Securing the management VLAN on 3560 network

Unanswered Question
Sep 19th, 2009

I am scratching my head about how to secure our management network (ie the one with our switches on it). We want to route all traffic via the management firewall not through the 3560. Since the central routing 3560 has an IP on the management network I assume that we need an ACL to prevent other switch traffic routing into the VLAN.

We have done this and it seems to work, but I am confused by the ACL direction. At present (with it working, I think) we are using an inbound ACL (see attachment). Is this correct? Why isn't it outbound from the switch into the VLAN?

Also, is there a better way of isolating the management VLAN? Ideally, I would be happier if the management subnet did not even appear in the routing table for the central switch.

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Sat, 09/19/2009 - 12:07

Daniel

Inbound on a vlan interface would be controlling traffic coming from clients on that vlan.

Outbound on a vlan interface would be controlling traffic going to clients on that vlan.

It's not entirely clear what your setup is but does the above match what you are seeing or not ?

As for isolating the management vlan so that the subnet does not even show up in the routing table you could utilise vrf-lite which is supported on the 3560. Vrf-lite allows you have to separate virtual routing tables on the switch so the management subnet could be in it's own VRF and therefore would not appear in the global routing table.

Jon

bridgepartners Sun, 09/20/2009 - 08:59

Jon

I am trying to sort this out theoretically.

From what you state it seems to be that our management network should have the ACL applied both in and out. Then routing will be effectively blocked from all other subnets.

The next question, which I alluded to above, is how to get the router (in the 3560) to pass traffic destined for the management network to the firewall rather than attempting to route to the VLAN interface (which will be blocked by the ACL).

Can you just add a route to the routing table for a connected subnet?

Daniel

Jon Marshall Sun, 09/20/2009 - 09:13

Daniel

"The next question, which I alluded to above, is how to get the router (in the 3560) to pass traffic destined for the management network to the firewall rather than attempting to route to the VLAN interface (which will be blocked by the ACL)."

The question is a little confusing. If you can't route to the vlan interface then how do you manage it ?

The simplest way to not route via the vlan interface is just not to have a L3 vlan interface for the management vlan on the switch and just have it routed off the firewall but then you won't be able to connect to the switch.

"Can you just add a route to the routing table for a connected subnet?" - you can but the fact that it is connected will override this.

Are there a set of IP addresses that are allowed to connect to the management vlan ?

If you really want to "hide" the management network i strongly suggest you look into vrf-lite.

Jon

bridgepartners Mon, 09/21/2009 - 00:28

The management stations are also in the management network.

VRF-lite looks very interesting. I will look at it further.

Thanks for your input.

Daniel

Actions

This Discussion