Solved: How to test/scan replacement router on live network before deploying

douglas.mckee · ‎09-26-2017

Good Morning,

We have a bunch of 4351/4451 routers we are deploying and our security manager would like us to place them on the network for security scanning before deploying. What's the best way to install identically configured replacement routers on live network for security scanning before deploying without causing issues within our network?

***I'm thinking about using the management Gig0 interface but not sure it will allow the security scan to pass traffic through this port.***

E.g. I currently have configured a 4351 for replacement but is configured identically to the 2851 I'm replacing.

Thank you,

Doug,

trfinkenstadt · ‎09-27-2017

Switch-side: Put it in a vlan reachable from the security guys.

router-side: static IP with a default route and/or a route back to the security guys. Ensure that OSPF/RIP/EIGRP protocols are passive-interface on that one.

View solution in original post

trfinkenstadt · ‎09-26-2017

If you have a spare interface (non-mgmt), then you could put it on a LAN in your environment or lab and have the security guys scan that IP address.

douglas.mckee · ‎09-26-2017

Thanks for the quick response. I'm assuming I can just put a static IP address on this port (Non-Mgmt) without changing the rest of the config such as the loopback address? Also, on the switch this port will be connected to I will just put access to the management Vlan that is configured on the router port and this should prevent routing issues within our network when testing?

trfinkenstadt · ‎09-27-2017

Switch-side: Put it in a vlan reachable from the security guys.

router-side: static IP with a default route and/or a route back to the security guys. Ensure that OSPF/RIP/EIGRP protocols are passive-interface on that one.

douglas.mckee · ‎09-28-2017

Thank you for all the information! I will be testing one of our 4351's today.

Doug