Cisco SMB Support Assistant
 

Create a Network Management VLAN



     Introduction
     Requirements
     VLAN Overview
          Supported VLANs
          The Network Management VLAN
     Configure the Router
          Enable the VLAN on the Router
          Enable Security
     Configure the Switch
          Enable Network Management VLAN on the Root Switch
          Enable the Network Management VLAN on a Non-Root Switch
     Add Users
          Add a Wired Guest User
     Next Step
     Troubleshoot the Procedure
     Related Information



Introduction

This document provides instructions for how to create a virtual LAN (VLAN) for Network Management users on your network. A network management VLAN gives network management devices and internal servers a network that is separated from the Internet and has controlled access to machines on the local network.

Note: VLANs are not supported on Cisco 800 series and SB 100 series routers.





Requirements

  • You must have completed these worksheets from the Site Survey:

    • LAN Addressing Worksheet

    • Internet Worksheet

    • Firewall Worksheet

  • You must have completed the initial configuration of your router, switch, and access point. If you have not configured these devices, refer to the Site Survey.





VLAN Overview

This section provides an overview of the Management VLAN and how to use VLANs in your network.

Supported VLANs

The Site IP Addressing Plan includes subnets for up to four virtual LANs (VLANs) at each site. Each VLAN has a custom level of security for a specific type of computer on the network, and uses firewalls to control access between VLANs.

The site survey defines these VLANs:

  1. Default VLAN (20)

  2. Network Management VLAN (21)

  3. Secure Server VLAN (22)

  4. Guest VLAN (23)

The diagram gives an overview of each VLAN in the network. For more information on other VLANs, refer to the Configuration Overview page.

[Figure: vlandiagram.gif, overview of each VLAN in the network]

The Network Management VLAN

A network management VLAN gives network management devices and internal servers a network that is separated from the Internet and has controlled access to machines on the local network.

The Network Management VLAN provides these benefits:

  • Network Management users can send traffic to the Default and Secure Server VLANs and receive valid responses

  • Network Management users are separated from the Internet for security purposes





Configure the Router

Follow these steps to configure the Network Management VLAN on the router:

Enable the VLAN on the Router

To enable the Network Management VLAN on the router, follow these steps:

  1. Follow these steps to connect to the router with Telnet.

    1. Click Start > Run.

    2. In the Run dialog box, type cmd or command, and then click OK to open a command prompt window.

    3. At the command prompt, type telnet router-ip-address and press Enter. For router-ip-address, use the Router IP address that you entered in field L6A of the LAN Addressing Worksheet.

    4. Log into the router with the router password that you entered in field B11 of the Router Worksheet.

  2. Type enable and press Enter to enter privileged mode. Enter the enable password that you entered in field B12 of the Router Worksheet and press Enter.

    Router> enable
    Password:
    Router#
  3. Type configure terminal and press Enter to enter configuration mode.

    Router# configure terminal
    Router(config)#
  4. Type interface ethernet-interface-name.21 and press Enter. For ethernet-interface-name, use the name of the first Ethernet interface that you entered in field B35 of the Router Worksheet.

    Router(config)#interface FastEthernet0/0.21
    
  5. Type description Network Management VLAN and press Enter.

    Router(config-subif)#description Network Management VLAN
    
  6. Type encapsulation dot1Q 21 and press Enter.

    Router(config-subif)#encapsulation dot1Q 21
    
  7. Type ip address router-ip-address 255.255.255.0 and press Enter. For router-ip-address, use the Network Management VLAN router IP address that you entered in field L6B of the Management VLAN Addressing Worksheet.

    Router(config-subif)#ip address 192.168.11.1 255.255.255.0
    
  8. Type no shutdown and press Enter.

    Router(config-subif)#no shutdown
    
  9. Type exit and press Enter.

    Router(config-subif)#exit
    Router(config)#

Enable Security

To enable security for the Network Management VLAN, follow these steps:

  1. Follow these steps to create firewall rules for the Management VLAN:

    1. Type no access-list 121 and press Enter.

      Router(config)#no access-list 121
      
    2. Type access-list 121 remark Traffic from Management VLAN and press Enter.

      Router(config)#access-list 121 remark Traffic from Management VLAN
      
    3. Type access-list 121 permit ip default-subnet 0.0.0.255 management-subnet 0.0.0.255 and press Enter. For default-subnet, use the subnet that you entered in field L1A of the LAN Addressing Worksheet. For management-subnet, use the subnet that you entered in field L1B of the Management VLAN Addressing Worksheet.

      Router(config)#access-list 121 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
      
    4. Type access-list 121 permit ip secure-server-subnet 0.0.0.255 management-subnet 0.0.0.255 and press Enter. For secure-server-subnet, use the subnet that you entered in field L1C of the Secure Server VLAN Addressing Worksheet. For management-subnet, use the subnet that you entered in field L1B of the Management VLAN Addressing Worksheet.

      Router(config)#access-list 121 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
      
    5. Type access-list 121 deny ip any any and press Enter.

      Router(config)#access-list 121 deny ip any any
      
  2. Type interface ethernet-interface-name.21 and press Enter. For ethernet-interface-name, use the name of the first Ethernet interface that you entered in field B35 of the Router Worksheet.

    Router(config)#interface FastEthernet0/0.21
    Router(config-subif)#
  3. Type ip access-group 121 out and press Enter.

    Router(config-subif)#ip access-group 121 out
    
  4. Type end and press Enter to exit configuration mode.

    Router(config-subif)#end
    Router#
  5. Type write memory and press Enter to save your configuration.

    Router#write memory
    
  6. Type exit and press Enter to exit the Telnet session.

    Router#exit
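
The following is an added example, not part of the original Cisco document: a small Python evaluator that applies ACL 121 with IOS first-match and wildcard-mask semantics to constructed packets, to check which sources can reach a Management VLAN host. The sample host addresses and the guest subnet 192.168.13.0/24 are assumptions; the ACL lines and the other subnets are the page's examples.

```python
import ipaddress

# ACL 121 as entered in the procedure, using the page's example subnets.
ACL_121 = """\
access-list 121 remark Traffic from Management VLAN
access-list 121 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 121 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 121 deny ip any any
"""

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _take_spec(tokens):
    # Consume "any" or "address wildcard"; return (base, wildcard, remaining).
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    return _to_int(tokens[0]), _to_int(tokens[1]), tokens[2:]

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[2] not in ("permit", "deny"):
            continue  # remark or blank line
        src_base, src_wild, rest = _take_spec(tok[4:])  # tok[3] is the protocol
        dst_base, dst_wild, _ = _take_spec(rest)
        rules.append((tok[2], src_base, src_wild, dst_base, dst_wild))
    return rules

def _matches(addr, base, wildcard):
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 = ignore, 0 = must match
    return (addr & care) == (base & care)

def evaluate(rules, src, dst):
    s, d = _to_int(src), _to_int(dst)
    for action, sb, sw, db, dw in rules:
        if _matches(s, sb, sw) and _matches(d, db, dw):
            return action  # first matching entry decides
    return "deny"  # implicit deny when nothing matches

# Constructed source addresses; the guest subnet is an assumption.
SAMPLES = {"default": "192.168.10.5", "secure-server": "192.168.12.9",
           "guest": "192.168.13.7", "internet": "203.0.113.10"}

def audit(dst="192.168.11.2"):
    # Packets routed out FastEthernet0/0.21 toward a Management VLAN host.
    rules = parse_acl(ACL_121)
    return {name: evaluate(rules, src, dst) for name, src in SAMPLES.items()}
```

Because the list is applied with ip access-group 121 out, these verdicts describe packets that the router forwards toward the Management VLAN, not packets sent by Management VLAN hosts.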
    




Configure the Switch

Follow these steps to modify your root switch to support the Network Management VLAN:

Enable Network Management VLAN on the Root Switch

If you have an external root switch, follow these steps to enable the Network Management VLAN on the switch:

Note: This procedure assumes that your router is connected to port 2 of the root switch.

  1. Follow these steps to connect to the switch with Telnet.

    1. Click Start > Run.

    2. In the Run dialog box, type cmd or command, and then click OK to open a command prompt window.

    3. At the command prompt, type telnet switch-IP-address and press Enter. For switch-IP-address, use the switch IP address that you entered in field L8 of the LAN Addressing Worksheet.

    4. Log into the switch with the password you entered in field S5 of the Switch Port Assignments Worksheet.

  2. Type enable and press Enter. Enter the enable password that you entered in field S5 of the Switch Port Assignments Worksheet and press Enter.

    switch>enable
    switch#
  3. Type configure terminal and press Enter.

    switch#configure terminal
    switch(config)#
  4. Type vlan 21 and press Enter.

    switch(config)#vlan 21
    
  5. Type state active and press Enter.

    switch(config-vlan)#state active
    
  6. Type name management and press Enter.

    switch(config-vlan)#name management
    
  7. Type interface FastEthernet0/2 and press Enter.

    Note: For the Catalyst 4500, the slot number of the switch module determines the interface number. For example, if the first switch module is installed in slot 2 of the switch, the correct interface is FastEthernet2/2.

    switch(config-vlan)#interface FastEthernet0/2
    switch(config-if)#
  8. Type description Internal router port and press Enter.

    switch(config-if)#description Internal router port
    
  9. Type switchport trunk allowed vlan add 21 and press Enter.

    switch(config-if)#switchport trunk allowed vlan add 21
    
  10. Type exit and press Enter.

    switch(config-if)#exit
    switch(config)#
  11. Type spanning-tree vlan 21 root primary and press Enter.

    switch(config)#spanning-tree vlan 21 root primary
    
  12. Type end and press Enter.

    switch(config)#end
    switch#
  13. Type write memory and press Enter.

    switch#write memory
    
  14. Type exit and press Enter.

    switch#exit
    

Enable the Network Management VLAN on a Non-Root Switch

Follow these steps to enable the Network Management VLAN on a non-root switch. Repeat these steps for each non-root switch in your network that uses the Network Management VLAN.

Note: This procedure assumes that port 1 of the non-root switch is connected to the root switch.

  1. Follow these steps to connect to the switch with Telnet.

    1. Click Start > Run.

    2. In the Run dialog box, type cmd or command, and then click OK to open a command prompt window.

    3. At the command prompt, type telnet switch-IP-address and press Enter. For switch-IP-address, use the switch IP address that you entered in fields L9-L12 of the LAN Addressing Worksheet.

    4. Log into the switch with the password you entered in field S64 of the Switch Port Assignments Worksheet.

  2. Type enable and press Enter. Enter the enable password that you entered in field S64 of the Switch Port Assignments Worksheet and press Enter.

    switch>enable
    switch#
  3. Type configure terminal and press Enter.

    switch#configure terminal
    switch(config)#
  4. Type vlan 21 and press Enter.

    switch(config)#vlan 21
    
  5. Type state active and press Enter.

    switch(config-vlan)#state active
    
  6. Type name network-management and press Enter.

    switch(config-vlan)#name network-management
    
  7. Type interface FastEthernet0/1 and press Enter.

    Note: For the Catalyst 4500, the slot number of the switch module determines the interface number. For example, if the first switch module is installed in slot 2 of the switch, the correct interface is FastEthernet2/1.

    switch(config-vlan)#interface FastEthernet0/1
    switch(config-if)#
  8. Type switchport trunk allowed vlan add 21 and press Enter.

    switch(config-if)#switchport trunk allowed vlan add 21
    
  9. Type exit and press Enter.

    switch(config-if)#exit
    switch(config)#
  10. Type spanning-tree vlan 21 and press Enter.

    switch(config)#spanning-tree vlan 21
    
  11. Type end and press Enter.

    switch(config)#end
    switch#
  12. Type write memory and press Enter.

    switch#write memory
    
  13. Type exit and press Enter.

    switch#exit
    




Add Users

To move users from the Default VLAN to the Management VLAN, follow these steps:

Add a Wired Guest User

Follow these steps to add a wired user to the Management VLAN:

  1. Record the device name in the first available field from fields L8-L35 of the Management VLAN Addressing Worksheet.

  2. Configure the device with the IP address in the Management VLAN Addressing Worksheet. For example, the first device in the Management VLAN is configured with the IP address 192.168.11.2. For more information about how to configure an IP address on a PC, refer to Configure an IP Address on Your PC.

  3. Refer to Move a LAN User Between Groups and follow the instructions to move the user switch port to the Management VLAN.





Next Step

You have now set up a Management VLAN on your network.

To make further changes to your network, refer to the Configuration Overview page.





Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Problem: I cannot connect to the router with Security Device Manager (SDM).
Cause(s) and Suggested Solution(s): Refer to Configure Your Router with Security Device Manager.

Problem: I cannot connect to the switch with Cisco Network Assistant (CNA).
Cause(s) and Suggested Solution(s): Refer to Configure the Catalyst Switch with Cisco Network Assistant.

Problem: I have a Network Management user that cannot connect to the Network Management VLAN.
Cause(s) and Suggested Solution(s): Refer to Move a LAN User Between Groups to move the appropriate switch port to the Management VLAN.





Related Information

Service Requests

  Open a service request
  Update a service request


© 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.