[unisog] Who is using Management VLANs?

Frank Sweetser fs at WPI.EDU
Fri Apr 2 14:31:23 GMT 2004

On Mon, Mar 29, 2004 at 06:05:10PM -0500, Clarke Morledge wrote:
> Are there many folks on the list using Management-only VLANs?

We tried that for a while, but had the problem that any real network failures
took down the management network as well.  A management only vlan doesn't help
much when (for example) you accidentally partition the uplink port on a switch
from remote (*ahem* not that I've ever done that, of course...).

> In a perfect world, I'd just run a separate physical network to each
> infrastructure device instead of a VLAN.  But to think of it that way, in
> a perfect world, I would not be putting so much effort into network
> security :-(

We actually did this here, with excellent results.  We grabbed an old switch,
loaded it up with 10f blades, and ran it to Netgear EN108 hubs with fiber
transceivers in each closet (well, not all of them, but the more important
buildings).  For extra points, we then put out an old Pentium 100 or so class
machine in each closet that netbooted a ramdisk Linux, and plugged the serial
ports into the consoles of the switches (except for the core, we have at most
two switches per building).

It saved a lot of legwork time when SQL Slammer crept in.  We only had 3 or 4
hosts infected, but it was enough to completely cripple all throughput.  I was
able to go over our management network, serial in to the offending switch, and
start shutting down ports until the problem went away =)

Frank Sweetser fs at wpi.edu
WPI Network Engineer
GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC

