Best practices for securing and managing a switch on a WAN network

vin2
Level 1

I currently have a requirement to install a Cisco Catalyst switch in front of my firewall to allow for firewall failover. I would like to be able to manage this switch and would like to know what the best practices are in this type of situation.


The switch is required only for layer 2 traffic in front of the firewalls (internet side). In the past I have always left these switches unmanaged on the network side and connected a serial cable to a server for out-of-band management. However, in this instance I cannot use this method and have a requirement for SSH management.


In order to manage the switch I could enable the dedicated management port with an IP for SSH and attach this to my internal network (bypassing my firewall). My understanding is that this port doesn't participate in switching tasks like a normal switch port does. Would this type of configuration be considered secure? Has it been exploited?


Alternatively I could assign a public IP to the switch, enable SSH on the VLAN attached to the WAN side, manage this via the public IP, and secure the switch via ACLs to lock management down to a single IP address.


What is the best practice for this sort of situation? Is there a best practice guide on how to configure security and maintain management of switches that are on the WAN side of your LAN?


Any recommendations or advice would be great.


1 Reply

Seb Rupik
VIP Alumni

Hi there,
In my travels I have seen all the topologies you have described, and of them, having a link which by-passes the firewall is my least favourite.


Two more options you could consider:
* Create a routed interface on your firewall for an outside management network. Configure a management IP on the switch and place it in a VRF on its own. But since it is primarily a Layer 2 switch, perhaps a VRF is overkill.

* Configure MPP on the switch to control on which interfaces packets can reach the management plane.

https://www.cisco.com/c/en/us/td/docs/ios/qos/configuration/guide/mgmt_plane_prot.html


cheers
Seb.
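One way to combine Seb's two options (management IP in its own VRF, plus MPP) with the vty ACL lockdown from the question in a single IOS configuration, as an added example that is not from the thread. The interface name GigabitEthernet0/0, the VRF name MGMT, the account name and all addresses (RFC 5737 documentation ranges) are assumptions; adjust them to your platform.

```cisco
! Added example, not from the thread. Assumptions: dedicated management port is
! GigabitEthernet0/0, management VRF is called MGMT, addresses are RFC 5737 ranges.
! Many Catalyst platforms already place the management port in a built-in Mgmt-vrf;
! if so, reuse that VRF instead of defining a new one.
hostname WAN-SW1
ip domain-name example.net
!
! Option 1 from the reply: management IP in its own VRF, so it never shares a
! routing table with the WAN-facing VLAN.
vrf definition MGMT
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 description OOB mgmt - to firewall outside-management routed interface
 vrf forwarding MGMT
 ip address 192.0.2.10 255.255.255.0
 no shutdown
!
ip route vrf MGMT 0.0.0.0 0.0.0.0 192.0.2.1
!
! Lockdown from the question: only one admin host may open SSH; all else is logged.
ip access-list standard MGMT-HOSTS
 permit 198.51.100.5
 deny   any log
!
! SSH only, version 2, local account (swap for AAA if available).
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 15
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
 login local
 exec-timeout 10 0
!
! Option 2 from the reply, MPP: the management plane accepts SSH only if it
! arrives on Gi0/0, so management packets entering via the WAN VLAN are dropped
! before the vty ACL is even consulted.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh
```

MPP support varies by Catalyst platform and IOS release; confirm the policy took effect with `show management-interface`, and test SSH from a host that is not in MGMT-HOSTS to verify the deny is logged.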
