A VLAN Question


CreekstoneLane
02-04-2009, 05:23 AM
Okay, folks... this is actually a multi-part question, but I'll try to keep it brief:

1) Why do we really have a management VLAN? Yes, I've heard the mantra that it's for managing VLANs, but how would we ever use it to do that? Would we Telnet or SSH into the IP address we set for its logical interface? I've just never seen it actually used. And what specifically would we set if we did?

2) Why, again, can't we set IP addresses for the switch interfaces, like we can for the router interfaces? And, if we actually can, why don't we? Would it provide us with any benefit?

Please help... I'm as clueless as a Frenchman in a bathtub.

Fuzz
02-04-2009, 06:43 AM
Switches don't care about layer 3 information. They already reference their ports by MAC addresses, so they don't need to use higher layer functions to perform their job. Imagine how many IP addresses would be wasted by setting addresses on every switch port - we would have run out years ago!

As for management VLAN, you can set an IP address for a VLAN so that you can manage your switches remotely. VLAN1 by default, allows you to set an IP address for the switch itself so you can Telnet or SSH into it as you said. It's not for managing VLANs, it's for managing switches.

CreekstoneLane
02-04-2009, 07:06 AM
So what about the switch would you manage, then? And how could you target different switches for management with just one management IP address to cover the entire set of them?

I still don't get it.

lildeezul
02-04-2009, 08:36 AM
What we mean by managing the switch is accessing the CLI so you can run commands.

I believe in the CCNA world (layer 2 world) each switch can only have 1 management VLAN, therefore you could, preferably SSH (never use telnet in production environments), into the device.

You could also, for remote purposes, have an access controller like the 2511 and remote desktop to the PC that is connected to the access controller, and then from the access controller you can reverse telnet into every device via the console cable.

Hope this helps.

Fuzz
02-04-2009, 10:50 AM
So what about the switch would you manage, then? And how could you target different switches for management with just one management IP address to cover the entire set of them?

I still don't get it.

Telnetting into the router is like connecting to the console port. Each switch has a different IP address assigned to the management VLAN, kind of like a virtual interface. You do not assign one address to the entire switch domain, but to each switch individually.

e.g.

SwitchA(config)#int vlan1
SwitchA(config-if)#ip address 192.168.0.254 255.255.255.0

...

SwitchB(config)#int vlan1
SwitchB(config-if)#ip add 192.168.0.253 255.255.255.0
^Z
SwitchB#telnet 192.168.0.254
SwitchA>

CreekstoneLane
02-04-2009, 08:41 PM
And, so, are you saying that with those configurations on the switches you can reconfigure ports and trunking and so on?

...If so, that seems pretty useful and important. You know, it doesn't seem like the Cisco academy sequence showed us that, which I think is a pretty important omission.

By the way, thank you both for sticking with me and giving me those explanations... and a special thanks to you, Fuzz, for posting the specific sort of CLI commands that do the job.

RobertJason
08-02-2009, 10:45 PM
Thanks for this informative post. I have a follow-up question.

Is this the same for vlans other than 1 ?

example, say you have

SW1, vlan1, 192.168.1.3
SW2, vlan1, 192.168.1.4
SW3, vlan1, 192.168.1.5

that part makes sense, but for vlan2 would you also need a separate IP address for each switch?

SW1, vlan2, 192.168.2.3
SW2, vlan2, 192.168.2.4
SW3, vlan2, 192.168.2.5

I know that all hosts on vlan2, in this example, need to be in the 2.0 subnet (using /24), but I'm unsure why the switch itself would need an IP address for any vlan other than 1.

Thanks, Robert

Big Evil
08-03-2009, 02:06 AM
Hi Robert,

No need for the second part.

SW1, vlan2, 192.168.2.3
SW2, vlan2, 192.168.2.4
SW3, vlan2, 192.168.2.5


Once you have configured VLAN1, you can manage the whole running of the switch, including other VLANs.

Fuzz
08-03-2009, 06:14 AM
Vlan 1 is known as the management vlan, and is used to place your switches in, to manage them. They essentially act as hosts themselves in this way; they 'belong' to vlan 1. Therefore there is no need to add the switch in any other vlan. This would use up all your address space without even addressing any hosts!

Of course, you can use any vlan you like as the management vlan, and it's a good idea to do this for security.
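
An added audit script, not from any poster in this thread, that checks a Cisco-style running config for the two points raised above: lildeezul's advice to never use Telnet in production, and Fuzz's advice to move management off VLAN 1. The sample config is constructed for illustration.

```python
"""Audit a Cisco-style switch config for the management-access weaknesses
discussed in this thread: a management SVI left on VLAN 1, and Telnet
accepted on the vty lines. The config below is constructed, not real."""
import re

SAMPLE_CONFIG = """\
hostname SwitchA
!
interface Vlan1
 ip address 192.168.0.254 255.255.255.0
 no shutdown
!
interface Vlan99
 description MGMT
 ip address 10.99.0.2 255.255.255.0
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""

def parse_sections(config):
    """Group config lines into (header, [indented sub-commands]) blocks."""
    sections, current = [], None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        elif line and not line.startswith("!"):
            current = (line.strip(), [])
            sections.append(current)
    return sections

def audit(config):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    for header, body in parse_sections(config):
        # Management IP on VLAN 1 that is not administratively shut down.
        if header.lower() == "interface vlan1":
            if any(cmd.startswith("ip address") for cmd in body) and "shutdown" not in body:
                findings.append("management IP configured on VLAN 1; move it to a dedicated management VLAN")
        # Any vty line that still accepts Telnet (cleartext credentials).
        elif header.startswith("line vty"):
            for cmd in body:
                m = re.match(r"transport input (.+)", cmd)
                if m and "telnet" in m.group(1).split():
                    findings.append(f"{header}: Telnet accepted; restrict with 'transport input ssh'")
    return findings
```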

RobertJason
08-03-2009, 10:43 PM
Thank you both. That might explain why I couldn't find anything on that from a search engine.

Frank
01-13-2010, 01:00 PM
Switches don't care about layer 3 information. They already reference their ports by MAC addresses, so they don't need to use higher layer functions to perform their job. Imagine how many IP addresses would be wasted by setting addresses on every switch port - we would have run out years ago!

As for management VLAN, you can set an IP address for a VLAN so that you can manage your switches remotely. VLAN1 by default, allows you to set an IP address for the switch itself so you can Telnet or SSH into it as you said. It's not for managing VLANs, it's for managing switches.

Hello Fuzz,

Thanks for your reply, but I did not understand what you mean by saying that "They already reference their ports by MAC addresses"?

My other question is how it can be possible that so many IP addresses will be wasted if we assign them to each port of a switch, because each computer in a network has a single IP address?

I hope you understand my questions.

HermeszData
01-13-2010, 06:42 PM
Hello Fuzz,

Thanks for your reply, but I did not understand what you mean by saying that "They already reference their ports by MAC addresses"?

My other question is how it can be possible that so many IP addresses will be wasted if we assign them to each port of a switch, because each computer in a network has a single IP address?

I hope you understand my questions.

What Fuzz was saying is:

Switches are Layer 2 devices. They perform their duties using the MAC addresses of devices attached to them, be it a router, another switch, a PC/server, or a printer. IP addresses are a Layer 3 function. The only purpose an IP address on a switch serves is to provide a means of remote access to be able to control the operation of the switch.

So, if you think about your question from this standpoint, IP addresses on individual ports on a switch serve no purpose. IP addresses are for hosts, devices we may need to communicate with, not through. We typically communicate with another device through a switch. Therefore, there is no need to have an IP address on ANY of a switch's ports. We are communicating with devices connected to other ports on the switch, not the ports themselves.

When we want to communicate with a switch, we either connect directly to its console port, or we telnet to it using the Management VLAN IP address we assign to it.

Frank
01-14-2010, 01:22 AM
Hello Fuzz,

Thanks for your reply, I understand that switches actually use MAC addresses and communicate with the hosts connected to them through their MAC addresses, but I was just confused with the IP address question.

So it means that in order to access a managed switch remotely, you need to assign it an IP address.

Can we also assign a public IP address to a switch so that we can access it externally (WAN)?

Please correct me if I am wrong: so we can connect our computer to a console port of a switch using a straight Ethernet cable?

I hope my question is clear

Fuzz
01-14-2010, 01:36 AM
You wouldn't assign a switch a global IP address, think of the security issues around that, and how costly it would be for each switch (global address space is almost exhausted, they are not cheap!). What you would do is create a VPN tunnel to your network, and connect to it externally. You can then work on your network as if you were physically connected.

Frank
01-14-2010, 03:16 AM
Thanks Fuzz,

I understand the security concerns on a private network, so correct me if I am wrong: I can use dial-up VPN to access a server in my private network, and from that server I can remotely access the switch using the telnet command if that switch has an IP address?

Big Evil
01-14-2010, 03:32 AM
That is correct Frank, yes.

Fuzz
01-14-2010, 05:58 AM
To answer the earlier question about why address space would be exhausted faster if each switch port had its own IP address, consider this.

Each switch port would have its own address, meaning it would be a routed interface. Each device would have its own address, on the same subnet as the interface it connects to, creating a point-to-point routed link. Now what do we know about this type of link? It uses a /30 mask to save address space. Each switch port would become a separate subnet, so think about how many subnets you would need to supply a large organisation. With each /30 mask using up four addresses (one subnet, two host, one broadcast) you are wasting so much address space. You can fit four /30 subnets into a /28 subnet. The /28 subnet can give you 13 end device addresses (14 - 1 for the default gateway); the same block size split into 4 /30 addresses allows for only 4 hosts in total, as each subnet uses one of the available two addresses for the gateway.

In a private organisation, it might be doable, but consider an ISP allocating a global address to every switch port - that's why IPv4 address space would have been used up already.
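
The /30-versus-/28 arithmetic above, as an added example that is not part of Fuzz's post; it generalises the comparison to any block size and any per-port prefix. The block addresses used are constructed.

```python
"""Count end-host addresses when one block is carved into a routed subnet
per switch port (the /30 point-to-point case from the thread), versus using
the same block as a single shared subnet. Blocks used here are constructed."""
import ipaddress

def shared_subnet_hosts(block):
    """End-host addresses in one shared subnet: usable addresses
    (total minus network and broadcast) minus one for the default gateway."""
    net = ipaddress.ip_network(block)
    return net.num_addresses - 2 - 1

def per_port_hosts(block, port_prefix=30):
    """End-host addresses when the block is split into one subnet per port;
    each sub-subnet loses network, broadcast and one gateway address."""
    net = ipaddress.ip_network(block)
    if port_prefix < net.prefixlen:
        raise ValueError("per-port prefix must be at least as long as the block's")
    total = 0
    for sub in net.subnets(new_prefix=port_prefix):
        total += sub.num_addresses - 2 - 1
    return total

def compare(block, port_prefix=30):
    """Return (shared, per_port, addresses lost to per-port routing)."""
    shared = shared_subnet_hosts(block)
    per_port = per_port_hosts(block, port_prefix)
    return shared, per_port, shared - per_port
```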

Big Evil
01-14-2010, 06:04 AM
In a private organisation, it might be doable, but consider an ISP allocating a global address to every switch port - that's why IPv4 address space would have been used up already.

Let me put it this way: someone asked me for a /27 last night (due to their lack of wanting to do any NAT/PAT). There is no way they would have got it. In the end they had to make do with a /29.