What is the best approach to handle management of switches in a DMZ?
We are implementing a dual firewall solution (front external facing, and a rear internal/DMZ facing).
I would like to be able to manage the switches from inside the corporate network, including SNMP etc.
Also, as we are looking to implement ISE, we would need the authentication to be handled by ISE on the internal network. Will this cause issues?
Thanks in advance
I see what you mean... It kind of does, but I think what they mean is that you have an absolutely separate network (i.e. physically separate) for management; then this would work. I didn't realise that the routing information would be shared. Maybe they mean using route-maps or distribute-lists to stop this inter-routing of information. Maybe someone from Cisco can clarify this for us? It would make sense if it was like this:
Fa0 - management
Fa1/0/1 - network
Fa0 would just be separate from anything to do with Fa1/0/1, therefore it would be secure and nothing would be able to flow between them; however, it seems as though this is not the case here.
It would have been nice to make use of that management port. In any case this is too risky for a DMZ in my opinion. However, what you could do is create a VRF, which does do what we want to do. You can assign a VRF to a physical or virtual interface, provided that you have an IP Services license. I'm not sure if you can assign a VRF to the management port though.
! define the management VRF (global config)
ip vrf MGMT
!
! the interface carrying the management address goes into the VRF
interface Faxxxx
 ip vrf forwarding MGMT
 ip address x.x.x.x x.x.x.x
!
! default route inside the MGMT VRF only (y.y.y.y = your management default GW)
ip route vrf MGMT 0.0.0.0 0.0.0.0 y.y.y.y
! management traffic sourced from the VRF
snmp-server host b.b.b.b vrf MGMT string
logging host c.c.c.c vrf MGMT
ip tftp source-interface Faxxxx
etc. If you have TACACS+ enabled too, you can also do this via the VRF, I think.
Apologies in advance if the syntax is not correct, just off the top of my head for now.
Please rate useful posts & remember to mark any solved questions as answered. Thank you.
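A fuller version of the management-VRF approach sketched in the reply above, written as an added example that is not from the original post and not Cisco's own configuration guide. It puts the management interface in a VRF, restricts SNMP and SSH access to one management host reachable only through that VRF, and binds the AAA server group (TACACS+ towards ISE, for device administration) to the VRF so authentication traffic never uses the DMZ routing table. Everything concrete here is an assumption I chose for illustration: FastEthernet0 as the management port (the post itself is unsure whether the dedicated management port accepts a VRF; a routed port or SVI works the same way), the 10.99.0.0/24 management network, 10.99.0.10 as the management host, 10.99.0.20 as the ISE node, 10.99.0.1 as the management gateway, and the community, key and local-fallback strings. Exact keywords differ between IOS releases and platforms, so check each line against the target switch.

```cisco
! --- Management VRF: a separate routing table for the management plane ---
ip vrf MGMT
 description OOB management, reachable only from the internal mgmt network
!
! Only the management host may poll or SSH; applied to SNMP and the VTYs below
access-list 10 remark hosts allowed to manage this switch
access-list 10 permit host 10.99.0.10
access-list 10 deny   any log
!
! Management interface lives in the VRF; DMZ-facing ports/SVIs stay in the global table
interface FastEthernet0
 description Mgmt -> internal management network (behind the rear firewall)
 ip vrf forwarding MGMT
 ip address 10.99.0.5 255.255.255.0
 no shutdown
!
! Default route exists in the MGMT VRF only; the global table never learns 10.99.0.0/24
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.99.0.1
!
! SNMP: read-only community limited by ACL 10, traps sent inside the VRF
snmp-server community MgmtRO RO 10
snmp-server host 10.99.0.10 vrf MGMT version 2c MgmtRO
snmp-server trap-source FastEthernet0
!
! Syslog, TFTP and NTP all sourced from the VRF interface
logging host 10.99.0.10 vrf MGMT
logging source-interface FastEthernet0 vrf MGMT
ip tftp source-interface FastEthernet0
ntp server vrf MGMT 10.99.0.10
!
! AAA: TACACS+ server group bound to the VRF so admin logins reach ISE over the
! management network rather than through the DMZ (key string is a placeholder)
aaa new-model
aaa group server tacacs+ ISE-TACACS
 server-private 10.99.0.20 key Mgmt-Tacacs-Key
 ip vrf forwarding MGMT
 ip tacacs source-interface FastEthernet0
!
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
!
! Local fallback account in case ISE is unreachable (placeholder secret)
username admin-local privilege 15 secret Local-Fallback-Only
!
! VTY: SSH only, and only from ACL 10 hosts arriving via a VRF interface
ip ssh version 2
line vty 0 4
 access-class 10 in vrf-also
 transport input ssh
 exec-timeout 10 0
```

After applying it, `show ip vrf interfaces` should list only FastEthernet0 under MGMT, `show ip route vrf MGMT` should show just the connected 10.99.0.0/24 and the static default, and `ping vrf MGMT 10.99.0.10` confirms reachability of the management host; a plain `ping 10.99.0.10` from the global table should fail, which is the separation you want. The same `ip vrf forwarding MGMT` binding exists under `aaa group server radius`, so the RADIUS side of ISE can be handled the same way. The caveat is that the isolation is only as good as the routing tables: a static route written with the `global` keyword, or a route-leaking route-map between MGMT and the global table, rejoins the two planes, so those should never appear on a DMZ switch.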