Separate VLAN for manag. only on wire?

I'm having a hard time trying to understand how to configure an Aironet 1200 in a way such that I have two VLANs (for example X and Y, both not 1) so that I have X for management only, with management not seen on the wireless side at all, and Y for public traffic.
I went through all the old postings about this subject but found no complete example of a running config that does it. If anyone has successfully done this, please, can you post an example IOS command listing of how to do it.
Regards,
Pauli Borodulin

Here is a working config that I have. I have two wireless vlans (186, 187) and a third Ethernet-only vlan (101) which is the management vlan.
interface Dot11Radio0
 no ip address
 no ip route-cache
 ! per-VLAN WEP keys; key material masked by the poster
 encryption vlan 186 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
 encryption vlan 186 key 2 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
 encryption vlan 186 key 3 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
 encryption vlan 186 key 4 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
 encryption vlan 186 mode wep mandatory
 encryption vlan 187 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
 encryption vlan 187 mode wep mandatory
 ! every SSID is mapped to a wireless VLAN; nothing maps to management VLAN 101
 ssid weponly
    vlan 186
    authentication open
 ssid wepeap
    vlan 187
    authentication open eap eap_methods
    authentication network-eap eap_methods
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 rts threshold 2312
 channel 2412
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
! wireless VLANs 186 and 187: tagged on the radio and bridged to the Ethernet side
interface Dot11Radio0.186
 encapsulation dot1Q 186
 no ip route-cache
 no cdp enable
 bridge-group 186
 bridge-group 186 subscriber-loop-control
 bridge-group 186 block-unknown-source
 no bridge-group 186 source-learning
 no bridge-group 186 unicast-flooding
 bridge-group 186 spanning-disabled
!
interface Dot11Radio0.187
 encapsulation dot1Q 187
 no ip route-cache
 no cdp enable
 bridge-group 187
 bridge-group 187 subscriber-loop-control
 bridge-group 187 block-unknown-source
 no bridge-group 187 source-learning
 no bridge-group 187 unicast-flooding
 bridge-group 187 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 ntp broadcast client
!
! management VLAN 101: Ethernet side only (native on the trunk), bridge-group 1 -> BVI1;
! there is no Dot11Radio0.101, so it never reaches the radio
interface FastEthernet0.101
 encapsulation dot1Q 101 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.186
 encapsulation dot1Q 186
 no ip route-cache
 bridge-group 186
 no bridge-group 186 source-learning
 bridge-group 186 spanning-disabled
!
interface FastEthernet0.187
 encapsulation dot1Q 187
 no ip route-cache
 bridge-group 187
 no bridge-group 187 source-learning
 bridge-group 187 spanning-disabled
!
! the AP's own management address lives on the bridge-group 1 (VLAN 101) BVI
interface BVI1
 ip address 172.25.101.17 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.25.101.1
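Added here as an example, not code from the post above: a small Python audit that parses the bridged-VLAN layout of that config (a trimmed copy is embedded, plus a constructed variant that also tags VLAN 101 onto the radio) and checks that the VLAN terminating on BVI1 appears on no Dot11Radio subinterface and no SSID. It assumes the Aironet behaviour that an SSID with no `vlan` mapping uses the radio's native bridge-group.

```python
import re

# Trimmed copy of the running-config posted above (keys, speeds etc. dropped).
SAMPLE_CONFIG = """
interface Dot11Radio0
 ssid weponly
    vlan 186
 ssid wepeap
    vlan 187
 bridge-group 1
interface Dot11Radio0.186
 encapsulation dot1Q 186
 bridge-group 186
interface Dot11Radio0.187
 encapsulation dot1Q 187
 bridge-group 187
interface FastEthernet0.101
 encapsulation dot1Q 101 native
 bridge-group 1
interface FastEthernet0.186
 encapsulation dot1Q 186
 bridge-group 186
interface FastEthernet0.187
 encapsulation dot1Q 187
 bridge-group 187
"""
# Constructed negative case: management VLAN 101 also tagged onto the radio.
BAD_CONFIG = SAMPLE_CONFIG + "interface Dot11Radio0.101\n encapsulation dot1Q 101\n bridge-group 1\n"

def parse_bridging(config: str) -> dict:
    """Map interface->802.1Q VLAN, interface->bridge-group and SSID->VLAN."""
    iface_vlan, iface_bg, ssid_vlan = {}, {}, {}
    iface = ssid = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            iface, ssid = m.group(1), None
        elif m := re.match(r"ssid (\S+)$", line):
            ssid = m.group(1)
            ssid_vlan[ssid] = None     # stays None if no 'vlan' line follows
        elif (m := re.match(r"vlan (\d+)$", line)) and ssid:
            ssid_vlan[ssid] = int(m.group(1))
        elif (m := re.match(r"encapsulation dot1[Qq] (\d+)", line)) and iface:
            iface_vlan[iface] = int(m.group(1))
        elif (m := re.match(r"bridge-group (\d+)$", line)) and iface:
            iface_bg[iface] = int(m.group(1))
    return {"iface_vlan": iface_vlan, "iface_bg": iface_bg, "ssid_vlan": ssid_vlan}

def audit_management_vlan(config: str, bvi: str = "BVI1") -> dict:
    """Return the management VLAN(s), the wireless VLAN(s) and any findings."""
    p = parse_bridging(config)
    mgmt_bg = int(bvi[3:])                     # BVI<n> terminates bridge-group n
    wired = {i: v for i, v in p["iface_vlan"].items() if i.startswith("FastEthernet")}
    radio = {i: v for i, v in p["iface_vlan"].items() if i.startswith("Dot11Radio")}
    mgmt = {v for i, v in wired.items() if p["iface_bg"].get(i) == mgmt_bg}
    findings = []
    for i, v in radio.items():                 # tagged radio subinterfaces only
        if v in mgmt or p["iface_bg"].get(i) == mgmt_bg:
            findings.append(f"{i} bridges management VLAN {v} onto the radio")
    for s, v in p["ssid_vlan"].items():
        if v is None:                          # unmapped SSID rides the radio's native bridge-group
            if p["iface_bg"].get("Dot11Radio0") == mgmt_bg:
                findings.append(f"ssid {s} has no vlan and would use management bridge-group {mgmt_bg}")
        elif v in mgmt:
            findings.append(f"ssid {s} is mapped to management VLAN {v}")
        elif v not in radio.values() or v not in wired.values():
            findings.append(f"ssid {s} VLAN {v} is not bridged on both radio and Ethernet")
    wireless = sorted(v for v in p["ssid_vlan"].values() if v is not None and v not in mgmt)
    return {"mgmt_vlans": sorted(mgmt), "wireless_vlans": wireless, "findings": findings}
```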

Similar Messages

  • VLAN for Management Traffic

    Hello Everyone,
    I'm still learning cisco and networks in general but I need to separate management traffic from the regular network.  The switch is a cisco catalyst 5406-E.  My question is do I need to create a new subnet for the VLAN and how would I do that? The commands I have to create a VLAN and add the switch ports are
    Switch(config)# vlan 15
    switch(config-vlan)# name Management
    switch(config)# interface GigabitEthernet2/6
    switch(config-if)# switchport access vlan 15
    Now this creates vlan 15 and adds the GE 2/6 interface to vlan 15.  How do I add it to a new subnet?  Am I going in the right direction?

    In general, if you want to use a separate VLAN for management, you can create the VLAN + an SVI (routed interface of the VLAN) with an IP address + some access lists on the SVI and VTY (“SSH/telnet lines”) for better security.
    Example:
    ==== C4500 – L3 SWITCH CONFIG ====
    //create VLAN 15
    vlan 15
    name MGMT
    //create access list with ip addresses, from which management of all switches with SVI 15 will be accessible
    //Note: this access list (ACL) does not control access to management of L3 switch/router where the ACL is applied on SVI, only to all other switches in VLAN 15 that have default gateway set to ip address 10.0.15.1 (see next step)
    ip access-list extended MGMT_SWITCH
    remark ====ICMP====
    permit icmp any 10.0.15.0 0.0.0.255
    remark ====ADMIN====
    permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
    remark ====MONIORING-SERVERS====
    permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
    remark ====NTB-SERVICE====
    permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
    //create SVI/interface of the VLAN 15, add IP address and assign access list
    //Note: DO NOT assign empty access list to interface, it can make your router inaccessible!
    interface Vlan15
    description MGMT
    ip address 10.0.15.1 255.255.255.0
    ip access-group MGMT_SWITCH out
    //create ACL for VTY line of L3 switch/router; this ACL controls access only to management of L3 switch, access to all other switches with SVI 15 is controlled by previous ACL
    ip access-list standard VTY
    remark ====ADMIN====
    permit 10.0.1.0 0.0.0.255
    remark ====MONIORING-SERVERS====
    permit 10.0.100.0 0.0.0.255
    remark ====NTB-SERVICE====
    permit 10.0.200.0 0.0.0.255
    //assign ACL to vty lines
    line vty 0 4
    access-class VTY in
    ==== OTHER L2-ONLY SWITCHES CONFIG ====
    //create VLAN 15
    vlan 15
    name MGMT
    //create SVI 15
    interface Vlan15
    description MGMT
    ip address 10.0.15.50 255.255.255.0
    //set default gateway/default route to SVI of c4500
    ip default-gateway 10.0.15.1
    //some higher-level switches require use of following CLI parameters instead:
    ip routing
    ip route 0.0.0.0 0.0.0.0 10.0.15.1
    This is just one of many ways to do the management separation.
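    Added here as an example, not code from the post above: a Python evaluator for the MGMT_SWITCH and VTY entries listed in that config (copied inline without the remarks), using IOS wildcard-mask semantics and the implicit deny that ends every IOS ACL, so the intended reach of the management subnet can be checked before the lists are applied with `ip access-group ... out` and `access-class ... in`.

```python
import ipaddress

# Entries copied from the C4500 config above, remarks dropped.
MGMT_SWITCH_ACL = """
permit icmp any 10.0.15.0 0.0.0.255
permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
"""
VTY_ACL = """
permit 10.0.1.0 0.0.0.255
permit 10.0.100.0 0.0.0.255
permit 10.0.200.0 0.0.0.255
"""

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _take_target(tokens: list) -> tuple:
    """Consume 'any', 'host A', 'A W' or a bare 'A' (standard ACL) from tokens."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]

def acl_permits(acl: str, src: str, dst: str = "0.0.0.0", proto: str = "ip",
                extended: bool = True) -> bool:
    """First matching entry decides; no match falls through to the implicit deny."""
    for line in acl.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, rest = tokens[0], tokens[1:]
        if extended:
            entry_proto, rest = rest[0], rest[1:]      # 'ip' covers every IP protocol
            (sb, sw), rest = _take_target(rest)
            (db, dw), rest = _take_target(rest)
            hit = (entry_proto in ("ip", proto) and wildcard_match(src, sb, sw)
                   and wildcard_match(dst, db, dw))
        else:                                          # standard ACL: source only
            (sb, sw), rest = _take_target(rest)
            hit = wildcard_match(src, sb, sw)
        if hit:
            return action == "permit"
    return False   # implicit 'deny any' at the end of every IOS ACL
```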

  • Separate vlan for wireless voice

    Hi all, I'm about to embark on reconfiguring my home lab. At present I have just 2 vlans, which are for VoIP and data. I'm going to split my network so I have the following:
    Data VLAN for our home PC's
    Voice VLAN for phones
    1 wireless VLAN for home laptops
    1 wireless VLAN for games consoles
    1 wireless guest access so I don't have to give out my own ssid credentials
    1 Management VLAN
    My question is do I have a separate VLAN for wireless VOIP or do I just use the same Voice VLAN?
    Regards
    Martyn
    Sent from Cisco Technical Support iPad App

    Martyn:
    Both solutions are valid. You can use the current voice VLAN or create a new VLAN.
    If you create a new VLAN you need to apply needed QoS to wired side as well.
    If your current Voice VLAN is already configured for QoS then using it for wireless voice is easier.
    So the preferred option is to use your current voice VLAN for wireless voice as well.
    HTH
    Amjad

  • Separate VLAN for CAPWAP

    Hello,
    I'm in the process of deploying a WLC2504 in an environment which requires a private VLAN for access to file servers and other network resources, as well as a guest network for internet access.
    As far as performance is concerned, will I get acceptable throughput on my WLANs with the CAPWAP tunnel flowing over the same subnet as the private network? I've seen some suggestions that recommend a separate VLAN dedicated to CAPWAP, but I don't know if this is just a suggestion for security. I understand that CAPWAP supports encryption of control messages, but not data transmissions without additional licensing. If this is just a suggestion for security, I don't think this is much of a concern. I don't see anyone on the private network intercepting guest transmissions. Could someone please advise me on this?

    Thanks for your clarification guys! I'm in the process of installing my first CUWN. We are implementing 10 APs and have dealt with a few issues, namely throughput for laptops. I knew other factors could definitely come into play, but I wanted to rule topology out. Laptops are currently pulling very low internet speed test results, whereas mobile devices seem to fare much better. I've tried testing with mostly 2.4 GHz connections from laptops, but even the 5 GHz ones seem to struggle. I'm working with the Cisco TAC a bit on this one. Per their suggestion, I'm going to run Iperf to test internal performance before I involve network firewalls and Internet connectivity in the mix.

  • Separate VLAN for WPA - Cisco 1100

    Hello,
    Cisco 1100 :
    First config. : no vlan with WEP for access network
    But when you create a vlan for wpa-psk with a simple config (no server manager, no radius, no eap), do you have to modify the other network peripherals (router...)?
    For example to declare the vlan.
    I did not find this information in the documentation of the aironet 1100.
    Thank you for your help.
    Eddy

    There is a good document on Cisco.com which explains how to configure WPA-PSK. The document is available at
    http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml#pers
    If you are still having issues configuring wpa-psk, please post the configuration so that we can troubleshoot the issue.

  • Separate vlan for Voice and Video

    I'm implementing a Polycom HDX9002 video conf codec into my network (point to point). What is the preferred method: do I segregate the traffic with another VLAN or use the existing Voice VLAN at both sites?
    Thanks
    Paul

    Voice vlan is fine. What really matters, is QoS in the WAN.

  • About the Native Vlan and Management Vlan.

    I wanted to know whether the Management vlan and Native vlan can have different vlan ids or whether both should have the same vlan id. Why should the native vlan not be vlan 1?

    The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
    It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
    Native Vlan is the vlan which will be sent untagged even on Trunk links. Consider a Trunk link configured between two switches SWA and SWB: if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, and switch B decides that the untagged frame is from native vlan 1 and handles it accordingly. By default the native vlan is 1; this can also be changed as per requirement.
    Example: In the below figure, if an IP phone and a system are connected to a switch port as below, the phone will send its frames tagged with vlan 10 whereas the frames sent by the system will be untagged. So here the corresponding switch port should be configured with native vlan 20, so that it can recognise and handle the frames from the system and the IP phone properly.
    Management vlan is different; it means that this vlan will be used for management purposes like logging into the switch for management, monitoring the switch, collecting syslog and SNMP traps, etc., which will be done via the management vlan IP. This is also vlan 1 by default in Cisco. So as Antony said, it is always a best practice and security measure to not use the default vlan and to use custom vlans.
    Hope this helps !

  • How can I sum up rows? The sum function seems to work for columns only and right now I have to create a separate formula for each row

    How can I sum up rows? The Sum function seems to work only on columns. Right now I have to create a separate formula for each row

    Hi dah,
    "Thanks, but can I do one formula for all present and future rows? As rows are being added, I have to do the sum function again and again"
    You do need a separate formula for each group of values to be summed.
    If the values are in columns, you need a copy of the formula for each column.
    If the values are in rows, you need a copy of the formula for each row.
    If you set up your formulas as SGIII did in his example (shown below), where every non-header row has the same formula, Numbers will automatically add the formula to new rows as you add them.
    "Same formula" in this context means exactly the same as all the formulas above, with one exception: the row reference in each formula is incremented (by Numbers) to match the row containing the formula.
    Here the formula looks like this in the three rows shown.
    B2: =SUM(2)
    B3: =SUM(3)
    B4: =SUM(4)
    That pattern will continue as rows are added to the table.
    Also, because the row token (2) references all of the non-header cells in row 2, the formula will automatically include new columns as they are added to the table.
    Regards,
    Barry

  • First sync with desktop manager for mac: only 300 contacts synced instead of the 1100

    I have a Curve 8310. version 4
     I have a brand new mac with NO CONTACTS or calendar.
     I have previously very successfully synced with my windows computer for 2 years.
    I have just tried for the first time to sync with desktop manager; only 315 contacts synced of the 1100.
    The apple people recommend using Mark/Space "Missing Sync" but I am reluctant to do this as the reviews are mixed.
    Help?

    Hi there.
    Have been using my BB Pearl 8100 on and off since Oct 08.
    I have successfully synced with a Vaio (XP Pro) using BBDM (up to version 4.6) as well as iMac OS 10.5.8 using PocketMac for BB v4.1 and now BBDM for Mac. Have synced with iCal, Mail, Contacts (albeit 647)
    PocketMac can be a little temperamental, but not that much of a prob as when i downloaded it was free (shareware) and the only alternative was Missing Sync.
    This posting is provided as is and implies no warranties

  • MAI for managed systems residing in separate network

    Hello!
    We are considering implementing the new Monitoring and Alerting Infrastructure (MAI) with Diagnostics Agents for our SAP systems.
    Most of our SAP managed systems reside in a separate network (different from the SOLMAN network).
    In order to retrieve CCMS data from these systems we must use RFC connections with an SAP router string.
    Has someone already successfully set up MAI for managed systems that reside in a separate network?
    Of great interest is information about
    1) Integration of these systems into DBACOCKPIT of SOLMAN
    2) Installation of Diagnostic Agent on remote host
    Many thanks for your information.

    Hello SAP-SDN,
    as for your initial question:
    Has someone already successfully set up MAI for managed systems that reside in separate network?
    Of great interest are the information about
    1) Integration of these systems into DBACOCKPIT of SOLMAN
    2) Installation of Diagnostic Agent on remote host
    1.- actually in process, but still haven't found any problem doing it on a remote network through saprouter.
    2.- actually working and running; the only limitation is the connection between the Wily host agent and Wily EM.
    as for your next question:
    1a) database related data in your Alerting (e.g. tablespaces)
    1b) database related data in your IT Performance Reporting/Interactive Reporting (e.g. growth of database)
    1c) DBACOCKPIT connection for the remote SAP system
    1a) for EWA ABAP you can get that information from a remote network managed system without any problem
    1b) for EWA ABAP you can get that information from a remote network managed system without any problem
    1c) still in process, but I think that it can be possible as well, as it is possible to connect the remote SMD diagnostic agent through one or more saprouters.

  • Question in regard to management VLAN for each Context in ACE module

    Dear Pros,
    I know this will be a simple questions to answer, and I have searched the forum, but I am not able to find the answer I need.
    1) Does the ACE module require a Management IP address for each Context? Should the same VLAN be applied to each context, with a larger subnet to supply host addresses?
    2) If it does require that, what IP address should I use for the default route in each context?
    I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
    Each ACE module will have 3 separate Contexts, for a total of 4 including the Admin.
    Any suggestions, or if you can point me to a location, as always will be greatly appreciated.
    Thanks and best regards.
    Raman Azizian

    Hi,
    you have several options to choose from.
    1. Use Admin context for management
    You can use the Admin context for management. Give it an IP address in your management VLAN, a default route to the upstream router, and log in and change to contexts from there.
    + Easy and straightforward
    - snmp and syslog are using the ip from each individual context and not the management IP
    2. Use a Large subnet and assign an IP address in each context for management.
    You can configure 1 management VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
    + each context has its own management address
    - static routes need to be added
    3. Use your client-side ip address (or BVI) as management address.
    You management traffic will be inline and use the same path as your data. Default route is already configured and also valid for the management.
    + no static routes needed
    - inline management
    Personally, I choose option 1. That is, if the people that need to manage the ACE is the same team.
    If other teams (server team for context 1, another server team for context 2) need to manage the ACE, then I would choose option 3.
    HTH,
    Dario

  • Is it possible to use management Vlan as FT Vlan for ACE4710?

    Is it allowed to configure ACE4710 management vlan as a FT vlan between two appliances? If allowed, what's the consequence of not using a dedicated FT Vlan?
    Thanks a lot

    You should not have any other traffic on the dedicated FT vlan.
    This is from the docs.
    Note Do not use this dedicated VLAN for any other network traffic, including HSRP and data
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/administration/guide/redundcy.html#wp999787
    Having any other traffic on this vlan could cause a problem with FT heart beats being dropped, and both ACE could become active. Definitely use a dedicated FT Vlan.
    Regards
    Jim

  • Configuring Management VLAN for standalone Nexus 5k

    Hi All,
    The architecture in the attachment doesn't require redundancy and hence has a single N5k with N2k as FEX. The setup is working fine except for the management vlan and mgmt 0 interface being down.
    As of now, the mgmt0 interface has no link connected to it. The VLAN for nexus management is also down as mgmt0 can't be assigned to vlans. Configuring the management IP on a Loopback interface also doesn't allow adding the same to the management vlan.
    Is mgmt0 an RJ45 compatible port with N5596? and is there a way I can have out of band management for Nexus 5596? Is there a way I can assign a management IP to the FEX?
    Thanks for the inputs.
    Thanks,
    Bala S

    Hello Balachandhar,
    Mgmt interface on N5K exists to provide out of band management to the device.
    Mgmt interface belongs to management vrf. You can reach the N5K on mgmt interface once you configure IP to mgmt interface and connect it to upstream switch port belonging to mgmt vlan.
    The FEX cannot be separately managed. You need to connect to the parent N5K device and manage it.
    HTH
    Padma

  • I have an iPad, iPod touch, iPod classic. I tried using one account for allow only not being able to sign on with my touch. Do I  need separate accounts for each?

    Do I need separate accounts for each?
    I have an iPad, iPod classic and an iPod touch.
    Can not sign on to App Store with the touch.
    So how can I set up a new account?

    Error message -can not sign into App Store
    Same message for iTunes
    I use my iPad most of the time but would like to add apps to the touch

  • VLAN trunking, native vlan and management vlan

    Hello all,
    In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
    We have an uplink which is trunked using .1Q. Our access ports have the data vlan as the native. Based on our design, what should be the native vlan for this uplink trunk? Should it be the management vlan or the data vlan? Thanks for your help.

    To answer this question you must remember what the native vlan is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the vlan that is configured for the port. Traffic for the voice vlan is an exception to this general rule.
    Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
    When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
    I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
    Regards,
    Leo
