Cisco – Management VLAN Configuration

ciscomanagementvlan

how u doing?

Just got a Cisco SF300-24 for studying switch configuration and I'm in doubt about the Management VLAN.

In my conf, I made this VLANs:

Vlan       Name                   Ports               Created by    
---- ----------------- --------------------------- ---------------- 
 1           1                                            D         
 10        DATA              fa9-11,fa21-23               S         
 11        VOIP                                           S         
 12      PRINTERS               fa8,fa20                  S         
 13         SAN               fa6-7,fa18-19               S         
 14    PRIVATE_WIFI             fa5,fa17                  S         
 15     PUBLIC_WIFI             fa4,fa16                  S         
 16        HOUSE              fa2-3,fa14-15               S         
 99        MGMT                 fa1,fa13                  S         
999        NULL           fa12,fa24,gi1-4,Po1-8           S

The IP address for each vlan follows this scheme: 10.1..201/24.

First, I eliminated the VLAN 1 and create an 999, that's a black hole. Is this a good configuration for security improvement?

Second, I'd like the VLAN 99 to be the Management one, but I still can ping/telnet/ssh and whatsoever from ANY subnet. What should I use to block this kind traffic in other VLANs and make just this one for management?

Thx in advance!

Best Answer

This is normal behavior for a layer 3 switch, management traffic can be sent to any active Switch Virtual Interface (SVI). If you only want to allow management traffic from a specific vlan/subnet, you could set up ACLs.

A layer 2 switch can be assigned a management IP address, attached to one vlan, called the management vlan. It will only be reachable inside this vlan.

In the case of the SF300, I believe you have to define a management ACL instead of a normal IP ACL if you want to filter management traffic into the switch. Use the management access-list command, and then apply the ACL using management access-class.

Related Solutions

Switch – VLAN configuration

Assuming you will use VL20 as your guest network, do the following:

Every switch that has guest devices on it should have VL 20 on it.
Configure the security profile on the WAG102 to use VL 20 for the guest SSID (check "enable 802.1 VLAN"). For the management profile, uncheck the Enable 802.1q VLAN box.
Make the AP ports on the switches VLAN 20 tagged and VL 1 untagged.
Make the port for the BT router VL 20 untagged.
If you have switch to switch connections, those ports should be set to VLAN 1 untagged and VL 20 tagged.
Everything else (your internal devices, management interface, etc) should be on VL 1 untagged ports.

Cisco – SSH to Access Switch Management Console from other VLANs

Based on @TeunVink's comments, Problem 1 was fixed.

Below are the methods I have used for setting up the management interface.

I chose not to use VLAN 1 for management, as per many recommendations. So I cleared IPs from VLAN 1 and Management Console (Fastethernet0), as:

conf t
int vlan 1
no ip address
exit
int fa0
no ip address
exit

Assuming that VTP is enabled is working between Core and Access switches:

Create a separate management vlan in the core switch. E.g. VLAN 10

conf t
vlan 10
name management
exit

Assign IP address to this vlan

int vlan 10
ip address 10.0.10.1 255.255.255.0
exit

Then connect to the 2960 access switch via console and verify the vlan 10 is present there using show vlan command. It should be there as the VTP already would have taken care of distributing it. Now assign ip separately here for vlan 10 in the access switch as:

conf t
int vlan 10
ip address 10.0.10.2 255.255.255.0
exit

Configure ssh by following this link.

That's it. Now Ping 10.0.10.2 from other vlans to the Access switch. Should be good to go.

This link can be treated as an excellent reference for this purpose.

Best Answer

Related Solutions

Switch – VLAN configuration

Cisco – SSH to Access Switch Management Console from other VLANs

Related Topic