41874 Views, 57 Replies. Latest reply: Jan 31, 2011 7:54 PM by Jared


Management VLAN

Dec 30, 2010 12:47 PM

Steven Williams 3,565 posts since
Jan 26, 2009

Where are the topics of Management VLAN covered? I really would like to learn more about it because it confuses me to this day. I often come back to my question: if I have a management VLAN in which only the people who need access to switches reside, do I really need to use SSH, or can we use telnet?

  • Keith Barker - CCIE RS/Security, CISSP 5,327 posts since
    Jul 3, 2009
    1. Dec 30, 2010 12:57 PM (in response to Steven Williams)
    Re: Management VLAN

    Hollywood0728 wrote:

    Where are the topics of Management VLAN covered? I really would like to learn more about it because it confuses me to this day. I often come back to my question: if I have a management VLAN in which only the people who need access to switches reside, do I really need to use SSH, or can we use telnet?

    The management VLAN corresponds to the IP subnet that your network devices have an IP address in (which is used for remote management of those devices). It is also good practice to only put users in other VLANs (other than the management VLAN).

    Regardless, telnet is still plain text and shouldn't be used (unless inside an encrypted transport such as IPSec), even if we feel that our management VLAN is completely isolated from users.

    Keith

    Here is a good discussion regarding the Management VLAN:

    https://supportforums.cisco.com/thread/2015714

  • Jared 5,551 posts since
    Jul 27, 2008
    3. Dec 30, 2010 1:04 PM (in response to Steven Williams)
    Re: Management VLAN

    Keith pretty much summed this up. In my network, I keep the IP addresses of my switches on a different subnet (VLAN) than normal end-user traffic to isolate the broadcast domain of the switches and users. I have also put other devices in this management VLAN that deal with functional systems of the buildings, such as HVAC controls, keyfob systems and such. These are systems that end users have no reason to interface with via IP.

    As far as using telnet, I would only use it when absolutely necessary. If the device supports SSH, then I would stick with that. It isn't hard to set up and sure makes it nice to help protect against attacks that exploit clear-text transports.

  • Jared 5,551 posts since
    Jul 27, 2008
    5. Dec 30, 2010 1:13 PM (in response to Steven Williams)
    Re: Management VLAN

    ooohhhh.... Well, if you are using VTP, it wouldn't be bad. If you have an NMS like CiscoWorks or SolarWinds, it wouldn't be too bad either. You could just create a template and push it out to your 700 devices.

  • Scott Morris - CCDE/4xCCIE/2xJNCIE 8,429 posts since
    Oct 7, 2008
    6. Dec 31, 2010 6:45 AM (in response to Jared)
    Re: Management VLAN

    Yeah, by the time you get to 700 switches you should have some centralized management program in place to make your life easier.

    That being said... if it has not been done, or a separate management VLAN has not been configured, then I'd say life is going to be miserable for a little while until you DO get it set up!

    Planning, planning, planning!

    Have fun!

    Scott

  • Jared 5,551 posts since
    Jul 27, 2008
    Re: Management VLAN

    Been there, done that on a network with 500+ devices. You do want management VLANs and an NMS when they get that big. So that spawns the question of how many nodes constitute a network that is big enough to need things like management VLANs or an NMS.

    As you say, plan, plan, plan, or even better yet, design, design, design!

  • Scott Morris - CCDE/4xCCIE/2xJNCIE 8,429 posts since
    Oct 7, 2008
    8. Dec 31, 2010 7:12 AM (in response to Jared)
    Re: Management VLAN

    Any network that makes you groan or curse out loud when you need to roll out a change to all devices is big enough to warrant some sort of management!

  • Jared 5,551 posts since
    Jul 27, 2008
    Re: Management VLAN

    Lol.  Awesome guideline!

  • 10. Dec 31, 2010 7:48 AM (in response to Jared)
    Re: Management VLAN

    Personally I think anything over about 50 devices needs an NMS, or you need to be rather skilled at scripting and know Linux, so you can push scripts from a stable platform.

    At about 50 devices, I can run 5 SecureCRT windows and push scripts through the chat window. Beyond that number it becomes too tedious! LOL.

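Two points in this thread go together: Keith's answer (devices on their own management subnet, users elsewhere, SSH rather than telnet on the management interface) and the later observation that once you have more than a few dozen switches you end up scripting the rollout. The following Python is an added example written for this thread, not code from any poster or from Cisco. It renders the management-VLAN and SSH-only portion of an IOS configuration for one switch from a handful of parameters, so the same function can be run over a device list, and it audits an existing configuration for vty lines that still permit clear-text telnet. The hostnames, VLAN numbers, addresses and the `example.local` domain name are constructed for illustration, and the `CHANGE-ME` secret is a placeholder.

```python
"""Added example for the Management VLAN thread: render a hardened
management-VLAN / SSH-only config for a Cisco IOS switch and audit a
config for vty lines that still allow clear-text telnet.
All device names, VLAN ids and addresses below are constructed."""
import ipaddress
import re


def render_mgmt_config(hostname, mgmt_vlan, mgmt_ip, prefix_len, gateway, user_vlan):
    """Return IOS config text that puts the switch SVI in a dedicated
    management VLAN, keeps users in a separate VLAN, and restricts the
    vty lines to SSH from the management subnet only."""
    net = ipaddress.ip_network(f"{mgmt_ip}/{prefix_len}", strict=False)
    mask = str(net.netmask)        # dotted mask for the SVI
    wildcard = str(net.hostmask)   # inverse mask for the standard ACL
    lines = [
        f"hostname {hostname}",
        "ip domain-name example.local",   # constructed; needed before RSA key generation
        "username admin privilege 15 secret CHANGE-ME",  # placeholder credential
        "crypto key generate rsa modulus 2048",
        "ip ssh version 2",
        "!",
        f"vlan {mgmt_vlan}",
        " name MGMT",
        f"vlan {user_vlan}",
        " name USERS",
        "!",
        "interface Vlan1",
        " shutdown",                      # do not manage the switch on VLAN 1
        f"interface Vlan{mgmt_vlan}",
        f" ip address {mgmt_ip} {mask}",
        " no shutdown",
        f"ip default-gateway {gateway}",
        "!",
        "ip access-list standard MGMT-ONLY",
        f" permit {net.network_address} {wildcard}",
        " deny any log",                  # log anything outside the management subnet
        "!",
        "line vty 0 15",
        " access-class MGMT-ONLY in",
        " transport input ssh",           # SSH only; telnet is not accepted
        " login local",
    ]
    return "\n".join(lines)


def audit_vty_transport(config_text):
    """Return one finding per 'line vty' block whose transport still
    permits telnet, either explicitly (all / telnet) or because no
    'transport input' is set and the platform default may allow it."""
    findings = []
    current = None
    transport = None

    def close():
        if current is None:
            return
        if transport is None:
            findings.append(f"{current}: no 'transport input' set; "
                            "telnet may be allowed by platform default")
        else:
            tokens = transport.split()
            if "all" in tokens or "telnet" in tokens:
                findings.append(f"{current}: 'transport input {transport}' "
                                "permits clear-text telnet")

    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # top-level command ends any open line block
            close()
            current = line if line.startswith("line vty") else None
            transport = None
        elif current is not None:
            m = re.match(r"\s+transport input (.+)", line)
            if m:
                transport = m.group(1).strip()
    close()
    return findings


if __name__ == "__main__":
    # constructed device list; in practice this comes from the NMS or inventory
    inventory = [("sw-access-01", "10.99.0.11"), ("sw-access-02", "10.99.0.12")]
    for name, ip in inventory:
        cfg = render_mgmt_config(name, 99, ip, 24, "10.99.0.1", 10)
        print(cfg, "\n!\n")
        print("findings:", audit_vty_transport(cfg))
    legacy = "hostname sw-old\n!\nline vty 0 4\n transport input all\nline vty 5 15\n login\n"
    for f in audit_vty_transport(legacy):
        print("legacy:", f)
```

The audit treats a missing `transport input` as a finding rather than as safe, because the default differs between IOS images; a reviewer should confirm it explicitly rather than rely on the default.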
  • Jared 5,551 posts since
    Jul 27, 2008
    11. Dec 31, 2010 7:53 AM (in response to tnewshott)
    Re: Management VLAN

    It really all comes down to cost.  But I have been in environments where it was suicide not to have an NMS.

  • 12. Dec 31, 2010 7:57 AM (in response to Jared)
    Re: Management VLAN

    That is the truth. I could not fathom a 700+ device network not having a full-blown NMS + configuration management suite.

  • Jared 5,551 posts since
    Jul 27, 2008
    13. Dec 31, 2010 8:04 AM (in response to tnewshott)
    Re: Management VLAN

    Nor could I. I have also been in environments with no management VLAN... Again, not a fun place to be.
