2960x
(OP)
Quick question: I have 5 Cisco 2960-X switches in a stack. Why does each switch show as having 50 ports plus 2 x 10 Gb ports when it only has 48 ports?
Also going to set up VLANs as below:
- 2 user VLAN
- 30 factory VLAN
- 60 management VLAN
I was then going to give the switch a 192.168.60 address in VLAN 60 and configure an access list on VLAN 60 to allow only a select number of users into this VLAN, i.e. IT admins. Is this how you would set it up?
RE: 2960x
You can use your AD with RADIUS to authenticate switch managers.
Is there a particular reason you want to fiddle with access lists? How does this help people who *do* need access to manage the switch? Are you going to have to fiddle with their IP addresses to make them static? All a bit fiddly, don't you think?
As far as the ports go, do a show interface brief or a show ip int to get a full list, you should be able to tell from the interface name what it is. You can have many many interfaces that aren't related to the interfaces you can see on the outside - port-channels, SVIs, Loopbacks being some of them.
RE: 2960x
That is ok. We can't design your network for you, but we can help you to get there.
Cisco makes a set of very good design guides which will give you the general ideas,
and specifics on how to get things done. Take a look at this link
RE: 2960x
Expect the uplink to the switch, which needs to be a trunk to allow all VLANs back to the router, which is subinterfaced with all VLANs?
RE: 2960x
Set up a RADIUS server - and since you mentioned you are running VMs it shouldn't be too hard to spin it up.
Create a group in the RADIUS server that is allowed access to your switches.
Set up authentication, authorization and accounting on your switches so that only the correct people can log in to them.
In general, the management VLAN should not be pushed through the same network/devices as the rest of your networks.
I usually use a 3750X stack for the 'core' of the MGT network, and then plug in to the MGT port of all my switches, routers, etc.
This way there is one way to get into the rest of my MGT network and that is through a routed network which I control via access lists.
Again, since you have virtualization you could create a couple of workstations that have static addresses. Your IT staff would RDP into those workstations and from there access the MGT network. RADIUS would be used to log and allow access to each individual device, and a proper syslog service would be up and running to keep track of who did what...
**Excuse bad spelling/grammar, I haven't slept for a while.
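Putting the thread's pieces together (VLANs 2/30/60, a management SVI in VLAN 60, the trunk uplink to a router with one 802.1Q subinterface per VLAN, and RADIUS-backed AAA with accounting and syslog): an added IOS example written here, not taken from any poster. Interface numbers, addresses, the RADIUS/syslog server addresses and the secrets are constructed placeholders.

```cisco
! --- 2960-X stack: VLANs, management SVI, trunk uplink, AAA (assumed names/addresses) ---
vlan 2
 name USERS
vlan 30
 name FACTORY
vlan 60
 name MANAGEMENT
vlan 999
 name UNUSED-NATIVE
!
! The stack is managed only through its SVI in VLAN 60 (the thread's 192.168.60.x plan)
interface Vlan60
 ip address 192.168.60.2 255.255.255.0
ip default-gateway 192.168.60.1
!
! Uplink to the router: tag every VLAN, use an unused native VLAN, allow only what is needed
interface GigabitEthernet1/0/48
 description Trunk to router
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,30,60
!
! AAA: RADIUS (e.g. the Windows NPS role) decides who may log in; local account only as fallback
aaa new-model
radius server NPS1
 address ipv4 192.168.60.10 auth-port 1812 acct-port 1813
 key EXAMPLE-SHARED-SECRET
aaa group server radius NPS-GROUP
 server name NPS1
aaa authentication login default group NPS-GROUP local
aaa authorization exec default group NPS-GROUP local if-authenticated
aaa accounting exec default start-stop group NPS-GROUP
aaa accounting commands 15 default start-stop group NPS-GROUP
username admin-fallback privilege 15 secret EXAMPLE-LOCAL-PASSWORD
!
! Management sessions over SSH only; send AAA/config events to syslog so "who did what" is kept
ip ssh version 2
line vty 0 15
 transport input ssh
logging host 192.168.60.20
! --- Router side: one 802.1Q subinterface per VLAN on the trunk-facing interface ---
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 192.168.60.1 255.255.255.0
```

`ip ssh version 2` assumes an RSA key pair has already been generated on the stack with `crypto key generate rsa`. With the `local` fallback keyword, the local account is only consulted when no RADIUS server responds, so a reachable NPS with no matching group membership still denies the login.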
RE: 2960x
Dumb ACLs are not so good. They are a very blunt weapon that create extra work for you without giving you much control.
Every device on your network should have its access locked down via policies managed by a central directory, ie, AD. That includes workstations, servers and network infrastructure.
Your Windows server has Radius already built into it, you just need to turn it on, create some groups, etc...
Imbadatthis describes a management network that is actually air-gapped on dedicated infrastructure - you don't need a separate PC for this, your air-gapped management network is just another "Zone" (like DMZ, LAN, GUEST, etc...) which you connect to your gateway for security (which consists of much more than ACLs).
This option is for the larger environment.