Managing a Public Layer 2 Switch

ecornwell
Level 2

Hello Everyone,

 

I have a situation where I'm going to be installing two small switches to support two public 100Mbps internet links. Each switch will uplink to the ISP via a fiber connection and only three other ports will be used. (Each switch will connect to a set of firewalls and another public facing device.) The switches will be fully independent of each other but basically have an identical config. Given the low port count needed, I was looking at something like the C1000 series switches. Those switches don't have an Out of Band Management port. I want to make sure the switches are secure but want to be able to pull stats/logs and manage them remotely. We have a management vlan on the network but I'm not sure I want to mix the switching domains. I also don't want to give each switch a public address as that would waste the limited addresses we'll be getting.

 

The one thought I had was to create an SVI on the switch in our management vlan and set a port to access that and connect it to the management switches. Basically trying to build an OOB management interface. I want to try to avoid paying 3x-5x the cost for a switch that has way too many ports that we'll never use just to get the OOB management interface.

 

I've been trying to consider how the switch could be attacked to allow someone to remotely access the management network if we connect it like that. We'd obviously follow Cisco's hardening guide and, barring any configuration errors, it would essentially require an attacker to break out of the internet VLAN on the switch and somehow get into the management vlan.

 

Thoughts?

 

Thank you for your consideration!

6 Replies

balaji.bandi
Hall of Fame

Anyway, your network is protected with a FW, so extend your MGMT network VLAN and configure the same on the switches to manage them.

 

Anyway, you require logs to be sent, so you definitely need a Layer 3 IP for this to manage the device with an NMS as well.

 

BB


I've been trying to understand how dangerous it could be to have the SVI for an internal network and the public layer 2 vlan on the same switch. The switches will be installed in a locked cabinet so I don't have to worry about someone connecting other ports (which would be shutdown anyway.) The connection would come directly from the ISP's hardware so any attack against the switch would have to come through that, so I'm having a difficult time believing someone would be able to poison the MAC table.

Mark Malone
VIP Alumni
Hi,

Is it possible to control the traffic by a local firewall, then source all the protocols off the vlan interface and send everything through the FW on the way out? Even if it was only a small FW, it doesn't have to be Cisco or a PA. Like ip ftp source-interface vlan x.

You can use a switch as an edge device but obviously it can't stop DDoS and other attacks that a FW could, so you do leave yourself open a bit, but we have front facing devices too without firewalls in place but securely locked as much as possible.

You could also add the vlan for the mgmt into a VRF if it's able to support that, to isolate the tables too on the router, a slight bit more protection. If not a FW, make sure to use login block commands, ACLs and everything else on the hardening sheets to lock it down as much as possible.

That public address will be constantly hit by auto bots. I have a lot of front facing smaller sites around EMEA and I see it quite a lot.

This is one from today: pings hitting but being blocked by front facing ACLs. You see SSH attempts too, a lot.

222258: Jan 22 14:31:15.046 UTC: %FMANFP-6-IPACCESSLOGDP: SIP1: fman_fp_image: list 101 denied icmp 54.225.6.229 -> xxxxxxxxxxxx (8/0), 1 packet
222259: Jan 22 14:31:15.794 UTC: %FMANFP-6-IPACCESSLOGNP: SIP1: fman_fp_image: list 101 denied 2 xxxxxxxxxxxx -> 224.0.0.1, 2 packets
222260: Jan 22 14:31:16.412 UTC: %FMANFP-6-IPACCESSLOGDP: SIP1: fman_fp_image: list 101 denied icmp 34.235.166.32 -> xxxxxxxxxxxx (8/0), 1 packet
222261: Jan 22 14:31:19.653 UTC: %FMANFP-6-IPACCESSLOGDP: SIP1: fman_fp_image: list 101 denied icmp 54.162.228.86 -> xxxxxxxxxxxx (8/0), 1 packet
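As an added example (not code from the thread or from Cisco), a small Python parser that turns %FMANFP-6-IPACCESSLOG* lines like the ones above into structured events and counts, per ACL, the denied sources, ICMP echo probes and SSH connection attempts. SAMPLE_LOG reuses the four lines from the post plus one constructed TCP/22 line; the field layout of the IPACCESSLOGP variant (ports in parentheses after each address) is assumed from the standard IOS ACL logging format.

```python
import re
from collections import Counter

# Four lines from the post plus one constructed IPACCESSLOGP (tcp/22) line.
# The destination address is masked ("xxxxxxxxxxxx") as in the original post.
SAMPLE_LOG = """\
222258: Jan 22 14:31:15.046 UTC: %FMANFP-6-IPACCESSLOGDP: SIP1: fman_fp_image: list 101 denied icmp 54.225.6.229 -> xxxxxxxxxxxx (8/0), 1 packet
222259: Jan 22 14:31:15.794 UTC: %FMANFP-6-IPACCESSLOGNP: SIP1: fman_fp_image: list 101 denied 2 xxxxxxxxxxxx -> 224.0.0.1, 2 packets
222260: Jan 22 14:31:16.412 UTC: %FMANFP-6-IPACCESSLOGDP: SIP1: fman_fp_image: list 101 denied icmp 34.235.166.32 -> xxxxxxxxxxxx (8/0), 1 packet
222261: Jan 22 14:31:19.653 UTC: %FMANFP-6-IPACCESSLOGDP: SIP1: fman_fp_image: list 101 denied icmp 54.162.228.86 -> xxxxxxxxxxxx (8/0), 1 packet
222262: Jan 22 14:31:21.002 UTC: %FMANFP-6-IPACCESSLOGP: SIP1: fman_fp_image: list 101 denied tcp 54.225.6.229(51234) -> xxxxxxxxxxxx(22), 1 packet
"""

# One pattern covers the DP (icmp with type/code), NP (raw protocol number)
# and P (tcp/udp with ports) variants of the ACL log message.
LOG_RE = re.compile(
    r"%FMANFP-6-IPACCESSLOG(?P<variant>[A-Z]+): .*?"
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[^\s(,]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[^\s(,]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return a dict for one ACL log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["count"] = int(ev["count"])
    for key in ("sport", "dport", "itype", "icode"):
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev


def parse_log(text):
    """Parse every recognisable line of a log dump; skip the rest."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events, acl="101"):
    """Aggregate denied traffic for one ACL by source address."""
    denied_by_source = Counter()   # all denied packets per source
    ssh_probes = Counter()         # denied tcp/22 packets per source
    icmp_echo = Counter()          # denied ICMP echo requests (type 8) per source
    for ev in events:
        if ev["acl"] != acl or ev["action"] != "denied":
            continue
        denied_by_source[ev["src"]] += ev["count"]
        if ev["proto"] == "tcp" and ev["dport"] == 22:
            ssh_probes[ev["src"]] += ev["count"]
        if ev["proto"] == "icmp" and ev["itype"] == 8:
            icmp_echo[ev["src"]] += ev["count"]
    return {
        "denied_by_source": denied_by_source,
        "ssh_probes": ssh_probes,
        "icmp_echo": icmp_echo,
    }


def report(summary, top=5):
    """Render the summary as lines suitable for a daily digest."""
    lines = ["top denied sources:"]
    for src, n in summary["denied_by_source"].most_common(top):
        lines.append(f"  {src}: {n} packet(s)")
    lines.append(f"ssh probes from {len(summary['ssh_probes'])} source(s)")
    lines.append(f"icmp echo probes from {len(summary['icmp_echo'])} source(s)")
    return lines


if __name__ == "__main__":
    for line in report(summarize(parse_log(SAMPLE_LOG))):
        print(line)
```

Feeding a syslog collector's export through parse_log and summarize gives the per-source view that the raw ACL log lines above bury in noise; the same pattern works for the classic %SEC-6-IPACCESSLOG* messages if the prefix in LOG_RE is widened.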

As long as I keep the public network to layer 2 only, I shouldn't have to worry about any of those types of attacks, which is why I didn't want to give the devices a public IP.

 

I might be able to extend a new management network out to the switches that they are the only members of. (I could trunk the connections from the firewalls to the switches.) Then the only devices in the network would be the switches and the gateway IP. I could then control all traffic to/from them with the firewall.

 

It looks like the C1000 series switches don't support VRFs, so that idea is out. I'm not stuck on that model but the price is compelling.

Reza Sharifi
Hall of Fame

Hi,

A couple questions:

Are you planning to use NAT? If you are, most small switches don't support NAT, and so you need the router peering with the ISPs to do the NAT for you unless you have enough public IPs for all end devices.

Or are you planning to use these switches as layer 2 and extend the public IPs to the firewalls? If that is the case, most providers peer only at layer 3 and will not use trunk ports.

As for OOB, if the switches you are purchasing don't have an OOB port, you can simply take an empty port from each of these switches and connect them to your out-of-band management switch using a separate vlan. Depending on the management switch setup, you would want to peer that switch with the firewalls at layer 3, or if that switch is layer 2 you want to extend the management vlan to the firewall and add the gateway for all OOB ports on the firewall.

HTH

The switches will only be Layer 2 for the ISP connections. The switches are there to terminate the fiber connection and to break out the single hand-off to the pair of Active/Passive firewalls and router.

 

All the public IPs will be used at the Firewalls/router in the image.  (Where any NAT/routing is done.)

 

If I would extend the mgmt vlan to the switch, I wouldn't be able to use the firewall to control the traffic.
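As an added example (not code from the thread or from Cisco), a Python audit script for the design discussed here: public VLAN kept at layer 2 with no SVI address, a management SVI reached through a single access port to the management switch, all unused ports shut down, and the vty/HTTP hardening items mentioned above. SAMPLE_CONFIG, the VLAN numbers and the port roles in USED_PORTS are constructed for the example; the checks only look for standard IOS commands (login block-for, access-class, transport input ssh, ip http server, no cdp enable, shutdown).

```python
import re

# Constructed sample running-config (not from the thread). Gi1/0/1-3 are the
# ISP uplink, a firewall and the management switch; Gi1/0/4 is unused.
SAMPLE_CONFIG = """\
hostname edge-sw1
no ip http server
no ip http secure-server
login block-for 120 attempts 3 within 60
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
!
interface GigabitEthernet1/0/1
 description ISP fiber uplink
 switchport access vlan 100
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/2
 description Firewall A
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet1/0/3
 description Management switch
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport access vlan 100
 switchport mode access
!
interface Vlan10
 description Management SVI
 ip address 10.10.10.21 255.255.255.0
!
interface Vlan100
 description Public transit (layer 2 only, no IP)
 no ip address
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
"""

PUBLIC_VLAN = 100  # hypothetical public transit VLAN id
# Hypothetical port roles: ISP uplink, firewall, management switch.
USED_PORTS = {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "GigabitEthernet1/0/3"}


def parse_config(text):
    """Split an IOS-style config into global lines and indented sections."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ", "ip access-list ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def access_vlan(body):
    """Return the configured access VLAN of an interface body, if any."""
    for cmd in body:
        if cmd.startswith("switchport access vlan "):
            return int(cmd.split()[-1])
    return None


def audit(text, public_vlan=PUBLIC_VLAN, used_ports=USED_PORTS):
    """Return a list of hardening findings; an empty list means all checks pass."""
    global_lines, sections = parse_config(text)
    findings = []
    if "ip http server" in global_lines or "ip http secure-server" in global_lines:
        findings.append("HTTP management server is enabled; disable it")
    if not any(l.startswith("login block-for") for l in global_lines):
        findings.append("no 'login block-for' configured against login brute forcing")
    for header, body in sections.items():
        if header.startswith("line vty"):
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{header}: no access-class limiting management sources")
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input is not restricted to ssh")
        elif header.startswith("interface Vlan"):
            vid = int(re.match(r"interface Vlan(\d+)", header).group(1))
            if vid == public_vlan and any(l.startswith("ip address ") for l in body):
                findings.append(f"{header}: public VLAN has an IP address; keep it layer 2 only")
        elif header.startswith("interface "):
            name = header.split(" ", 1)[1]
            if name not in used_ports:
                if "shutdown" not in body:
                    findings.append(f"{name}: unused port is not shut down")
                continue
            if access_vlan(body) == public_vlan:
                if "switchport mode access" not in body:
                    findings.append(f"{name}: public-VLAN port should be a static access port")
                if "no cdp enable" not in body:
                    findings.append(f"{name}: CDP still enabled on a public-VLAN port")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against a saved "show running-config" with the real public VLAN id and the set of ports that should be live; anything the script lists is a gap between the hardening sheet and what is actually on the box.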
