Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
270
Views
0
Helpful
2
Replies

External / DMZ Monitoring

michaelwhiteley
Level 1
Level 1

‎03-24-2014 05:59 AM - edited ‎03-11-2019 08:59 PM

We currently have some Cisco 3560X switches that are internet facing and also some Cisco 3750X switches that are within our Corporate DMZ.

The external facing switches are just really operating at layer 2, have no IP address configuration and just forward all traffic to our firewall.

We currently have HP NNM on our internal LAN for monitoring.

I want to be able to monitor the switches both inside our corporate DMZ and also the external internet facing switches in case of hardware failure etc. However at the same time I obviously want to make sure that this is done as securely as possible without introducing any unnecessary risks.

I was thinking of using SNMPv3 to monitor the switches but in the case of the internet facing switches I would need to assign external IP addresses to them (hence using our valuable external pool of addresses available).

I’d be grateful for any advice on the best way to complete this.

 

thanks

Labels:
0 Helpful
2 Replies 2

Lee Valentin
Level 1
Level 1

‎03-24-2014 11:01 AM

As you know, there are several ways to do this. An easier way could be to use the managment port (next to the console port).

 

You can create a management VLAN on your internal network and put these management ports on that VLAN.

 

You can also, as you stated, make the external switches layer 3 and add ACLs on the SVIs and explicitly allow management traffic. Maybe use Control Plane Protection on these switches.

 

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/release/notes/OL25302.html#wp1041191

 

If you decide to use anything other than the management interfaces, you will need to address your firewall rules to allow SNMPv3 traffic in/out.

 

Good luck.

 

0 Helpful

michaelwhiteley
Level 1
Level 1
In response to Lee Valentin

‎03-28-2014 01:12 AM

thanks Lee, I'm presuming that by using the managament interface and also putting an ACL on it then this would be the most secure ? This will also mean that I don't need to make our internet switches visible on the internet if i'm using the management interface.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card