How to give a switch an ip for management

Unanswered Question
May 23rd, 2007
User Badges:

Hi


I'm going to put a switch in our DMZ, so all it does is allow switching within the DMZ. It isn't going to have any direct links into the internal network. Now I've hit a snag in this plan.


Basically the DMZ has public ip addresses and are in VLAN 130,131,132. My question is if I create an interface for vlan 130 on the switch and then give it an ip address, its going to need a public ip address for me to be able to reach it from my internal vlan. BTW the dmz and internal zones are separated via a pix 515e firewall.


My question is if I give the vlan 130 interface a private ip e.g 192.168.2.1 will I still be able to reach it, if say I put a route on the firewall to say 192.168.2.0 lies in the interface which has vlan130?


I hope this describes the situation in a clear way. Any further question please just ask.


The switch is a 3560-G series switch.


Thanks in advance

Dan

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Amit Singh Wed, 05/23/2007 - 22:10
User Badges:
  • Cisco Employee,

Dan,


You dont need a public IP on these switches to manage it from your internal vlans. You have to either use staic NAT from the inside interface to DMZ interface for 192.168.2.0 ip range or do a self static for the same IP range on Pix DMZ interface. You have to use ACL's and routes on PIX to allow the traffic from the DMZ to the inside vlans and you should be able to get an access to the switch.


HTH,Please rate if it does.


-amit singh

dan_track Wed, 05/23/2007 - 23:53
User Badges:

Hi


Thanks for your reply. It seems to have helped focus me. My internal vlan has the 10.0.0.0/8 range while the new ip's I want to use on the switch are 192.168.2.1 and 192.168.2.2 on vlan 130.


Any chance you could please give me an example of the static command I need to use?


Many Thanks

Dan

Jon Marshall Wed, 05/23/2007 - 23:40
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi Dan It's a bit unclear what you mean by "Basically the DMZ has public ip addresses and are in VLAN 130,131,132"


Do you have 3 separate DMZ interfaces on your pix firewall \then.


Amit is right in that you don't need to use a public ip address. You could use a private address but you would need to add an interface on your pix in that same subnet range to be able to access it if that makes sense.


If you can't do this then yes you will need a public IP address on the switch interface.


HTH


Jon

Actions

This Discussion