How are you doing?
Just got a Cisco SF300-24 for studying switch configuration, and I have a doubt about the Management VLAN.
In my config, I created these VLANs:
Vlan  Name          Ports                         Created by
----  ------------  ----------------------------  ----------
1     1                                           D
10    DATA          fa9-11,fa21-23                S
11    VOIP                                        S
12    PRINTERS      fa8,fa20                      S
13    SAN           fa6-7,fa18-19                 S
14    PRIVATE_WIFI  fa5,fa17                      S
15    PUBLIC_WIFI   fa4,fa16                      S
16    HOUSE         fa2-3,fa14-15                 S
99    MGMT          fa1,fa13                      S
999   NULL          fa12,fa24,gi1-4,Po1-8         S
The IP address for each vlan follows this scheme: 10.1..201/24.
First, I eliminated VLAN 1 and created VLAN 999, which is a black hole. Is this a good configuration for improving security?
Second, I'd like VLAN 99 to be the management one, but I can still ping/telnet/SSH and so on from ANY subnet. What should I use to block this kind of traffic from the other VLANs and allow only this one for management?
Thanks in advance!
Best Answer
This is normal behavior for a layer 3 switch: management traffic can be sent to any active Switch Virtual Interface (SVI). If you only want to allow management traffic from a specific VLAN/subnet, you could set up ACLs.
A layer 2 switch can be assigned a management IP address, attached to one VLAN, called the management VLAN. It will only be reachable inside this VLAN.
In the case of the SF300, I believe you have to define a management ACL instead of a normal IP ACL if you want to filter management traffic into the switch. Use the "management access-list" command, and then apply the ACL using "management access-class".
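As an added example, not part of the original answer, here is what that management ACL could look like in SF300 CLI syntax, restricting the switch's management services to sessions sourced from the MGMT VLAN. The subnet 10.1.99.0/24 and the ACL name MGMT-ONLY are assumptions (the poster's addressing scheme is truncated above); the exact keywords should be checked against the command reference for your firmware.

```cisco
! Added example, not from the original thread. Assumes VLAN 99 = 10.1.99.0/24.
configure
! Define the management ACL. Anything that matches no permit rule is denied,
! so only the rule below admits management sessions.
management access-list MGMT-ONLY
 ! Permit management services (SSH, HTTPS, SNMP, ...) only from the MGMT
 ! subnet, and only when the session arrives on the VLAN 99 SVI.
 permit ip-source 10.1.99.0 mask 255.255.255.0 vlan 99
exit
! Activate the ACL. Do this from the console or from a session that already
! matches the permit rule above, otherwise the active session is cut off too.
management access-class MGMT-ONLY
end
! Verify which ACL is active before saving.
show management access-class
copy running-config startup-config
```

Two caveats for the poster's situation: a management ACL governs the switch's own management services, so it stops Telnet/SSH/HTTP(S)/SNMP from the other VLANs but does not by itself stop ICMP echo to the other SVIs, and because the lockout risk is real, keep a console connection open while applying it.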