Solved: Management Network Design - Page 2

Mark Mattix · ‎07-31-2017

Hello, I'm looking for recommendations for the best way to design a management network for one of my locations. Some devices have built in management interfaces like my 2960s and other devices like my 3925E do not have specific interfaces so I planned to use gi0/3 as a management port.

My plan is to create a management vlan on my L3 core switch and then connect all of the other components to this management vlan and only allow SSH into the vlan.

What methods can I use to insure data traffic doesn't attempt to use the management port on a device like the 3925E which will have a another interface for data traffic? Should I be doing this a different way? Thanks for the advice!

Mark Mattix · ‎08-02-2017

So you think this should be applied to the SVI but outbound? I thought outbound meant traffic leaving the SVI?

ip access-list extended Management-IN
permit tcp 192.168.1.0 0.0.255.255 any eq 443
deny ip any any log

Jon Marshall · ‎08-02-2017

SVIs are no different to physical interfaces in terms of direction so yes to your question, you need to swap the directions around for your acls.

Jon

Mark Mattix · ‎08-02-2017

Sorry to keep bothering you about this but I thought I understood how this worked. Client traffic from 192.168.1.0 would be the source and it would come IN to the management SVI, right? Once it's in I allowed it to go to any ip with the port of 443.

Mark Mattix · ‎08-02-2017

The client traffic from 192.168.1.0 would physically come in to the device via it's corresponding interface but isn't that traffic also going into the virtual SVI?

Jon Marshall · ‎08-02-2017

No problem, I am using phone so my answers may have been a bit brief.

Think of it from the perspective of the router in terms of direction so traffic from the clients comes into the SVI for the client vlan and then goes out of management SVI to the server.

And traffic from the server to the clients comes into the SVI for the server vlan and out of the SVI for the client vlan.

In other words inbound to an SVI is traffic coming from devices in that vlan going out and outbound from an SVI is traffic coming from somewhere else going to devices in that vlan.

Does that help ?

Jon

Mark Mattix · ‎08-02-2017

That does help, I need some time to reflect on this... lol Thank you!

Mark Mattix · ‎08-09-2017

Thanks again for your help Jon. I finally understand what I was doing wrong. Luckily my understanding of ACLs and direction was correct but the flow of traffic on SVIs is where I was having a problem... I appreciate your help!

Jon Marshall · ‎07-31-2017

Just to add to Mark's response for the devices without dedicated ports you can place the interface into it's own VRF.

Mark Mattix · ‎07-31-2017

Thanks Jon I will consider this!