Core Switch MGMT Traffic

mspdog22
Level 1

Hello

I have a Cisco layer 3 switch set up as a core switch with layer 3 routing. I have also set up a mgmt vlan and am facing some issues. I am trying to set the switch up so that the SVI for interface vlan 500 is used for all switch-level traffic. We do not want the switch mgmt traffic to flow over the default route on the switch. We have this tied back to a firewall to control traffic for security. I am thinking I need to add the below commands to get the switch to use the SVI of vlan 500 for all internet traffic for the switch itself.

vlan 500
name Management
exit
interface Vlan500
ip address 172.165.100.1 255.255.255.0
no shutdown

ip ssh source-interface Vlan500
ip http client source-interface Vlan500
ip snmp source-interface Vlan500
ip tacacs source-interface Vlan500
ip radius source-interface Vlan500

ip source-interface Vlan500

5 Replies

Richard Burts
Hall of Fame

I see that you are trying to define vlan 500 for management traffic. Are there any ports on the switch assigned to vlan 500? (it is difficult for a vlan to work if there are not any ports assigned to the vlan)

I do not understand what you intend this to do "ip source-interface Vlan500"

It is not clear what you are configuring for syslog and whether you intend to send syslog messages to a collector. But if you do then you need to specify a source address for those messages.

HTH

Rick

@mspdog22 

If your switch and firewall have a layer 3 connection, all you need to do is set up routes using the firewall as gateway.

By configuring the IP source interface per service, you are defining each interface the switch will use to originate the traffic, but it will be the routes that define the destination of the management traffic.

Use specific routes for management traffic and one default route for everything else.

ammahend
VIP Alumni

You can also consider putting management plane traffic in a separate VRF; this ensures complete logical segregation of the management plane from the data plane.

-hope this helps-
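A worked version of the separate management VRF suggested above, combined with the per-service source-interface commands from the original post; this is an added example, not configuration from any poster in this thread. The VRF name MGMT, the firewall address 172.165.100.254, the server addresses 10.0.0.10-12, the admin subnet 10.0.0.0/24, the keys and the SNMPv3 user are assumed placeholders, and VRF-lite support depends on the switch model and license.

```ios
! Added example (not from any poster): management plane in its own VRF.
! Assumed placeholders: VRF name MGMT, firewall inside address 172.165.100.254,
! TACACS+ 10.0.0.10, syslog/SNMP collector 10.0.0.11, NTP 10.0.0.12.
! Older IOS releases use "ip vrf MGMT" / "ip vrf forwarding MGMT" instead.
vrf definition MGMT
 address-family ipv4
 exit-address-family
!
vlan 500
 name Management
!
interface Vlan500
 description In-band management SVI, isolated in VRF MGMT
 vrf forwarding MGMT
 ip address 172.165.100.1 255.255.255.0
 no shutdown
!
! The VRF gets its own default route to the firewall; the global table keeps
! the existing default route, so management traffic never shares it.
ip route vrf MGMT 0.0.0.0 0.0.0.0 172.165.100.254
!
! Switch-originated services must be bound to the VRF, not just to the SVI.
aaa new-model
aaa group server tacacs+ MGMT-TACACS
 server-private 10.0.0.10 key PLACEHOLDER-TACACS-KEY
 ip vrf forwarding MGMT
 ip tacacs source-interface Vlan500
aaa authentication login default group MGMT-TACACS local
!
logging host 10.0.0.11 vrf MGMT
logging source-interface Vlan500 vrf MGMT
!
snmp-server trap-source Vlan500
snmp-server host 10.0.0.11 vrf MGMT version 3 priv PLACEHOLDER-SNMP-USER
!
ntp server vrf MGMT 10.0.0.12
ntp source Vlan500
!
! Only accept SSH, and only from the assumed admin subnet arriving in the VRF.
ip access-list standard MGMT-ACCESS
 permit 10.0.0.0 0.0.0.255
line vty 0 15
 access-class MGMT-ACCESS in vrf-also
 transport input ssh
!
! Verification from the switch:
!   show ip route vrf MGMT         (default route present only in the VRF)
!   ping vrf MGMT 172.165.100.254  (firewall reachable via the management path)
!   show ip route 0.0.0.0          (global default unchanged for user traffic)
```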

balaji.bandi
Hall of Fame

Not sure what device model is in use here.

If you do not want to use the data path, then you need to consider OOB management, the best practice, which uses a different path.

This is in-band management, so the firewall should be able to allow or deny based on the source address allowed to reach this switch VLAN 500, if that firewall is transit for VLAN 500. If the switch uses a default route towards the firewall, then that is the only path available for the switch, until you connect 2 different interfaces to the firewall and segment the traffic; then you can have static entries for routing over a different path.

BB

Hello

@mspdog22 wrote:

We do not want the switch mgmt traffic to flow over the default route on the switch. We have this tied back to a firewall to control 

So this suggests the L3 gateway for vlan 500 resides on the FW, which means either you have no default gateway on the switch(es), so remote access external to that vlan will be unreachable, or you do have a default gateway on the switch for vlan 500 and you deny remote external access via FW policy/ACL or VRF?

Kind Regards
Paul