Management VLAN for Catalyst 3524
Hi,
I'm currently using VLAN30 as my management VLAN (172.16.xxx.xxx) and would like to use VLAN20 for the management VLAN. After configuring VLAN20 as my management VLAN, the changes didn't get updated in the running-config. The IOS commands used are:
config t
int vlan 20
ip address 149.199.xxx.xxx 255.255.252.0
no shutdown
Hi Ankur,
This switch is in VTP client mode. When I did a show vlan, the output is as follows. VLAN 20 is already active.
VLAN Name Status
1 default active
20 core-network active
When I did a sh ip int brief, the output is as follows:
VLAN1 unassigned YES manual up
VLAN20 149.xx.xx.xx YES manual deleted
VLAN30 172.xx.xx.xx YES manual up
The VLAN 20 showed as deleted. I think this was because I issued the no int vlan 20 command as shown below:
config t
int vlan 20
ip address 149.xx.xx.xx 255.255.255.0 (For setting it as the management VLAN)
no int vlan 20
How do I set VLAN20 as the Management VLAN again?
What is the difference between the following:
i) int vlan 20
shutdown
ii) no int vlan 20
Similar Messages
-
Question in regard to management VLAN for each Context in ACE module
Dear Pros,
I know this will be a simple question to answer, and I have searched the forum, but I am not able to find the answer I need.
1) Does the ACE module require a Management IP address for each Context? Should the same VLAN be applied to each context, with larger size subnet to supply host address?
2) If it does require that, what IP address should I use for default route in each context.
I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
Each ACE module will have 3 separate Contexts, for a total of 4 including the Admin.
Any suggestions or if you can point me to location as always will be greatly appreciated.
Thanks and best regards.
Raman Azizian
Hi,
you have several options to choose from.
1. Use Admin context for management
You can use the Admin context for management. Give it an IP address in your management VLAN, default route to upstream router, and login and change to contexts from there.
+ Easy and straightforward
- snmp and syslog are using the ip from each individual context and not the management IP
2. Use a Large subnet and assign an IP address in each context for management.
You can configure 1 management VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
+ each context has its own management address
- static routes need to be added
3. Use your client-side ip address (or BVI) as management address.
Your management traffic will be inline and use the same path as your data. Default route is already configured and also valid for the management.
+ no static routes needed
- inline management
Personally, I choose option 1. That is, if the people that need to manage the ACE are the same team.
If other teams (serverteam for context 1, other serverteam for context 2) need to manage the ACE, then I would choose option 3.
HTH,
Dario -
Configuring Management VLAN for standalone Nexus 5k
Hi All,
The architecture in the attachment doesn't require redundancy and hence has a single N5k with N2k as FEX. The setup is working fine except for the management vlan and mgmt 0 interface being down.
As of now, mgmt0 interface has no link connected to it. The VLAN for nexus management is also down as mgmt0 can't be assigned to vlans. Configuring management IP to Loopback interface also doesn't allow adding the same to management vlan.
Is mgmt0 an RJ45 compatible port with N5596? and is there a way I can have out of band management for Nexus 5596? Is there a way I can assign a management IP to the FEX?
Thanks for the inputs.
Thanks,
Bala S
Hello Balachandhar,
Mgmt interface on N5K exists to provide out of band management to the device.
Mgmt interface belongs to management vrf. You can reach the N5K on mgmt interface once you configure IP to mgmt interface and connect it to upstream switch port belonging to mgmt vlan.
The FEX cannot be separately managed. You need to connect to the parent N5K device and manage it.
HTH
Padma -
Wireless AP Management VLAN and BVIs
Hi All,
I've been looking around and I can't find a solution to what I am trying to achieve and I was hoping the community may have had more luck than I have.
I'm looking to have my management VLAN for my AP setup as a tagged BVI but I'm struggling to get it setup. I can set it up fine using BVI1 and having it just accessed on the native VLAN but I see this as a security flaw, I don't really want direct access into my management network on the switch.
Now there may be a better way of preventing this but I am, at least compared to many, still fairly new to Cisco and this seems to be the best approach. Please see below for my current config, hopefully you can let me know where I am going wrong.
Also, as a note, at the moment I am mainly focusing on the management security of the AP before I check the wifi config, hence the radios still being shutdown so there may also be small errors in this. I have also removed some elements which are not relevant.
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP01
no ip source-route
no ip cef
dot11 syslog
dot11 ssid <Guest secure network SSID>
vlan 30
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii <key>
dot11 ssid <Internal Secure SSID>
vlan 10
authentication open
authentication key-management wpa version 2
wpa-psk ascii <key>
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
encryption vlan 10 mode ciphers aes-ccm tkip
encryption vlan 30 mode ciphers aes-ccm tkip
ssid <Guest secure network SSID>
ssid <Internal Secure SSID>
antenna gain 0
packet retries 64 drop-packet
channel 2437
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption vlan 10 mode ciphers aes-ccm tkip
encryption vlan 30 mode ciphers aes-ccm tkip
ssid <Guest secure network SSID>
ssid <Internal Secure SSID>
antenna gain 0
peakdetect
no dfs band block
packet retries 64 drop-packet
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio1.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
interface GigabitEthernet0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 spanning-disabled
no bridge-group 30 source-learning
interface GigabitEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 spanning-disabled
no bridge-group 100 source-learning
interface GigabitEthernet0.101
encapsulation dot1Q 999 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
no ip address
no ip route-cache
shutdown
interface BVI100
mac-address <Actual ethernet address>
ip address 10.33.100.101 255.255.255.0
no ip route-cache
ip default-gateway 10.33.100.254
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
bridge 100 protocol ieee
bridge 100 route ip
line con 0
logging synchronous
line vty 0 4
transport input ssh
end
As you can see I am using BVI100 as the management VLAN for the device and BVI1 is shutdown with vlan 999/int gi0/101 holding bridge group 1.
With this setup I can't get any IP communication, send or receive, but I can see the MAC address on the switch in the MAC address table on vlan100. There are also no entries in the ARP table of the AP.
The switch is setup with vlan 999 untagged and vlans 10,30,100 as tagged.
Hope you can help! Thanks for any advice in advance.
Many thanks,
Martin.
Yea that would work and I have set it up like this without issue but I'm trying to limit access to the management VLAN, I don't want someone to be able to plug directly into the switch and be on the same broadcast domain as all of the other equipment.
There are other ways of achieving this but I felt like I was so close with the above config but I was just missing something.
-
Broadcast control in management vlan
Hi...
I faced a problem where the management vlan was down due to excessive broadcast caused by some fiber uplink going bad.
I can use udld but not sure whether it can be used where the uplink is UTP.
I am thinking of having several management vlans, instead of keeping all my switches in a single one.
Is that a good practise? Any other ideas?
Thanks.
You can enable UDLD with UTP. Creating multiple management VLANs depends on how much broadcast traffic is there within that vlan under normal circumstances, how many nodes are in the vlan, how many trunks are there, are there any hubs in use and a few other factors. It doesn't hurt to create another management vlan for management and the reason why many networks out there just have one management vlan is for simplification.
Pls. rate all helpful posts.
--Sundar -
Hi Everyone,
I'm working with a leading ISP in India. The issue is that our engineering team has come up with the plan of migrating all management vlans for metro and other switches to vlan1. Presently we are using separate vlans for management. Something like below.
Aggregation router#show runn inter gi0/2.137
Building configuration...
Current configuration : 250 bytes
interface GigabitEthernet0/2.137
description Connectivity for ABC
encapsulation dot1Q 137
ip address 203.154.26.97 255.255.255.240
ip policy route-map ABC
no cdp enable
end
Switch 1 end:(2950)
interface Vlan137
ip address 203.154.26.101 255.255.255.240
no ip route-cache
ip default-gateway 203.154.26.97
switch 2:(2950)
interface Vlan137
ip address 203.154.26.103 255.255.255.240
no ip route-cache
ip default-gateway 203.154.26.97
The router inter gi0/3 is connected to the trunk port on summit switch and a wireless device provides connectivity to the switch 1 and further another one to switch 2.
The entire path is on layer 2.
Please suggest as to how can I migrate to mgmt vlan 1.
Can it be something like
inter gi0/2.1
encapsulation dot1q 1
ip addres
since 2950s don't support more than one active mgmt vlan what can be the best way of migration???
This is a tricky proposition. Best way you mean without getting disconnected, right? Cause when you start to change the mgmt interface via telnet, you are risking getting disconnected once the mgmt interface is changed. For example, you know that there can only be one active interface vlan on 2950 for mgmt purpose. If you are changing the interface vlan from vlan 237 to vlan 1, if they will have the same ip address, you'll have to shut down one of them. Let's say you are able to do that, then how will you bring up the other interface with getting disconnected? Remember you are telneted in. The best way will be to console in when you make changes on the mgmt vlan. You'll probably have to walk to the switch anyway if you made the change via telnet. Changing the mgmt vlan will not affect the switch's ability to switch packets.
-
Hello Everyone,
I'm still learning cisco and networks in general but I need to separate management traffic from the regular network. The switch is a cisco catalyst 5406-E. My question is do I need to create a new subnet for the VLAN and how would I do that? The commands I have to create a VLAN and add the switch ports are
Switch(config)# vlan 15
switch(config-vlan)# name Management
switch(config)# interface GigabitEthernet2/6
switch(config-if)# switchport access vlan 15
Now this creates vlan 15 and adds the GE 2/6 interface to vlan 15. How do I add it to a new subnet? Am I going in the right direction?
In general, if you want to use separated VLAN for management, you can create VLAN + SVI (routed interface of the VLAN) with IP address + some access list on SVI and VTY ("SSH/telnet lines") for better security.
Example:
==== C4500 – L3 SWITCH CONFIG ====
//create VLAN 15
vlan 15
name MGMT
//create access list with ip addresses, from which management of all switches with SVI 15 will be accessible
//Note: this access list (ACL) does not control access to management of L3 switch/router where the ACL is applied on SVI, only to all other switches in VLAN 15 that have default gateway set to ip address 10.0.15.1 (see next step)
ip access-list extended MGMT_SWITCH
remark ====ICMP====
permit icmp any 10.0.15.0 0.0.0.255
remark ====ADMIN====
permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
remark ====MONIORING-SERVERS====
permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
remark ====NTB-SERVICE====
permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
//create SVI/interface of the VLAN 15, add IP address and assign access list
//Note: DO NOT assign empty access list to interface, it can make your router inaccessible!
interface Vlan15
description MGMT
ip address 10.0.15.1 255.255.255.0
ip access-group MGMT_SWITCH out
//create ACL for VTY line of L3 switch/router; this ACL controls access only to management of L3 switch, access to all other switches with SVI 15 is controlled by previous ACL
ip access-list standard VTY
remark ====ADMIN====
permit 10.0.1.0 0.0.0.255
remark ====MONIORING-SERVERS====
permit 10.0.100.0 0.0.0.255
remark ====NTB-SERVICE====
permit 10.0.200.0 0.0.0.255
//assign ACL to vty lines
line vty 0 4
access-class VTY in
==== OTHER L2-ONLY SWITCHES CONFIG ====
//create VLAN 15
vlan 15
name MGMT
//create SVI 15
interface Vlan15
description MGMT
ip address 10.0.15.50 255.255.255.0
//set default gateway/default route to SVI of c4500
ip default-gateway 10.0.15.1
//some higher-level switches require use of following CLI parameters instead:
ip routing
ip route 0.0.0.0 0.0.0.0 10.0.15.1
This is just one of many ways to do the management separation. -
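One way to check a saved running-config against the layout in the answer above (an ACL on the management SVI of the gateway switch, an ACL on the VTY lines, no management address on VLAN 1), as an added example that is not part of the original post. The sample config, the `audit` function, its `gateway` parameter and the finding texts are constructed for illustration; the parser assumes the usual one-space indentation of `show running-config` output.

```python
import re

# Constructed sample (not from a real device), following the answer's layout:
# management VLAN 15, one ACL on the SVI, one ACL on the VTY lines.
SAMPLE_CONFIG = """\
ip access-list extended MGMT_SWITCH
 remark ====ADMIN====
 permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
!
ip access-list standard VTY
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
interface Vlan15
 description MGMT
 ip address 10.0.15.1 255.255.255.0
 ip access-group MGMT_SWITCH out
!
line vty 0 4
 access-class VTY in
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""


def parse_sections(text):
    """Split a config into (header, [child lines]); children are the indented lines."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def collect_acls(sections):
    """Map each named ACL to its permit/deny entries (remarks are not entries)."""
    acls = {}
    for header, body in sections:
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", header)
        if m:
            acls[m.group(1)] = [l for l in body if re.match(r"(\d+ )?(permit|deny)\b", l)]
    return acls


def audit(text, mgmt_vlan, gateway=True):
    """Return findings. gateway=False skips the SVI ACL check (L2-only switches)."""
    sections = parse_sections(text)
    acls = collect_acls(sections)
    findings, seen_mgmt = [], False

    def check_acl(where, name):
        if name not in acls:
            findings.append(f"{where}: ACL {name} is referenced but not defined")
        elif not acls[name]:
            findings.append(f"{where}: ACL {name} has no permit/deny entries")

    for header, body in sections:
        svi = re.match(r"interface Vlan(\d+)$", header, re.I)
        if svi:
            up = any(l.startswith("ip address ") for l in body) and "shutdown" not in body
            if not up:
                continue
            vlan = int(svi.group(1))
            if vlan == 1:
                findings.append(f"{header}: VLAN 1 SVI is up with an IP address")
            if vlan == mgmt_vlan:
                seen_mgmt = True
                groups = [l.split()[2] for l in body if l.startswith("ip access-group ")]
                if gateway and not groups:
                    findings.append(f"{header}: no ip access-group applied")
                for name in groups:
                    check_acl(header, name)
        elif header.startswith("line vty"):
            classes = [l.split()[1] for l in body if re.match(r"access-class \S+ in$", l)]
            if not classes:
                findings.append(f"{header}: no access-class applied")
            for name in classes:
                check_acl(header, name)
            for l in body:
                if l.startswith("transport input") and {"telnet", "all"} & set(l.split()[2:]):
                    findings.append(f"{header}: telnet allowed ({l})")
    if not seen_mgmt:
        findings.append(f"no active interface Vlan{mgmt_vlan} with an IP address")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, 15):
        print(finding)
```

For the L2-only switches in the answer, whose SVI carries no ACL by design, call `audit(config, 15, gateway=False)`.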
Is it possible to use management Vlan as FT Vlan for ACE4710?
Is it allowed to configure ACE4710 management vlan as a FT vlan between two appliances? If allowed, what's the consequence of not using a dedicated FT Vlan?
Thanks a lot
You should not have any other traffic on the dedicated FT vlan.
This is from the docs.
Note Do not use this dedicated VLAN for any other network traffic, including HSRP and data
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/administration/guide/redundcy.html#wp999787
Having any other traffic on this vlan could cause a problem with FT heart beats being dropped, and both ACE could become active. Definitely use a dedicated FT Vlan.
Regards
Jim -
Separate VLAN for manag. only on wire?
I'm having hard time trying to understand how to configure Aironet 1200 in a way such that I have two VLANs (for example X and Y, both not 1) so that I have X for only management and management is not seen on wireless side at all, and Y for public traffic.
I went thru' all the old postings about this subject but found no complete example of running config to do it. If anyone has successfully completed doing this, please, can you post an example of IOS command listing how to do it.
Regards,
Pauli Borodulin
Here is a working config that I have. I have two wireless vlans (186, 187) and a third ethernet only vlan (101) which is the management vlan.
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 186 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
encryption vlan 186 key 2 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
encryption vlan 186 key 3 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
encryption vlan 186 key 4 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
encryption vlan 186 mode wep mandatory
encryption vlan 187 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
encryption vlan 187 mode wep mandatory
ssid weponly
vlan 186
authentication open
ssid wepeap
vlan 187
authentication open eap eap_methods
authentication network-eap eap_methods
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
channel 2412
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.186
encapsulation dot1Q 186
no ip route-cache
no cdp enable
bridge-group 186
bridge-group 186 subscriber-loop-control
bridge-group 186 block-unknown-source
no bridge-group 186 source-learning
no bridge-group 186 unicast-flooding
bridge-group 186 spanning-disabled
interface Dot11Radio0.187
encapsulation dot1Q 187
no ip route-cache
no cdp enable
bridge-group 187
bridge-group 187 subscriber-loop-control
bridge-group 187 block-unknown-source
no bridge-group 187 source-learning
no bridge-group 187 unicast-flooding
bridge-group 187 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
ntp broadcast client
interface FastEthernet0.101
encapsulation dot1Q 101 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.186
encapsulation dot1Q 186
no ip route-cache
bridge-group 186
no bridge-group 186 source-learning
bridge-group 186 spanning-disabled
interface FastEthernet0.187
encapsulation dot1Q 187
no ip route-cache
bridge-group 187
no bridge-group 187 source-learning
bridge-group 187 spanning-disabled
interface BVI1
ip address 172.25.101.17 255.255.255.0
no ip route-cache
ip default-gateway 172.25.101.1
-
Best Practices for management VLAN
Hi guys,
I have a client with a data center where they have lots of VLANs running off a 3750 (main switch) and then they have a 3550 and a 2950 running off from this main 3750.
They have lots of VLANs configured and I see that Vlan1 is not being used. Currently, all the IPs of the switches and routers belong to one of the customer Vlan's.
I've read that this is bad practice and that a management VLAN should be created. But I think I've also read that when it comes to management Vlans, one needs to stay away from Vlan1
So I am not sure how to tackle this.
any help?
thanks
Here is a very good discussion which should answer all your questions.
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc12936/14
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.htm#wp39009 -
Can I use non-native VLAN for AP management (BVI100 vs. BVI1)
Owning AIR-AP1121G-E-K9 and AIR-AP1131AG-E-K9, with IOS 12.3.8JA2, want to migrate AP (wired) management from native VLAN1 to tagged VLAN100.
Management VLAN must not be accessed by WiFi devices.
Tried to configure fa0.100, bridge 100 and BVI 100 instead of fa0.1, bridge 0.1 and BVI1, reloaded and AP is working, but doesn't respond to management.
Tried to use simple L3 fa0.1, but int is not reachable from outside.
Any suggestions?
Thank you very much
Flavio Molinelli
The management VLAN must be the Native VLAN ... it doesn't have to be VLAN 1, but whichever VLAN you declare as Native will be the Management VLAN (at least as far as the AP is concerned) ...
Some switches / routers permit the management and Native VLANs to be different ... verify that both are configured and matching on both ends (AP and switch / router).
Good Luck
Scott -
Management VLAN Design and Implementation
Greetings, friends. I'm having trouble getting a clear picture of how a management VLAN ought to look. I just installed a Catalyst 6509-E as my core switch, and as soon as they arrive I'm going to be replacing all of our other (HP) switches with Catalyst 3560X switches. I understand the reasoning behind segregating traffic, not using VLAN1, etc., but I've never actually implemented a management VLAN--I've always just accessed the switches via the IPs assigned to them where all the client traffic flows (not VLAN1, by the way).
Is "management VLAN" simply what we as humans call a VLAN we dedicate to management activities, or is there something official in these switches to designate a "management VLAN?"
Is it best practice to include SNMP, netflow, syslog, and NTP as "management" traffic?
There's a lot of documentation talking -about- management and management VLANs, but unless I'm blind or not looking hard enough I can't seem to find any implementation whitepapers or best practices whitepapers that demonstrate setting one up on a campus LAN. Are you able to point me in the right direction to find such documentation? Is it perhaps buried in a manual somewhere that isn't explicitly labeled "Management VLAN Design and Implementation" or somesuch?
What is the best practice for accessing the management VLAN? Inter-VLAN routing + ACLs? Multi-homed PCs or servers? Additional PCs to be used as access stations?
Thank you for your wisdom, experience, and advice!
Kevin
1. Yes, you may want to keep this traffic separate of the other traffic limiting device management access to just this vlan, as this prevents eavesdropping.
2. Indeed all other housekeeping goes via this VLAN although you could limit it to the interactive or session traffic.
3. On a campus you could think of one big VLAN spanning the campus, on a multi-site environment or where you use L3 to go to your datacenters you probably need multiple management lan's. I've seen implementations where the management traffic was kept separate and even didn't use the routing protocol in use. The whole management lan was statically routed and would work even if OSPF or BGP was down.
4. I feel a situation where the people providing support are connected on the lan giving access to the devices is probably best. A dual homed pc is a good solution I think, other customers feel the management lan should be treated as a DMZ accessible via a firewall, but the hardcore customers insist on a second pc connected to the management lan.
Points to consider are as always,
Find the single point of failure. Any device, L2 L3 firewall that could cut off management from accessing a part of the network.
Find the right balance between security, costs, ease of access for the business you're in.
Cheers,
Michel -
Catalyst 3524 - Capturing fragmented packets
Greetings,
I have run into an interesting issue with a trunked connection to my ASA.
Scenario: ASA-5510 connected to a Catalyst 3524 switch via a dot1q trunk. There are approximately 12 vlans configured and passing traffic.
The ASA interface shows no errors; the Catalyst switch is incrementing runts fairly rapidly.
From what I have read this typically is a cabling or hardware issue. We changed ports and cables on the Catalyst switch to rule out that side. Both ASA and Switch are set to Full Duplex/ Speed 100.
From a troubleshooting perspective, I am limited on my packet captures due to the switch and/or my NIC hardware discarding 'bad' packets. I don't have access to a hardware packet capturing device or a NIC with that capability.
To anyone's knowledge, is there a way to capture the packets being dropped at the switch port? I have a port monitor set up and have disabled "checksum offloading" on my NIC; so far that is the best I have come up with.
It looks like the switch will increment the runts counter, but not log any of that info.
I am eliminating any other port issues I see on the switch, but that hasn't made a difference so far.
My apologies for the long post, but I do appreciate your patience and expertise!
Thanks for your time!
Thanks for the info - I will be able to use that for future troubleshooting!
I have resolved the incrementing runts issue with an IOS upgrade on the switch (to current level for the Cat 3524).
After the upgrade, the counters no longer increment. I was hoping this would be the case; we were just waiting for a maintenance window to complete the upgrade.
Thanks again! -
Management VLAN -- New to Cisco
I've been working on configuring VLANs for my network and I came across something that confuses me. Under practical tips in this document http://www.cisco.com/warp/public/473/189.html#tips it states:
Separate the management VLAN from the user or server VLAN, as in this diagram. The management VLAN is different from the user or server VLAN. With this separation, any broadcast/packet storm that occurs in the user or server VLAN does not affect the management of switches.
Do not use VLAN 1 for management. All ports in Catalyst switches default to VLAN 1, and any devices that connect to nonconfigured ports are in VLAN 1. The use of VLAN 1 for management can cause potential issues for the management of switches, as the first tip explains.
I understand the concept, and I've made my management VLAN 10. However, when I connect a computer to the switch it doesn't default to VLAN1 it defaults to VLAN10 which puts the computer by default in the management VLAN.
What's the point of creating a different VLAN ID for management if the workstations are going to default to it anyhow? I understand once I configure the ports it will take them out of the management VLAN, I'm just wondering why I couldn't use VLAN1 as the management domain.
Regards,
David
To support an inband management VLAN, you'll have to configure trunking (802.1Q) between switch uplinks allowing your management vlan (VLAN 10) traffic to traverse the trunk in addition to the user vlan (let's say vlan 20). To trunk, you must utilize a unique VLAN per subnet. I like to force trunking (switchport encap dot1q, switchport mode trunk, switchport nonnegotiate) so as not to utilize DTP (dynamic trunking protocol).
For user access, you need to configure the vlan on the switch and enable switchport mode access along with switchport access vlan 20 (user vlan).
Keep in mind, inband management works well for user access; however, for data center server access trunking is not recommended.
With all that said, you still may have to use VLAN 1 in certain scenarios. For instance, an IBM Blade center management module required the use of vlan 1 to manage the blade center. -
Cisco 3560 cg (change management vlan)
Good Day guys ,
I've purchased some of the new 3560 cg catalyst switches. Am looking for some guidance/assistance into the procedure to change the default (vlan 1) to my management vlan (x). I have been successful in the addition of all my vlans inclusive of the management to the switch using the following command "switchport access vlan x" via the command line.
Currently I have CE 500's in my environment which allows you to change the management vlan from the GUI. Any recommendations/ assistance as to how this is now done on the newer model switches via command line or GUI would be greatly appreciated.
Regards,
Christian.
conf t
vlan <BLAH>
name Management
exit
default interface vlan 1
interface vlan 1
shutdown
interface vlan <BLAH>
description YIPEE
ip address 1.2.3.4 255.255.255.0
no shutdown