05-04-2015 02:56 AM - edited 03-07-2019 11:51 PM
Hi
I have 2 sites that are approx a mile apart. Both sites are connected using single mode fiber. There is an ISP managed router at each site providing active/standby failover using HSRP. Please see attached diagram.
I am installing an external switch at each site (shown in red) which will be running the L2 VLAN for the HSRP failover that the ISP is using. Now in regards to management access to these switches from my internal network, I could use a public IP (in black) from the range that I have as the management IP for each switch, but that would be wasting my public IPs, so I am thinking of using a private IP subnet (in red).
The routers will be reconfigured with sub-interfaces so I can get connectivity between my routers and these switches. The external switches do not have dedicated management ports. I want to know what my options may be.
I am thinking of the following solutions:
Solution 1 - Use a static route on the core switches of ip route 192.168.10.0 255.255.255.240 x.x.x.x where this route points out towards the external switches, so routing the management traffic out to these external switches.
Solution 2 - Create a VLAN interface on each internal core switch with an IP address from the 192.168.10.0 subnet, then connect a cable directly to these external switches, thus bypassing the firewall, and just allow the single management VLAN across this link. So this will just be an access VLAN.
Solution 1 means mixing management traffic with internet traffic. Not sure how secure solution 2 is. Does anyone have any other recommendation, or can I employ one of these solutions? Or is this a case of me having to use my public IPs for management? I'm sure these may be common scenarios, so just trying to see what the solution for management access is.
Thanks
Solved! Go to Solution.
05-04-2015 08:33 AM
I get it.
So I recommend solution 2; this way you don't depend on other devices like the firewall (thinking of disaster cases). But as I said, my concern is whether you have thought about an OOB (out-of-band) network dedicated to speeding up your support when the production network is down.
Gus Magno
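Solution 2 from the question, as the accepted answer above recommends it, worked out as an added example. This is not configuration from the original post or from the poster's network; it assumes Catalyst IOS syntax on both the internal core switch and the external switch, VLAN 910 as the management VLAN, 192.168.10.0/28 as in the question, 10.10.50.0/24 as the internal admin subnet, and GigabitEthernet1/0/48 and GigabitEthernet0/1 as the two ends of the direct link. All of those names and numbers are assumptions. The security point the question raises is that the direct link bypasses the firewall, so the core-switch SVI has to do the filtering the firewall would otherwise have done: only SSH (and ping) from the admin subnet may go out to the external switches, and nothing the external switches originate may come into the internal network.

```cisco
! ===== Internal core switch (site 1) =====
! Assumed values: VLAN 910, 192.168.10.0/28 (from the question),
! admin subnet 10.10.50.0/24, link port Gi1/0/48 - all assumptions.
vlan 910
 name EXT-SWITCH-MGMT
!
! "in" on an SVI is traffic arriving from the VLAN, i.e. from the external
! switches. Only replies to SSH sessions and ping replies are allowed back;
! the external switches cannot initiate anything into the internal network.
ip access-list extended EXT-MGMT-FROM-EXT
 permit tcp 192.168.10.0 0.0.0.15 eq 22 10.10.50.0 0.0.0.255 established
 permit icmp 192.168.10.0 0.0.0.15 10.10.50.0 0.0.0.255 echo-reply
 deny   ip any any log
!
! "out" is traffic leaving the core toward the external switches:
! SSH and ping from the admin subnet only, everything else dropped.
ip access-list extended EXT-MGMT-TO-EXT
 permit tcp 10.10.50.0 0.0.0.255 192.168.10.0 0.0.0.15 eq 22
 permit icmp 10.10.50.0 0.0.0.255 192.168.10.0 0.0.0.15 echo
 deny   ip any any log
!
interface Vlan910
 description Mgmt path to external switches - bypasses firewall, filtered here
 ip address 192.168.10.1 255.255.255.240
 ip access-group EXT-MGMT-FROM-EXT in
 ip access-group EXT-MGMT-TO-EXT out
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet1/0/48
 description Direct link to external switch 1 - management VLAN only
 switchport mode access
 switchport access vlan 910
 switchport nonegotiate
!
! ===== External switch (site 1) =====
! Layer 2 only: it must never route between the ISP HSRP VLAN on its
! router-facing ports and VLAN 910 on the core-facing port.
no ip routing
vlan 910
 name MGMT
!
interface Vlan910
 description In-band management (no dedicated mgmt port on this switch)
 ip address 192.168.10.2 255.255.255.240
!
ip default-gateway 192.168.10.1
!
interface GigabitEthernet0/1
 description Link to internal core - management VLAN only, not a trunk
 switchport mode access
 switchport access vlan 910
 switchport nonegotiate
!
! SSH only, and only from the admin subnet. Generating the host key
! (hostname, ip domain-name, crypto key generate rsa) is assumed done.
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 10.10.50.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
```

The link carries VLAN 910 as an access VLAN only, so the ISP's HSRP VLAN on the external switch's router-facing ports never reaches the core, and with "no ip routing" the external switch cannot forward between the two even if misconfigured later. After applying, "show ip access-lists" on the core should show hit counts only on the SSH and ICMP permits; any hits on the logged deny lines are traffic the link was not meant to carry.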
05-04-2015 07:47 AM
One question: Are you outside of the sites?
My recommendation, if you need to keep your access to these devices when a problem happens, is solution 1.
But my concern is whether you have thought about an OOB (out-of-band) network dedicated to preventing downtime in your environment.
Regards
Gus Magno.
05-04-2015 08:08 AM
Hi Gus
I am inside the site. So I would be coming off an access layer switch connected to the core switch at site 1.
05-04-2015 12:34 PM
Thanks for the advice Gus. OOB is always a good idea so I will be considering that, but that would be a whole different discussion with management and a different project. For now I'm just trying to ensure these switches are installed and management is set up. But OOB management is something this network definitely needs.
Thanks