that your switch mgmt interface is on a different VLAN than your regular (read: end-user/server) devices. This helps isolate broadcast/multicast traffic so the switch CPU doesn't have to process it - especially critical in networks where there is a high percentage of broadcast/multicast traffic.

Additionally, there's a security component to this line of thinking; if you have an isolated subnet purely for switch management then you can restrict (at the router) who is allowed into that network; this is in addition to the various access controls you can employ on the individual switches.

A word of caution though... I wouldn't recommend that you have a single mgmt VLAN that spanned your entire network unless you work in a really small shop - this breaks all sorts of rules in the Core-Distribution-Access religion and can be difficult to manage.

Last note; I've seen a document (but can't place my fingers on it now) that recommended that you NOT use VLAN # 1 as your mgmt VLAN. Unfortunately it didn't elaborate as to why.

HTH,
Ben

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Kelker
Sent: Thursday, March 14, 2002 2:14 PM
To: [EMAIL PROTECTED]
Subject: Management VLANs? [7:38282]

> This isn't a direct CCNP cert question, but I was thinking of trying to make my network infrastructure easier to navigate. I was thinking of creating a VLAN on a certain IP scheme and have each piece of equipment have a virtual interface on it. Am I going about this the right way? How do some of you address this issue?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38296t=38282
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Management VLANs? [7:38282]
Not sure I'm understanding your question, but try this. Make all of your switches operate in VLAN 2, keep all the other management protocols (CDP, VTP and such) in VLAN 1, and then use the rest of your VLANs for data traffic from hosts.

Michael Kelker wrote:

> This isn't a direct CCNP cert question, but I was thinking of trying to make my network infrastructure easier to navigate. I was thinking of creating a VLAN on a certain IP scheme and have each piece of equipment have a virtual interface on it. Am I going about this the right way? How do some of you address this issue?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38302t=38282
Re: Management VLANs? [7:38282]
Maybe I'm making this whole thing too complicated. What if I just put a loopback interface on each router/switch on a management subnet? What I'm trying to attempt is to make my entire router/switching structure easier to access by not having to remember exactly which whole IP address is for which router; rather, I could say "that's router 10, so it's 10.10.10.10" (as an example).

Michael Kelker wrote in message news:[EMAIL PROTECTED]...

> This isn't a direct CCNP cert question, but I was thinking of trying to make my network infrastructure easier to navigate. I was thinking of creating a VLAN on a certain IP scheme and have each piece of equipment have a virtual interface on it. Am I going about this the right way? How do some of you address this issue?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38305t=38282
RE: Management VLANs? [7:38282]
Other suggestions for not using VLAN 1 for mgmt are:

- Before version 5.4 of CatOS, VLAN 1 couldn't be removed from VLAN trunk links.
- VLAN 1 is the default VLAN, which means that if it was the mgmt VLAN and the switches weren't configured to put all ports in another VLAN, then if someone plugged into one of these ports on this switch they're on your mgmt network.

Along this line of thinking, if you use VLAN xx for mgmt then chances are the only interfaces in that VLAN on that device are the logical management interface and the trunk ports, the trunk ports being the only physical ports in the mgmt VLAN. This makes it hard for a casual user to plug into an open port and get to the mgmt VLAN/network unless they know which IP subnet it is and telnet there, etc.

Also, make the mgmt VLAN a non-native VLAN on the trunk port if it's 802.1Q so it is tagged. This way, if someone knows what VLAN it is, it'll be harder to get to it if they decide to pull the cable on the trunk port :)

Erick B.

--- R. Benjamin Kessler wrote:

> I think Cisco generally recommends that your switch mgmt interface is on a different VLAN than your regular (read: end-user/server) devices. This helps isolate broadcast/multicast traffic so the switch CPU doesn't have to process it - especially critical in networks where there is a high percentage of broadcast/multicast traffic.
>
> Additionally, there's a security component to this line of thinking; if you have an isolated subnet purely for switch management then you can restrict (at the router) who is allowed into that network; this is in addition to the various access controls you can employ on the individual switches.
>
> A word of caution though... I wouldn't recommend that you have a single mgmt VLAN that spanned your entire network unless you work in a really small shop - this breaks all sorts of rules in the Core-Distribution-Access religion and can be difficult to manage.
>
> Last note; I've seen a document (but can't place my fingers on it now) that recommended that you NOT use VLAN # 1 as your mgmt VLAN. Unfortunately it didn't elaborate as to why.
>
> HTH,
> Ben
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Kelker
> Sent: Thursday, March 14, 2002 2:14 PM
> To: [EMAIL PROTECTED]
> Subject: Management VLANs? [7:38282]
>
> > This isn't a direct CCNP cert question, but I was thinking of trying to make my network infrastructure easier to navigate. I was thinking of creating a VLAN on a certain IP scheme and have each piece of equipment have a virtual interface on it. Am I going about this the right way? How do some of you address this issue?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38350t=38282
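As an added example (not code from this thread, and not Cisco's), here is a small Python audit of an IOS-style running config for the points Ben and Erick make: the management SVI should not sit on VLAN 1, no access port should be left in the management VLAN (an unconfigured access port defaults to VLAN 1), and on an 802.1Q trunk the management VLAN should be tagged rather than native. The sample config is constructed, and the assumption that a missing `switchport access vlan` or `switchport trunk native vlan` command means VLAN 1 is mine.

```python
# Constructed sample of an IOS-style switch config (not from the thread); it
# deliberately shows the weak layout the thread warns about.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.1.1.5 255.255.255.0
interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
"""

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} per interface block."""
    blocks, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif name and line.startswith(" "):
            blocks[name].append(line.strip())
        else:
            name = None  # '!' or a top-level command ends the block
    return blocks

def _vlan_after(lines, prefix, default=1):
    # VLAN number from the first sub-command starting with prefix (assumed default: 1)
    return next((int(l.split()[-1]) for l in lines if l.startswith(prefix)), default)

def audit_mgmt_vlan(config):
    """Apply the thread's rules; returns a list of findings (empty means clean)."""
    blocks = parse_interfaces(config)
    # The management SVI is the 'interface VlanN' that carries an IP address.
    svis = [int(n[4:]) for n, ls in blocks.items()
            if n.lower().startswith("vlan") and any(l.startswith("ip address") for l in ls)]
    if not svis:
        return ["no management SVI (interface VlanN with an IP address) found"]
    mgmt, findings = svis[0], []
    if mgmt == 1:
        findings.append("management SVI is on VLAN 1, the default VLAN")
    for name, lines in blocks.items():
        if name.lower().startswith("vlan"):
            continue
        if "switchport mode trunk" in lines:  # mgmt VLAN must be tagged, not native
            if _vlan_after(lines, "switchport trunk native vlan") == mgmt:
                findings.append(f"{name}: management VLAN {mgmt} is native (untagged) on trunk")
        elif _vlan_after(lines, "switchport access vlan") == mgmt:  # default VLAN 1
            findings.append(f"{name}: access port sits in management VLAN {mgmt}")
    return findings
```

Running `audit_mgmt_vlan(SAMPLE_CONFIG)` reports three findings for the sample; moving the SVI to, say, VLAN 99, putting every access port in a user VLAN and setting an unused native VLAN on the trunk makes the list empty.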