Ethernet Switches & Routers

New Member
Posts: 1
Registered: ‎06-17-2014

Confused on Management VLAN and Management Port


Hello All,

I am currently configuring an ICX 6450-24 switch. Since I am new to Brocade, I am doing a bit of practice with the device to understand the configuration fully.

When I create a "management-vlan" and add only a few ports to that VLAN, I am not able to access the switch from any other port, as should be the case (with all the other ports on the default VLAN ID).

But when I assign an IP to the management port, I am able to access the switch from other ports, as the IP assignment to the switch is done globally and not for the management interface.

If that is the case, how will I be able to configure an out-of-band network configuration using only management ports? Moreover, it is not possible to add those ports to any VLANs, not even the default VLAN. It seems that the management port becomes a part of the default VLAN.

This also means that if someone connects a system to a default VLAN port, they have the ability to issue, for example, "telnet", even though they may not have telnet access permissions through an ACL or user ID/password. Doesn't this pose a security risk?

I know some people may say that I should keep the unused ports "disabled". But what if I don't want to do that?

Brocadian
Posts: 44
Registered: ‎01-05-2012

Re: Confused on Management VLAN and Management Port

Some of the rules on the management port:

   - A management port is not part of any VLAN

 ...

   - Creating a management VLAN disables the management port on the device.

For switches, any in-band port may be used for management purposes. A router sends Layer 3 packets using the MAC address of the port as the source MAC address.

Designated VLAN for Telnet management sessions to a Layer 2 Switch

All Brocade FastIron devices support the creation of management VLANs. By default, the management IP address you configure on a Layer 2 Switch applies globally to all the ports on the device. This is true even if you divide the device ports into multiple port-based VLANs.

If you want to restrict the IP management address to a specific port-based VLAN, you can make that VLAN the designated management VLAN for the device. When you configure a VLAN to be the designated management VLAN, the management IP address you configure on the device is associated only with the ports in the designated VLAN.

To establish a Telnet management session with the device, a user must access the device through one of the ports in the designated management VLAN.

 

Regular Visitor
Posts: 1
Registered: ‎07-24-2014

Re: Confused on Management VLAN and Management Port

...so the key phrase here is "designated management vlan".

That's the phrase which will unlock all the useful info buried somewhere in the manuals.

In the config it will look something like:

.
.
vlan 100 name data by port
  management-vlan
.
.

So now the IP address you globally configured for the switch code (6430 ?) now resides in vlan 100.

YMMV
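The two replies above describe the check an operator actually wants to make on a running-config: is there a designated management VLAN at all, and if so, which ports are in it (because without the `management-vlan` line the global management IP answers on every port, which is the exposure the original poster noticed). The script below is an added example for this thread, not Brocade's code and not taken from any of the posts. It assumes only the FastIron config syntax shown above (`vlan N name X by port`, an indented `management-vlan` line, `untagged ethe 1/1 to 1/4`, `router-interface ve N`); the two sample configs are constructed for the example, with the second one being the first plus the designated management VLAN from the reply.

```python
"""Audit a FastIron-style running-config for a designated management VLAN.

Added example for this forum thread; not Brocade's code. Assumes the config
syntax shown in the replies ("vlan N name X by port", indented sub-commands
such as "management-vlan" and "untagged ethe 1/1 to 1/4", "!" terminators).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Vlan:
    vid: int
    name: str
    ports: List[str] = field(default_factory=list)  # member ports, e.g. "1/12"
    management: bool = False                        # carries the management-vlan keyword
    router_interface: Optional[str] = None          # e.g. "ve 130"


def _port_key(port: str) -> tuple:
    """Sort key so '1/2' sorts before '1/10'."""
    return tuple(int(x) for x in port.split("/"))


def _expand_ports(line: str) -> List[str]:
    """Expand 'untagged ethe 1/1 to 1/4 ethe 1/12' into individual port names."""
    tokens = line.split()[1:]          # drop the untagged/tagged keyword
    ports: List[str] = []
    i = 0
    while i < len(tokens):
        if tokens[i] in ("ethe", "ethernet"):
            start = tokens[i + 1]
            if i + 3 < len(tokens) and tokens[i + 2] == "to":
                slot, first = start.split("/")
                _, last = tokens[i + 3].split("/")
                ports.extend(f"{slot}/{p}" for p in range(int(first), int(last) + 1))
                i += 4
            else:
                ports.append(start)
                i += 2
        else:
            i += 1
    return ports


def parse_vlans(config: str) -> Dict[int, Vlan]:
    """Collect VLAN blocks; any unindented line ('!' or another command) ends a block."""
    vlans: Dict[int, Vlan] = {}
    current: Optional[Vlan] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            m = re.match(r"vlan (\d+)(?: name (\S+))?", line)
            current = vlans.setdefault(int(m.group(1)), Vlan(int(m.group(1)), m.group(2) or "")) if m else None
            continue
        if current is None:
            continue                       # indented line of some other block (interface ...)
        if line == "management-vlan":
            current.management = True
        elif line.startswith(("untagged ", "tagged ")):
            current.ports.extend(_expand_ports(line))
        elif line.startswith("router-interface "):
            current.router_interface = line.split(None, 1)[1]
    return vlans


def audit(config: str) -> dict:
    """Report which ports can reach the Layer 2 switch's management IP."""
    vlans = parse_vlans(config)
    mgmt = [v for v in vlans.values() if v.management]
    if not mgmt:
        return {"management_vlan": None, "reachable_from": "all ports",
                "finding": "no designated management VLAN: the global management "
                           "IP answers on every port, including default-VLAN ports"}
    v = mgmt[0]
    return {"management_vlan": v.vid,
            "reachable_from": sorted(v.ports, key=_port_key),
            "finding": "ok" if len(mgmt) == 1 else "more than one management-vlan found"}


# Constructed sample configs (not captured from a real device). The first is the
# out-of-the-box situation the original poster describes; the second adds the
# designated management VLAN from the reply above.
EXPOSED_CONFIG = """\
vlan 1 name DEFAULT-VLAN by port
!
vlan 100 name data by port
 untagged ethe 1/1 to 1/4
!
interface ethernet 1/1
 enable
!
"""

RESTRICTED_CONFIG = EXPOSED_CONFIG.replace(
    " untagged ethe 1/1 to 1/4\n", " untagged ethe 1/1 to 1/4\n management-vlan\n")


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        print(label, audit(cfg))
```

Run it against `show running-config` output saved to a file (replace the constructed samples with the file contents); the "exposed" case is the one to fix by adding `management-vlan` to the VLAN that holds the management ports, and the port list in the "restricted" case is the set of ports from which a Telnet session to the switch will be accepted.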

Contributor
Posts: 40
Registered: ‎01-28-2013

Re: Confused on Management VLAN and Management Port

My problem is that on my CER, it has a dedicated management port that can't be used to send sFlow data through. So if I create a new VLAN for management, I can't designate it as the management VLAN!! (I have a CER 2024C running IronWare version 5.4.0dT183.)

How can I configure a regular unused Ethernet port as a management port?

vlan 130 name Switch_Management
 untagged ethe 1/12
 router-interface ve 130
!
interface ethernet 1/12
 enable
!
!
interface ve 130
 ip address 192.167.10.76/21
!

 

 

Brocadian
Posts: 152
Registered: ‎10-05-2010

Re: Confused on Management VLAN and Management Port

Did you try this?

Enabling sFlow forwarding (from the config guide)

To enable sFlow forwarding, enter commands such as the following.

Brocade(config)# sflow enable
Brocade(config)# interface ethernet 1/1 to 1/8
Brocade(config-mif-1/1-1/8)# sflow forwarding

These commands globally enable sFlow, then enable sFlow forwarding on Ethernet ports 1/1 through 1/8.
