Security Question

Unanswered Question
Apr 26th, 2010

Service Provider link terminates on the 2960 switch, one leg from the switch connects to Firewall, another leg from the switch connects to VPN Router.

How do I securely connect the Internet switch to the network to monitor bandwidth using SNMP?

Attached file shows physical connectivity

thanks

Tom

Jon Marshall Mon, 04/26/2010 - 00:46

tomfree_leo wrote:

Service Provider link terminates on the 2960 switch, one leg from the switch connects to Firewall, another leg from the switch connects to VPN Router.

How do I securely connect the Internet switch to the network to monitor bandwidth using SNMP?

Attached file shows physical connectivity

thanks

Tom

Tom

If you simply want to poll the switch for SNMP statistics then you may as well go via the VPN router as this has a connection straight into your network anyway.

Alternatively you could add a rule to your firewall allowing your internal SNMP management station access to the switch.

Edit - note if the VPN router is not firewalling as well then you may want to consider terminating the inside interface of the VPN router onto a DMZ on the firewall. If you did do this then you would need to use the firewall to gain SNMP access to the switch.

Jon

Ganesh Hariharan Mon, 04/26/2010 - 00:55

Hi Tom,

You can try with a secure ACL configuration, with a specific IP having access and a specific community name configured at the server and switch end, to poll the switch for interface bandwidth utilization.

Check out the link below for ACLs on 2960 switches

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_37_se/configuration/guide/swacl.html

Hope to Help !!

Ganesh.H

TYLER WEST Mon, 04/26/2010 - 03:40

It really should be simpler than that.  It's a 2960 so the only IP that you have is for whatever VLAN interface you define.

1.  Take your precautions against the 802.1q VLAN hopping.  (Don't use VLAN1, etc.)

2.  Take other necessary precautions to secure switch as mentioned by other posts.

3.  Use one VLAN for management and connect to the inside of the network.  Use the other VLAN for connecting the SP to the FW and VPN.  Do NOT give that VLAN an interface with an IP address.  You can only do that to one SVI anyway.  The 2960 is NOT a layer 3 device and it isn't going to pass public traffic across the L3 interface into the inside network.

Yes you have to be cautious when creating your VLANs but this is easily secured.

If you are really paranoid then I would actually suggest a similar approach but use another interface from the firewall or 802.1q from the firewall to the management interface/VLAN of the switch.  This is more secure than actually giving your switch a public IP address on the outside of the firewall.

Tyler West, CCNP

CWI, Inc.
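Added example (not from any of the posters): a constructed 2960 configuration that puts together what Ganesh and Tyler describe, namely one management SVI on an inside VLAN, a transit VLAN between the SP handoff, the firewall and the VPN router that has no IP interface at all, VLAN 1 left unused, and a read-only SNMP community bound to a standard ACL that permits only the internal management station. Port numbers, VLAN numbers, the 192.0.2.0/24 addresses and the community string are all assumptions made up for the example.

```cisco
! Constructed 2960 example configuration (not from the thread); all values are assumptions.
!
! --- VLANs: 10 carries SP/firewall/VPN traffic at layer 2 only, 20 is management,
!     999 is a parking VLAN for unused ports. VLAN 1 is deliberately not used.
vlan 10
 name SP-TRANSIT
vlan 20
 name MGMT
vlan 999
 name UNUSED
!
! VLAN 1 gets no address and is shut so the switch never answers on it.
interface Vlan1
 no ip address
 shutdown
!
! --- Transit ports: plain access ports, DTP disabled so nothing can negotiate a trunk
!     (the 802.1q VLAN-hopping precaution Tyler mentions). No SVI exists for VLAN 10,
!     so public traffic cannot reach the switch's own IP stack from here.
interface GigabitEthernet0/1
 description SP handoff (assumed port)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 description Firewall outside interface (assumed port)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description VPN router outside interface (assumed port)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! --- Management: one access port towards the inside network (via the VPN router's
!     inside side or a firewall DMZ, as Jon suggests) and the single SVI the 2960 allows.
interface GigabitEthernet0/4
 description Management uplink to inside (assumed port)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface Vlan20
 description Management SVI, the only layer-3 interface on this switch
 ip address 192.0.2.10 255.255.255.0
 no shutdown
!
ip default-gateway 192.0.2.1
!
! --- Unused ports: parked in VLAN 999 and shut.
interface range GigabitEthernet0/5 - 8
 switchport mode access
 switchport access vlan 999
 shutdown
!
! --- SNMP: only the assumed management station 192.0.2.50 may poll, read-only.
!     Every other source is denied and logged, which gives a detection point for
!     unexpected polling attempts. Make sure no default strings (public/private) remain.
access-list 10 remark SNMP read-only polling from the internal NMS only
access-list 10 permit host 192.0.2.50
access-list 10 deny any log
snmp-server community RO-mgmt-only-EXAMPLE RO 10
snmp-server location Internet edge 2960 (example)
```

Whatever sits between the management station and the switch (the VPN router, or the firewall if the management VLAN lands on a DMZ) must also permit UDP/161 from the NMS to 192.0.2.10 for the polls to get through, which is the firewall rule Jon refers to. If the firewall is used as the management path with 802.1q rather than a dedicated port, Gi0/4 becomes a trunk with `switchport trunk allowed vlan 20` and an unused native VLAN (`switchport trunk native vlan 999`), so the management VLAN is never the untagged one. The community/ACL pairing is what the thread discusses; on a platform and IOS release that support it, an SNMPv3 user with authentication and privacy, bound to the same ACL, is the stronger choice because the community string otherwise travels in clear text.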
