as it may appear from the following question, I am still confused about configuring/securing a L3 switch (such as a cisco 3650).
I was told that (please confirm that) in a new cisco switch it is suggestible to remove all access ports from VLAN 1 which is used as default management VLAN to avoid the risk that anyone connecting to any ports will have access to the network backbone. (correct?).
Now, if I make a management VLAN different from VLAN 1, let's say VLAN 50, I would have to assign an access port to it in order to bring the interface up (correct?) and the workstation connected to that port should be the only one able to access the management VLAN unless IP routing is configured in the L3 switch (InterVLAN) and other workstations connected to different VLANs can still connect to VLAN 50 (which is not what we want, right?). So what is the solution? Create and ACL and permit traffic to VLAN 50 only from a specific workstation?
About the case when a L2 switch (access switch) is configured also with a VLAN 50 as management and trunked to my 3650: do I have to assign an access port to VLAN 50 also and connect that port to my L3 VLAN 50 or I can just control the L2 switch from my L3 as VLAN 50 is propagated through the trunk connection? ...hope this is clear :))
thank you for your help