Management Int

ray_stone
Level 1

Hi, may I know the use of the Management Int in the ASA FW, and if we make a DHCP Server in the Management VLAN and make multiple scopes according to the VLANs configured on the FW using other interfaces, then how will the FW allocate the dynamic IP to the VLAN client machines, as a VLAN doesn't forward the broadcast? Please respond. Thanks

5 Replies

husycisco
Level 7

Hello Ray,

The Management interface exists for creating an Out Of Band (OOB) Management segment. Syslog servers, terminal routers, event managers, monitoring and management servers usually take place in that management segment and, according to best practices (OOB), the sensitive information that these servers collect and send should not travel across the backbone, against sniffing, and should stay in an abandoned segment. So you VPN into the firewall and then connect to the management segment.

As you may know, the ip helper-address command in routers and switches does forward the broadcast to the target IP as a unicast. As far as I know, ip helper-address does not exist in PIX and ASA, but instead, you can use dhcp-relay.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008075fcfb.shtml

Regards
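As an added illustration (not from the post above or from the linked Cisco document), the ASA configuration shape that the dhcp-relay suggestion implies: the DHCP server sits on the OOB management segment and the ASA relays each user VLAN interface's DHCP broadcasts to it as unicast. Interface names, VLAN numbers and addresses are assumed sample values.

```cisco
! Management segment (OOB): the DHCP server 192.168.1.10 lives here.
! 'management-only' refuses through-traffic, so this interface cannot
! become a transit path into or out of the management segment.
interface Vlan1
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
! User VLAN whose clients need addresses from the central server.
! The lower security level keeps clients from reaching the OOB
! segment unless an ACL explicitly permits it.
interface Vlan100
 nameif inside
 security-level 50
 ip address 10.1.100.1 255.255.255.0
!
! Relay: DHCP broadcasts arriving on 'inside' are forwarded as unicast
! (sourced by the ASA) to the server reachable via 'management'. The
! server picks the 10.1.100.0/24 scope because the relayed request
! carries giaddr = 10.1.100.1, the address of the receiving interface.
dhcprelay server 192.168.1.10 management
dhcprelay enable inside
! Hand the clients the ASA's own 'inside' address as default gateway,
! overriding whatever router option the server returns.
dhcprelay setroute inside
dhcprelay timeout 90
!
! Caveat: the ASA's built-in DHCP server and the relay agent are
! mutually exclusive; remove any 'dhcpd enable <if>' lines first.
!
! Verification commands (run on the ASA):
! show dhcprelay state
! show dhcprelay statistics
```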

Thanks, the information is valuable, but I still have a few doubts.

1) By default, the management interface is a part of VLAN 1. If we make another VLAN, like VLAN 100, and assign all interfaces except int e/0, which is a part of VLAN 1. Now we place one Domain Server in VLAN 1 and the second Domain Server in the second VLAN 100, then what would be the difference in terms of blocking and permitting in both VLANs? Here, I would like to know what the different function of the Management Interface will be.

2) As far as security is concerned, we must not use the default VLAN 1 on the Management Interface and it must be changed. Why?

Ray, the reason to discourage the use of VLAN 1 is due to VLAN hopping attacks. There are two types of this attack, one of which becomes highly effective if the attacker knows your native VLAN.

VLANs should not be the 'sole' method to control security and interzone communication. They are not originally meant for this. You should use the mechanisms built into the ASA for this (ACL, nameif security zones, nat-control, etc.).

Regards

Farrukh

Hi Farrukh,

Thanks for your answers. I have created two VLANs (VLAN 1 and VLAN 100) with the same SL 100, but the main difference is that the VLAN 1 interface is a Management Interface. Can you please show the difference between both VLANs briefly, as here I am a bit confused.

The recommendation for not using VLAN 1 is for NATIVE VLANs. Sorry, I don't understand your question as to what 'difference' you are looking for; please elucidate further.

Regards

Farrukh
