How can I make a specific port a management port on a Cisco switch for auditing


I was wondering if it is possible to create or indicate another port on a different VLAN to act as a management port and still keep the default management port on VLAN 1. I have created a 2nd VLAN to handle all network traffic and now I have a requirement to audit my switches. I wanted to install the CNA software onto one of my servers connected to VLAN 2 as well as GFI Events Manager to be able to pull audit info from that specific port. Also, I have multiple switches connected in series and want to be able to pull their info as well, but I need to pull it from just the one switch. Setup is as follows:

VLAN1= Unclassified / Management
VLAN2= Classified
Port 23= server that would be used to pull auditing info from switches

I'm not sure if any of this is possible but would greatly appreciate any help.
Thank You
btan (Exec Consultant) commented:
There are security risks associated with using any VLAN. VLAN 1, although it is the native VLAN on Cisco switches, is just like any other VLAN. Using VLAN 1 is actually "not" an issue; it is just like any other VLAN, other than that it is there right out of the box. If you are worried about security, moving VLANs is only going to help you a little.

This article is good reading on shifting traffic from VLAN 1 to another VLAN via bridging.

But I still think that if the Cisco device is hardened, the VLAN control can still be secure. Please see:

E.g. use of a VLAN map to prevent hosts that are contained within the same VLAN from communicating with each other, use of PACLs applied in the inbound direction on Layer 2 physical interfaces of a switch, etc.

Overall, I believe PVLANs may be worth considering to create the primary and secondary VLANs. Private VLANs (PVLANs) are a Layer 2 security feature that limits connectivity between workstations or servers within a VLAN. Without PVLANs, all devices on a Layer 2 VLAN can communicate freely.

There are three types of Private VLANs: isolated VLANs, community VLANs, and primary VLANs. The configuration of PVLANs makes use of primary and secondary VLANs. The primary VLAN contains all promiscuous ports, which are described later, and includes one or more secondary VLANs, which can be either isolated or community VLANs.

When implementing PVLANs, it is important to ensure that the Layer 3 configuration in place supports the restrictions that are imposed by PVLANs and does not allow for the PVLAN configuration to be subverted. Layer 3 filtering using a Router ACL or firewall can prevent the subversion of the PVLAN configuration.

Overall, the goal should be to isolate your higher security devices (management interfaces to infrastructure devices) on another segment (VLAN) away from your users and VLAN 1. As mentioned, using VLAN 1 as your native VLAN is not a large security risk. It is just the default VLAN out of the box. It is just that most of the time best practices dictate that you should use something else.

To minimise any risk whilst still "reusing" VLAN 1, after also considering the aforementioned hardening guide and VLAN design, you can add a few pointers if that does not further complicate your objective:

1. Move all your unused ports to an unused VLAN. When you make a vacant port live, you just need to move it back into VLAN 1 and away you go.

2. Shut down all vacant ports.

3. Stop ports that are not trunks from being able to trunk.
e.g. all ports by default are set up to be able to trunk. Any LAN intruder could plug a switch in and then get a trunk to all your VLAN traffic. If the ports are connected to network hosts, ensure you have them in access mode by using < switchport mode access >.

4. Make sure that all the devices on your network are on and then apply < sticky port mode security > with a MAC limit of 1 to the ports. This can be too restrictive, though.

5. Make sure your switches are located in locked cabinets in locked rooms if at all possible. Optional, if physical security is of concern, especially during the assessment period.
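The pointers above, put together for the asker's layout as an added Catalyst IOS configuration (this is not from the thread's participants or from Cisco's documentation): the single Layer 2 management SVI moves from VLAN 1 to VLAN 2, the audit server's port is locked down, vacant ports are parked and shut, and only the audit server may poll SNMP or open a management session. The addressing (10.2.0.0/24 for VLAN 2, gateway 10.2.0.1, server at 10.2.0.23 on FastEthernet0/23), the parking VLAN 999, the interface range and the SNMP names are assumptions chosen for the example.

```cisco
! Added example, not from the thread. Assumed: VLAN 2 = 10.2.0.0/24, gateway 10.2.0.1,
! audit server 10.2.0.23 on Fa0/23, Fa0/10-22 vacant, VLAN 999 used only as a parking VLAN.
vlan 2
 name Classified-Mgmt
vlan 999
 name Parking
!
! VLAN 1 cannot be deleted, so just take its address away; a Layer 2 Catalyst
! only supports one active management SVI, so VLAN 1's SVI goes down first.
interface Vlan1
 no ip address
 shutdown
!
! The new management SVI: it only comes up once at least one VLAN 2 port is up/up.
interface Vlan2
 description Management SVI
 ip address 10.2.0.10 255.255.255.0
 no shutdown
!
ip default-gateway 10.2.0.1
!
! Audit-server port: access mode, DTP off so it can never become a trunk,
! sticky port security learns the server's single MAC and shuts the port on a violation.
interface FastEthernet0/23
 description Audit server (CNA / GFI Events Manager)
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 no shutdown
!
! Vacant ports: parked in the unused VLAN and administratively down.
interface range FastEthernet0/10 - 22
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Only the audit server may poll SNMP or log in; everything else is dropped and logged.
ip access-list standard MGMT-HOSTS
 permit host 10.2.0.23
 deny   any log
!
snmp-server view AUDIT-VIEW iso included
snmp-server group AUDIT v3 priv read AUDIT-VIEW access MGMT-HOSTS
snmp-server user auditor AUDIT v3 auth sha <auth-pass> priv aes 128 <priv-pass>
!
! Syslog to the same server, sourced from the management SVI.
logging host 10.2.0.23
logging trap informational
logging source-interface Vlan2
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

Order matters when applying this over a live session on VLAN 1: bring up the VLAN 2 SVI and a VLAN 2 port first, confirm reachability from 10.2.0.23, and only then shut the VLAN 1 SVI, otherwise the session is lost. After the audit server has been seen on Fa0/23, check that `show port-security address` lists its MAC as sticky and that `show running-config` now contains the learned `switchport port-security mac-address sticky <mac>` line, then save.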
Craig Beck commented:
Most newer Cisco Switches have a separate physical port which can be used for OOB management.
btan (Exec Consultant) commented:
Also, not forgetting: you cannot rename or delete VLAN 1.
A switch can only create VLANs if it is in VTP server mode or VTP transparent mode.
You can assign the ports of a Layer 2 Catalyst switch to multiple VLANs, but the switch only supports one active management VLAN interface at a time.

Creating Ethernet VLANs on Catalyst Switches

How To Add, Modify, and Remove VLANs on a Catalyst Using SNMP

Managing vlan.dat in Cisco Catalyst Switches Running Cisco IOS Software
Craig Beck commented:
"You can assign the ports of a Layer 2 Catalyst switch to multiple VLANs, but the switch only supports one active management VLAN interface at a time."
True, you can only have one management SVI; however, if you use the OOB management port (if present) you can have one management address attached to an SVI as well as one management address configured on the dedicated management port...
btan (Exec Consultant) commented:
Thanks... and an SVI will not be active until it is associated with a physical port.
There is always a one-to-one mapping between a VLAN and an SVI, meaning only one SVI can be mapped to a VLAN.