Moving VLAN 1 from management VLAN.

Hello,
as it may appear from the following question, I am still confused about configuring/securing an L3 switch (such as a Cisco 3650).
I was told that (please confirm this) in a new Cisco switch it is suggested to remove all access ports from VLAN 1, which is used as the default management VLAN, to avoid the risk that anyone connecting to any port will have access to the network backbone (correct?).
Now, if I make a management VLAN different from VLAN 1, let's say VLAN 50, I would have to assign an access port to it in order to bring the interface up (correct?), and the workstation connected to that port should be the only one able to access the management VLAN unless IP routing is configured in the L3 switch (inter-VLAN) and other workstations connected to different VLANs can still connect to VLAN 50 (which is not what we want, right?). So what is the solution? Create an ACL and permit traffic to VLAN 50 only from a specific workstation?
About the case when an L2 switch (access switch) is also configured with VLAN 50 as management and trunked to my 3650: do I have to assign an access port to VLAN 50 as well and connect that port to my L3 VLAN 50, or can I just control the L2 switch from my L3 since VLAN 50 is propagated through the trunk connection? ...hope this is clear :))

thank you for your help

thank you
ggRM7865Asked:

jburgaardCommented:
I think all your assumptions are OK.
VLAN 50 is carried through the trunk without an access port on the L2 switch.
rgormanCommented:
If you are paranoid that someone on the regular LAN in the office may try to access your switches, you can move the management IP over to a VLAN that they cannot route to as one option for helping to secure access to the switches. If your management VLAN is not routable from the regular LAN, then only PCs that are connected to switch ports on that VLAN will be able to access that VLAN interface to manage the switch.

Another option would be to just create an access list with the IPs of management PCs allowed to connect to the management interface and apply the access list to the VTY lines so that only specific IPs are able to telnet to the switch (or SSH if you enable that). In this case you wouldn't need to worry so much about a dedicated management VLAN while still getting some enhanced security.

You can also enable username and password access to the router which adds yet another level of security.

I personally don't bother with management VLANs unless I have a product that breaks out the management port completely from the switch ports.

VLAN interfaces do not come UP unless there is a switchport on that VLAN that has an active connection to it.

If you have a dedicated management VLAN and it is not routable through your network, and you want to get to it from a separate switch, you will need to make sure to trunk the VLAN between the switches and assign the VLAN to the switch port your management PC is connected to.

Don JohnstonInstructorCommented:
I was told that (please confirm this) in a new Cisco switch it is suggested to remove all access ports from VLAN 1, which is used as the default management VLAN, to avoid the risk that anyone connecting to any port will have access to the network backbone (correct?).
Well... not really.  There is no default management VLAN.  For that matter, there is no "management" VLAN.  You can manage the switch on any VLAN that has an IP address.
Now, if I make a management VLAN different from VLAN 1, let's say VLAN 50, I would have to assign an access port to it in order to bring the interface up (correct?), and the workstation connected to that port should be the only one able to access the management VLAN unless IP routing is configured in the L3 switch (inter-VLAN) and other workstations connected to different VLANs can still connect to VLAN 50 (which is not what we want, right?).
If this is a layer 2 switch and there is no inter-VLAN routing being done anywhere, then yes. You would need a device connected to a VLAN50 port.  But there's almost always inter-VLAN routing being done somewhere.
So what is the solution? Create an ACL and permit traffic to VLAN 50 only from a specific workstation?
That would be one solution (and not a bad one). The other would be to assign a password to control access to the switch management.
About the case when an L2 switch (access switch) is also configured with VLAN 50 as management and trunked to my 3650: do I have to assign an access port to VLAN 50 as well and connect that port to my L3 VLAN 50, or can I just control the L2 switch from my L3 since VLAN 50 is propagated through the trunk connection?
You don't need a physical port assigned to VLAN50. You would manage the switch from any workstation on any VLAN (unless you're using an ACL to limit access from certain IP addresses).
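The approach rgorman and Don Johnston describe, put together as an added Cisco IOS example (not configuration from the original thread): an in-band VLAN 50 SVI on the 3650, a VTY access-class so only the admin workstation can open management sessions even though inter-VLAN routing exists, and an access switch managed over the trunk with no VLAN 50 access port. Interface names, the 10.50.0.0/24 range, the admin host 10.50.0.10 and the ACL name MGMT-HOSTS are constructed values for this example.

```cisco
! ===== 3650 (L3 core) - constructed example =====
vlan 50
 name MGMT
!
! Standard ACL naming the only host allowed to reach the VTY lines.
ip access-list standard MGMT-HOSTS
 permit 10.50.0.10
 deny   any log
!
interface Vlan50
 description in-band management SVI
 ip address 10.50.0.1 255.255.255.0
!
! VLAN 50 rides the trunk; an up trunk that allows VLAN 50 is enough
! to bring the SVI up, so no dedicated access port is required.
interface GigabitEthernet1/0/48
 description trunk to access switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20,50
!
! Prerequisites for SSH (hostname, ip domain-name, crypto key generate rsa)
! are assumed to be in place. Replace the secret with your own.
username admin privilege 15 secret <PLACEHOLDER-SECRET>
ip ssh version 2
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
!
! ===== access switch (L2) - constructed example =====
vlan 50
 name MGMT
!
interface Vlan50
 ip address 10.50.0.2 255.255.255.0
ip default-gateway 10.50.0.1
!
interface GigabitEthernet1/0/24
 description trunk to 3650
 switchport mode trunk
 switchport trunk allowed vlan 10,20,50
!
ip access-list standard MGMT-HOSTS
 permit 10.50.0.10
 deny   any log
username admin privilege 15 secret <PLACEHOLDER-SECRET>
ip ssh version 2
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
```

Hosts on other VLANs can still route to 10.50.0.0/24, but the access-class rejects their SSH attempts at the VTY and the `log` keyword records each rejected source for monitoring.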
Craig BeckCommented:
A 3650 has a dedicated management port which is totally segregated from the network.  You could connect a PC to the management port to manage the switch 'out-of-band', or you could connect the management port to a separate physical switch which is used only to connect the management ports from multiple switches together.

Of course, as Don said, any SVI on the switch can be used as the management interface, but that would be 'in-band', and would offer the opportunity for anyone to access the management interface unless you secure it with ACLs (as you already said).
ggRM7865Author Commented:
Thank you all for sharing....