Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1112
Views
15
Helpful
8
Replies

Ping L2 switch from Router on different subnet

Go to solution
Mokhalil82
Level 4
Level 4

‎03-27-2015 04:15 AM - edited ‎03-07-2019 11:17 PM

Hi Guys

 

I am setting up a failover between production and dr sites. Please see attached diagram.

So ive got my primary and backup router each in a different building connected via some L3 switches. My internal failover is to be setup using IP SLA which I am comfortable with. My ISP are using HSRP to failover their router for which I am providing a L2 link by installing the 2 new switches as shown in the diagram. 

My question 1st is, I want to get remote access to these 2 new switches, but I dont want to assign my public IP range to them for management access. Is that possible and how?

I can assign the public IP address to them on a vlan and get access, but to save the public IPs I am wondering if I can assign as private IP to them and get management access from the internal network.

Now my 2nd question is, what is the best practice in this scenario, shall I just connect them in and not setup any remote access, so its the same as a cable failing, if i lose connection and a failover occurs, I will just have to physically investigate (after carrying out all other troubleshooting of course), or is it recommended on these external switches to lock them down like you would with any ordinary switch on the internal network. their only function is to provide L2 connectivity for the HSRP on the ISP routers.

 

Thanks

 

 

Labels:
Preview file
18 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni

‎03-27-2015 05:12 AM

What I would do is have an interface (management interface) either dedicated mgmt port built in to the switch or use VRF to a DMZ with private IP address. You didnt mention what switch it is...?

Idea being, that the switch should not be able to "route traffic" and only to allow access for mgmt.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Bilal Nawaz

‎03-27-2015 06:09 AM

If the switch does have a management port that could give you out of band management and that would be a good thing. But it would require a second cable connecting your switch to your router. The other alternative would be to configure one vlan to carry the Internet traffic (no IP address for the switch in this vlan to save the public IP) and another vlan to be the management vlan with a private address. You would then configure the port connecting the switch to your router(s) and configure that interface as a trunk. HTH Rick
HTH

Rick

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni

‎03-27-2015 05:12 AM

What I would do is have an interface (management interface) either dedicated mgmt port built in to the switch or use VRF to a DMZ with private IP address. You didnt mention what switch it is...?

Idea being, that the switch should not be able to "route traffic" and only to allow access for mgmt.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Bilal Nawaz

‎03-27-2015 06:09 AM

If the switch does have a management port that could give you out of band management and that would be a good thing. But it would require a second cable connecting your switch to your router. The other alternative would be to configure one vlan to carry the Internet traffic (no IP address for the switch in this vlan to save the public IP) and another vlan to be the management vlan with a private address. You would then configure the port connecting the switch to your router(s) and configure that interface as a trunk. HTH Rick
HTH

Rick
0 Helpful

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni
In response to Richard Burts

‎03-27-2015 06:35 AM

These are valid points Rick, though I would like to express my opinion, that the benefits of using that second cable if possible outweighs the alternative of using trunking/vlan tagging for numerous reasons.

If feasible, I would avoid having "dirty" traffic flowing down same physical links as mgmt traffic that might (if compromised) be used to "route" via the switch.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Bilal Nawaz

‎03-27-2015 06:52 AM

I agree with your opinion that the second cable to a dedicated management port is the more desirable solution and that is why I listed it first. But the second vlan for management running over a trunk port is also a feasible solution which the original poster needs to consider.

 

HTH

 

Rick

HTH

Rick

Go to solution
Mokhalil82
Level 4
Level 4
In response to Richard Burts

‎03-28-2015 03:52 AM

Hi 

Thanks for the useful responses. We dont have budget for the 2 switches that need to be added so will be digging out any old switches and I doubt they will have a management port. 

So I take it option 2 may be my only option, although i will try to find a switch with a management port.

From what I remember we took some standard 3750 switches out a few months ago so may reuse them. I don't think they come with a management port.

 

Thanks for the help

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Mokhalil82

‎03-28-2015 07:57 AM

I would point out that the alternative for a separate connection to manage the switches does not require a specified management port on the switch, though if the switch had one that would be the optimum solution. You could achieve much the same result by configuring a new VLAN, assigning a switch access port to that VLAN and connecting that port with the second cable.

 

There is a logistical consideration about this solution. Using a second cable would require a second interface on the router. And I can see that many organizations would be reluctant to allocate an additional router interface just to provide management access that is separate from the data traffic. 

 

So perhaps the more realistic option is the option to configure a management VLAN on the switch and to configure trunking between the switch and the router.

 

HTH

 

Rick

HTH

Rick

Go to solution
Mokhalil82
Level 4
Level 4
In response to Richard Burts

‎03-28-2015 10:12 AM

Ive just labbed it to ensure it works, it does, thanks

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Mokhalil82

‎03-28-2015 11:03 AM

I am glad to know that you have labbed it up and that it does work. I am pleased that our responses were helpful to you. Thank you for using the rating system to mark this question as answered. This makes it easier for other readers in the forum to identify discussions which have helpful information. I hope to see you continue your activity in the forum.

 

HTH

 

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents