Security Question

Apr 26th, 2010

The Service Provider link terminates on the 2960 switch; one leg from the switch connects to the firewall, another leg from the switch connects to the VPN router.

How do I securely connect the Internet switch to the network to monitor bandwidth using SNMP?

The attached file shows the physical connectivity.


thanks

Tom

Jon Marshall Mon, 04/26/2010 - 00:46

Tom


If you simply want to poll the switch for SNMP statistics, then you may as well go via the VPN router, as this has a connection straight into your network anyway.


Alternatively, you could add a rule to your firewall allowing your internal SNMP management station access to the switch.


Edit - note that if the VPN router is not firewalling as well, then you may want to consider terminating the inside interface of the VPN router onto a DMZ on the firewall. If you did do this, you would need to use the firewall to gain SNMP access to the switch.


Jon

Ganesh Hariharan Mon, 04/26/2010 - 00:55

Hi Tom,


You can try a secure ACL configuration, with a specific IP having access and a specific community name configured at the server and switch end, to poll the switch for interface bandwidth utilization.


Check out the link below for ACLs on the 2960 switches:


http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_37_se/configuration/guide/swacl.html


Hope to Help !!


Ganesh.H

TYLER WEST Mon, 04/26/2010 - 03:40

It really should be simpler than that. It's a 2960, so the only IP that you have is for whatever VLAN interface you define.

1. Take your precautions against 802.1q VLAN hopping. (Don't use VLAN 1, etc.)

2. Take the other necessary precautions to secure the switch, as mentioned in the other posts.

3. Use one VLAN for management and connect it to the inside of the network. Use the other VLAN for connecting the SP to the FW and VPN. Do NOT give that VLAN an interface with an IP address. You can only do that to one SVI anyway. The 2960 is NOT a layer 3 device, and it isn't going to pass public traffic across the L3 interface into the inside network.


Yes, you have to be cautious when creating your VLANs, but this is easily secured.

If you are really paranoid, then I would actually suggest a similar approach, but use another interface from the firewall, or 802.1q from the firewall, to the management interface/VLAN of the switch. This is more secure than actually giving your switch a public IP address on the outside of the firewall.


Tyler West, CCNP

CWI, Inc.
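Putting Ganesh's and Tyler's answers together as one Cisco IOS configuration for the 2960. This is an added example written for this page, not configuration posted by anyone in the thread. The VLAN numbers, port numbers, the 192.0.2.0/24 and 10.10.10.5 addresses, the community string and the passphrase placeholders are all assumptions to be replaced with your own values. It covers Tyler's steps 1 to 3 (a non-default management VLAN carrying the switch's single SVI, an ISP transit VLAN with no IP address, static access ports) and Ganesh's ACL-bound community string, and adds the SNMPv3 alternative a practitioner would prefer where the switch image supports it.

```cisco
! Added example, not from the thread. Assumed values: VLAN 100 = management,
! VLAN 200 = ISP transit, VLAN 999 = parking VLAN for unused ports,
! management SVI 192.0.2.2/24 with inside gateway 192.0.2.1, NMS at
! 10.10.10.5, community string "monitor-ro". Port numbers are illustrative.
!
! --- Tyler's steps 1 and 3: no VLAN 1, no IP address on the transit VLAN ---
vlan 100
 name MGMT
vlan 200
 name SP-TRANSIT
vlan 999
 name UNUSED
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 description Management SVI, reachable only from the inside (or a firewall DMZ)
 ip address 192.0.2.2 255.255.255.0
!
! The 2960 is Layer 2 only. With no "interface Vlan200" defined, the
! ISP-facing VLAN has no IP address at all, so nothing on the public side
! has an address on the switch to talk to.
ip default-gateway 192.0.2.1
!
! --- Ports: static access mode (no DTP trunk negotiation), one VLAN each ---
interface FastEthernet0/1
 description ISP handoff
 switchport mode access
 switchport access vlan 200
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description Firewall outside interface
 switchport mode access
 switchport access vlan 200
!
interface FastEthernet0/3
 description VPN router outside interface
 switchport mode access
 switchport access vlan 200
!
interface FastEthernet0/4
 description Management uplink to the inside network (or a firewall DMZ leg)
 switchport mode access
 switchport access vlan 100
!
! Every unused port: shut down and parked in a VLAN that is not VLAN 1
interface range FastEthernet0/5 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! --- Ganesh's point: read-only community bound to an ACL, one permitted poller ---
access-list 10 remark SNMP pollers
access-list 10 permit host 10.10.10.5
access-list 10 deny   any log
!
snmp-server community monitor-ro RO 10
no snmp-server community public
!
! Preferable where the image supports it: SNMPv3 authPriv. A v2c community
! crosses the wire in cleartext and is the only credential; the ACL only
! filters by source address.
snmp-server group NMS-RO v3 priv access 10
snmp-server user nms-poller NMS-RO v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase> access 10
!
! Same poller ACL on the rest of the management plane
line vty 0 4
 access-class 10 in
 transport input ssh
```

Verify on the switch with `show snmp community`, `show snmp user` and `show vlan brief` (VLAN 200 should have no SVI), then from the NMS with an snmpwalk of the interface counters. A poll from any other source address should fail and, because of the `log` keyword on the deny entry, show up in the switch log. Jon's point still applies: if the management uplink lands on a firewall DMZ rather than directly inside, the firewall needs a rule permitting UDP/161 from the poller to 192.0.2.2.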
