12-13-2013 10:12 PM - edited 03-07-2019 05:04 PM
What is the best approach to handle management of switches in a DMZ?
We are implementing a dual firewall solution (front external facing, and a rear internal/DMZ facing).
I would like to be able to manage the switches from inside the corporate network, including SNMP etc.
Also, as we are looking to implement ISE, we would need the authentication to be handled by ISE on the internal network. Will this cause issues?
Thanks in advance
12-14-2013 08:34 AM
Hello,
The more recent stackable switches come with a management port, Fa0 or E0 in some cases, or even with its own VRF, almost like a separate routing instance; this stays separate from the switch itself. You can put this on the management network, depending on your organisation's security policies. From here you can configure SNMP, SSH etc. to and from this interface / VRF. All authentication can be done via this interface / VRF also.
If there isn't any management port, you can always create a VRF and assign it to a port, keep that for management. It will have its own routing table, separate from the global routing table.
Please see here:
Hope this helps.
Bilal
Please rate useful posts & remember to mark any solved questions as answered. Thank you.
12-14-2013 11:03 PM
Thanks Bilal,
Looking at the link it specifically says:
Because routing is not supported between the Ethernet management port and the network ports, traffic between these ports cannot be sent or received. If this happens, data packet loops occur between the ports, which disrupt the switch and network operation. To prevent the loops, configure route filters to avoid routes between the Ethernet management port and the network ports.
Doesn't that contradict itself, saying that traffic cannot be sent and received from the management ports to the traffic ports, but then to configure route filters to avoid it?
I have a specific management subnet at each of my office locations, so I was thinking maybe to put an IP address on the management port... by route filters, does it mean some kind of distribute list?
12-15-2013 02:33 AM
I see what you mean... It kind of does, but what I think they mean is that if you have an absolutely separate network (i.e. physically separate) for management, then this would work. I didn't realise that the routing information would be shared. Maybe they mean using route-maps or distribute-lists to stop this inter-routing info. Maybe someone from Cisco can clarify this for us? It would make sense if it was like this:
Fa0 - management
Fa1/0/1 - network
Fa0 would just be separate from anything to do with Fa1/0/1, therefore it would be secure and nothing would be able to flow between them; however, it seems as though this is not the case here.
It would have been nice to make use of that management port. In any case, this is too risky for a DMZ in my opinion. However, what you could do is create a VRF, which does do what we want to do. You can assign a VRF to a physical or virtual interface, provided that you have an IP Services license. I'm not sure if you can assign a VRF to the management port, though.
configure terminal
!
ip routing
!
ip vrf MGMT
 rd 1:1
!
interface Faxxxx
 ip vrf forwarding MGMT
 ip address x.x.x.x x.x.x.x
!
! default gateway for the management VRF
ip route vrf MGMT 0.0.0.0 0.0.0.0 y.y.y.y
!
! optional: bind the management-plane services to the VRF
snmp-server host b.b.b.b vrf MGMT string
logging host c.c.c.c vrf MGMT
ip tftp source-interface Faxxxx
And so on; if you have TACACS+ enabled too, you can also do this via the VRF, I think.
Apologies in advance if the syntax is not correct; this is just off the top of my head for now.
Please rate useful posts & remember to mark any solved questions as answered. Thank you.
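The point of the VRF approach above is that every management-plane service (SNMP traps, syslog, TFTP) stays in the MGMT table and nothing leaks into the global table. As an added example that is not from this thread or from Cisco, here is a small audit that reads an IOS-style running config and flags management commands that escape the VRF; the sample config, interface names and addresses are constructed for the demonstration.

```python
import re

# Constructed sample (not from the thread): management port in VRF MGMT, with one
# slip left in on purpose: the syslog host is still reached via the global table.
SAMPLE_CONFIG = """\
ip vrf MGMT
 rd 1:1
interface FastEthernet0
 ip vrf forwarding MGMT
 ip address 10.99.0.5 255.255.255.0
interface FastEthernet1/0/1
 ip address 192.0.2.2 255.255.255.0
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.99.0.1
snmp-server host 10.99.0.10 vrf MGMT public
logging host 10.99.0.11
ip tftp source-interface FastEthernet0
"""

def interface_vrfs(config):
    """Map each 'interface X' stanza to its 'ip vrf forwarding' VRF (or None)."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            vrfs[current] = None
        elif line.startswith(" ") and current and "ip vrf forwarding" in line:
            vrfs[current] = line.split()[-1]
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the stanza
    return vrfs

def audit_mgmt_vrf(config, vrf="MGMT"):
    """Return the config lines where a management-plane command escapes the VRF."""
    findings, ifaces = [], interface_vrfs(config)
    for line in config.splitlines():
        words = line.split()
        # SNMP traps and syslog must be sent through the management VRF
        if line.startswith(("snmp-server host", "logging host")):
            if "vrf" not in words or words[words.index("vrf") + 1] != vrf:
                findings.append(line)
        # file transfers must source from an interface that is inside the VRF
        elif line.startswith("ip tftp source-interface"):
            if ifaces.get(words[-1]) != vrf:
                findings.append(line)
        # a VRF static route ending in 'global' leaks the VRF into the global table
        elif line.startswith(f"ip route vrf {vrf}") and words[-1] == "global":
            findings.append(line)
    return findings
```

Running `audit_mgmt_vrf(SAMPLE_CONFIG)` returns only the `logging host 10.99.0.11` line; adding `vrf MGMT` to it clears the finding.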
12-16-2013 09:42 PM
Thanks Bilal,
I'm really unsure now... The switches are LAN Base, so no routing functions.
Is my only other option to allow an exception through the firewall to the management stations?
Anyone able to advise what they do in these situations?
12-16-2013 11:31 PM
As a last resort you could use strict extended ACLs on your management interface in the inbound and outbound directions to ensure security, on your firewall and also on the switch itself. Not nice, but it's a little more secure.
Sent from Cisco Technical Support iPhone App
12-25-2013 11:05 PM
Actually the 3850s support VRF on the management interface. These switches will run LAN Base, I believe.
For security, I would most likely have the management interface connected to the firewall on a separate zone, with specific policies only allowed through the firewall to allow traps etc., and only allow connections from the trusted internal network to the specific management zone.
Unless of course there is a better way to approach it ?
01-01-2014 01:38 AM
I would recommend the VRF as stated previously and your policy seems totally reasonable.
Hth
Sent from Cisco Technical Support iPhone App