Understanding Management VLAN

justnet

Honorable
May 17, 2013
19
0
10,520
1
I’m trying to understand management VLAN. Here is what I know so far; let’s sat my management VLAN is VLAN 1 (10.1.x.x \16), and I have 50 switches on my network with a L3 switch as my core. I would make the IP of the core 10.1.x.x and do the same for all 50 switches. And then I would put all workstations in a different VLAN like VLAN 2 (10.2.x.x \16). Is that right?
 
yes but you normally have more than just 2 vlans. If both vlans cover the same switches then it is almost the same as running everything all on a single vlan. Normally you have a management vlans that has all switches on it but this is only a good idea because there is almost no traffic on the management vlan. The purpose of a vlan is to limit broadcast traffic to a smaller number of switches. Some people use a management vlan to in theory keep unauthorized people out of the management but it seldom really adds much security.

This used to be much more important but lately even cheap consumer switches are so powerful big flat network designs work ok. It is still recommended use many smaller networks but it is trade off since now the configuration get more complex.

 

justnet

Honorable
May 17, 2013
19
0
10,520
1


Okay, so currently our core is in VLAN 1, but our switches are not (I think). Our core has a 10.1.x.x\16 IP and our switches have a different IP. For example; five story building has six VLANs. Floor 1 is VLAN 2, Floor 2 is VLAN 3, etc… The switch on floor 1 has a 10.2.x.x\16 IP, the switch on floor 2 has a 10.3.x.x\16 and so forth. Would that mean that those switches are not in the management VLAN since they don't have a 10.1.x.x\16 IP? Each switch has two trunk ports and VLAN 1 is untagged on those ports, and VLANs 2-6 are tagged. Not sure if this makes sense, but that is how these switches are setup.
 
It is ok but you technically don't have a management vlan..... unless each switch also contains a address from the 10.1.x.x. Layer 2 switches generally can only have a single ip and it is only used to configure (ie manage the device). If it is in the 10.1.x.x vlan and vlan 1 is on all switch then you have a management vlan if not then you have multiple management vlans. It really makes no difference.

The so called optimum design would put the management ip in the 10.1.x.x vlan and all the switch end user ports in 10.?.x.x vlan. Each trunk port back to the core would only contain vlan 1 (normally untagged) and vlan ? tagged. You do not want vlans on the trunk that do not exist on the switch. The core switch will still forward broadcast traffic down these ports which the remote switch will discard. Cisco switches are smart enough to "prune" these for you but since you use the term "untagged" rather than "native" it sounds like you are the one that needs to remove these extra vlans by not defining them since you do not have cisco switches
 

ASK THE COMMUNITY