Beginner

Management port

Hello experts,

I have a network topology as attached file.

I determined that our network is still not secure and I want to remove the management line. Is this possible or not?

If I remove the management line, what conditions do I have to set up on the firewall to manage the network devices again?

Any help is appreciated,

Best regards,

9 Replies
Beginner

Hello,

Can anyone help me out with this?

Best regards,

Hall of Fame Guru

Is this a real network or a school assignment?

If it's a real network, you have not provided any details on what type of devices you have, their configuration or how you are using the management port.

Beginner

Hello Marvin,

The router is a 2800 model,

The switches are 2960 models.

Each line connected from each network device is an Internet line.

The management line is in the same VLAN and subnet mask as BB. Then, from internal I can manage the network devices via BB. But it is less secure if someone from outside attacks and knows the management IP of the network devices.

So, now I want to know if it is possible to remove all management lines and, after that, only manage the network devices via the firewall.

Any help is appreciated,

Best regards,

Hall of Fame Guru

Well the most secure method is to not allow ANY direct management from the outside.

Use a VPN into the firewall and then use that for remote management.

That way the management addresses are never exposed to any Internet-based access by port scanners, brute force, denial of service etc. attacks.

Beginner

Dear Marvin,

Does that mean I can remove the management line from the network devices and manage them via the firewall again?

Is there any effect on the devices after I remove the management line?

Best regards,

Hall of Fame Guru

Without knowing their configuration or how you are using the management port one cannot say for sure.

This looks an awful lot like a class assignment.

Beginner

Dear Marvin,

I am sending the configuration files attached.

Any help is very appreciated,

Hall of Fame Guru (accepted solution)

Trung,

Looking at your configurations, I see you are using VLAN 100 with subnet 10.126.125.0/28 for management. The VLAN 100 address is the only IP address on the switches, and the non-management VLANs 10 and 20 do not have an IP address on the switches. So if you were to remove the management line from the switches' Gi0/1 interface, you would have no way to manage them (except via the console port).

Since VLAN 100 is a private IP address, it is not routable to the public Internet, so that is good. I would thus leave it as is connectivity-wise given what you have. If you had a newer switch model that had a dedicated management interface with its own routing table (VRF), then I would use that instead.

I have some doubt over VLANs 10 and 20. Do you have the switch on both the inside and outside interfaces of the firewalls? That's what the config file shows but not what the topology diagram shows.

I would disable the ip http server and ip http secure-server lines. Those are unnecessary services (unless you're using CNA and CCP to manage the switches and router). I would also lock down the line vty interfaces on the switches, permitting only SSH input, and even add an access-list on the vty lines for good measure.

Overall, one should review and follow the Cisco IOS Hardening Guide as much as possible, especially for Internet-facing devices.

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

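The accepted answer lists three concrete management-plane fixes for the 2960 switches: remove `ip http server` / `ip http secure-server`, restrict the vty lines to `transport input ssh`, and apply an inbound `access-class` limited to the management subnet. The script below is an added example and is not part of the thread or of any Cisco tool: it contains two constructed IOS-style running configs (one matching the weak state the answer describes, one hardened as the answer recommends, both using the 10.126.125.0/28 subnet from the thread) and a small audit function that parses the config and reports which of the three recommendations are not met. The parser, the ACL name `MGMT-ACCESS` and the config text are assumptions made for illustration.

```python
"""Audit a Cisco IOS-style running config for the management-plane hardening
items recommended in the thread: no HTTP(S) server, SSH-only vty access, and
an inbound access-class on every vty line. Constructed example, not a Cisco tool."""

# Constructed config resembling the state described in the thread (weak).
WEAK_CONFIG = """\
!
hostname SW1
!
ip http server
ip http secure-server
!
interface Vlan100
 ip address 10.126.125.2 255.255.255.240
!
line vty 0 4
 login local
 transport input all
line vty 5 15
 login local
 transport input telnet ssh
!
"""

# Constructed config with the recommended fixes applied (hardened).
# ACL name MGMT-ACCESS is an assumption for this example.
HARDENED_CONFIG = """\
!
hostname SW1
!
no ip http server
no ip http secure-server
!
ip access-list standard MGMT-ACCESS
 permit 10.126.125.0 0.0.0.15
 deny   any log
!
interface Vlan100
 ip address 10.126.125.2 255.255.255.240
!
line vty 0 4
 access-class MGMT-ACCESS in
 login local
 transport input ssh
line vty 5 15
 access-class MGMT-ACCESS in
 login local
 transport input ssh
!
"""


def parse_sections(config):
    """Split an IOS config into top-level commands and the indented sub-commands
    that belong to each top-level header (interface, line vty, ip access-list ...).
    Comment lines starting with '!' end the current section."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


def audit_management_plane(config):
    """Return a list of human-readable findings; an empty list means all three
    recommendations from the thread are satisfied."""
    top, blocks = parse_sections(config)
    findings = []

    # 1. HTTP and HTTPS management servers should be off.
    for svc in ("ip http server", "ip http secure-server"):
        if svc in top:
            findings.append(f"{svc} is enabled; use 'no {svc}' unless CNA/CCP is in use")

    # Names of ACLs defined in the config (named and numbered), used for check 3.
    acl_names = {h.split()[-1] for h in top if h.startswith("ip access-list ")}
    acl_names |= {h.split()[1] for h in top if h.startswith("access-list ")}

    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        # 2. Only SSH should be accepted on the vty lines.
        transport = next((l for l in body if l.startswith("transport input")), None)
        if transport != "transport input ssh":
            shown = transport or "not set (platform default)"
            findings.append(f"{header}: transport input is '{shown}', expected 'transport input ssh'")
        # 3. An inbound access-class must restrict who may reach the vty lines.
        acls = [l for l in body if l.startswith("access-class") and l.endswith(" in")]
        if not acls:
            findings.append(f"{header}: no inbound access-class; restrict to the management subnet")
        elif acls[0].split()[1] not in acl_names:
            findings.append(f"{header}: access-class {acls[0].split()[1]} refers to an undefined ACL")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_management_plane(cfg) or ["no findings"]:
            print(" -", f)
```

Running the script on a real `show running-config` output is as simple as reading the file into a string and passing it to `audit_management_plane`; the parser only understands the flat header/sub-command layout used above, so nested IOS-XE sections would need more handling.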

Beginner

Hello Marvin,

Thank you for sharing your experience.

This is the real topology that I have already applied at my company.

VLAN 10 and 20 are only to distinguish the 2 ISPs on the switch.

So, based on the current topology, what are the points I need to improve to make it more secure and smooth, apart from what you suggested above?

Best regards,
