Create a Network Management VLAN on an Integrated Services Router
Introduction      Requirements      VLAN Overview           Supported VLANs           The Network Management VLAN      Enable the Network Management VLAN           Enable the VLAN on the Router           Enable Security           Enable the VLAN on an Integrated Switch      Add Users           Add a Wired Guest User      Next Step      Troubleshoot the Procedure      Related Information	Download PDF   Create a Network Management VLAN on an Integrated Services Router

Introduction

This document provides instructions for how to create a virtual LAN (VLAN) for Network Management users on your network. A network management VLAN gives network management devices and internal servers a network that is separated from the Internet and has controlled access to machines on the local network.

Note: VLANs are not supported on Cisco 800 series and SB 100 series routers.

Back to Top

Requirements

• You must have completed these worksheets from the Site Survey:

  • LAN Addressing Worksheet

  • Internet Worksheet

  • Firewall Worksheet

• You must have completed the initial configuration of your router. If you have not configured your router, refer to the Site Survey.

Back to Top

VLAN Overview

This section provides an overview of the Management VLAN and how to use VLANs in your network.

Supported VLANs

The Site IP Addressing Plan includes subnets for up to four virtual LANs (VLANs) at each site. Each VLAN has a custom level of security for a specific type of computer on the network, and uses firewalls to control access between VLANs.

The site survey defines these VLANs:

1. Default VLAN (20)

2. Network Management VLAN (21)

3. Secure Server VLAN (22)

4. Guest VLAN (23)

The diagram gives an overview of each VLAN in the network. For more information on other VLANs, refer to the Configuration Overview page.

The Network Management VLAN

A network management VLAN gives network management devices and internal servers a network that is separated from the Internet and has controlled access to machines on the local network.

The Network Management VLAN provides these benefits:

• Network Management users can send traffic to the Default and Secure Server VLANs and receive valid responses

• Network Management users are separated from the Internet for security purposes

Back to Top

Enable the Network Management VLAN

Follow these steps to configure the Network Management VLAN on an Integrated Services Router:

Enable the VLAN on the Router

To enable the Network Management VLAN on the router, follow these steps:

1. Follow these steps to create connect to the router with Telnet.

   1. Click Start > Run.

   2. In the Run dialog box, type cmd or command, and then click OK to open a command prompt window.

   3. At the command prompt, type telnet router-ip-address and press Enter. For router-ip-address , use the Router IP address that you entered in field L6A of the LAN Addressing Worksheet.

   4. Log into the router with the router password that you entered in field B11 of the Integrated Services Router Worksheet. For more information about how to access the router, refer to Configure Your Router with Security Device Manager.

2. Type enable and press Enter to enter privileged mode. Enter the enable password that you entered in field B12 of the Integrated Services Router Worksheet.

   Router> enable
   Router#

3. Type configure terminal and press Enter to enter configuration mode.

   Router# configure terminal
   Router(config)#

4. Type interface vlan 21 and press Enter.

   Router(config)#interface vlan 21
   

5. Type description Network Management VLAN and press Enter.

   Router(config-if)#description Network Management VLAN
   

6. Type encapsulation dot1Q 21 and press Enter.

   Router(config-if)#encapsulation dot1Q 21
   

7. Type ip address router-ip-address 255.255.255.0 and press Enter. For router-ip-address , use the Network Management VLAN router IP address that you entered in field L6B of the Management VLAN Addressing Worksheet.

   Router(config-if)#ip address 192.168.11.1 255.255.255.0
   

8. Type no shutdown and press Enter.

   Router(config-if)#no shutdown
   

9. Type exit and press Enter.

   Router(config-if)#exit
   Router(config)#

Enable Security

To enable security for the Network Management VLAN, follow these steps:

1. Follow these steps to create firewall rules for the Management VLAN:

   1. Type no access-list 121 and press Enter.

      Router(config)#no access-list 121
      

   2. Type access-list 121 remark Traffic to Management VLAN and press Enter.

      Router(config)#access-list 121 remark Traffic from Management
      			 VLAN
      

   3. Type access-list 121 permit ip default-subnet 0.0.0.255 management-subnet 0.0.0.255. For default-subnet , use the subnet you entered in field L1A of the LAN Addressing Worksheet. For management-subnet , use the subnet that you entered in field L1B of the Management VLAN Addressing Worksheet.

