
VLAN1 for Management Question


tman

Feb 14, 2008, 6:45:44 PM
I am configuring a Cisco 2950 switch to have 5 VLANs. Each of these
will have a few hosts on it. They do not communicate outside their
VLANs, i.e., to hosts on the other VLANs.

I want to have VLAN1 configured with an IP address and put it on the
company network so I can manage it. I put an IP address on VLAN1, then
I added an ip default-gateway, which gets configured on the switch.
Now the plan is to connect the switch to the company network via one
of the ports in VLAN1 to be able to manage it on any subnet in the
company, hence the ip default-gateway.

I wanted to check to see if this is correct. One thing gave me pause:
if I connect two laptops that have IP addresses that are on the same
subnet as VLAN1 to two of the ports in one of the VLANs other than
VLAN1, the ports go down. What causes this? I thought that the
VLANs other than VLAN1, which has an IP address, did not care about
what IP address attached hosts have.

Thanks

headsetadapter.com

Feb 15, 2008, 7:06:07 AM
Tom,

It's possible, and a lot of people use it. However, according to "best
practices", VLAN 1 is used for inter-switch communication for Spanning Tree,
BPDUs, VTP, etc., and it's better to create another "management VLAN" just
for the sake of security. There are some hacking techniques which may screw up,
for example, your VTP domain by sending malformed packets. If you have
just a single switch, it's not the case, but if you want to be "at the best
practices", you may change it.

Good luck,

Mike
CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, etc.
CCIE R&S (in progress), CCIE Voice (in progress)
------
Headset Adapters for Cisco IP Phones
www.ciscoheadsetadapter.com
www.headsetadapter.com
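
A defensive check for the recommendation in the reply above, as an added example that is not part of any post in this thread: it audits IOS-style configuration text for a management IP on VLAN 1 and for access ports left in VLAN 1. The two sample configurations, the VLAN 99 management VLAN, the addresses and the function names `parse_interfaces` and `audit` are constructed for illustration.

```python
import re

# Constructed IOS-style samples (not from the thread): management on VLAN 1
# versus a dedicated management VLAN (99 is an assumed number).
WEAK = """\
interface Vlan1
 ip address 10.1.1.5 255.255.255.0
interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
 switchport access vlan 10
"""
HARDENED = """\
interface Vlan1
 no ip address
 shutdown
interface Vlan99
 ip address 10.1.99.5 255.255.255.0
interface FastEthernet0/1
 switchport access vlan 99
interface FastEthernet0/2
 switchport access vlan 10
"""

def parse_interfaces(config):
    """Map each interface name to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" separators and global commands end a block
    return blocks

def audit(config):
    """Return findings for management or access ports left on VLAN 1."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if name.lower() == "vlan1":
            has_ip = any(c.startswith("ip address") for c in cmds)
            if has_ip and "shutdown" not in cmds:
                findings.append("management IP is on VLAN 1")
        elif not name.lower().startswith("vlan"):
            vlans = [c.split()[-1] for c in cmds if c.startswith("switchport access vlan")]
            if "switchport mode trunk" not in cmds and vlans in ([], ["1"]):
                findings.append(f"{name} is an access port in VLAN 1")
    return findings
```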


tman

Feb 15, 2008, 2:56:21 PM

Mike,

Thanks for the heads up on VLAN1.

Your reply raised another question regarding the use of the switch I
am configuring and its security.

Currently we have several small unmanageable switches to connect
routers and hosts on our public network. I was considering replacing
all the small unmanageable switches with one manageable switch and
dedicating a VLAN for each segment on the public network plus one VLAN
for management that would be on my private network. My thinking was
that each VLAN will be isolated from the other and thus secure. Based
on what you said and my limited knowledge, it looks like this is not
necessarily true.

Is there a way to do this securely? Or is it best to have the
individual switches on the public network?

Thanks.
