Securing the management VLAN on 3560 network

bridgepartners
Level 1

I am scratching my head about how to secure our management network (i.e. the one with our switches on it). We want to route all traffic via the management firewall, not through the 3560. Since the central routing 3560 has an IP on the management network, I assume that we need an ACL to prevent other switch traffic routing into the VLAN.

We have done this and it seems to work, but I am confused by the ACL direction. At present (with it working, I think) we are using an inbound ACL (see attachment). Is this correct? Why isn't it outbound from the switch into the VLAN?

Also, is there a better way of isolating the management VLAN? Ideally, I would be happier if the management subnet did not even appear in the routing table for the central switch.

4 Replies

Jon Marshall
Hall of Fame

Daniel

Inbound on a vlan interface would be controlling traffic coming from clients on that vlan.

Outbound on a vlan interface would be controlling traffic going to clients on that vlan.

It's not entirely clear what your setup is, but does the above match what you are seeing or not?

As for isolating the management vlan so that the subnet does not even show up in the routing table, you could utilise vrf-lite, which is supported on the 3560. Vrf-lite allows you to have separate virtual routing tables on the switch, so the management subnet could be in its own VRF and therefore would not appear in the global routing table.

Jon

Jon

I am trying to sort this out theoretically.

From what you state it seems that our management network should have the ACL applied both in and out. Then routing will be effectively blocked from all other subnets.

The next question, which I alluded to above, is how to get the router (in the 3560) to pass traffic destined for the management network to the firewall rather than attempting to route to the VLAN interface (which will be blocked by the ACL).

Can you just add a route to the routing table for a connected subnet?

Daniel

Daniel

"The next question, which I alluded to above, is how to get the router (in the 3560) to pass traffic destined for the management network to the firewall rather than attempting to route to the VLAN interface (which will be blocked by the ACL)."

The question is a little confusing. If you can't route to the vlan interface, then how do you manage it?

The simplest way to not route via the vlan interface is just not to have a L3 vlan interface for the management vlan on the switch and just have it routed off the firewall, but then you won't be able to connect to the switch.

"Can you just add a route to the routing table for a connected subnet?" - you can but the fact that it is connected will override this.

Are there a set of IP addresses that are allowed to connect to the management vlan?

If you really want to "hide" the management network, I strongly suggest you look into vrf-lite.

Jon
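The two points Jon makes (ACL direction on an SVI, and vrf-lite to keep the management prefix out of the global table) put together as one added IOS configuration example; this is not from the thread or from Cisco, and the VLAN number, subnet, firewall and SVI addresses are constructed, while the feature set supporting "ip vrf" on the 3560 is an assumption.

```ios
! Added example (not from the thread). Constructed values: management VLAN 100,
! subnet 10.99.0.0/24, firewall 10.99.0.1, switch SVI 10.99.0.10. Assumes an
! IOS feature set on the 3560 that supports "ip vrf".
!
! 1. Isolate the management subnet in its own VRF. The global routing table
!    then has no route to 10.99.0.0/24, so other VLANs cannot be routed into
!    it; the VRF's only exit is a default route to the management firewall.
ip vrf MGMT
 description Management VRF, kept out of the global routing table
!
interface Vlan100
 description Management VLAN (switch SVI)
 ip vrf forwarding MGMT
 ip address 10.99.0.10 255.255.255.0
!
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.99.0.1
!
! 2. Defence in depth on the SVI. Direction is from the SVI's viewpoint:
!    "in"  = packets arriving from hosts on VLAN 100
!    "out" = packets the switch is about to forward onto VLAN 100
ip access-list extended MGMT-IN
 remark Management hosts may only source traffic from their own subnet
 permit ip 10.99.0.0 0.0.0.255 any
 deny   ip any any log
!
ip access-list extended MGMT-OUT
 remark With the VRF in place nothing should be routed onto VLAN 100; log hits
 permit ip 10.99.0.0 0.0.0.255 10.99.0.0 0.0.0.255
 deny   ip any any log
!
interface Vlan100
 ip access-group MGMT-IN in
 ip access-group MGMT-OUT out
!
! 3. Restrict who may open a management session to the switch itself.
!    "vrf-also" is needed because the VTY ACL otherwise ignores sessions
!    arriving through a VRF interface.
ip access-list standard MGMT-VTY
 permit 10.99.0.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-VTY in vrf-also
 transport input ssh
!
! Caveat: traffic the switch itself originates (syslog, NTP, SNMP traps,
! TACACS+/RADIUS) uses the global table unless the VRF-aware form of each
! command is used; verify with "show ip route vrf MGMT" and "show ip route"
! (the management prefix should only appear in the first).
```

The OUT ACL hits on VLAN 100 are the useful detection signal here: with the VRF configured correctly they should stay at zero, so any logged deny points at a route leak or misconfiguration.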

The management stations are also in the management network.

VRF-lite looks very interesting. I will look at it further.

Thanks for your input.

Daniel
