Information
Management VLANs are designed to restrict management access to the switch to only those nodes connected to the Management VLAN. That is, only clients who are connected to ports who are members of the Management VLAN can be allowed to gain management access to the Aruba switch. This sharply limits the universe of devices that can attempt unauthorized access.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
In this example, VLAN 200 is created, designated the Management VLAN, and assigned to port 24:
switch(config)# vlan 200 name "Management VLAN"s
witch(config)# management-vlan 200
switch(config)# vlan 200 untagged 24
Any VLAN can be assigned as the Management VLAN. Take care to ensure that the same VLAN is configured as Management VLAN on all devices that are to be members of the Management VLAN.
There are a few restrictions and guidelines on Management VLANs to keep in mind:
- Only one VLAN per switch can be designated as the Management VLAN.
- Traffic cannot be routed between the Management VLAN and other VLANs, even if routing is enabled on the switch.
- The Management VLAN will not acquire a DHCP IP address; only static IP addressing may be used.
- Only switch ports connected to authorized management stations, or those extending the VLAN to otherswitches, should be members of the Management VLAN.
- Internet Group Management Protocol (IGMP) is not supported on the Management VLAN.