To use a remote network management system (NMS) to centrally manage devices, configure a management IP address on the switch. You can then log in to the switch through STelnet and manage the switch using the management IP address. The management IP address can be configured on a management interface or VLANIF interface. If a user-side interface is added to the VLAN, users connected to the interface can also log in to the switch, posing security risks to the switch.
To avoid such risks, configure a VLAN as a management VLAN and prevent access interfaces or Dot1q tunnel interfaces (both of which are often connected to users) from being added to that VLAN. (The VLANs not specified as the management VLAN are service VLANs.) This, in turn, prevents users connected to the interfaces from logging in to the device, improving device security.