Trying to create and access a loopback interface on 3750 L3 switch

dhanshaw1
Level 1

I have a task to implement a loopback network to separate management access to the switches via the loopback network. I have all L3 3750 switches in the network separated by multiple firewalls in a zone design. I added a loopback0 interface to one of the switches and configured the routes and firewall rules to allow ssh access from one of my workstations to the loopback network. When I try to ssh to the loopback interface I get a connection timeout using Putty. I can see the traffic passing the firewall policies but I don't get a response back from the switch. I'm not using a routing protocol to advertise the routes; everything is static routes. I'm not sure what I'm missing to make this work. Can someone please point me in the right direction? This configuration is required to meet a DISA STIG for separation of management access to switches.

here is what I have configured on the switch

int loopback0

ip address 10.6.42.11 255.255.255.255

Trying to access this from a workstation 10.5.209.20 using putty. I have the route on the switch the workstation is connected to, to send all 10.6.0.0/16 traffic to a firewall, and the rule to allow ssh from this workstation to the Loopback in place, and I have the route on the firewall to send the traffic out the proper interface to reach the loopback ip. I see the packets entering successfully, but on the firewall that sits in front of the switch I don't see a response coming back from the loopback IP... help

13 Replies

Reza Sharifi
Hall of Fame

Does your IOS image support SSH?

Can you provide sh ver?

HTH

Yes

I currently access the switches via ssh on a vlan interface of 10.5.41.11

I made the lpbck int 10.6.42.11 so it would be on a different network


Do you have this command in your config:

ip ssh source-interface loopback0

HTH

No I don't have that command

I was concerned that if I did this and it did not work I would be unable to ssh to the switch. I was doing this configuration remotely. I will try this tomorrow and see if that works. Do I perform this command on the switch with the loopback? If this works I will need to also have my syslogs and NTP use the loopback, according to the DISA Stigs these are the only services that they want seperated from all other traffic. My other concern in doing this is with my TACACS authentication, will I need to add the loopback ip in TACACS in order for my user ID to work?

Yes, to comply with DISA STIGs, you need this command on all your switches and routers. As you also mentioned, you need to do the same for your syslog and NTP servers. To make sure you can get back to the first device when you deploy this command, don't save the config until you know for sure you can get back to the device. Not entirely sure, but you should not need to add the loopback to the TACACS server. If your network is in production, make sure you have an outage window to do all of these.

HTH

Darren
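The configuration Reza is describing, written out as an added example for a 3750 (constructed here, not the poster's or Reza's config). Addresses are the ones from the thread; the firewall next hop 10.6.42.1 and the ACL name are assumptions. Note that `ip ssh source-interface` only sets the source address for SSH sessions the switch itself opens; an inbound SSH session is answered from whatever address the SYN was sent to, so the return route is what matters there.

```ios
! Management loopback for the DISA STIG separation requirement
interface Loopback0
 description Management (separated from user traffic)
 ip address 10.6.42.11 255.255.255.255
!
! The 3750 must be routing for static routes to apply at all;
! without this only "ip default-gateway" is used
ip routing
! Return path toward the management station lives behind the firewall
! (next hop 10.6.42.1 is an assumption)
ip route 10.5.0.0 255.255.0.0 10.6.42.1
!
! Source management-plane services from the loopback so syslog, NTP,
! TACACS+ and switch-initiated SSH all leave with the loopback address
ip ssh source-interface Loopback0
logging source-interface Loopback0
ntp source Loopback0
ip tacacs source-interface Loopback0
!
! Only the management station may reach the VTYs, and only over SSH
ip access-list standard MGMT-ACCESS
 permit host 10.5.209.20
 deny any log
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
```

As Rick notes below, when applying this remotely, run `reload in 10` beforehand and `reload cancel` once the new path is confirmed, and only then `write memory`.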

If you are doing these configuration changes remotely then I would suggest that as a safety measure that you configure the reload in x command (where x is some number of minutes). If you make configuration changes and the change results in losing connectivity to the switch, then the reload will occur and will put the switch back to its working configuration.

My impression is that the layer 3 switches do not really support the concept of loopback interfaces in the same way that routers do. Would it satisfy the requirements to isolate management traffic if you configure a management VLAN and specify the management traffic to use that VLAN?

HTH

Rick


I added this to the config and it is still unsuccessful. I have a mgmt. workstation on a switch that can access a switch that I'm testing with and does not cross a firewall, and this did not make a difference. Not sure what I'm missing on this; it should be pretty simple but it is not working.

Hi,

Could you post a topology diagram and the config of the firewall where you don't see the return traffic?

Regards.

Alain..


Hi Darren

So the return traffic from Switch to the MGMT Station behind FW is being dropped

What about the ping response from the Switch with source as the Loopback (10.6.42.11) to the MGMT station (10.5.209.20), assuming ICMP is open between the two?

Regards

Varma

Traffic is not being dropped by the firewall. I see the traffic in the logs of the firewall; the tcp-syn comes through but I never get the syn-ack back from the switch.

The switch has a transient connection between the firewall and the switch. I can connect to the switch using ssh with no problem, so I configured the loopback interface on the switch, I added the rule on the firewall to allow ssh access to the loopback interface and I can see the traffic coming in, but I don't get a response back from the switch; the firewall shows the session closed due to age-timeout in its log.

Darren

Based on your comment that there is not a dynamic routing protocol and that everything is static routes, then one possible problem is that there is incomplete routing information somewhere. It might prevent the SSH request from getting from the management PC to the switch, or it might prevent the SSH response from getting from the switch to the management PC. One way to check that would be to try to traceroute from the management PC to the switch loopback interface. And to traceroute from the switch to the management PC.

I am not clear what you are trying to tell us when you said: "I have a mgmt. workstation on a switch that can access a switch that I'm testing with and does not cross a firewall and this did not make a difference." Clearly you are saying that it is not a firewall issue. But I cannot tell whether this workstation is multiple hops away (in which case it might be a routing problem) or is closely connected. So it would help if you could clarify the topology of this network for us.

I will also repeat the point from my previous post: would a separate management vlan be an acceptable solution for isolating management traffic? A management vlan is the common solution in most organizations for separating and controlling management traffic. And I am not convinced that loopback interfaces are supported on layer 3 switches in the same way that they are supported on routers.

HTH

Rick
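Rick's diagnosis above, that with static routes only, some hop may lack a route back to the management station, can be checked offline before touching the switch. The script below is an added example (not from the thread): it models each device's static routes as a table, does a longest-prefix-match lookup per hop, and traces the SSH request and its reply separately. The three-device topology and the missing return route on the test switch are constructed assumptions using the thread's addresses.

```python
"""Walk static routes hop by hop in both directions (constructed example)."""
import ipaddress

def lookup(rib, dst):
    """Longest-prefix match over (prefix, next_hop) tuples.
    next_hop is a device name, or "connected" when dst is local."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in rib:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]

def trace(ribs, start, dst, max_hops=8):
    """Devices traversed from start toward dst, ending in DELIVERED,
    NO ROUTE@<device> (the hop that drops the packet) or LOOP."""
    path, dev = [start], start
    for _ in range(max_hops):
        nh = lookup(ribs[dev], dst)
        if nh is None:
            path.append(f"NO ROUTE@{dev}")
            return path
        if nh == "connected":
            path.append("DELIVERED")
            return path
        dev = nh
        path.append(dev)
    path.append("LOOP")
    return path

# Constructed topology: management station on access-sw, firewall in between,
# loopback 10.6.42.11 on test-sw. test-sw has no route back to 10.5.x (assumed).
RIBS = {
    "access-sw": [("10.5.209.0/24", "connected"), ("10.6.0.0/16", "firewall")],
    "firewall":  [("10.5.209.0/24", "access-sw"), ("10.6.42.11/32", "test-sw")],
    "test-sw":   [("10.6.42.11/32", "connected")],
}

if __name__ == "__main__":
    # SYN reaches the loopback, SYN-ACK dies on test-sw: the symptom in the thread
    print("request:", " -> ".join(trace(RIBS, "access-sw", "10.6.42.11")))
    print("reply:  ", " -> ".join(trace(RIBS, "test-sw", "10.5.209.20")))
    fixed = {k: list(v) for k, v in RIBS.items()}
    fixed["test-sw"].append(("10.5.0.0/16", "firewall"))  # add the return route
    print("reply after fix:", " -> ".join(trace(fixed, "test-sw", "10.5.209.20")))
```

Replace the tables with each device's real `show ip route` output to find the hop that swallows the SYN-ACK.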


I was just testing this on a switch that has a network VLAN that is shared on the switch that the management workstation is connected to.

VLAN 209

VLAN 204

Test switch is 204.6

MGMT station is 209.20

Both of these VLANs are on the same switch and when I tested this, it did not work, that is all I was saying

Darren

Is the switch with the loopback acting as an L2 switch or an L3 switch?

If it is acting as L2 then the recommended way of managing the switch is by using a L3 vlan interface to connect to it.

If it is acting as L3 then you can use either.

Perhaps you can post the config of your switch?

Jon
