dtadmin
Cisco Management VLAN
Currently I have a Cisco 6509 layer 3 switch in my core. It also houses my VLAN database. I have probably 8 to 10 VLANs. Currently I am using the default VLAN 1 to manage my switches from. I want to move away from this and build a management VLAN. Is there anything special I need to do other than building another VLAN and assigning an IP address to it? How do I deny telnet access into VLAN 1 after I designate a management VLAN?
Hi dtadmin,
You can assign a separate VLAN on whatever port of your switch, and just use that as the management VLAN; nothing particular has to be done. Other platforms have dedicated management ports, but that's not the case for the 6509. To secure the access you have to apply a proper ACL to the vtys, something like this:
line vty 0 4
 session-timeout 30
 access-class MANAGEMENT in
 exec-timeout 30 0
 password whatever
 transport input telnet ssh
where MANAGEMENT is the name of the ACL where you limit the traffic.
If you're using the switch as an L3 device, you can also use VRFs: put the management interface in its own VRF, thus making it unreachable from the global internet.
Cheers,
]\/[arco
ASKER
I do have devices in VLAN 1, unfortunately...
ASKER
Is there any supporting documentation for not having devices in VLAN 1? I understand, but my boss will want to see it.
Even with customer devices in VLAN 1, you can apply the ACL to the vty lines and make sure that others cannot connect to your switch. However, please delete VLAN 1 from all trunks and don't use it. It's best practice not to use VLAN 1, since it's the default AND it's untagged. See for example here http://www.ciscopress.com/articles/article.asp?p=358549 for the official word on it from Cisco Press.
Cheers,
]\/[arco
The reason for not using VLAN 1 for user traffic is that there are various types of administrative traffic on that VLAN (DTP, VTP, CDP, etc.).
Nope.
>How do I deny telnet access into vlan 1 after I designate a management vlan?
If you don't have any devices in VLAN 1, simply shut down the VLAN 1 interface.
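Putting the pieces from this thread together (the vty ACL from the first answer, pruning VLAN 1 from the trunks, and shutting the VLAN 1 SVI once nothing else depends on it), here is an added IOS configuration example that is not taken from any post in the thread. VLAN 99, the 10.99.0.0/24 management subnet, the address 10.99.0.5 and the trunk port GigabitEthernet1/1 are constructed placeholders; it also assumes SSH (keys, `ip ssh`, local users) is already set up, so only SSH is allowed on the vtys.

```cisco
! Management VLAN and the switch's own address in it (constructed values)
vlan 99
 name MANAGEMENT
!
interface Vlan99
 description Switch management SVI
 ip address 10.99.0.5 255.255.255.0
 no shutdown
!
! Only hosts in the management subnet may open a vty session;
! everything else is dropped and logged so stray attempts show up in syslog
ip access-list standard MANAGEMENT
 permit 10.99.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MANAGEMENT in
 exec-timeout 30 0
 login local
 transport input ssh
!
! Keep VLAN 1 user traffic off the trunks (repeat per trunk port)
interface GigabitEthernet1/1
 switchport trunk allowed vlan remove 1
!
! Once no device still needs VLAN 1, take its SVI down so it is no longer
! a reachable management path
interface Vlan1
 shutdown
```

After applying it, check from a host outside 10.99.0.0/24 that an SSH attempt is refused and that a `deny` log line appears; note that removing VLAN 1 from the trunk's allowed list does not stop the untagged control-plane traffic (CDP, VTP, DTP) mentioned above, it only keeps user data off that VLAN.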