Re: Native VLAN mismatch on Cisco 2950
- From: KDawg44 <KDawg44@xxxxxxxxx>
- Date: Mon, 13 Aug 2007 14:00:32 -0000
On Aug 13, 9:07 am, "Scott Perry" <scottperry@aciscocompany> wrote:
fugettaboutit - Thank you for the correction. I read the article that you
linked.
KDawg44 - Perhaps on such a small network there would not be as much
benefit, but the concept is to put the management IP addresses of switches
in a LAN on a seperate VLAN. This would keep users from having their
connected switch IP addresses in an accessible IP address range or
accessible VLAN. The router connecting to these switches would have a trunk
connection which would have a seperate IP address in both VLANs - the
management VLAN and the user VLAN.
Maybe your setup does not need it, but the idea is to keep networks more
secure by later allowing through access-lists that only certian IP addresses
or IP address subnets can connect to the administrative IP address ranges
used for the management IP addresses on the switches and routers. It is
better than giving the switches a management IP address in the same VLAN and
IP subnet as all of the users who could attempt to access it.
--
===========
Scott Perry
===========
Indianapolis, Indiana
________________________________________"KDawg44" <KDaw...@xxxxxxxxx> wrote in message
news:1186765092.934705.194290@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Aug 10, 11:38 am, fugettaboutit <n...@xxxxxxx> wrote:
This is a bad idea. It's also a bad practice on a number of fronts
ranging from security, node trust, and inband vs. out of band management:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_...
In particular, from a security perspective, not addressing the native
VLAN 1 issue opens you up to a VLAN hopping attack.
Change your native VLAN to something other than 1 (as it's the default
on all Cisco devices), prune it, and don't assign ANY hosts to it...
Scott Perry wrote:
<bav...@xxxxxxxxx> wrote in message
news:1186698608.352502.202130@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Any benefit/reason in using VLAN 1 for management and create
another VLAN for users compare to using VLAN 1 for users and create
another VLAN for management?
There is a benefit: what is the one VLAN that you cannot delete or
remove
and will therefore always be there? VLAN1
The books and prudence suggest manking VLAN 1 the management VLAN and
to put
your network device management IP addresses on there. Laziness says
that it
is easier to leave all switchports VLAN 1 for the users and
workstations and
to just move the management IP address ports to the other VLAN.
If you are going to seperate them, make VLAN 1 for your network
administration and move the users to another VLAN.
When you say separate management traffic, what traffic do you refer to
exactly? We are in a small network that has one firewall, one network
switch, and a couple servers. How would this benefit this particular
network and what traffic should I segregate?
Thanks.
Scott - Thanks very much for the response. Makes perfect sense to me
now.
.
- Follow-Ups:
- Re: Native VLAN mismatch on Cisco 2950
- From: bavien
- Re: Native VLAN mismatch on Cisco 2950
- References:
- Native VLAN mismatch on Cisco 2950
- From: bavien
- Re: Native VLAN mismatch on Cisco 2950
- From: Scott Perry
- Re: Native VLAN mismatch on Cisco 2950
- From: fugettaboutit
- Re: Native VLAN mismatch on Cisco 2950
- From: KDawg44
- Re: Native VLAN mismatch on Cisco 2950
- From: Scott Perry
- Native VLAN mismatch on Cisco 2950
- Prev by Date: Re: Routing Question
- Next by Date: Re: Native VLAN mismatch on Cisco 2950
- Previous by thread: Re: Native VLAN mismatch on Cisco 2950
- Next by thread: Re: Native VLAN mismatch on Cisco 2950
- Index(es):
Relevant Pages
|
