10-19-2008 03:37 AM - edited 03-11-2019 06:59 AM
Hi, may I know the use of the Management interface in the ASA FW, and if we make a DHCP server in the Management VLAN and make multiple scopes according to the VLANs configured on the FW using other interfaces, then how will the FW allocate the dynamic IPs to the VLAN client machines, as a VLAN doesn't forward broadcasts? Please respond. Thanks
10-19-2008 05:10 AM
Hello Ray,
The Management interface exists for creating an Out Of Band (OOB) management segment. Syslog servers, terminal routers, event managers, monitoring and management servers usually take their place in that management segment, and according to best practices (OOB), the sensitive information that these servers collect and send should not travel across the backbone, against sniffing, and should stay in an abandoned segment. So you VPN into the firewall and then connect to the management segment.
As you may know, the ip helper-address command in routers and switches does forward the broadcast to the target IP as a unicast. As far as I know, ip helper-address does not exist in PIX and ASA, but instead you can use dhcp-relay.
Regards
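The relay the reply describes, as an added configuration example (not from the thread's posters): an ASA 5505 with the management segment on VLAN 1, a client segment on VLAN 100, and the DHCP server living on the management segment. The addresses, interface names and the ASA 5505 platform are assumptions; check the dhcprelay and management-only syntax against your own release.

```cisco
! Constructed example. Assumed addressing:
!   management segment 10.0.0.0/24 (VLAN 1), DHCP server 10.0.0.10
!   client segment     10.100.0.0/24 (VLAN 100)

interface Vlan1
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
! management-only: the interface accepts traffic to/from the ASA itself
! only; no through traffic is forwarded in or out of it.
 management-only

interface Vlan100
 nameif inside
 security-level 100
 ip address 10.100.0.1 255.255.255.0

interface Ethernet0/0
 switchport access vlan 1
interface Ethernet0/1
 switchport access vlan 100

! DHCP relay answers the broadcast question: the ASA receives the client's
! broadcast DHCPDISCOVER on "inside", re-sends it as a unicast to the server
! reachable via "management", and sets giaddr to its own inside address
! (10.100.0.1). The server selects the scope by giaddr, so a single server
! can hold one scope per VLAN without any broadcast crossing VLANs.
dhcprelay server 10.0.0.10 management
dhcprelay enable inside
! setroute: the ASA rewrites the default-router option in the DHCPOFFER
! to its inside address, so clients route through the firewall.
dhcprelay setroute inside
dhcprelay timeout 90
```

The ASA refuses to enable dhcprelay on an interface where its own DHCP server (dhcpd) is enabled, so keep the two features on different interfaces.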
10-19-2008 09:59 PM
Thanks, the information is valuable but I still have a few doubts.
1) By default, the management interface is part of VLAN 1; if we make another VLAN like VLAN 100 and assign all interfaces to it except int e/0, which is part of VLAN 1. Now we place one Domain Server in VLAN 1 and the second Domain Server in the second VLAN 100, then what would be the difference in terms of blocking and permitting in both VLANs? Here, I would like to know what the different function of the Management Interface will be.
2) As far as security is concerned, we must not use the default VLAN 1 on the Management Interface and it must be changed. Why?
10-19-2008 10:54 PM
Ray, the reason to discourage the use of VLAN 1 is due to VLAN hopping attacks. There are two types of this attack, one of which becomes highly effective if the attacker knows your native VLAN.
VLANs should not be the 'sole' method to control security and interzone communication. They are not originally meant for this. You should use the mechanisms built into the ASA for this (ACL, nameif security zones, nat-control), etc.
Regards
Farrukh
10-20-2008 01:10 AM
Hi Farrukh,
Thanks for your answers. I have created two VLANs (VLAN 1 and VLAN 100) with the same SL 100, but the main difference is that the VLAN 1 interface is the Management Interface. Can you please show the difference between both VLANs briefly, as here I am a bit confused.
10-20-2008 01:35 AM
The recommendation for not using VLAN 1 is for NATIVE VLANs. Sorry, I don't understand your question as to what 'difference' you are looking for; please elucidate further.
Regards
Farrukh