Switch management access with colocation


New Member
Oct 23, 2020
This might be a little outside the normal scope of this forum, but I figure people here might have some answers.

So I will have two switches in a colocation cabinet (both Cisco SG350-52). One is for LAN connections, and one is to share colocation internet, which comes in over a single 1G ethernet cable.

How do I get access to the management interface of the internet switch without leaving it publicly accessible? If I just plug it into the LAN switch, that lets any traffic cross between switches, causing a number of issues.

I thought VLANs would be the answer, but my experimentation at home with them (using a new SG350 switch) has not been very fruitful. When I create a new VLAN and assign a port to it, that port loses its connection to my LAN, which has nothing but dumb switches, which presumably default to VLAN 1.

So if I create a VLAN for only internet traffic, won't that prevent my uplink port at the data center from seeing those ports? Or are they likely to have the uplink configured as a member of all VLAN ID's?

Going the opposite route and creating a VLAN for all LAN connections seems to be a chicken and egg problem, as I'll eventually run into the situation where I move a port I'm using into the VLAN and lose access to the management interface.

Needless to say, my experience with this side of networking is limited.

Am I missing something simple?


Well-Known Member
Oct 26, 2015
You're likely tagging all traffic with VLANs when you just need to specify which VLAN on a port level and keep traffic untagged. You only want tagged traffic going to devices that are also VLAN aware/configured.

Blinky 42

Active Member
Aug 6, 2015
I would recommend that you have at least 3 vlans in your setup there:
- public internet
- mgmt / ipmi ports
- "internal" stuff
For ipmi and mgmt ports on devices, make them untagged members of the mgmt vlan only.
For the colo upliink make it untagged member of the public internet vlan
Depending on how many ports you have on your servers, you can dedicate ports to the itnernet connection and at least one server / router have access to the mgmt vlan, or present them as tagged vlans to the server(s).

Then setup one or more devices with an interface that is on the public internet, and the mgmt vlan. You can use it as a jump box/bastion host or set it up as a vpn server that when you connect ot the vpn you have access to the mgmt vlan at the colo.
I will typically use a vm forthat purpose, or a dedicated older 1u server for router / misc duties, or something simple & cheap like a $50 EdgeRoiuter-X https://www.servethehome.com/ubiquiti-er-x-review-getting-into-the-edgerouter-x/ Ubiquiti - EdgeRouter™ X which will let you do the VPN and is a mini Linux box you can log into and then ssh into other stuff from. It can also run dhcp and dns caching for your internal vlans, and provide NAT services if needed for devices on the internal vlan to get access out to the internet w/o giving them all individual public IPs.

Same principle applies if you have one or multiple switches. Generally I will assign VLAN id's using consistent numbers across switches and across sites, so when I go check on things I know that 20 is public internet from the main provider, 21 is from the 2nd provider if there, 13 is mgmt etc. And when you look at a port fo rthe vlans presented to it, many o fthe switch OSs only show the #s and not the names so if you keep it consistent you don't have to fight to look up the mappings all the time.
Last edited:
  • Like
Reactions: Amrhn