      Router(config)#access-list 121 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
      

   4. Type access-list 121 permit ip secure-server-subnet 0.0.0.255 management-subnet 0.0.0.255 and press Enter. For secure-server-subnet , use the subnet that you entered in field L1C of the Secure Server VLAN Addressing Worksheet. For managemenet-subnet , use the subnet that you entered in field L1B of the Management VLAN Addressing Worksheet.

      Router(config)#access-list 121 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
      

   5. Type access-list 121 deny ip any any and press Enter.

      Router(config)#access-list 121 deny ip any any
      

2. Type interface vlan 21 and press Enter.

   Router(config)#interface vlan 21
   

3. Type ip access-group 121 out and press Enter.

   Router(config-if)#ip access-group 121 out
   

4. Type end and press Enter to exit configuration mode.

   Router(config-if)#end
   Router#

5. Type write memory and press Enter to save your configuration.

   Router#write memory
   

Enable the VLAN on an Integrated Switch

Follow these steps to enable the Network Management VLAN on an integrated switch:

1. Type enable and press Enter to enter privileged mode. Enter the enable password that you entered in field B12 of the Router Worksheet and press Enter.

   Router>enable
   Router#

2. Type vlan database and press Enter.

   Router#vlan database
   Router(vlan)#

3. Type vlan 21 name Management media ethernet state active and press Enter.

   Router(vlan)#vlan 21 name Management media ethernet state
   		  active
   

4. Type exit and press Enter.

   Router(vlan)#exit
   APPLY completed.
   Exiting....
   Router#
   

5. Type configure terminal and press Enter.

   Router#configure terminal
   Router(config)#

6. Type spanning-tree vlan 21 root primary and press Enter.

   Router(config-if)#spanning-tree vlan 21 root primary
    VLAN 21 bridge priority set to 8192
    VLAN 21 bridge max aging time unchanged at 20
    VLAN 21 bridge hello time unchanged at 2
    VLAN 21 bridge forward delay unchanged at 15

7. Type end and press Enter.

   Router(config-if)#end
   Router#

8. Type write memory and press Enter.

   Router#write memory
   

9. Type exit and press Enter to terminate the telnet session.

10. Record the device name in the first available field from fields L8-L35 of the Management VLAN Addressing Worksheet.

11. Configure the device with the IP address in the Management VLAN Addressing Worksheet. For example, the first device in the Management VLAN is configured with the IP address 192.168.11.2. For more information about how to configure an IP address on a PC, refer to Configure an IP Address on Your PC.

Back to Top

Add Users

To move users to the Network Management VLAN, follow these steps:

Add a Wired Guest User

Follow these steps to add a network management user connected directly to a switch port on the ISR:

1. Type configure terminal and press Enter.

   Router#configure terminal
   Router(config)#

2. Type interface FastEthernet interface-number and press Enter. For interface-number , use the number of the switch port that you want to assign to a Management user. The available switch ports are listed in field B36 of the Router Worksheet.

   Router(config)#interface FastEthernet0/2
   Router(config-if)#

3. Type description Management Switch Port and press Enter.

   Router(config-if)#description Management Switch Port
   

4. Type switchport access vlan 21 and press Enter.

   Router(config-if)#switchport access vlan 21
   

5. Type end and press Enter.

   Router(config-if)#end
   Router#

6. Type write memory and press Enter.

   Router#write memory
   

7. Configure the user machine with an IP address in the Network Management VLAN

Back to Top

Next Step

You have now set up a Network Management VLAN on your network.

To make further changes to your network, refer to the Configuration Overview page.

Back to Top

Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Back to Top

Related Information

• Site Survey
• Create a HyperTerminal Connection
• Configure Your Router with Security Device Manager
• Move a LAN User Between Groups