VLAN ip for Cisco switch

Posted on 2016-09-27
Last Modified: 2016-10-12
I have a question about the following configuration that was previously configured, and I'm hoping someone could help give me some idea why the switch (C3750X) did not have interface Vlan1 configured with an IP address.

Most of the Catalyst switches were configured with a VLAN as in Example 1.
Example 1
interface Vlan1
 ip address 10.10.100.1 255.255.0.0
 no ip route-cache cef
 no ip route-cache

But one of the switches (C3750X) was somehow configured differently, as below:
interface FastEthernet0
 description connectToC4948-10G (Gi1/47,48)
 ip address 10.10.200.1 255.255.0.0
 no ip route-cache
.
.
.
interface Vlan1
 no ip address
 shutdown
Question by:techy98
LVL 25

Expert Comment

by:Cyclops3590
ID: 41817902
That's because the 3750X is a layer 2/3 switch, so it can have IPs assigned to interfaces. Layer 2 switches generally only have SVIs (switch virtual interfaces) attached to VLAN logical interfaces, and typically only a single one for management purposes.

LVL 32

Expert Comment

by:Predrag
ID: 41817991
On many Cisco devices, including the 3750, Fa0 is a routable (L3) interface and you can configure an IP address on it without issuing the no switchport command under the interface. Typical usage of that port is out-of-band management.

LVL 14

Expert Comment

by:SIM50
ID: 41818005
some idea why the switch (C3750X) was not configured interface Vlan1 with an IP address

Basically, it's a security measure, and according to Cisco best practices VLAN 1 should be disabled. VLAN 1 was never intended to carry data traffic; it was designed to carry management and control traffic, and thus it can't be deleted. So you have a VLAN that spans your whole network if it is not pruned, and it can also potentially give unauthorized access to the management network.

The link to Cisco guide: http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
LVL 25

Expert Comment

by:Cyclops3590
ID: 41818040
You are not limited to just Fa0 to assign ports. It's a layer 3 switch, meaning you can have it do routing (as has been mentioned already). Also, by definition Fa0 is not out of band; it's in band, as it's part of the network. Out of band is going to involve an Avocent or some other device you dial into and then use to console into the switch via the console port on the 3750X.

SIM50 is correct that VLAN 1 is typically kept as the native VLAN and its use is discouraged for security reasons; however, you'll still typically see it around (again, as mentioned) because it's the default.

Simply, it's a layer 3 switch. Nothing more complicated than that.

LVL 32

Assisted Solution

by:Predrag
Predrag earned 600 total points
ID: 41818058
LVL 25

Expert Comment

by:Cyclops3590
ID: 41818097
@Predrag: I guess it boils down to personal preference then. Personally, I (and others as well) would not consider that to be OOB mgmt. OOB mgmt needs to be completely separate from the data ports (and the hardware associated with them) that are on the in-band side of the device. Again, just personally, I would not recommend using Fa0 as the OOB mgmt port. Great for setup, but it has some limitations and can fail you in edge-case failure scenarios (yes, I've seen them). Just saying, use the real console port for OOB. I'll leave it at that, as it'd just get too far from what the author is asking.

However, I'm not disputing that this is probably why the config is the way it is, since that is how the Cisco docs show how to configure "OOB" mgmt on these switches. The reason I stand by the layer 3 answer is that layer 2 switches won't do IPs at the interface level. Layer 3 will, though.

LVL 32

Expert Comment

by:Predrag
ID: 41818178
The 2960-X is somewhat of both worlds, but it is typically used as an L2 switch (IP Base can have 16 static routes and still have an Fa0 interface; also, LAN Base image switches have a usable Fa0 port). Also, the 2960-X and 3560-X 8-port PoE models do not have an Fa0 interface, so not all L2 devices lack a routed port and not all L3 devices have one. :)

LVL 25

Expert Comment

by:Cyclops3590
ID: 41818183
You missed my point. But as I said, I'm leaving it there.

There is enough here that the author's question has been answered.


Author Comment

by:techy98
ID: 41833658
Thanks so much for both of your inputs. The reason I asked was that most of the L2 switches (2050/2960) were configured with an IP on interface Vlan 1, and those switches could be telnetted to directly, but not the 3750X switch. I have to telnet through the core switch.
Would it be related to any security reason that it would be allowed to telnet directly? I'd appreciate it if you could share more insight.

LVL 25

Accepted Solution

by:Cyclops3590
Cyclops3590 earned 1400 total points
ID: 41836938
Well, I don't want to speak as to the intent of the person that originally set it up. However, as Predrag pointed out, in this case the Ethernet port is being used as an OOB mgmt port. Out of band means it's separate from the rest of the network; in this case, that is due to code-imposed limitations, not the physical separation that console ports and such have.

In order to log into the 3750X or the L2 switches, you must be able to reach them from a layer 3 perspective. Since the port on the 3750X is logically separated from the rest of your network, you must, in your case, force the path through the core switch to get to it. You don't have to with the L2 switches, because the Vlan1 interface is a virtual interface available via any port on the switch.

Personally, the way I always do mgmt ports is an OOB connection via the console port over a dial-in connection (clearly that is not feasible for everyone), and then a VLAN/SVI port for the in-band mgmt address, and I ensure all mgmt ports are on a separate VLAN that is ACL controlled, or at least controlled in some manner. But the point is that the 3750X has its Ethernet port in OOB mode and as such can't be reached via normal in-band routes, at least from what you're describing. Maybe a static route would help you, or just take that port out of OOB configuration and move the IP to a virtual interface like you're used to seeing on L2 switches.

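As an added example (not from the thread or any of its posters), this is what the in-band management design described in the accepted solution looks like in IOS configuration syntax on the 3750X: the management IP lives on an SVI in a dedicated management VLAN instead of the logically separated Fa0 port, Vlan1 stays without an address and shut down as SIM50's Cisco reference recommends, and an access-class on the vty lines restricts which hosts can open a session to the switch. VLAN 100, the 10.10.250.0/24 subnet, and the admin host 10.10.250.50 are made-up placeholders.

```cisco
! Added example, not the thread's configuration. VLAN 100, 10.10.250.0/24
! and 10.10.250.50 are placeholders; substitute your own values.
!
! VLAN 1 keeps no address and stays shut down (Cisco best practice).
interface Vlan1
 no ip address
 shutdown
!
! Dedicated management VLAN, trunked like any other VLAN.
vlan 100
 name MGMT
!
! In-band management SVI: reachable through any port that carries
! VLAN 100, so no detour via the core switch to reach Fa0 is needed.
interface Vlan100
 ip address 10.10.250.1 255.255.255.0
 no shutdown
!
! Only the admin station on the management subnet may open a vty
! session; everything else is dropped and logged.
ip access-list standard MGMT-ACCESS
 permit host 10.10.250.50
 deny any log
!
line vty 0 15
 access-class MGMT-ACCESS in
!
! Verification after applying:
!   show ip interface brief          (Vlan100 should be up/up)
!   show access-lists MGMT-ACCESS    (deny counter rises on blocked hosts)
```

The Fa0 management port can be left as the out-of-band path or shut down if it is no longer used; either way the in-band address now behaves like the Vlan1 addresses on the L2 switches the questioner is used to.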

Author Closing Comment

by:techy98
ID: 41840143
Thanks for the further explanation; that helps with understanding.
