Edge Switch Setup & Management

gregtmacd
Level 1

I have a switch that is outside my firewall, a Cisco 3850 24 port... So ISP router to switch, then to firewall... What is the best way to set up management of this switch?

Would I set up an out-of-band IP that is on my network so I can Telnet in, or is this a security concern? Or do you assign a routable IP to the switch and manage it this way? Or no management IP and just connect using the COM port if needed?

What would be the best practice in setting this up? Do you set up a VLAN or just leave it like a hub?

Thanks in advance!

Cheers.

Greg

2 Replies

Bilal Nawaz
VIP Alumni

Hello, anything with an IP can be vulnerable.
Although....
Normally new devices come with a management port dedicated just to management, which is contained within a VRF, I believe; that would be ideal in this case.
If not, then some sort of terminal server device that has a console connection would be best.

Something like this maybe? http://www.perle.com/Supportfiles/cisco_Tech_Note.shtml

Hope this helps


Please rate useful posts & remember to mark any solved questions as answered. Thank you.

shillings
Level 4

I agree with Bilal that the securest means of managing the device is via the console port.

However, there are less secure alternatives that are acceptable for many businesses. Think of all the ISPs and their networks. Many still manage their public infrastructure via SSHv2, an ACL and Cisco's SAFE best practice recommendations.

Depending upon your circumstances, even Control Plane Policing might be a bit over the top. Strong passwords are essential, though. I think Quiet Mode is one of the more important SAFE recommendations too. It locks down remote access for a preset period, following a configured number of failed login attempts.