Management VLAN Design and Implementation

Greetings, friends.  I'm having trouble getting a clear picture of how a management VLAN ought to look.  I just installed a Catalyst 6509-E as my core switch, and as soon as they arrive I'm going to be replacing all of our other (HP) switches with Catalyst 3560X switches.  I understand the reasoning behind segregating traffic, not using VLAN1, etc., but I've never actually implemented a management VLAN--I've always just accessed the switches via the IPs assigned to them where all the client traffic flows (not VLAN1, by the way).
Is "management VLAN" simply what we as humans call a VLAN we dedicate to management activities, or is there something official in these switches to designate a "management VLAN?"
Is it best practice to include SNMP, netflow, syslog, and NTP as "management" traffic?
There's a lot of documentation talking -about- management and management VLANs, but unless I'm blind or not looking hard enough I can't seem to find any implementation whitepapers or best practices whitepapers that demonstrate setting one up on a campus LAN.  Are you able to point me in the right direction to find such documentation?  Is it perhaps buried in a manual somewhere that isn't explicitly labeled "Management VLAN Design and Implementation" or somesuch?
What is the best practice for accessing the management VLAN?  Inter-VLAN routing + ACLs?  Multi-homed PCs or servers?  Additional PCs to be used as access stations?
Thank you for your wisdom, experience, and advice!
Kevin

1. Yes, you may want to keep this traffic separate from the other traffic, limiting device management access to just this VLAN, as this prevents eavesdropping.
2. Indeed all other housekeeping goes via this VLAN, although you could limit it to the interactive or session traffic.
3. On a campus you could think of one big VLAN spanning the campus; in a multi-site environment, or where you use L3 to go to your datacenters, you probably need multiple management LANs. I've seen implementations where the management traffic was kept separate and didn't even use the routing protocol in use. The whole management LAN was statically routed and would work even if OSPF or BGP was down.
4. I feel a situation where the people providing support are connected on the LAN giving access to the devices is probably best. A dual-homed PC is a good solution I think; other customers feel the management LAN should be treated as a DMZ accessible via a firewall, but the hardcore customers insist on a second PC connected to the management LAN.
Points to consider are, as always:
Find the single point of failure: any device (L2, L3, firewall) that could cut off management from accessing a part of the network.
Find the right balance between security, cost and ease of access for the business you're in.
Cheers,
Michel
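A configuration sketch for the in-band management VLAN Kevin asks about, added here as an example and not taken from either post: a Catalyst 3560X access switch with its only SVI in the management VLAN, session access (SSH, HTTPS, SNMP) limited to the management subnet by ACL, housekeeping traffic sourced from that SVI, and an ACL on the core's management SVI that answers the "inter-VLAN routing + ACLs" question. The VLAN number, addresses, interface names, username and community-string placeholders are assumptions.

```ios
! Added example, not from the thread. Assumed: VLAN 100 = management,
! subnet 10.100.0.0/24, core gateway 10.100.0.1, this switch 10.100.0.11,
! syslog/NTP/SNMP server 10.100.0.50, support jump hosts in 10.20.0.0/24.
!
! ---------- access switch (Catalyst 3560X, Layer 2 only) ----------
vlan 100
 name MGMT
!
! The only SVI on the access switch is the management one.
interface Vlan100
 description Management SVI (in-band)
 ip address 10.100.0.11 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
! Default gateway on the management subnet for a Layer 2 switch.
! (With "ip routing" enabled, use "ip route 0.0.0.0 0.0.0.0 10.100.0.1" instead.)
ip default-gateway 10.100.0.1
!
! Only stations on the management subnet may open sessions to the switch;
! every other attempt is dropped and logged.
ip access-list standard MGMT-HOSTS
 remark management stations and jump hosts on VLAN 100
 permit 10.100.0.0 0.0.0.255
 deny   any log
!
! Same filter as a numbered ACL, for features that only accept one.
access-list 10 permit 10.100.0.0 0.0.0.255
access-list 10 deny   any log
!
! Interactive access: SSH version 2 only, ACL on the vty lines, idle timeout.
username admin privilege 15 secret CHANGE-ME-PLACEHOLDER
ip domain-name example.local
ip ssh version 2
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
!
! Web UI, if kept at all: HTTPS only, with the same source filter.
no ip http server
ip http secure-server
ip http access-class 10
!
! Housekeeping traffic (SNMP, syslog, NTP) is sourced from the management SVI,
! and SNMP polling is restricted to the management subnet by ACL 10.
snmp-server community PLACEHOLDER-RO-STRING RO 10
snmp-server trap-source Vlan100
snmp-server host 10.100.0.50 version 2c PLACEHOLDER-RO-STRING
logging source-interface Vlan100
logging host 10.100.0.50
ntp source Vlan100
ntp server 10.100.0.50
!
! ---------- core switch (Catalyst 6509-E, the Layer 3 hop) ----------
! Inter-VLAN routing plus ACL: only the jump hosts may be routed into the
! management subnet, and only on SSH and HTTPS; anything else aimed at VLAN 100
! is dropped and logged. Replies from the switches leave through the inbound side.
ip access-list extended TO-MGMT
 permit tcp 10.20.0.0 0.0.0.255 10.100.0.0 0.0.0.255 eq 22
 permit tcp 10.20.0.0 0.0.0.255 10.100.0.0 0.0.0.255 eq 443
 deny   ip any 10.100.0.0 0.0.0.255 log
 permit ip any any
!
interface Vlan100
 description Management subnet gateway (core)
 ip address 10.100.0.1 255.255.255.0
 ip access-group TO-MGMT out
```

The `deny ... log` entries give the syslog server a record of every attempt to reach the management plane from outside the permitted hosts, which is the detection side of the design.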

Similar Messages

  • Ask the Expert: Plan, Design, and Implement Mobile Remote Access, the Cisco Collaboration Edge Architecture

    Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about planning, designing, and implementing mobile remote access (Cisco Collaboration Edge Architecture) with Cisco subject matter experts Aashish Jolly and Abhijit Anand.
    Cisco Collaboration Edge Architecture is an architecture that provides VPN-less access of Cisco Unified Communications resources to Cisco Jabber® users. This discussion is dedicated to addressing questions about design best practices while implementing mobile remote access.
    For more information, refer to the Unified Communications Mobile and Remote Access via Cisco VCS deployment guide. 
    Aashish Jolly is a network consulting engineer who is currently serving as the Cisco Unified Communications consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center (TAC), where he helped Cisco partners with installation, configuring, and troubleshooting Cisco Unified Communications products such as Cisco Unified Communications Manager and Manager Express, Cisco Unity® solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco Unified Communications for more than seven years. He holds a bachelor of technology degree as well as Cisco CCIE® Voice (#18500), CCNP® Voice, and CCNA® certifications and VMware VCP5 and Red Hat RHCE certifications.
    Abhijit Singh Anand is a network consulting engineer with the Cisco Advanced Services field delivery team in New Delhi. His current role involves designing, implementing, and optimizing large-scale collaboration solutions for enterprise and defense customers. He has also been an engineer at the Cisco TAC. Having worked on multiple technologies including wireless and LAN switching, he has been associated with Cisco Unified Communications technologies since 2006. He holds a master’s degree in computer applications and multiple certifications, including CCIE Voice (#19590), RHCE, and CWSP and CWNP.
    Remember to use the rating system to let Aashish and Abhijit know if you have received an adequate response. 
    Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation on the Cisco Support Community Collaboration, Voice and Video page, in the Jabber Clients subcommunity, shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hi Marcelo,
       Yes, there are some requirements for certificates in Expressway.
    Expressway Core (Exp-C)
    - Can be signed by either External or Internal CA
    - Better to use a cluster name even if you start with 1 peer in Exp-C cluster. In the future, if more peers are added, changes would be minimal.
    - Better to use FQDN of cluster as CN of certificate, this way the traversal zone configuration on Expressway-E won't require any change even if new peers are added to Exp-C cluster.
    - If CUCM is mixed mode, include security profile names (in FQDN format) as Subject Alternate Names
    - The Chat Node Aliases that are configured on the IM and Presence servers. They will be required only for Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note that Unified Communications XMPP federation will be supported in a future Expressway release). The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
    - For TLS b/w CUCM, IM-P & Exp-C
      + If using self-signed certificates on CUCM, IM/P. Load Cisco Tomcat, cup, cup-xmpp certificates from IM-P on Exp-C. Load callmanager, Cisco Tomcat certificates from CUCM on Exp-C.
      + If using Internal CA signed certificates on CUCM, IM/P. Load Root CA certificates on Exp-C.
      + Load CA certificate under tomcat-trust, cup-trust, cup-xmpp-trust on IM-P.
      + Load CA certificate under tomcat-trust, callmanager-trust on CUCM.
    Expressway Edge (Exp-E)
    - Signed by External CA
    - Configured Unified Communications domain as Subject Alternate Name
    - If using a cluster, select FQDN of this peer as CN and FQDN of Cluster + this peer as Subject Alternate Name.
    - If XMPP federation is being deployed, enter the same Chat Node Aliases as entered in Exp-C.
    For more details, please refer to the Certificate Creation Guide for Cisco Expressway x8.1.1
    http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
    - Aashish

  • How to design and implement an application that reads a string from the ...

    How to design and implement an application that reads a string from the user and prints it one character per line???

    This is so trivial that it barely deserves the words "design" or "application".
    You can use java.util.Scanner to get user input from the command line.
    You can use String.getChars to convert a String into an array of characters.
    You can use a loop to get all the characters individually.
    You can use System.out.println to print data on its own line.
    Good luck on your homework.

  • Question on figure 3-4 of SNASw Design and Implementation guide

    Hello,
    on figure 3-4 on page 3-7 of the SNASw Design and Implementation guide there is an example code of SNASw port and links for Upstream Hosts.
    There is one port statement and two link statements, one for each host.
    However, assume I have one host with two OSA interfaces, can I use the same coding (two links, one for each OSA), as a redundancy mechanism of the OSAs? How can I choose the primary link?
    Or if I do this configuration I will achieve also load-balancing? (both links active)
    Regards, Apostolos.

    HPR is built on top of APPN with respect to path determination. In APPN the session path is determined by the Topology and Routing Services (TRS) component in the Network Node serving the device originating the session. TRS calculates this path by looking at the characteristics associated with each possible Transmission Group (TG, a.k.a. link) that can be used for the session. In the case you are talking about, where you have parallel TGs (two or more links) between two nodes, and unless you do some customizing of the TG profiles, they will have equal weight (desirability). This means that over time (and with enough sessions) you would see the load balanced over the two links. If you customize the TG profile (on SNASw you use the tgp keyword), you can achieve the result of all sessions on a primary link and no sessions on a backup link until the primary link fails. - Ray

  • CIC filter design and implementation

    I need a CIC (cascaded integrator-comb) filter - see here
    How can I design and implement it in CVI?
    Thanks
    Vix
    In claris non fit interpretatio
    Using LV 2013 SP1 on Win 7 64bit
    Using LV 8.2.1 on WinXP SP3
    Using CVI 2012 SP1 on Win 7 64bit, WinXP and WinXP Embedded
    Using CVI 6.0 on Win2k, WinXP and WinXP Embedded

    Hi,
    Although there is a specific toolkit named Digital Filter Design Toolkit in LabVIEW, there isn't a specific toolkit for CVI. 
    You can see these documents for more info:
    http://www.ni.com/white-paper/52336/en/
    http://www.ni.com/white-paper/14784/en/
    http://www.ni.com/white-paper/2859/en/
    http://zone.ni.com/reference/en-XX/help/371988F-01/lvdfdtconcepts/cic_filters/

  • Firewall/Switching/VLAN Design and Security considerations

    Hi,
    Consider the following:
    /SW3---|
    External--S1--FW---/ |Subnet 1
    | \ \ |
    | \__\SW4---|
    | /\
    | / /SW5--|
    External--S2--FW-/ |Subnet 2
    \ |
    \SW6--|
    Requirements:
    Router/Switch/Firewall/NIC resiliency. We can pretty much cover this with HSRP/redundant links(STP)/HA between firewalls/ and (HP) NIC Teaming.
    Question:
    Is it unreasonable to have SW3-SW6 physically on the one switch due to lack of available ports?
    I take it this wouldn't be the security purist's choice of implementation?
    If it is reasonable/doable, what are the features on IOS on switches eg. 2950's to implement this?
    Any help appreciated.
    Thanks
    Mark

    You can configure network security by using ACLs by either using the Cluster Management Suite (CMS) or through the command-line interface (CLI). You can also use the security wizard to filter inbound traffic on the Catalyst 2950 switches. Filtering can be based on network addresses or TCP/UDP applications. You can choose whether to drop or forward packets that meet the filtering criteria. To use this wizard, you must know how the network is designed and how interfaces are used on the filtering device. For more information refer to following url:
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008007e8ed.html#36127

  • Design and implementation

    We have below scenario.
    We have Stage Database
    With details like
    Car_Table
    Car manufacturer
    CAR cost center
    Car Registration Date
    Car Registration End Date
    Care Agreement Renevation
    Car Type
    LocationDetails
    Room Details
    From these we need to design below report
                          #Number of Cars   #CAr Type   #Number of Adds   #Number of Deletes
    Location Details            500            100             50                 10
    CAR cost center             100             20              5                  5
    Room Details                 50             40             10                  4
    * Note : in above Case Single CARID can move from one location/cost center/Room details to another.
    Also #Number of Adds means, Car Registration Date is not null and Car Registration End Date is null
    Also #Number of Delete means, Car Registration End Date is not null.
    Row Data is like given below
    Car   Agreement   Location   REgistartion_Start_Date   Registration_End_Date
    A1    ABC         Site 1     1-Jan-13                  31-Jan-13
    A1    DEF         Site 1     5-Jan-13                  28-Feb-13
    A1    GHI         Site 2     1-Mar-13                  31-Mar-13
    A1    JHL         Site 2     15-Feb-13                 10-Mar-13
    I convert this into below format
    Asset   Site     Date        Type
    A1      Site 1   1-Jan-13    Add
    A1      Site 1   5-Jan-13    Add
    A1      Site 1   31-Jan-13   Delete
    A1      Site 1   28-Feb-13   Delete
    A1      Site 2   15-Feb-13   Add
    A1      Site 2   1-Mar-13    Add
    A1      Site 2   10-Mar-13   Delete
    A1      Site 2   31-Mar-13   Delete

    Hi sandip satale,
    According to your description, you can use a T-SQL statement to get the results from the row data table; the results for “Location Details” include the following columns: Number of Cars, CAr Type, Number of Adds and Number of Deletes.
    Use Test;
    -- Row data table; the dates are stored as text and '' means "no date".
    create table rowdata
    ( carid int, cartype varchar(10), Agreement varchar(10), Location varchar(10),
      REgistartion_Start_Date varchar(20), Registration_End_Date varchar(20));
    insert into rowdata
    values
    (1,'A1', 'ABC', 'Site1', '1-Jan-13', '31-Jan-13'),
    (2,'A1', 'DEF', 'Site1', '5-Jan-13', '28-Feb-13'),
    (3,'A1', 'GHI', 'Site2', '1-Mar-13', '31-Mar-13'),
    (4,'A1', 'JHL', 'Site2', '15-Feb-13', '10-Mar-13'),
    (5,'A2', 'ABC', 'Site1', '1-Jan-13', '31-Jan-13'),
    (6,'A2', 'DEF', 'Site1', '5-Jan-13', '28-Feb-13'),
    (7,'A3', 'GHI', 'Site2', '1-Mar-13', '31-Mar-13'),
    (8,'A4', 'JHL', 'Site2', '15-Feb-13', '10-Mar-13'),
    (9,'A1', 'ABC', 'Site1', '1-May-13', '12-May-13'),
    (10,'A1', 'DEF', 'Site1', '5-MAr-13', ''),
    (11,'A1', 'ABC', 'Site2', '', '11-Mar-13');
    select * from rowdata;
    -- One summary row: distinct cars, distinct locations, rows that have a
    -- start date (adds) and rows that have an end date (deletes).
    select COUNT(distinct cartype) as numbercars, COUNT(distinct Location) as cartype,
    (select count(REgistartion_Start_Date) from rowdata WHERE REgistartion_Start_Date != '') as addnumber,
    (select count(Registration_End_Date) from rowdata WHERE Registration_End_Date != '') as deletenumber
    from rowdata;
    As in the other post, if you want to get a report about the number details of location, car cost center and room, you can post the issue on the SQL Server Reporting Services forum (http://social.technet.microsoft.com/Forums/sqlserver/en-US/home?forum=sqlreportingservices). It is appropriate and more experts will assist you.
    Regards,
    Sofiya Li
    TechNet Community Support

  • Can the same IP scheme be implemented to a new VLAN design?

    Hello,
    I have a one broadcast domain using, for example the 192.168.0.0/20 network. If a VLAN design is implemented, can the same IP scheme 192.168.0.0/20 be used or would it be something like 192.168.0.0/24 for the servers, 192.168.1.0/24 for the users, etc....?
    Also, what determines the use of VLANS? For example, I've read that if the broadcast traffic is 20% or more then a VLAN design should be implemented. Or is it best practice to implement VLANS regardless of broadcast traffic?
    Thank you,
    Alex

    Alex,
    Usually the best practice is to use vlans and keep the broadcast domain small.  A common practice is to use a /24 subnet per vlan.  
    192.168.0.0/24 vlan 10
    192.168.1.0/24 vlan 11
    192.168.2.0/24 vlan 12
    and so on.
    HTH

  • Design and configuration tips & suggestions

    This is the current configuration of switches I have set up on our network. It's about 150 miles long (east-west) and about 20 miles wide (north-south). All of the locations are connected via wireless bridges (Trango, Tranzeo, SmartBridges) or via an ISP private VLAN. Currently I have the 3550s connecting to each other via OSPF and they are all doing inter-VLAN routing. The 3550 at location 20 (3550-20) is, I guess, one of the main switches. It's located at the data center and it has the most connections to other wirelessly connected buildings. I have it configured to do PBR to 4 different DSL connections and it also has the switches from the data center connected to it. The small to medium sized locations have 2950s or 2960s.
    To give you an idea of what is all going on now:
    18 Wireless Bridges
    1200 Workstations
    30 Servers
    3000 Users
    21 Mbit of internet access
    200 Gigs of data being backed up over night
    1 Local server at each location
    We are planning on implementing a video conferencing system soon as well as voice services in the future.
    What I would like to know is what is the best configuration for these switches to prepare them for video conferencing, data connections and maybe voice?
    Vlan Configurations?
    Trunking?
    Routing?
    QOS?
    Any ideas or suggestions on configurations would be great. I want to make sure I go about this the right way the first time so I'm not reconfiguring when we want to setup the video or voice services.
    Thanks,
    Dan.

    Hi,
    when designing and implementing a video and voip network there are many things to consider. So I will not try to list some of them but would recommend you to read through
    1) "IP Videoconferencing Solution Reference Network Design (SRND)"
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns280/c649/ccmigration_09186a00800d67f6.pdf
    2) "Enterprise QoS Solution Reference Network Design Guide Version 3.3"
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a008049b062.pdf
    3) "Campus Network Multilayer Architecture and Design Guidelines"
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns656/c649/cdccont_0900aecd804ab67d.pdf
    QoS will be needed in any case and there are separate chapters regarding your different Catalyst switches.
    Generally VoIP will be transported in separate Voice VLANs interconnected through IP routing. So you should also have a look into your overall LAN design. 3) gives you a guidance to a robust modern switching design.
    Hope this helps!
    Regards, Martin

  • Ask the Expert: Enterprise Design and Deployment of Multicast

    Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco enterprise design and deployment of multicast solutions.
    The enterprise world is evolving to be overcome with large throughput capacity and record numbers of users connecting to the network. Mechanisms such as multicast, which allows for a minimization of throughput for multiple users subscribing to the same stream, are a welcome addition. Applications such as enterprise all-hands video streaming, trading applications, mass operating system deployment, and custom implementations can put a strain on the network if done via unicast. Multicast can minimize this strain by replicating a single stream for subscription by multiple parties who would like to receive the same information. For this Ask the Expert event, Patrick Lloyd, CCIE R&S no. 39750 and a network consulting engineer with Cisco’s Enterprise Advanced Services Delivery Team, will answer questions about multicast design and implementation based on best practices and prior experience with large enterprise deployments.
    Patrick Lloyd is a network consulting engineer for Cisco’s Enterprise East Advanced Services team, working to support and lend his expertise to a number of financial, insurance, healthcare, and consulting customers. In his four years of experience, he has lent design expertise to multicast networks ranging from 500 Cisco devices and 20K users to upward of 4500 Cisco devices and 50K users. Patrick is certified with his Cisco Certified Internetworking Expert no. 39750 in the Routing and Switching track and also has achieved certification in CCNA Security and Securing Cisco Routers and Switches as part of the CCNP Security track. Patrick received his MS degree in networking and systems administration from Rochester Institute of Technology in Rochester, NY, and his BS degree in computer science from Eastern Connecticut State University. He frequently gives customer-based knowledge transfers.
    Remember to use the rating system to let Patrick know if you have received an adequate response.
    Because of the volume expected during this event, Patrick might not be able to answer every question. Remember that you can continue the conversation in Network Infrastructure under the subcommunity WAN, Routing & Switching shortly after the event. This event lasts through September 12, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Thanks for the question!  This is actually a good one that I've encountered with a couple customers in the past, the tradeoff between a flood and prune type design, as opposed to the shared tree -> shortest path tree sequence.  As per Cisco best practice, we are actively trying to get customers to implement sparse mode, going so far as to not support PIM dense mode in our data center products.  And for good reason!  The last thing you want is a chatty protocol within the data center which is flooding traffic out to receivers who may or may not be interested in it every 3 minutes.  Instead, you're much better off having interested receivers join a stream, have your RP connect the interested senders and receivers, and then transition to the shortest path between source and destination.
    That being said, if you're studying for CCIE or looking to get experience in how multicast works, dense mode should at least be a lab exercise!
    Links for reference as to the difference in PIM modes:
    Dense Mode Operation:
    http://www.cisco.com/en/US/docs/ios/ipmulti/configuration/guide/imc_pim_dense_rfrsh.pdf
    Pim Modes and explanation of each:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swmcast.html#wp1077051
    A great slide deck to learn the operation of multicast:
    https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=6633&backBtn=true
    Troubleshooting Multicast:
    https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78578&backBtn=true
    Let me know if this is the answer you're looking for!

  • Design and Architect SSGD...

    Hi All,
    I work for a Sun Partner and am having the hardest time finding a strong Architect with solid SSGD experience. We are looking to hire someone that can help in the pre-sales process with Sun and also Architect, Design and Implement the product for Sun clients. If anyone out there knows anyone that might be interested please let me know. This position is full-time.
    Thanks!
    Pedro
    [email protected]

    Sorry, I only just asked this question.
    After completing the Windows update and the Java (and other) updates, it seems to be displayed.
    Sorry for all the fuss.

  • Logical Database design and physical database implementation

    Hi
    I am an Oracle DBA basically and we started a proactive server dashboard portal, which basically reports all aspects of our infrastructure (Dev, QA and Prod, performance, capacity, number of servers, number of CPUs, decommissioned date, OS level, database patch level) etc.
    This has to be done entirely by our DBA team as this is not an externally funded project. Now I was asked to do "Logical Database design and physical Database implementation".
    Even though I know roughly what that means (like designing a whole set of tables in star schema format), I have never done this before.
    In my mind I have a rough set of tables that can be used but again I think there is a lot of engineering involved in this area to make sure that we do it properly.
    I am wondering whether you guys might have some recommendations for me in the sense of where to start? Are there any documents online, are there any books on this topic? Are there any documents which explain this phenomenon with examples?
    Also, exactly what is the difference between logical database design vs physical database implementation?
    Thanks and Regards

    Logical database design is the process of taking a business or conceptual data model (often described in the form of an Entity-Relationship Diagram) and transforming that into a logical representation of that model using the specific semantics of the database management system. In the case of an RDBMS such as Oracle, this representation would be in the form of definitions of relational tables, primary, unique and foreign key constraints and the appropriate column data types supported by the RDBMS.
    Physical database implementation is the process of taking the logical database design and translating that into the actual DDL statements supported by the target RDBMS that will create the database objects in a target RDBMS database. This will generally include specific physical implementation details such as the specification of tablespaces, use of specialised indexing (bitmap, clustered etc), partitioning, compression and anything else that relates to how data will actually be physically stored inside the database.
    It sounds like you already have a physical implementation? If so, you can reverse engineer this implementation into a design tool such as SQL Developer Data Modeller. This will create a logical design by examining the contents of the Oracle data dictionary. Even if you don't have an existing database, Data Modeller is a good tool to use as a starting point for logical and even conceptual/business models.
    If you want to read anything about logical design, "An Introduction to Database Systems" by Date is always a good starting point. "Database Systems - A Practical Approach to Design, Implementation and Management" by Connolly & Begg is also an excellent reference.

  • Q4_How to manage software material and BOM in SAP_High-tech Industry PLM Implementation Issues

    Hello,
    We are implementing SAP PLM for a high-tech company which designs and manufactures mobile phones (ODM). Since we are new in PLM consulting and we are facing some implementation difficulties, we are looking for some solutions here.
    Question 4: How to manage software material and BOM in SAP?
    Currently, software is not managed as material in the BOM. How to manage software material in PLM? Can anyone help us with some suggestions?
    Question 5: PADS integration with PLM.
    Currently, the customer is using Pro/E and PADS to design their product. SAP has already provided a standard interface for Pro/E integration. But for PADS, there is no such interface. Because of the specialization of electrical components managed in PADS, different from structural parts in Pro/E, how to transfer them between the PLM system and manage them in the PLM system has become a difficulty. We will appreciate it a lot if anyone can share some successful solutions with us.

    Hi,
    software, typically a released version of software, is typically managed as a normal material master, and a related document with the code as a package (e.g. ZIP), if really needed.
    Software in development is managed typically with a dedicated Software Configuration Management tool like Rational ClearCase, Subversion, MKS Integrity, ....
    Regards, Ulf

  • Trunking and the management VLAN

    I have gotten my 5010's up and can get to them from mgmt0. The ip address for mgmt0 resides in VLAN 2 for me. I am getting ready to trunk my 5010's back to my 6500's. Do I need to make sure that VLAN 2 cannot be seen through the trunk ports since it resides on mgmt0?

    I don't think this is technically right- the MGMT and the data-path aren't actually connected. The MgmT 0 port doesn't have any concept that it's on "vlan 2"- it's just an access port.
    Similarly, if VLAN 2 is on the trunk port, the IP address you assigned to MGMT0 isn't going to respond.
    If you configured "feature interface vlan" and then put an IP address on VLAN 2, you could manage this box that way- on two separate IP addresses, via the two separate connections.
    With the current lack of ability to wrap ACLs around the Interface VLANs, I'm more comfortable NOT using interface-vlan commands, and using a single uplink to mgmt0. Loss of the mgmt0 port is now only loss of the ability to manage the switch, not a data-path impacting event. (Unless you need to configure the switch to correct a data-path issue, in which case you've got problems.)
    The shift to out-of-band is a nice feature, but it's going to require a big shift in thinking from an implementation standpoint.

  • VLAN trunking, native vlan and management vlan

    Hello all,
    In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
    We have an uplink which is trunked using .1Q. Our access ports have the data VLAN as the native. Based on our design, what should be the native VLAN for this uplink trunk? Should it be the management VLAN or the data VLAN? Thanks for your help.

    To answer this question you must remember what the native vlan is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the vlan that is configured for the port. Traffic for the voice vlan is an exception to this general rule.
    Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
    When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
    I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
    Regards,
    Leo
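    The uplink described above, as an added example that is not from the thread, showing Leo's second option: the trunk's native VLAN is an otherwise unused VLAN, so untagged frames never land in the management, data or voice VLAN, while the access ports keep the data VLAN untagged and tag voice. VLAN 999 and the interface names are assumptions; 100, 101 and 102 are the VLANs from the question.

```ios
! Added example, not from the thread. VLAN 999 and the interface names are
! assumed; 100 (management), 101 (data) and 102 (voice) come from the question.
vlan 999
 name NATIVE-UNUSED
!
! Uplink trunk: unused native VLAN, explicit allowed list, no DTP negotiation.
! Because 999 is not in the allowed list, untagged frames arriving on the
! trunk are discarded rather than delivered to any production VLAN.
interface GigabitEthernet0/1
 description .1Q uplink trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,101,102
 switchport mode trunk
 switchport nonegotiate
!
! Access ports: the data VLAN stays the untagged port VLAN, the voice VLAN
! is the tagged exception Leo mentions; the management VLAN is never offered.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 101
 switchport voice vlan 102
 spanning-tree portfast
!
! Where the platform supports it, tag the native VLAN as well so that no
! untagged frame crosses the trunk at all; both ends of the trunk must agree.
vlan dot1q tag native
```

    Using the same unused native VLAN on every trunk keeps the design consistent, which is the point Leo makes about clarity, without letting untagged traffic reach the data VLAN.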
