native vlan question

Thanks. Your switches look like "Access layer switches" (based on the switch's "location" in the network topology; Cisco defines Access, Distribution and Core layer switches). Back to my previous question: if every VLAN can be assigned an IP addr. (L3 support), does it mean that all attached hosts can config that switch, or are there some solutions to prohibit some hosts from doing it? No management concept here?

TIA, st

Reply to
aaabbb16

You protect management services with ACLs.

e.g.:

access-list 1 remark Network Management Stations
access-list 1 permit 192.168.20.8 0.0.0.7 log
access-list 1 deny any log

ip http server
ip http access-class 1

line vty 0 4
 access-class 1 in
 exec-timeout 9 0
 transport input ssh

note: could also use an extended ACL to specify a protocol restriction.

... SNMP, and others.

Best Regards, News Reader

Reply to
News Reader

The management IP is accessible anywhere you make it accessible. If you want to lock it down, you have a multitude of choices. ACLs to block specific IPs or ranges (or block everything and only allow specific IPs/ranges), as well as AAA for authentication and authorization (and yes the final A is accounting). You could also lock it down so only console or terminal servers can do configuration changes, and block via telnet or ssh. In short, this type of constraint or requirement is way above layer 2 at that point, and onto layer 3 and above.

Reply to
Trendkill

As Trendkill pointed out, there are many opportunities for limiting administrative access/control to/of your devices.

The access-list examples provided are a first line of defense that help you limit from "where" access can be gained, and in some instances via "which" protocol. Doesn't address the "who" though.

The Cisco devices support a local AAA user database which can support authentication and limited authorization of users, but it doesn't scale well.

With a RADIUS access control server you can control "who" has access, from "where", "what" resources/services they are authorized to access, and as Trendkill mentioned, create accounting records. TACACS+ provides the additional benefit of defining sets of commands that an authenticated and authorized administrator may execute from the device's command line interface once logged in.

Perhaps you are well aware of these protocols.

Best Regards, News Reader

Reply to
News Reader

Let me add some background points to this discussion.

1) Avaya have a very comprehensive tutorial on VLAN technologies on their web site - have a look at . Start at about slide 21 if you already know LAN basics.

2) The terminology can get very confusing, partly because a lot of it predates standards. Cisco talk about native VLAN; the 802.1Q standard about PVID (port VLAN ID). These are separate from which VLANs are tagged on any particular port.

3) According to Avaya (I've not read the standard) 802.1Q defines three types of port: access ports where frames are not tagged; trunk ports where *all* frames are tagged; and hybrid ports where frames may be tagged or not tagged. Cisco trunk ports are hybrid ports according to 802.1Q.

4) The usual Cisco behaviour on a trunk (hybrid) port is to send all frames tagged except for the native VLAN (PVID); all untagged frames received are noted[1] as belonging to the native VLAN, as are frames tagged for the native VLAN; other tagged frames are noted for their correct VLAN.

5) Just as a side note, 802.1Q inserts tags into frames to provide the VLAN information. Cisco ISL encapsulates the original frame with a new header containing the VLAN id.

HTH

Sam

[1] I use the word "noted" to mean that the switch internally keeps track of which VLAN a frame belongs to. How it does that - with tagging, encapsulation, a field in a data table or whatever - is up to its designer and is actually irrelevant to us poor users since we can't see inside the switch.
Reply to
Sam Wilson
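Sam's point 4 above, worked through in code as an added example that is not part of the thread: a small Python model of how a Cisco-style trunk (hybrid) port tags frames on egress and notes VLAN membership on ingress. The native VLAN of 1, the MAC addresses and the payload are constructed assumptions; the VID 0 priority-tag case is standard 802.1Q behaviour that goes beyond what the post describes.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
NATIVE_VLAN = 1       # assumed PVID of the trunk port in this example

def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build an Ethernet frame; when vlan is given, insert an 802.1Q tag."""
    hdr = dst + src
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def trunk_egress(dst, src, ethertype, payload, vlan, native_vlan=NATIVE_VLAN):
    """Send side of point 4: tag every frame except those in the native VLAN."""
    tag = None if vlan == native_vlan else vlan
    return build_frame(dst, src, ethertype, payload, tag)

def classify_ingress(frame, native_vlan=NATIVE_VLAN):
    """Receive side of point 4: which VLAN the port notes the frame as.
    untagged -> native; tagged with native VID -> native; other VID -> that VID.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"tagged": False, "vlan": native_vlan, "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid, pcp = tci & 0x0FFF, tci >> 13
    # VID 0 is a priority-only tag (802.1Q); membership still comes from the PVID.
    vlan = native_vlan if vid == 0 else vid
    return {"tagged": True, "vlan": vlan, "pcp": pcp, "ethertype": inner_type}

if __name__ == "__main__":
    # constructed sample addresses and payload
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    for vlan in (1, 10):
        frame = trunk_egress(dst, src, 0x0800, b"\x45\x00", vlan)
        print(vlan, frame[12:14].hex(), classify_ingress(frame))
```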

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.