Switches, Hubs, and Modems

VLAN off management/monitoring traffic

 
Tony Barrett_2
Frequent Advisor

Our current LAN is primarily a mix of L3 5300xl switches and L2 26xx switches, with some 28xx and 18xx ProCurves thrown in. All the management traffic is kept on a specific subnet, but it is broadcast across the same network as normal data traffic. I have a router between the two subnets, but effectively it's a box with two interfaces in the same L2 switch.

I'm very keen to VLAN off the management traffic, to isolate this from normal data. Can anyone recommend the best way of doing this? What type of VLANs would be best? The management stations have interfaces on the 'main' network as well as the 'management' network, so these would also need to continue working as normal.


cenk sasmaztin
Honored Contributor

Re: VLAN off management/monitoring traffic

Hi Tony,
you can use a different VLAN for management

with the management vlan command.
Best way (for security): management traffic must be on a different and isolated VLAN.

Create any other VLAN on the network device
and enter the management vlan command on the switch.
The management VLAN is unable to route to any other VLAN,
therefore your management server, for example the PCM server or management PC, must be a member of this VLAN.




cenk

Tony Barrett_2
Frequent Advisor

Re: VLAN off management/monitoring traffic

Thanks. I guess HP have half done this with the inbuilt 'management VLAN' option, but would it be best to 'tag' this VLAN to further isolate traffic? Would this mean that all management stations would need to support 802.1Q tagging as well?

I guess I would then leave the DEFAULT_VLAN (i.e. normal traffic) as untagged, but Management VLAN traffic as tagged. No routing would take place on the switches themselves (this is handled elsewhere).

So, to reiterate, if I tag the packets on the management VLAN, would ALL PCs that need to be on the VLAN have to support tagging as well?
cenk sasmaztin
Honored Contributor

Re: VLAN off management/monitoring traffic

The term management VLAN is for network device management:
network switch, access point and router, not for network servers and PCs.

The management VLAN must be connected on an untagged port to the management tool (PCM+ server or any application).

No need for a tagged port on the management VLAN.

For example:

all uplink ports between switch and switch: management VLAN 1 untagged member, and all other VLANs tagged members on these ports.



cenk

cenk sasmaztin
Honored Contributor

Re: VLAN off management/monitoring traffic

Example config for you:

hostname "swcore"
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   ; port 1 connects to the management tool server / port 26 is the uplink port
   untagged 1,26
   ip address 10.0.10.1 255.255.255.0
   no untagged 2-25
   exit
vlan 2
   name "VLAN2"
   ; all network PCs reside in VLAN 2
   untagged 2-25
   tagged 26
   exit
; with this command there is no routing between the management VLAN and other VLANs
management-vlan 1


****************************************************
hostname "swedge"
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   ; port 26 is the uplink port
   untagged 26
   ip address 10.0.10.2 255.255.255.0
   no untagged 1-25
   exit
vlan 2
   name "VLAN2"
   ; all network PCs reside in VLAN 2
   untagged 1-25
   tagged 26
   exit
management-vlan 1
cenk
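
The layout described in the replies above (switch management confined to one VLAN that reaches only the uplink and the management-station port) can be checked against a saved config. The following is an added example, not part of the original thread or any HP tool; the function names, the numeric-only port parsing, the policy checks and the sample config are assumptions constructed for illustration.

```python
import re

# Constructed sample (not from the thread): PC port 7 left in management VLAN 1.
SAMPLE = """\
vlan 1
   untagged 7,26
   ip address 10.0.10.2 255.255.255.0
   no untagged 1-6,8-25
   exit
vlan 2
   untagged 1-6,8-25
   tagged 26
   exit
management-vlan 1
"""

def expand(ports):
    """Expand '1,5-7' to {1, 5, 6, 7}. Assumes numeric port names only."""
    out = set()
    for part in ports.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):
    """Return (management VLAN id or None, {vid: {'ports': set, 'ip': bool}})."""
    mgmt, vlans, cur = None, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur = vlans.setdefault(int(m[1]), {"ports": set(), "ip": False})
        elif line == "exit":
            cur = None
        elif m := re.fullmatch(r"management-vlan (\d+)", line):
            mgmt = int(m[1])
        elif cur is not None and (m := re.fullmatch(r"(?:un)?tagged ([\d,\- ]+)", line)):
            cur["ports"] |= expand(m[1])  # "no untagged ..." lines do not match
        elif cur is not None and line.startswith("ip address "):
            cur["ip"] = True
    return mgmt, vlans

def audit(config, expected_ports):
    """List deviations from the layout in the thread (hypothetical policy)."""
    mgmt, vlans = parse(config)
    if mgmt is None:
        return ["no management-vlan declared"]
    extra = vlans.get(mgmt, {"ports": set()})["ports"] - set(expected_ports)
    issues = [f"port {p} is in management VLAN {mgmt}" for p in sorted(extra)]
    issues += [f"VLAN {v} has a switch IP" for v, d in sorted(vlans.items()) if d["ip"] and v != mgmt]
    return issues
```

For the two configs posted above, the expected management ports would be `{1, 26}` on swcore and `{26}` on swedge; `audit(SAMPLE, {26})` reports the stray port 7.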