Management vlan other than vlan1


Brandon
10-26-2007, 09:22 PM
Todd,

Cisco has updated their objectives since first announcing the 640-802 exam.

OLD:
Implement basic switch security (including: port security, unassigned ports, trunk access, etc.)

NEW:
Implement basic switch security (including: port security, trunk access, management vlan other than vlan1, etc.)

On the title page of chapter 9 you do have the latest version of the objective listed (where Cisco expands on "Implement basic switch security" with the addition of "management vlan other than vlan1") but I do not see this specific objective covered in your book with how to implement a management VLAN other than vlan1 for security purposes.

Can you please provide a sample configuration with the way Cisco would expect it to be implemented in context with the CCNA exam?

Various sources show a few different ways to accomplish this and I'm not sure which one is the "Cisco answer".

Also, what about changing the native VLAN to a non-user VLAN for the CDP/VTP/DTP/etc. traffic?

Brandon
11-05-2007, 08:36 AM
bump.

farmerdave
11-06-2007, 09:02 AM
Brandon:

I believe that the easiest way to accomplish this change of management VLAN from VLAN 1 is to remove the IP address from VLAN1 (int vlan 1) and assign it to another VLAN (e.g., int vlan 4).

But don't do this while you're telnetted into the switch. :)

The key word here is "management." You can change the default VLAN using the "switchport trunk native vlan VLAN-ID" command. But that's not the same thing as the management VLAN (i.e., the one with the IP address assigned).

Peace,

Dave

aguilera
11-13-2007, 09:33 AM
Brandon, FarmerDave is right!

If you assign an IP address to interface VLAN 10 on a layer 2 switch, then the new management VLAN is something other than VLAN 1... Simple as that.

The thing to remember though is that all switchports will still be assigned to VLAN 1. Changing the Management VLAN does not automatically change vlan assignments on a switchport.

Try it. Log in to a switch.... a non-production one, that is, and assign an IP address to interface vlan1, then do a no shut. If you get into interface configuration mode for vlan10 and assign an IP address on it and do a no shut, then interface vlan1 will go down. Only one management VLAN interface can be up and active on layer 2 devices.

Oh, and if you need some real equipment to work on remember we have hundreds of routers and switches you can access. To take advantage of our racks send me an email.

ciao,
D. Aguilera

darenmatthews
12-21-2007, 06:12 AM
Brandon:

But don't do this while you're telnetted into the switch. :)

Dave

Quite right, since you'd be telnetted in via VLAN1. As soon as you remove the IP address from VLAN1 (running config) you'd lose your connection.

However, here's a trick and tip to overcome this:

Tip: issue the command "reload in [number of seconds]" to restore the original config if you mess up.

Trick: type the commands into a text editor (notepad) and save them as a file, e.g.

interface vlan 1
no ip address
interface vlan 2
ip address ... etc.

Once done, start a tftp server on your local machine (you could use 3Cserver for this), then telnet into the device and issue the command:
copy tftp://[ip address]/[filename] running-config

You can then connect to vlan 2 (new mgmt vlan) and write to memory (wr mem or copy run start) then cancel the reload.
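Putting the three answers above together (farmerdave's move of the IP address to a new SVI and native-VLAN change, aguilera's note that a layer 2 switch keeps only one SVI active, and darenmatthews' reload timer plus TFTP merge), here is one complete worked configuration. It is an added example, not a configuration from the thread or from Cisco, and every value in it is constructed: management VLAN 10 with address 192.0.2.10/24 and gateway 192.0.2.1, VLAN 999 as a dead-end VLAN for the trunk native VLAN and unused ports, a TFTP server at 192.0.2.50, and interface names from a 2960-style switch. One correction to the tip above: the IOS reload timer is `reload in mmm` (or `hhh:mm`), so the argument is minutes, not seconds.

```cisco
! --- Step 1: typed interactively over the existing VLAN 1 Telnet session ---
! Safety net: if the change cuts us off and we cannot get back in,
! the switch reboots into its saved startup-config after 10 minutes.
reload in 10

! --- Step 2: contents of mgmt-vlan.cfg on the TFTP server (constructed) ---
! Merged into running-config in one shot, so losing the session halfway
! through the change is not a concern. '!' lines are ignored by IOS.
!
vlan 10
 name MGMT
vlan 999
 name UNUSED
!
! Bring the new management SVI up first so there is a path back in.
interface Vlan10
 ip address 192.0.2.10 255.255.255.0
 no shutdown
!
! On switches that allow only one active SVI, Vlan10 coming up takes
! Vlan1 down by itself; remove its address and shut it explicitly so it
! cannot be reached even where several SVIs may be active.
interface Vlan1
 no ip address
 shutdown
!
ip default-gateway 192.0.2.1
!
! Uplink trunk: native VLAN moved off VLAN 1 to the dead-end VLAN, and only
! the VLANs that need to cross the trunk are allowed (constructed list).
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Unused access ports: park them in the dead-end VLAN and shut them down
! so nothing plugged into them lands in VLAN 1.
interface range GigabitEthernet0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
end

! --- Step 3: typed interactively; this drops the VLAN 1 session ---
copy tftp://192.0.2.50/mgmt-vlan.cfg running-config

! --- Step 4: reconnect to 192.0.2.10 (or use the console), verify, save,
! and only then cancel the pending reload ---
show ip interface brief | include Vlan
show interfaces trunk
show vlan brief
copy running-config startup-config
reload cancel
```

The order matters: the reload timer is set before anything else, the startup-config is left untouched until the new address has been verified from a fresh session, and `reload cancel` is the last command. If the new session never comes up, the timer restores the old configuration on its own and the console is not needed.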