Management Int

Unanswered Question
Oct 19th, 2008

Hi, may I know the use of the Management interface in an ASA firewall? If we put a DHCP server in the management VLAN and create multiple scopes according to the VLANs configured on the FW using other interfaces, then how will the FW allocate dynamic IPs to the client machines in those VLANs, as a VLAN doesn't forward broadcasts? Please respond. Thanks

husycisco Sun, 10/19/2008 - 05:10

Hello Ray,

The management interface exists for creating an Out-Of-Band (OOB) management segment. Syslog servers, terminal routers, event managers, and monitoring and management servers usually sit in that management segment, and according to best practice (OOB), the sensitive information that these servers collect and send should not travel across the backbone, to guard against sniffing, and should stay in an isolated segment. So you VPN into the firewall and then connect to the management segment.

As you may know, the ip helper-address command in routers and switches forwards the broadcast to the target IP as a unicast. As far as I know, ip helper-address does not exist on the PIX and ASA, but instead you can use dhcp-relay.

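The relay setup husycisco describes, written out as an added configuration example (not from the original post). It assumes an ASA 5505 with a built-in switch, VLAN 1 as inside (192.168.1.0/24) and VLAN 100 as the management segment (192.168.100.0/24) holding a DHCP server at 192.168.100.10; all addresses, interface and VLAN numbers are assumptions for illustration.

```cisco
! --- ASA 5505: inside VLAN and management VLAN (assumed addressing) ---
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan100
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 100
!
interface Ethernet0/1
 switchport access vlan 1
!
! The ASA has no ip helper-address; dhcprelay does the same job.
! DHCPDISCOVER broadcasts arriving on 'inside' are forwarded as unicast
! to the server on the management segment. The ASA sets giaddr to its
! own inside address (192.168.1.1), which is how the server picks the
! matching scope (192.168.1.0/24) among the multiple scopes it holds.
dhcprelay server 192.168.100.10 management
dhcprelay enable inside
! Hand clients the ASA inside address as default gateway instead of the
! router option the server returns.
dhcprelay setroute inside
dhcprelay timeout 60
```

Two checks before relying on this: the ASA's own DHCP server (dhcpd enable) cannot be active on an interface at the same time as dhcprelay, so remove any dhcpd enable inside first; and after a client boots, show dhcprelay statistics should show the forwarded DISCOVER/OFFER counters climbing. The server needs one scope per relayed VLAN, each matching the ASA interface address used as giaddr.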

ray_stone Sun, 10/19/2008 - 21:59

Thanks, the information is valuable but still have few doubts.

1) By default, the management interface is part of VLAN 1. If we create another VLAN such as VLAN 100 and assign all interfaces to it except int e0/0, which is part of VLAN 1, and then place one domain server in VLAN 1 and a second domain server in VLAN 100, what would be the difference in terms of blocking and permitting between both VLANs? Here I would like to know what the different function of the management interface is.

2) As far as security is concerned, we must not use the default VLAN 1 on the management interface, and it must be changed. Why?

Farrukh Haroon Sun, 10/19/2008 - 22:54

Ray, the reason to discourage the use of VLAN 1 is VLAN hopping attacks. There are two types of this attack, one of which becomes highly effective if the attacker knows your native VLAN.

VLANs should not be the 'sole' method to control security and inter-zone communication. They were not originally meant for this. You should use the mechanisms built into the ASA for this (ACLs, nameif security zones, nat-control, etc.).

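Farrukh's two points, enforcement on the ASA rather than by VLAN membership and keeping VLAN 1 off the wire as native VLAN, as an added configuration example that is not part of the original thread. It assumes the same ASA 5505 layout as above (VLAN 1 inside 192.168.1.0/24, VLAN 100 management 192.168.100.0/24, a domain server at 192.168.100.20 that clients reach over DNS) plus an upstream IOS switch trunking to the ASA; every address, VLAN number, port and ACL name is an assumption for illustration.

```cisco
! --- ASA: two interfaces at the same security level (100) pass nothing
! between each other until this is set, and then everything; the ACL is
! what actually decides, not the VLAN boundary.
same-security-traffic permit inter-interface
!
! Inbound policy on 'inside': clients may query the domain server on the
! management segment, nothing else there, and anything elsewhere.
access-list inside_in extended permit udp 192.168.1.0 255.255.255.0 host 192.168.100.20 eq domain
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.100.20 eq domain
access-list inside_in extended deny ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside
!
! --- IOS switch upstream of the ASA: native-VLAN hardening ---
! Park the native VLAN on an unused VLAN so an attacker who learns (or
! guesses) VLAN 1 cannot double-tag frames onto it; VLAN 1 carries no hosts.
vlan 999
 name UNUSED_NATIVE
!
interface GigabitEthernet0/1
 description trunk to ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
 switchport nonegotiate
!
! Host ports: hard-coded access mode and no DTP, so a host cannot
! negotiate itself into a trunk (the switch-spoofing variant).
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
 spanning-tree portfast
!
! Tag the native VLAN too, so untagged frames are dropped on the trunk.
vlan dot1q tag native
```

On the ASA, show access-list inside_in shows hit counts per line, which is the quick way to confirm the deny between the two VLANs is actually being hit rather than traffic slipping through on the same-security permit. On the switch, show interfaces trunk should list the native VLAN as 999 and the allowed VLANs without 1; the encapsulation line is only needed on platforms that still offer ISL.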


ray_stone Mon, 10/20/2008 - 01:10

Hi Farrukh,

Thanks for your answers. I have created two VLANs (VLAN 1 and VLAN 100) with the same security level (SL 100), but the main difference is that the VLAN 1 interface is a management interface. Can you please briefly show the difference between both VLANs, as I am a bit confused here?

Farrukh Haroon Mon, 10/20/2008 - 01:35

The recommendation for not using VLAN 1 is for NATIVE VLANs. Sorry, I don't understand your question as to what 'difference' you are looking for; please elucidate further.
