10-16-2011 01:12 PM - edited 03-07-2019 02:50 AM
I have a task to implement a loopback network to separate management access to the switches via the loopback network. I have all L3 3750 switches in the network separated by multiple firewalls in a zone design. I added a loopback0 interface to one of the switches and configured the routes and firewall rules to allow SSH access from one of my workstations to the loopback network. When I try to SSH to the loopback interface I get a connection timeout using PuTTY. I can see the traffic passing the firewall policies, but I don't get a response back from the switch. I'm not using a routing protocol to advertise the routes; everything is static routes. I'm not sure what I'm missing to make this work. Can someone please point me in the right direction? This configuration is required to meet a DISA STIG for separation of management access to switches.
Here is what I have configured on the switch:
int loopback0
ip address 10.6.42.11 255.255.255.255
I am trying to access this from a workstation (10.5.209.20) using PuTTY. I have the route on the switch the workstation is connected to to send all 10.6.0.0/16 traffic to a firewall, the rule to allow SSH from this workstation to the loopback is in place, and I have the route on the firewall to send the traffic out the proper interface to reach the loopback IP. I see the packets entering successfully, but on the firewall that sits in front of the switch I don't see a response coming back from the loopback IP... help
10-16-2011 02:50 PM
Does your IOS image support SSH?
Can you provide sh ver?
HTH
10-16-2011 03:38 PM
Yes
I currently access the switches via SSH on a VLAN interface of 10.5.41.11.
I made the loopback interface 10.6.42.11 so it would be on a different network.
Sent from my Verizon Wireless BlackBerry
10-16-2011 05:12 PM
Do you have this command in your config:
HTH
10-16-2011 05:29 PM
No, I don't have that command.
I was concerned that if I did this and it did not work I would be unable to SSH to the switch. I was doing this configuration remotely. I will try this tomorrow and see if that works. Do I perform this command on the switch with the loopback? If this works I will need to also have my syslogs and NTP use the loopback; according to the DISA STIGs these are the only services that they want separated from all other traffic. My other concern in doing this is with my TACACS authentication: will I need to add the loopback IP in TACACS in order for my user ID to work?
10-16-2011 05:51 PM
Yes, to comply with DISA STIGs, you need this command on all your switches and routers. As you also mentioned, you need to do the same for your syslog and NTP servers. To make sure you can get back to the first device when you deploy this command, don't save the config until you know for sure you can get back to the device. Not entirely sure, but you should not need to add the loopback to the TACACS server. If your network is in production, make sure you have an outage window to do all of these.
HTH
10-16-2011 06:58 PM
Darren
If you are doing these configuration changes remotely, then I would suggest, as a safety measure, that you configure the reload in x command (where x is some number of minutes). If you make configuration changes and the change results in losing connectivity to the switch, then the reload will occur and will put the switch back to its working configuration.
My impression is that the layer 3 switches do not really support the concept of loopback interfaces in the same way that routers do. Would it satisfy the requirements to isolate management traffic if you configure a management VLAN and specify the management traffic to use that VLAN?
HTH
Rick
10-17-2011 06:13 AM
I added this to the config and am still unsuccessful. I have a mgmt. workstation on a switch that can access a switch that I'm testing with and does not cross a firewall, and this did not make a difference. Not sure what I'm missing on this; it should be pretty simple, but it is not working.
10-17-2011 06:30 AM
Hi,
Could you post a topology diagram and the config of the firewall where you don't see the return traffic?
Regards.
Alain..
10-17-2011 06:43 AM
Hi Darren
So the return traffic from the switch to the MGMT station behind the FW is being dropped.
What about the ping response from the switch with source as the loopback (10.6.42.11) to the MGMT station (10.5.209.20), assuming ICMP is open between the two?
Regards
Varma
10-17-2011 06:50 AM
Traffic is not being dropped by the firewall. I see the traffic in the logs of the firewall; the TCP SYN comes through, but I never get the SYN-ACK back from the switch.
The switch has a transient connection between the firewall and the switch. I can connect to the switch using SSH with no problem, so I configured the loopback interface on the switch and added the rule on the firewall to allow SSH access to the loopback interface. I can see the traffic coming in, but I don't get a response back from the switch; the firewall shows the session closed due to age-timeout in its log...
10-17-2011 06:46 AM
Darren
Based on your comment that there is not a dynamic routing protocol and that everything is static routes, then one possible problem is that there is incomplete routing information somewhere. It might prevent the SSH request from getting from the management PC to the switch, or it might prevent the SSH response from getting from the switch to the management PC. One way to check that would be to try to traceroute from the management PC to the switch loopback interface. And to traceroute from the switch to the management PC.
I am not clear what you are trying to tell us when you said: "I have a mgmt. workstation on a switch that can access a switch that I'm testing with and does not cross a firewall and this did not make a difference." Clearly you are saying that it is not a firewall issue. But I cannot tell whether this workstation is multiple hops away (in which case it might be a routing problem) or is closely connected. So it would help if you could clarify the topology of this network for us.
I will also repeat the point from my previous post: would a separate management vlan be an acceptable solution for isolating management traffic? A management vlan is the common solution in most organizations for separating and controlling management traffic. And I am not convinced that loopback interfaces are supported on layer 3 switches in the same way that they are supported on routers.
HTH
Rick
10-17-2011 06:54 AM
I was just testing this on a switch that has a network VLAN that is shared on the switch that the management workstation is connected to.
VLAN 209
VLAN 204
Test switch is 204.6
MGMT station is 209.20
Both of these VLANs are on the same switch, and when I tested this it did not work; that is all I was saying.
10-17-2011 10:25 AM
Darren
Is the switch with the loopback acting as an L2 switch or an L3 switch?
If it is acting as L2 then the recommended way of managing the switch is by using a L3 vlan interface to connect to it.
If it is acting as L3 then you can use either.
Perhaps you can post the config of your switch ?
Jon
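As an added example (not posted by anyone in this thread), here is the kind of IOS configuration and verification sequence the thread is circling: Rick's reload-in safety net, a static return route so the SYN-ACK from the loopback can actually reach the management station, the syslog/NTP/TACACS source-interface commands Darren asks about, a vty access-class to keep management access to the management hosts, and the ping/traceroute checks Varma and Rick suggest. The addresses 10.6.42.11 and 10.5.209.20 come from the thread; 10.5.204.6 (the test switch in VLAN 204), 10.5.204.1 (its next hop on the L3 switch that holds VLANs 204 and 209) and ACL number 10 are assumptions made for illustration.

```cisco
! ===== Switch that owns the loopback (assumed VLAN 204 address 10.5.204.6) =====
! Safety net for a remote change session: if the change cuts us off, the switch
! reloads in 10 minutes and comes back on the last saved (known-good) config.
reload in 10
configure terminal
interface Loopback0
 description Management plane (DISA STIG separation)
 ip address 10.6.42.11 255.255.255.255
!
! Return path. Without a route back to the management network the switch
! receives the SYN on 10.6.42.11 but its SYN-ACK never leaves, which is the
! "SYN seen, no SYN-ACK, session aged out" symptom on the firewall.
! 10.5.204.1 is an assumed next hop.
ip route 10.5.209.0 255.255.255.0 10.5.204.1
!
! Source the services the STIG wants separated from Loopback0.
logging source-interface Loopback0
ntp source Loopback0
ip tacacs source-interface Loopback0
! ip ssh source-interface governs SSH sessions the switch itself opens; inbound
! SSH to 10.6.42.11 only needs the address to be routed both ways.
ip ssh source-interface Loopback0
!
! Restrict inbound management to the management station(s). ACL 10 is assumed.
access-list 10 remark MGMT-HOSTS
access-list 10 permit host 10.5.209.20
line vty 0 15
 access-class 10 in
 transport input ssh
end
!
! ===== Upstream L3 switch (VLANs 204 and 209) and the firewalls in the path =====
! Everything is static here, so every hop needs the /32 pointed at the switch.
ip route 10.6.42.11 255.255.255.255 10.5.204.6
!
! ===== Verification from the switch that owns the loopback =====
show ip route 10.5.209.20
ping 10.5.209.20 source 10.6.42.11
! On older images the source can only be set in extended traceroute
! (type "traceroute" alone and answer the prompts).
traceroute 10.5.209.20 source 10.6.42.11
show ip ssh
!
! Only after SSH to 10.6.42.11 works from 10.5.209.20: cancel the timer and save.
reload cancel
write memory
```

Two caveats a practitioner will want stated plainly. First, `ip ssh source-interface` is not what makes inbound SSH to the loopback answer; that depends entirely on the /32 being routed toward the switch at every hop and on the switch having a route back to 10.5.209.0/24, so `show ip route 10.5.209.20` and a loopback-sourced ping are the first checks. Second, if TACACS+ is sourced from Loopback0, the TACACS+ server sees 10.6.42.11 as the client address, so that address has to be a defined client on the server before the change is saved.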