Cisco Management VLAN

dtadmin
Currently I have a Cisco 6509 layer 3 switch in my core. It also houses my VLAN database. I have probably 8 to 10 VLANs. Currently I am using the default VLAN 1 to manage my switches from. I want to move away from this and build a management VLAN. Is there anything special I need to do other than building another VLAN and assigning an IP address to it? How do I deny telnet access into VLAN 1 after I designate a management VLAN?
Don Johnston, Instructor, Top Expert 2015
Commented:
>Is there anything special I need to do other than building another vlan and assigning an ip address to it?

Nope.

>How do I deny telnet access into vlan 1 after I designate a management vlan?

If you don't have any devices in VLAN1, simply shutdown the VLAN1 interface.

Hi dtadmin,

You can assign a separate VLAN on whatever port of your switch, and just use that as the management VLAN; nothing particular has to be done. Other platforms have dedicated management ports, but that's not the case for the 6509. To secure the access you have to apply a proper ACL to the vtys, something like this:


line vty 0 4
 session-timeout 30
 access-class MANAGEMENT in
 exec-timeout 30 0
 password whatever
 transport input telnet ssh

where MANAGEMENT is the name of the ACL where you limit the traffic.

If you're using the switch as a L3 device, you can also use VRFs: put the management interface in its own VRF, thus making it unreachable from the global internet.

Cheers,
]\/[arco

Author

Commented:
I do have devices in vlan1 unfortunately....

Don Johnston, Instructor, Top Expert 2015
Commented:
Really?

I would get those devices out of VLAN1.

Beyond that, there's no reason to restrict telnet access to a particular VLAN interface, but if you want to, you can block it with an ACL.

access-list 101 deny tcp any host <VLAN1 interface address> eq 23
access-list 101 permit ip any any
int vlan 1
 ip access-group 101 in


Author

Commented:
Is there any supporting documentation for not having devices in VLAN 1? I understand, but my boss will want to see it.

Even with customer devices in VLAN 1, you can apply the ACL to the vty lines and make sure that others cannot connect to your switch. However, please delete VLAN 1 from all trunks, and don't use it. It's best practice not to use VLAN 1, since it's the default AND it's untagged. See for example here http://www.ciscopress.com/articles/article.asp?p=358549 for the official word on it from Cisco Press.

Cheers,
]\/[arco
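The two ACL fragments in this thread (the vty access-class Marco references, and Don's interface ACL on the VLAN 1 SVI) can be combined into one complete IOS configuration. The following is an added example, not configuration posted by either expert: it defines the MANAGEMENT ACL that Marco's access-class refers to, restricts the vtys to SSH from the management subnet, applies Don's telnet-blocking ACL to the VLAN 1 SVI, and removes VLAN 1 from a trunk as Marco advises. The VLAN numbers (99 for management, 999 as the unused native VLAN), the subnets 10.99.0.0/24 and 10.1.0.0/24, the interface name and the username are all assumptions chosen for illustration.

```cisco
! Constructed example: management VLAN 99, admin stations on 10.99.0.0/24.
! VLAN IDs, addresses, interface names and credentials are assumptions.
vlan 99
 name MANAGEMENT
!
interface Vlan99
 description Management SVI (switch is managed only via this address)
 ip address 10.99.0.1 255.255.255.0
 no shutdown
!
! Standard ACL named MANAGEMENT, as referenced by "access-class MANAGEMENT in".
! Only the management subnet may open a vty session; everything else is logged and dropped.
ip access-list standard MANAGEMENT
 permit 10.99.0.0 0.0.0.255
 deny   any log
!
! Local account used by "login local" below (constructed placeholder secret).
username netadmin secret ChangeMe-Placeholder
!
line vty 0 4
 access-class MANAGEMENT in
 exec-timeout 30 0
 login local
 transport input ssh
!
! Don's ACL on the VLAN 1 SVI, with the placeholder address filled by an assumed 10.1.0.1.
! With "transport input ssh" above, telnet is already refused; this blocks it at the interface as well.
ip access-list extended VLAN1-IN
 deny   tcp any host 10.1.0.1 eq 23
 permit ip any any
!
interface Vlan1
 ip address 10.1.0.1 255.255.255.0
 ip access-group VLAN1-IN in
!
! Remove VLAN 1 from the trunk and move the native VLAN to an unused ID,
! so no user or management data rides untagged on VLAN 1.
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan remove 1
```

SSH on the vtys additionally needs a hostname, an ip domain-name and RSA keys generated with crypto key generate rsa before "transport input ssh" will accept sessions. Removing VLAN 1 from the allowed list stops user data on that VLAN but, as Don notes below, control protocols such as CDP, VTP and DTP still use it, which is why the remaining hosts should also be moved out of VLAN 1.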
Don Johnston, Instructor, Top Expert 2015
Commented:
The reason behind not using VLAN1 for user traffic is that there are various types of administrative traffic on that VLAN (DTP, VTP, CDP, etc.).
