57 Replies, latest reply: Jan 31, 2011 7:54 PM by Jared

    Management VLAN

    Steven Williams

      Where are the topics of Management VLAN covered? I really would like to learn more about it because it confuses me to this day. I often come back to my question: if I have a management VLAN in which only the people who need access to switches reside, do I really need to use SSH, or can we use telnet?

        • 1. Re: Management VLAN
          Keith Barker - CCIE RS/Security, CISSP

          Hollywood0728 wrote:

          Where are the topics of Management VLAN covered? I really would like to learn more about it because it confuses me to this day. I often come back to my question: if I have a management VLAN in which only the people who need access to switches reside, do I really need to use SSH, or can we use telnet?

          The management VLAN corresponds to the IP subnet that your network devices have an IP address in (which is used for remote management of those devices). It is also good practice to put users only in other VLANs (other than the management VLAN).

          Regardless, telnet is still plain text, and shouldn't be used (unless inside of an encrypted transport such as IPSec), even if we feel that our management VLAN is completely isolated from users.

          Keith

          Here is a good discussion regarding the Management VLAN:

          https://supportforums.cisco.com/thread/2015714

          • 2. Re: Management VLAN
            Steven Williams

             The management VLAN corresponds to the IP subnet that your network devices have an IP address

             Does this refer to the vlan 1 interface? What is the reason not to put users in the management vlan? What if they are network admins managing the devices? If your management vlan is a separate vlan and is isolated from all other vlans except maybe the IT department vlan, why would you not use telnet? No one can sniff packets off that vlan. I understand best practices, but I am trying to relate to the world I work in.

            • 3. Re: Management VLAN
              Jared

               Keith pretty much summed this up. In my network, I keep the IP addresses of my switches on a different subnet (vlan) than normal end user traffic to isolate the broadcast domain of the switches and users. I have also put other devices in this management vlan that deal with functional systems of the buildings, such as HVAC controls, key fob systems and such. These are systems that end users have no reason to interface with via IP.

               As far as using telnet, I would only use it when absolutely necessary. If the device supports SSH, then I would stick with that. It isn't hard to set up and sure makes it nice to help protect against attacks that exploit clear text transports.

              • 4. Re: Management VLAN
                Steven Williams

                 Easy to set up on over 700 switches?? LOL

                • 5. Re: Management VLAN
                  Jared

                   ooohhhh.... Well, if you are using VTP, it wouldn't be bad. If you have an NMS like CiscoWorks or SolarWinds, it wouldn't be too bad either. You could just create a template and push it out to your 700 devices.

                  • 6. Re: Management VLAN
                    Scott Morris - CCDE/4xCCIE/2xJNCIE

                     Yeah, by the time you get to 700 switches you should have some centralized management program in place to make your life easier.

                     That being said... if it has not been done, or a separate management VLAN has not been configured, then I'd say life is going to be miserable for a little while until you DO get it set up!

                     Planning, planning, planning!

                     Have fun!

                     Scott

                    • 7. Re: Management VLAN
                      Jared

                       Been there, done that on a network with 500+ devices. You do want management vlans and an NMS when they get that big. So that spawns the question of how many nodes constitute a network that is big enough to need things like management vlans or an NMS.

                       As you say, plan, plan, plan or, even better yet, design, design, design!

                      • 8. Re: Management VLAN
                        Scott Morris - CCDE/4xCCIE/2xJNCIE

                        Any network that makes you groan or curse out loud when you need to roll out a change to all devices is big enough to warrant some sort of management!  

                        • 9. Re: Management VLAN
                          Jared

                          Lol.  Awesome guideline!

                          • 10. Re: Management VLAN
                            tnewshott

                             Personally I think anything over about 50 devices needs an NMS, or you need to be rather skilled at scripting and know Linux, so you can push scripts from a stable platform.

                             At about 50 devices, I can run 5 SecureCRT windows and push scripts through the chat window. Beyond that number it becomes too tedious! LOL.

                            • 11. Re: Management VLAN
                              Jared

                              It really all comes down to cost.  But I have been in environments where it was suicide not to have an NMS.

                              • 12. Re: Management VLAN
                                tnewshott

                                That is the truth.  I could not fathom a 700+ device network not having a full blown NMS+Configuration management suite. 

                                • 13. Re: Management VLAN
                                  Jared

                                  Nor could I.  I have also been in environments with no management vlan... Again, not a fun place to be. 

                                  • 14. Re: Management VLAN
                                    Steven Williams

                                     Well, we do have NCM. I do like it, but my knowledge of it is about 1 inch deep and a mile long. I have thought about upgrading IOS versions but was kind of confused when all devices have different flavors and versions... how do you push changes with so many variables? I guess I could group by like IOS versions. How would I start seeing if a management vlan exists? For me I think it is hard to know when my knowledge of it is minimal. Not only that, but I come from an organization that uses vlan 1 for all traffic. HA HA....
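As an added example (not code from anyone in this thread), here is one way to answer the two questions the thread keeps circling back to, "does a separate management VLAN exist on this switch?" and "is telnet still reachable on its vty lines?", by parsing a saved IOS-style running-config; the sample config, its hostname, addresses and VLAN number are all constructed for illustration.

```python
import re

# Constructed sample of a 'show running-config' excerpt (not from the thread).
SAMPLE_CONFIG = """\
hostname SW-FLOOR3
ip domain-name example.net
ip ssh version 2
!
interface Vlan1
 no ip address
!
interface Vlan100
 description MGMT
 ip address 10.99.0.13 255.255.255.0
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def audit_management(config):
    """Parse an IOS-style config and report the management-plane facts the
    thread asks about: which SVIs carry IP addresses (a non-Vlan1 SVI with an
    address is the usual sign of a dedicated management VLAN) and whether any
    vty range still accepts telnet."""
    svis, vty, section = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):           # a new top-level stanza
            m_svi = re.match(r"interface (Vlan\d+)$", line)
            m_vty = re.match(r"line vty (\d+ \d+)$", line)
            section = None
            if m_svi:
                section = ("svi", m_svi.group(1))
            elif m_vty:
                section = ("vty", m_vty.group(1))
                vty[m_vty.group(1)] = None     # None = no explicit transport input
            continue
        if section and section[0] == "svi":
            m = re.match(r" ip address (\S+) (\S+)$", line)
            if m:
                svis[section[1]] = m.group(1)
        elif section and section[0] == "vty":
            m = re.match(r" transport input (.+)$", line)
            if m:
                vty[section[1]] = m.group(1).split()
    mgmt = {k: v for k, v in svis.items() if k != "Vlan1"}
    return {
        "ssh_v2": bool(re.search(r"^ip ssh version 2$", config, re.M)),
        "management_svis": mgmt,
        "vlan1_has_ip": "Vlan1" in svis,
        "separate_mgmt_vlan": bool(mgmt) and "Vlan1" not in svis,
        # 'all' or an explicit 'telnet' keeps a cleartext path open; an unset
        # transport is flagged too so the platform default gets reviewed by hand.
        "telnet_reachable": sorted(r for r, t in vty.items()
                                   if t is None or "telnet" in t or "all" in t),
    }
```

Run it over configs pulled by the NMS (NCM in this case) and the `telnet_reachable` list is the set of vty ranges that still need `transport input ssh` pushed from the template.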
