Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
593
Views
5
Helpful
2
Replies

VRF-MGMT Security

Not applicable

‎10-27-2015 01:34 PM

 

How secure is vrf-mgmt interface on the 3850 switches and 4300 routers?  I plan to use vrf-mgmt interface for management on DMZ, and Public switches and Internet routers.  My concern is if someone break in the Internet router, does vrf-mgmt will provide the patch to corporate internal network?

Thanks,

 

Eric

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Peter Koltl
Level 7
Level 7

‎03-15-2016 05:48 AM

Connecting the management port of a switch to the internal network is secure as long as the switch has no layer3 interface (e.g. SVI) in the exposed zone. I don't think it can be taken over by an attacker without an IP address to connect to. (Assuming there is no factory backdoor with L3 access). (Of course, a DoS resulting in traffic block or device reload is possible but the device is not taken over.)

However, should a layer3 switch or router be cracked the attacker may have CLI access and he/she can attack the management network via the management vrf. So you'd better create a management DMZ for those devices.

Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-15-2016 05:51 AM

I agree with Peter - there's no reason for a Layer 3 SVI on the Internet VLAN(s).

Make the only layer 3 on the switch be the management port and there's no management plane exposure to the Internet.

0 Helpful
Customers Also Viewed These Support Documents