01-22-2020 06:46 AM
Hello Everyone,
I have a situation where I'm going to be installing two small switches to support two public 100Mbps internet links. Each switch will uplink to the ISP via a fiber connection and only three other ports will be used. (Each switch will connect to a set of firewalls and another public-facing device.) The switches will be fully independent of each other but basically have an identical config. Given the low port count needed, I was looking at something like the C1000 series switches. Those switches don't have an Out of Band Management port. I want to make sure the switches are secure but want to be able to pull stats/logs and manage them remotely. We have a management VLAN on the network but I'm not sure I want to mix the switching domains. I also don't want to give each switch a public address as that would waste the limited addresses we'll be getting.
The one thought I had was to create an SVI on the switch in our management VLAN and set a port to access that and connect it to the management switches. Basically trying to build an OOB management interface. I want to try to avoid paying 3x-5x the cost for a switch that has way too many ports that we'll never use just to get the OOB management interface.
I've been trying to consider how the switch could be attacked to allow someone to remotely access the management network if we connect it like that. We'd obviously follow Cisco's hardening guide and, barring any configuration errors, it would essentially require an attacker to break out of the internet VLAN on the switch and somehow get into the management VLAN.
Thoughts?
Thank you for your consideration!
01-22-2020 06:53 AM
Anyway, your network is protected with a FW, so extend your MGMT network VLAN and configure the same on the switches to manage them.
Anyway, you require logs to be sent, so you definitely need a Layer 3 IP for this, and to manage the device with an NMS as well.
01-22-2020 07:38 AM
I've been trying to understand how dangerous it could be to have the SVI for an internal network and the public layer 2 VLAN on the same switch. The switches will be installed in a locked cabinet so I don't have to worry about someone connecting to other ports (which would be shut down anyway). The connection would come directly from the ISP's hardware, so any attack against the switch would have to come through that, so I'm having a difficult time believing someone would be able to poison the MAC table.
01-22-2020 07:42 AM
As long as I keep the public network to layer 2 only, I shouldn't have to worry about any of those types of attacks, which is why I didn't want to give the devices a public IP.
I might be able to extend a new management network out to the switches that they are the only members of. (I could trunk the connections from the firewalls to the switches.) Then the only devices in the network would be the switches and the gateway IP. I could then control all traffic to/from them with the firewall.
It looks like the C1000 series switches don't support VRFs, so that idea is out. I'm not stuck on that model, but the price is compelling.
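The following is an added illustration of the design described in the post above (a public layer-2 VLAN and a dedicated, firewall-fronted management VLAN on the same small switch). It is not configuration from the original thread or from Cisco, and the VLAN numbers, addresses, interface names (C1000-style GigabitEthernet1/0/x) and port roles are all assumptions chosen for the example:

```cisco
! Added example, not from the thread. Assumed layout per switch:
!   Gi1/0/1  fiber hand-off from the ISP            (access, public VLAN 10)
!   Gi1/0/2  firewall A outside, Gi1/0/3 firewall B  (trunk: VLAN 10 + mgmt VLAN 200)
!   Gi1/0/4  the other public-facing device          (access, public VLAN 10)
!   Gi1/0/5-8 unused
hostname EDGE-SW-A
service password-encryption
no ip routing                      ! switch stays layer 2; SVI is for management only
no ip http server
no ip http secure-server
ip ssh version 2
no cdp run
!
vlan 10
 name PUBLIC-ISP-A
vlan 200
 name SW-MGMT                      ! only the switches and the firewall gateway live here
vlan 999
 name UNUSED-NATIVE                ! parking VLAN for unused ports and trunk native VLAN
!
! Management SVI; the firewall (assumed 10.200.0.9) is the gateway and the only
! path into VLAN 200, so the firewall policy decides who may reach the switch.
interface Vlan200
 ip address 10.200.0.11 255.255.255.248
 no shutdown
ip default-gateway 10.200.0.9
!
! ISP hand-off: plain access port, no DTP, no discovery protocols.
interface GigabitEthernet1/0/1
 description ISP-A fiber hand-off
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
 no lldp transmit
 no lldp receive
 storm-control broadcast level 10.00
 no shutdown
!
! Firewall trunks: only the two VLANs that should exist, with an unused native VLAN
! so public-VLAN frames are always tagged (access native VLAN 10 != trunk native 999,
! which is what a double-tagging hop would need).
interface range GigabitEthernet1/0/2 - 3
 description Firewall A/B outside (trunk)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,200
 no shutdown
!
interface GigabitEthernet1/0/4
 description Other public-facing device
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no shutdown
!
interface range GigabitEthernet1/0/5 - 8
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Management plane: SSH only, and only from the management network, even though the
! firewall already filters; the ACL is defence in depth against a firewall rule mistake.
ip access-list standard MGMT-HOSTS
 permit 10.200.0.8 0.0.0.7
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
!
logging host 10.200.0.50           ! assumed syslog collector, reached via the firewall
snmp-server community <read-only-string> RO MGMT-HOSTS
```

Because `no ip routing` is set, the switch has exactly one IP address and one default gateway, and anything from the public VLAN would have to reach VLAN 200 at layer 2 rather than through the switch's own forwarding; the trunk native VLAN mismatch and the absence of DTP close the usual layer-2 hopping paths, leaving the firewall rules on the VLAN 200 gateway as the single point that controls who can talk to the switch.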
01-22-2020 07:24 AM
Hi,
A couple questions:
Are you planning to use NAT? If you are, most small switches don't support NAT, and so you need the router peering with the ISPs to do the NAT for you unless you have enough public IPs for all end devices.
Or are you planning to use these switches as layer 2 and extend the public IPs to the firewalls? If that is the case, most providers peer only at layer 3 and will not use trunk ports.
As for OOB, if the switches you are purchasing don't have an OOB port, you can simply take an empty port from each of these switches and connect them to your out-of-band management switch using a separate VLAN. Depending on the management switch setup, you would want to peer that switch with the firewalls at layer 3, or, if that switch is layer 2, extend the management VLAN to the firewall and add the gateway for all OOB ports on the firewall.
HTH
01-22-2020 07:33 AM
The switches will only be layer 2 for the ISP connections. The switches are there to terminate the fiber connection and to break out the single hand-off to the pair of Active/Passive firewalls and the router.
All the public IPs will be used at the firewalls/router in the image. (Where any NAT/routing is done.)
If I were to extend the mgmt VLAN to the switch, I wouldn't be able to use the firewall to control the traffic.