Management VLAN for Catalyst 3524

Hi,
I'm currently using VLAN30 as my management VLAN (172.16.xxx.xxx) and would like to use VLAN20 for the management VLAN. After configuring VLAN20 as my management VLAN, the changes didn't get updated in the running-config. The IOS commands used are:
config t
int vlan 20
ip address 149.199.xxx.xxx 255.255.252.0
no shutdown

Hi Ankur,
This switch is in VTP client mode. When I did a show vlan, the output is as follows. VLAN 20 is already active.
VLAN  Name          Status
1     default       active
20    core-network  active
When I did a sh ip int brief, the output is as follows:
VLAN1   unassigned     YES manual up
VLAN20  149.xx.xx.xx   YES manual deleted
VLAN30  172.xx.xx.xx   YES manual up
The VLAN 20 showed as deleted. I think this was because I issued the no int vlan 20 command as shown below:
config t
int vlan 20
ip address 149.xx.xx.xx 255.255.255.0 (for setting it as the management VLAN)
no int vlan 20
How do I set VLAN20 as the Management VLAN again?
What is the difference between the following:
i) int vlan 20
shutdown
ii) no int vlan 20

Similar Messages

  • Question in regard to management VLAN for each Context in ACE module

    Dear Pros,
    I know this will be a simple question to answer, and I have searched the forum, but I am not able to find the answer I need.
    1) Does the ACE module require a management IP address for each context? Should the same VLAN be applied to each context, with a larger subnet to supply host addresses?
    2) If it does require that, what IP address should I use for the default route in each context?
    I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
    Each ACE module will have 3 separate contexts, for a total of 4 including the Admin.
    Any suggestions, or if you can point me to a location, as always will be greatly appreciated.
    Thanks and best regards.
    Raman Azizian

    Hi,
    you have several options to choose from.
    1. Use Admin context for management
    You can use the Admin context for management. Give it an IP address in your management VLAN, a default route to the upstream router, and log in and change to contexts from there.
    + Easy and straightforward
    - snmp and syslog are using the ip from each individual context and not the management IP
    2. Use a Large subnet and assign an IP address in each context for management.
    You can configure 1 management VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
    + each context has its own management address
    - static routes need to be added
    3. Use your client-side ip address (or BVI) as management address.
    Your management traffic will be inline and use the same path as your data. The default route is already configured and also valid for the management.
    + no static routes needed
    - inline management
    Personally, I choose option 1. That is, if the people that need to manage the ACE are the same team.
    If other teams (server team for context 1, another server team for context 2) need to manage the ACE, then I would choose option 3.
    HTH,
    Dario

  • Configuring Management VLAN for standalone Nexus 5k

    Hi All,
    The architecture in the attachment doesn't require redundancy and hence has a single N5k with N2k as FEX. The setup is working fine except for the management VLAN and the mgmt0 interface being down.
    As of now, the mgmt0 interface has no link connected to it. The VLAN for Nexus management is also down as mgmt0 can't be assigned to VLANs. Configuring a management IP on a loopback interface also doesn't allow adding it to the management VLAN.
    Is mgmt0 an RJ45-compatible port on the N5596? And is there a way I can have out-of-band management for the Nexus 5596? Is there a way I can assign a management IP to the FEX?
    Thanks for the inputs.
    Thanks,
    Bala S

    Hello Balachandhar,
    The mgmt interface on the N5K exists to provide out-of-band management to the device.
    The mgmt interface belongs to the management VRF. You can reach the N5K on the mgmt interface once you configure an IP on it and connect it to an upstream switch port belonging to the mgmt VLAN.
    The FEX cannot be separately managed. You need to connect to the parent N5K device and manage it.
    HTH
    Padma

  • Wireless AP Management VLAN and BVIs

    Hi All,
    I've been looking around and I can't find a solution to what I am trying to achieve and I was hoping the community may have had more luck than I have.
    I'm looking to have my management VLAN for my AP set up as a tagged BVI, but I'm struggling to get it set up. I can set it up fine using BVI1 and having it just accessed on the native VLAN, but I see this as a security flaw; I don't really want direct access into my management network on the switch.
    Now there may be a better way of preventing this but I am, at least compared to many, still fairly new to Cisco and this seems to be the best approach. Please see below for my current config, hopefully you can let me know where I am going wrong.
    Also, as a note, at the moment I am mainly focusing on the management security of the AP before I check the wifi config, hence the radios still being shutdown so there may also be small errors in this. I have also removed some elements which are not relevant.
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP01
    no ip source-route
    no ip cef
    dot11 syslog
    dot11 ssid <Guest secure network SSID>
       vlan 30
       authentication open
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii <key>
    dot11 ssid <Internal Secure SSID>
       vlan 10
       authentication open
       authentication key-management wpa version 2
       wpa-psk ascii <key>
    ip ssh version 2
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     shutdown
     encryption vlan 10 mode ciphers aes-ccm tkip
     encryption vlan 30 mode ciphers aes-ccm tkip
     ssid <Guest secure network SSID>
     ssid <Internal Secure SSID>
     antenna gain 0
     packet retries 64 drop-packet
     channel 2437
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 port-protected
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.10
     encapsulation dot1Q 10
     no ip route-cache
     bridge-group 10
     bridge-group 10 subscriber-loop-control
     bridge-group 10 spanning-disabled
     bridge-group 10 block-unknown-source
     no bridge-group 10 source-learning
     no bridge-group 10 unicast-flooding
    interface Dot11Radio0.30
     encapsulation dot1Q 30
     no ip route-cache
     bridge-group 30
     bridge-group 30 subscriber-loop-control
     bridge-group 30 spanning-disabled
     bridge-group 30 block-unknown-source
     no bridge-group 30 source-learning
     no bridge-group 30 unicast-flooding
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     encryption vlan 10 mode ciphers aes-ccm tkip
     encryption vlan 30 mode ciphers aes-ccm tkip
     ssid <Guest secure network SSID>
     ssid <Internal Secure SSID>
     antenna gain 0
     peakdetect
     no dfs band block
     packet retries 64 drop-packet
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 port-protected
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1.10
     encapsulation dot1Q 10
     no ip route-cache
     bridge-group 10
     bridge-group 10 subscriber-loop-control
     bridge-group 10 spanning-disabled
     bridge-group 10 block-unknown-source
     no bridge-group 10 source-learning
     no bridge-group 10 unicast-flooding
    interface Dot11Radio1.30
     encapsulation dot1Q 30
     no ip route-cache
     bridge-group 30
     bridge-group 30 subscriber-loop-control
     bridge-group 30 spanning-disabled
     bridge-group 30 block-unknown-source
     no bridge-group 30 source-learning
     no bridge-group 30 unicast-flooding
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     no keepalive
    interface GigabitEthernet0.10
     encapsulation dot1Q 10
     no ip route-cache
     bridge-group 10
     bridge-group 10 spanning-disabled
     no bridge-group 10 source-learning
    interface GigabitEthernet0.30
     encapsulation dot1Q 30
     no ip route-cache
     bridge-group 30
     bridge-group 30 spanning-disabled
     no bridge-group 30 source-learning
    interface GigabitEthernet0.100
     encapsulation dot1Q 100
     no ip route-cache
     bridge-group 100
     bridge-group 100 spanning-disabled
     no bridge-group 100 source-learning
    interface GigabitEthernet0.101
     encapsulation dot1Q 999 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface BVI1
     no ip address
     no ip route-cache
     shutdown
    interface BVI100
     mac-address <Actual ethernet address>
     ip address 10.33.100.101 255.255.255.0
     no ip route-cache
    ip default-gateway 10.33.100.254
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    bridge 100 protocol ieee
    bridge 100 route ip
    line con 0
     logging synchronous
    line vty 0 4
     transport input ssh
    end
    As you can see I am using BVI100 as the management VLAN for the device and BVI1 is shutdown with vlan 999/int gi0/101 holding bridge group 1.
    With this setup I can't get any IP communication, send or receive, but I can see the MAC address on the switch in the MAC address table on VLAN 100. There are also no entries in the ARP table of the AP.
    The switch is set up with VLAN 999 untagged and VLANs 10, 30, 100 as tagged.
    Hope you can help! Thanks for any advice in advance.
    Many thanks,
    Martin.

    Yea, that would work, and I have set it up like this without issue, but I'm trying to limit access to the management VLAN; I don't want someone to be able to plug directly into the switch and be on the same broadcast domain as all of the other equipment.
    There are other ways of achieving this, but I felt like I was so close with the above config; I was just missing something.

  • Broadcast control in management VLAN

    Hi...
    I faced a problem where the management VLAN was down due to excessive broadcasts caused by some fiber uplink going bad.
    I can use UDLD, but I'm not sure whether it can be used where the uplink is UTP.
    I am thinking of having several management VLANs, instead of keeping all my switches in a single one.
    Is that good practice? Any other ideas?
    Thanks.

    You can enable UDLD with UTP. Creating multiple management VLANs depends on how much broadcast traffic there is within that VLAN under normal circumstances, how many nodes are in the VLAN, how many trunks there are, whether any hubs are in use, and a few other factors. It doesn't hurt to create another management VLAN, and the reason why many networks out there just have one management VLAN is simplification.
    Pls. rate all helpful posts.
    --Sundar

  • Management VLAN 1

    Hi Everyone,
    I'm working with a leading ISP in India. The issue is that our engineering team has come up with a plan to migrate all management VLANs for metro and other switches to VLAN 1. Presently we are using separate VLANs for management, something like below.
    Aggregation router#show runn inter gi0/2.137
    Building configuration...
    Current configuration : 250 bytes
    interface GigabitEthernet0/2.137
    description Connectivity for ABC
    encapsulation dot1Q 137
    ip address 203.154.26.97 255.255.255.240
    ip policy route-map ABC
    no cdp enable
    end
    Switch 1 end:(2950)
    interface Vlan137
    ip address 203.154.26.101 255.255.255.240
    no ip route-cache
    ip default-gateway 203.154.26.97
    switch 2:(2950)
    interface Vlan137
    ip address 203.154.26.103 255.255.255.240
    no ip route-cache
    ip default-gateway 203.154.26.97
    The router interface gi0/3 is connected to the trunk port on a Summit switch, and a wireless device provides connectivity to switch 1, and further another one to switch 2.
    The entire path is on layer 2.
    Please suggest how I can migrate to mgmt VLAN 1.
    Can it be something like
    inter gi0/2.1
    encapsulation dot1q 1
    ip address
    since 2950s don't support more than one active mgmt VLAN, what can be the best way of migration?

    This is a tricky proposition. By best way you mean without getting disconnected, right? Because when you start to change the mgmt interface via telnet, you are risking getting disconnected once the mgmt interface is changed. For example, you know that there can only be one active interface VLAN on a 2950 for mgmt purposes. If you are changing the interface VLAN from VLAN 237 to VLAN 1, and they will have the same IP address, you'll have to shut down one of them. Let's say you are able to do that; then how will you bring up the other interface without getting disconnected? Remember you are telnetted in. The best way will be to console in when you make changes on the mgmt VLAN. You'll probably have to walk to the switch anyway if you made the change via telnet. Changing the mgmt VLAN will not affect the switch's ability to switch packets.

  • VLAN for Management Traffic

    Hello Everyone,
    I'm still learning Cisco and networks in general, but I need to separate management traffic from the regular network.  The switch is a Cisco Catalyst 5406-E.  My question is, do I need to create a new subnet for the VLAN, and how would I do that? The commands I have to create a VLAN and add the switch ports are
    Switch(config)# vlan 15
    switch(config-vlan)# name Management
    switch(config)# interface GigabitEthernet2/6
    switch(config-if)# switchport access vlan 15
    Now this creates VLAN 15 and adds the GE 2/6 interface to VLAN 15.  How do I add it to a new subnet?  Am I going in the right direction?

    In general, if you want to use a separate VLAN for management, you can create the VLAN + an SVI (routed interface of the VLAN) with an IP address + an access list on the SVI and on the VTY (“SSH/telnet lines”) for better security.
    Example:
    ==== C4500 – L3 SWITCH CONFIG ====
    //create VLAN 15
    vlan 15
    name MGMT
    //create access list with ip addresses, from which management of all switches with SVI 15 will be accessible
    //Note: this access list (ACL) does not control access to the management of the L3 switch/router where the ACL is applied on the SVI, only to all other switches in VLAN 15 that have their default gateway set to IP address 10.0.15.1 (see next step)
    ip access-list extended MGMT_SWITCH
    remark ====ICMP====
    permit icmp any 10.0.15.0 0.0.0.255
    remark ====ADMIN====
    permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
    remark ====MONITORING-SERVERS====
    permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
    remark ====NTB-SERVICE====
    permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
    //create SVI/interface of the VLAN 15, add IP address and assign access list
    //Note: DO NOT assign empty access list to interface, it can make your router inaccessible!
    interface Vlan15
    description MGMT
    ip address 10.0.15.1 255.255.255.0
    ip access-group MGMT_SWITCH out
    //create ACL for the VTY lines of the L3 switch/router; this ACL controls access only to the management of the L3 switch; access to all other switches with SVI 15 is controlled by the previous ACL
    ip access-list standard VTY
    remark ====ADMIN====
    permit 10.0.1.0 0.0.0.255
    remark ====MONITORING-SERVERS====
    permit 10.0.100.0 0.0.0.255
    remark ====NTB-SERVICE====
    permit 10.0.200.0 0.0.0.255
    //assign ACL to vty lines
    line vty 0 4
    access-class VTY in
    ==== OTHER L2-ONLY SWITCHES CONFIG ====
    //create VLAN 15
    vlan 15
    name MGMT
    //create SVI 15
    interface Vlan15
    description MGMT
    ip address 10.0.15.50 255.255.255.0
    //set default gateway/default route to SVI of c4500
    ip default-gateway 10.0.15.1
    //some higher-level switches require the following CLI parameters instead:
    ip routing
    ip route 0.0.0.0 0.0.0.0 10.0.15.1
    This is just one of many ways to do the management separation.
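A quick check for the controls the answer above relies on, as an added example that is not part of the original answer or of any Cisco tooling: a stdlib-only Python script that parses an IOS running-config and flags VTY lines without an access-class, transports other than SSH, an `ip access-group` or `access-class` that points at an ACL which is undefined or contains only remarks (the empty-ACL trap the answer warns about), and a cleartext `ip http server`. The two sample configs are constructed for the example, modelled on the L3-switch fragment above; only named ACLs are handled, numbered ACLs are out of scope.

```python
"""Audit the management plane of a Cisco IOS running-config (stdlib only).

Added example, not Cisco code: a line-based parser plus checks for an
access-class on the VTY lines, SSH-only transport, every referenced ACL
being defined with at least one real entry, and HTTP management being off.
Only named ACLs are understood; numbered ACLs are out of scope.
"""
import re
from typing import Dict, List, Tuple

Block = Tuple[str, List[str]]


def parse_ios_config(text: str) -> List[Block]:
    """Split an IOS config into (parent line, [indented child lines]) blocks.

    IOS prints top-level commands at column 0 and sub-commands indented by
    one space, so indentation alone recovers the structure. Comment lines
    starting with '!' and blank lines are ignored.
    """
    blocks: List[Block] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def named_acls(blocks: List[Block]) -> Dict[str, List[str]]:
    """Map each named ACL to its entries; 'remark' lines are dropped so an
    ACL that holds nothing but remarks counts as empty."""
    acls: Dict[str, List[str]] = {}
    for parent, children in blocks:
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", parent)
        if m:
            acls[m.group(1)] = [c for c in children if not c.startswith("remark")]
    return acls


def audit_management_plane(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_ios_config(text)
    acls = named_acls(blocks)
    findings: List[str] = []
    for parent, children in blocks:
        if parent.startswith("line vty"):
            access_class = [c for c in children if c.startswith("access-class ")]
            if not access_class:
                findings.append(f"{parent}: no access-class, VTY reachable from any source")
            else:
                name = access_class[0].split()[1]
                if not acls.get(name):
                    findings.append(f"{parent}: access-class {name} is undefined or empty")
            transport = [c for c in children if c.startswith("transport input ")]
            if not transport or transport[0].split()[2:] != ["ssh"]:
                findings.append(f"{parent}: transport input is not restricted to ssh")
        elif parent.startswith("interface Vlan"):
            for c in children:
                if c.startswith("ip access-group "):
                    name = c.split()[2]
                    if not acls.get(name):
                        findings.append(f"{parent}: ip access-group {name} is undefined or empty")
        elif parent == "ip http server":
            findings.append("ip http server: cleartext HTTP management is enabled")
    return findings


# Constructed sample (not captured from a device), modelled on the fragment above.
GOOD_CONFIG = """\
vlan 15
 name MGMT
ip access-list extended MGMT_SWITCH
 remark ====ADMIN====
 permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
interface Vlan15
 description MGMT
 ip address 10.0.15.1 255.255.255.0
 ip access-group MGMT_SWITCH out
ip access-list standard VTY
 permit 10.0.1.0 0.0.0.255
line vty 0 4
 access-class VTY in
 transport input ssh
"""

# Constructed counter-example: same layout, controls weakened or left out.
WEAK_CONFIG = """\
ip access-list extended MGMT_SWITCH
 remark ====ADMIN====
interface Vlan15
 ip address 10.0.15.1 255.255.255.0
 ip access-group MGMT_SWITCH out
ip http server
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_management_plane(cfg) or ["OK"])
```

Run it against a saved `show running-config`; the parser relies on IOS printing sub-commands indented by one space, which is how `show running-config` formats them. The ACL checks only establish that a referenced ACL exists and has entries; whether its entries are the right ones is still a manual review of the permit lines.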

  • Is it possible to use management Vlan as FT Vlan for ACE4710?

    Is it allowed to configure ACE4710 management vlan as a FT vlan between two appliances? If allowed, what's the consequence of not using a dedicated FT Vlan?
    Thanks a lot

    You should not have any other traffic on the dedicated FT vlan.
    This is from the docs.
    Note Do not use this dedicated VLAN for any other network traffic, including HSRP and data
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/administration/guide/redundcy.html#wp999787
    Having any other traffic on this vlan could cause a problem with FT heart beats being dropped, and both ACE could become active. Definitely use a dedicated FT Vlan.
    Regards
    Jim

  • Separate VLAN for manag. only on wire?

    I'm having a hard time trying to understand how to configure an Aironet 1200 in a way such that I have two VLANs (for example X and Y, both not 1) so that I have X for only management, and management is not seen on the wireless side at all, and Y for public traffic.
    I went through all the old postings about this subject but found no complete example of a running config to do it. If anyone has successfully completed doing this, please, can you post an example of the IOS command listing showing how to do it?
    Regards,
    Pauli Borodulin

    Here is a working config that I have. I have two wireless vlans (186, 187) and a third ethernet only vlan (101) which is the management vlan.
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 186 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
    encryption vlan 186 key 2 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
    encryption vlan 186 key 3 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
    encryption vlan 186 key 4 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
    encryption vlan 186 mode wep mandatory
    encryption vlan 187 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
    encryption vlan 187 mode wep mandatory
    ssid weponly
    vlan 186
    authentication open
    ssid wepeap
    vlan 187
    authentication open eap eap_methods
    authentication network-eap eap_methods
    speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
    rts threshold 2312
    channel 2412
    station-role root
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.186
    encapsulation dot1Q 186
    no ip route-cache
    no cdp enable
    bridge-group 186
    bridge-group 186 subscriber-loop-control
    bridge-group 186 block-unknown-source
    no bridge-group 186 source-learning
    no bridge-group 186 unicast-flooding
    bridge-group 186 spanning-disabled
    interface Dot11Radio0.187
    encapsulation dot1Q 187
    no ip route-cache
    no cdp enable
    bridge-group 187
    bridge-group 187 subscriber-loop-control
    bridge-group 187 block-unknown-source
    no bridge-group 187 source-learning
    no bridge-group 187 unicast-flooding
    bridge-group 187 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    ntp broadcast client
    interface FastEthernet0.101
    encapsulation dot1Q 101 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.186
    encapsulation dot1Q 186
    no ip route-cache
    bridge-group 186
    no bridge-group 186 source-learning
    bridge-group 186 spanning-disabled
    interface FastEthernet0.187
    encapsulation dot1Q 187
    no ip route-cache
    bridge-group 187
    no bridge-group 187 source-learning
    bridge-group 187 spanning-disabled
    interface BVI1
    ip address 172.25.101.17 255.255.255.0
    no ip route-cache
    ip default-gateway 172.25.101.1

  • Best Practices for management VLAN

    Hi guys,
    I have a client with a data center where they have lots of VLANs running off a 3750 (main switch), and then they have a 3550 and a 2950 running off this main 3750.
    They have lots of VLANs configured, and I see that VLAN 1 is not being used. Currently, all the IPs of the switches and routers belong to one of the customer VLANs.
    I've read that this is bad practice and that a management VLAN should be created. But I think I've also read that when it comes to management VLANs, one needs to stay away from VLAN 1.
    So I am not sure how to tackle this.
    any help?
    thanks

    Here is a very good discussion which should answer all your questions.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc12936/14
    http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.htm#wp39009

  • Can I use non-native VLAN for AP management (BVI100 vs. BVI1)

    Owning an AIR-AP1121G-E-K9 and an AIR-AP1131AG-E-K9, with IOS 12.3.8JA2, I want to migrate AP (wired) management from native VLAN 1 to tagged VLAN 100.
    The management VLAN must not be accessed by WiFi devices.
    I tried to configure fa0.100, bridge 100 and BVI100 instead of fa0.1, bridge 0.1 and BVI1; I reloaded and the AP is working, but doesn't respond to management.
    I tried to use a simple L3 fa0.1, but the interface is not reachable from outside.
    Any suggestions?
    Thank you very much
    Flavio Molinelli

    The management VLAN must be the Native VLAN ... it doesn't have to be VLAN 1, but whichever VLAN you declare as Native will be the Management VLAN (at least as far as the AP is concerned) ...
    Some switches / routers permit the management and Native VLANs to be different ... verify that both are configured and matching on both ends (AP and switch / router).
    Good Luck
    Scott

  • Management VLAN Design and Implementation

    Greetings, friends.  I'm having trouble getting a clear picture of how a management VLAN ought to look.  I just installed a Catalyst 6509-E as my core switch, and as soon as they arrive I'm going to be replacing all of our other (HP) switches with Catalyst 3560X switches.  I understand the reasoning behind segregating traffic, not using VLAN1, etc., but I've never actually implemented a management VLAN--I've always just accessed the switches via the IPs assigned to them where all the client traffic flows (not VLAN1, by the way).
    Is "management VLAN" simply what we as humans call a VLAN we dedicate to management activities, or is there something official in these switches to designate a "management VLAN?"
    Is it best practice to include SNMP, netflow, syslog, and NTP as "management" traffic?
    There's a lot of documentation talking -about- management and management VLANs, but unless I'm blind or not looking hard enough I can't seem to find any implementation whitepapers or best practices whitepapers that demonstrate setting one up on a campus LAN.  Are you able to point me in the right direction to find such documentation?  Is it perhaps buried in a manual somewhere that isn't explicitly labeled "Management VLAN Design and Implementation" or somesuch?
    What is the best practice for accessing the management VLAN?  Inter-VLAN routing + ACLs?  Multi-homed PCs or servers?  Additional PCs to be used as access stations?
    Thank you for your wisdom, experience, and advice!
    Kevin

    1. Yes, you may want to keep this traffic separate from the other traffic, limiting device management access to just this VLAN, as this prevents eavesdropping.
    2. Indeed all other housekeeping goes via this VLAN, although you could limit it to the interactive or session traffic.
    3. On a campus you could think of one big VLAN spanning the campus; in a multi-site environment, or where you use L3 to go to your datacenters, you probably need multiple management LANs. I've seen implementations where the management traffic was kept separate and even didn't use the routing protocol in use. The whole management LAN was statically routed and would work even if OSPF or BGP was down.
    4. I feel a situation where the people providing support are connected on the LAN giving access to the devices is probably best. A dual-homed PC is a good solution, I think; other customers feel the management LAN should be treated as a DMZ accessible via a firewall, but the hardcore customers insist on a second PC connected to the management LAN.
    Points to consider are, as always:
    Find the single point of failure: any device, L2, L3 or firewall, that could cut off management from accessing a part of the network.
    Find the right balance between security, costs, and ease of access for the business you're in.
    Cheers,
    Michel

  • Catalyst 3524 - Capturing fragmented packets

    Greetings,
    I have run into an interesting issue with a trunked connection to my ASA.
    Scenario: ASA-5510 connected to a Catalyst 3524 switch via a dot1q trunk. There are approximately 12 vlans configured and passing traffic.
    The ASA interface shows no errors; the Catalyst switch is incrementing runts fairly rapidly.
    From what I have read this typically is a cabling or hardware issue. We changed ports and cables on the Catalyst switch to rule out that side. Both ASA and Switch are set to Full Duplex/ Speed 100.
    From a troubleshooting perspective, I am limited on my packet captures due to the switch and/or my NIC hardware discarding 'bad' packets. I don't have access to a hardware packet capturing device or a NIC with that capability.
    To anyone's knowledge, is there a way to capture the packets being dropped at the switch port? I have a port monitor set up and have disabled "checksum offloading" on my NIC; so far that is the best I have come up with.
    It looks like the switch will increment the runts counter, but not log any of that info.
    I am eliminating any other port issues I see on the switch, but that hasn't made a difference so far.
    My apologies for the long post, but I do appreciate your patience and expertise!
    Thanks for your time!

    Thanks for the info - I will be able to use that for future troubleshooting!
    I have resolved the incrementing runts issue with an IOS upgrade on the switch (to current level for the Cat 3524).
    After the upgrade, the counters no longer increment. I was hoping this would be the case; we were just waiting for a maintenance window to complete the upgrade.
    Thanks again!

  • Management VLAN -- New to Cisco

    I've been working on configuring VLANs for my network and I came across something that confuses me. Under practical tips in this document http://www.cisco.com/warp/public/473/189.html#tips it states:
    Separate the management VLAN from the user or server VLAN, as in this diagram. The management VLAN is different from the user or server VLAN. With this separation, any broadcast/packet storm that occurs in the user or server VLAN does not affect the management of switches.
    Do not use VLAN 1 for management. All ports in Catalyst switches default to VLAN 1, and any devices that connect to nonconfigured ports are in VLAN 1. The use of VLAN 1 for management can cause potential issues for the management of switches, as the first tip explains.
    I understand the concept, and I've made my management VLAN 10. However, when I connect a computer to the switch it doesn't default to VLAN 1; it defaults to VLAN 10, which puts the computer by default in the management VLAN.
    What's the point of creating a different VLAN ID for management if the workstations are going to default to it anyhow? I understand once I configure the ports it will take them out of the management VLAN; I'm just wondering why I couldn't use VLAN 1 as the management domain.
    Regards,
    David

    To support an in-band management VLAN, you'll have to configure trunking (802.1Q) between switch uplinks, allowing your management VLAN (VLAN 10) traffic to traverse the trunk in addition to the user VLAN (let's say VLAN 20). To trunk, you must utilize a unique VLAN per subnet. I like to force trunking (switchport encap dot1q, switchport mode trunk, switchport nonnegotiate) so as not to utilize DTP (Dynamic Trunking Protocol).
    For user access, you need to configure the VLAN on the switch and enable switchport mode access along with switchport access vlan 20 (user VLAN).
    Keep in mind, in-band management works well for user access; however, for data center server access trunking is not recommended.
    With all that said, you still may have to use VLAN 1 in certain scenarios. For instance, an IBM Blade center management module required the use of vlan 1 to manage the blade center.

  • Cisco 3560 cg (change management vlan)

    Good Day guys ,
    I've purchased some of the new 3560 CG Catalyst switches. I am looking for some guidance/assistance on the procedure to change the default (VLAN 1) to my management VLAN (x). I have been successful in adding all my VLANs, inclusive of the management one, to the switch using the command "switchport access vlan x" via the command line.
    Currently I have CE 500s in my environment, which allow you to change the management VLAN from the GUI. Any recommendations/assistance as to how this is now done on the newer model switches via command line or GUI would be greatly appreciated.
    Regards,
    Christian. 

    conf t
    vlan <BLAH>
    name Management
    exit
    default interface vlan 1
    interface vlan 1 
    shutdown
    interface vlan <BLAH>
    description YIPEE
    ip address 1.2.3.4 255.255.255.0
    no shutdown
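A post-change check for the procedure above and for the `deleted` SVI in the Catalyst 3524 thread at the top of this page, as an added example that comes from neither post: a stdlib-only Python script that parses `show ip interface brief`, then confirms that the new management SVI has an address and is up/up, that the old `interface Vlan1` is no longer up, and that no SVI sits in the `deleted` state. It reports the state and does not diagnose its cause. The two sample outputs are constructed with documentation addresses, not captured from a switch, and the row layout assumed is the standard six-column IOS format.

```python
"""Post-change check for a management SVI move, from 'show ip interface brief'.

Added example, not from either post: parse the status table and flag the
conditions seen in the threads above (new SVI missing, unassigned or not
up/up; an SVI left in the 'deleted' state; the old Vlan1 still up).
"""
import re
from typing import Dict, List, NamedTuple


class Svi(NamedTuple):
    ip: str        # dotted address or 'unassigned'
    status: str    # 'up', 'down', 'administratively down' or 'deleted'
    protocol: str  # 'up' or 'down'


# Columns: Interface  IP-Address  OK?  Method  Status  Protocol
ROW_RE = re.compile(
    r"^(Vlan\d+)\s+(\S+)\s+\S+\s+\S+\s+"
    r"(administratively down|deleted|down|up)\s+(up|down)\s*$",
    re.IGNORECASE,
)


def parse_svis(show_output: str) -> Dict[str, Svi]:
    """Return {'Vlan20': Svi(...), ...}; physical interfaces are skipped.
    Interface names are normalised so 'VLAN20' and 'Vlan20' both key as 'Vlan20'."""
    svis: Dict[str, Svi] = {}
    for line in show_output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            name, ip, status, proto = m.groups()
            svis[name.capitalize()] = Svi(ip, status.lower(), proto.lower())
    return svis


def check_mgmt_move(show_output: str, new_vlan: int, old_vlan: int = 1) -> List[str]:
    """Findings for a management VLAN move; an empty list means the move looks complete."""
    svis = parse_svis(show_output)
    findings: List[str] = []
    new = svis.get(f"Vlan{new_vlan}")
    if new is None:
        findings.append(f"Vlan{new_vlan}: no SVI present")
    else:
        if new.ip.lower() == "unassigned":
            findings.append(f"Vlan{new_vlan}: no IP address")
        if new.status != "up" or new.protocol != "up":
            findings.append(f"Vlan{new_vlan}: state is {new.status}/{new.protocol}, expected up/up")
    old = svis.get(f"Vlan{old_vlan}")
    if old is not None and old.status == "up":
        findings.append(f"Vlan{old_vlan}: still up, shut it down once Vlan{new_vlan} is reachable")
    for name, svi in svis.items():
        if svi.status == "deleted":
            findings.append(f"{name}: SVI is in the 'deleted' state")
    return findings


# Constructed sample output (documentation addresses), mirroring the 3524 thread.
BEFORE = """\
Interface        IP-Address      OK? Method Status                Protocol
Vlan1            unassigned      YES manual up                    up
Vlan20           192.0.2.20      YES manual deleted               down
Vlan30           198.51.100.30   YES manual up                    up
FastEthernet0/1  unassigned      YES unset  up                    up
"""

# Constructed sample output after the move in the 3560 CG answer above.
AFTER = """\
Interface        IP-Address      OK? Method Status                Protocol
Vlan1            unassigned      YES manual administratively down down
Vlan20           192.0.2.20      YES manual up                    up
FastEthernet0/1  unassigned      YES unset  up                    up
"""

if __name__ == "__main__":
    print("before:", check_mgmt_move(BEFORE, 20) or ["OK"])
    print("after: ", check_mgmt_move(AFTER, 20) or ["OK"])
```

Paste the live `show ip interface brief` output into a file and feed it to `check_mgmt_move` with the new VLAN number; an empty result is the signal that it is safe to drop the console session. A `deleted` finding means the SVI line is still there but the switch no longer considers it usable, so `show vlan` and the VTP state should be checked before the interface is recreated.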
