06-21-2019 09:40 PM
Hi everyone!
I have devices enabled with management ports to access. Those are placed in DMZ zone specially like DMZ SW, VM servers, SAN SW etc.
Now I have queries that need to be answered:
1. What will be the best practice to connect to and manage them through management ports? Using a common management SW?
2. Is it wise to keep them accessible from the LAN side, configuring the management port using the same IP subset that I got in my LAN side, as management traffic is not allowed to travel to a default router? If no, then how to access them remotely through the management IP from a different network?
Thanks in advance :)
06-23-2019 11:04 PM
Hi,
Another method may be that you connect the Management Switch to the Core switch and restrict Management VLAN access using a VACL, or use a separate VRF and route leak as required, so your IT team can access the Management switch without having dual NICs or switching themselves to the Management network.
Regards,
Deepak Kumar
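As an added illustration of the VACL option described in this answer (example configuration, not from the original thread or any poster), the following Cisco IOS fragment assumes the management network 10.251.251.0/24 from the question lives on VLAN 251 with its SVI on the core switch, and that only SSH, SNMP and NTP from the user VLAN 192.168.100.0/24 should reach it. VLAN ID and the SVI address are assumptions.

```cisco
! SVI on the core switch: this becomes the default gateway for the
! management ports, so routed traffic from the user VLAN can reach them.
interface Vlan251
 description MGMT-DMZ (assumed VLAN ID)
 ip address 10.251.251.1 255.255.255.0
 no shutdown

! Services the IT team is allowed to use towards management ports.
ip access-list extended MGMT-ALLOWED
 permit tcp 192.168.100.0 0.0.0.255 10.251.251.0 0.0.0.255 eq 22
 permit udp 192.168.100.0 0.0.0.255 10.251.251.0 0.0.0.255 eq snmp
 permit udp 192.168.100.0 0.0.0.255 10.251.251.0 0.0.0.255 eq ntp

! Anything else sourced from the user VLAN towards the management VLAN.
ip access-list extended MGMT-FROM-USERS
 permit ip 192.168.100.0 0.0.0.255 any

! Catch-all used to forward remaining traffic (replies from management
! ports, traffic between devices inside the management VLAN).
ip access-list extended ANY-IP
 permit ip any any

! VACL: sequences are evaluated in order; a VACL is stateless and is
! applied to traffic entering the VLAN, including frames routed in via the SVI.
vlan access-map MGMT-VACL 10
 match ip address MGMT-ALLOWED
 action forward
vlan access-map MGMT-VACL 20
 match ip address MGMT-FROM-USERS
 action drop
vlan access-map MGMT-VACL 30
 match ip address ANY-IP
 action forward

! Bind the access map to the management VLAN.
vlan filter MGMT-VACL vlan-list 251
```

Because the VACL has no state, narrow the source range further if only a management jump host should be allowed, and log connection attempts on the firewall or the SVI ACL if an audit trail is needed.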
06-22-2019 12:36 AM
Hello,
in general, it is recommended to separate management and production/user traffic, and to use a separate Vlan for management. If your management traffic cannot be routed outside of your network, there is obviously no way to access your devices remotely, at least not using the management IP addresses.
It might be useful to post a brief schematic drawing showing your topology, as well as what devices you actually have, in order to give you a more specific answer...
06-22-2019 02:34 AM - edited 06-22-2019 02:38 AM
Hello Georg,
Thanks for the reply. The diagram has been attached. I have a management SW that connects all management ports from devices in the DMZ zone (colored RED). What will be the best way to access that management network, 10.251.251.0/24, from a particular user VLAN with the network 192.168.100.0/24 in an effective way where security is not compromised?
06-22-2019 04:13 AM - edited 06-22-2019 04:14 AM
Hello
If the DMZ subnet resides on the FW, then the best way is to advertise that DMZ subnet via a static route into your production network, then restrict access on the FW for mgt services (snmp/ntp/ssh/tacacs etc.) to/from that DMZ subnet.
06-22-2019 05:11 AM - edited 06-22-2019 05:12 AM
Dear Paul Driver
To do so, a default route is needed from the management ports, and I'm afraid there is no gateway setting on the management port for it. Then how can I route the traffic to my production network?
Please correct me if I'm wrong.