Management of stacked switches in DMZ

Answered Question
Dec 13th, 2013

What is the best approach to handle management of switches in a DMZ?

We are implementing a dual firewall solution (front external facing, and a rear internal/DMZ facing).

I would like to be able to manage the switches from inside the corporate network, including SNMP etc.

Also, as we are looking to implement ISE, we would need the authentication to be handled by ISE on the internal network. Will this cause issues?

Thanks in advance

Bilal Nawaz Sat, 12/14/2013 - 08:34

Hello,


The more recent stackable switches come with a management port, Fa0 or E0 in some cases, or even with its own VRF, almost like a separate routing instance; this stays separate from the switch itself. You can put this on the management network, depending on your organisation's security policies. From here you can configure SNMP, SSH etc. to and from this interface / VRF. All authentication can be done via this interface / VRF also.


If there isn't any management port, you can always create a VRF and assign it to a port, keep that for management. It will have its own routing table, separate from the global routing table.


Please see here:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swint.html#wp1730167


http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/15-02SG/configuration/guide/config/vrf.html


Hope this helps.


Bilal


Please rate useful posts & remember to mark any solved questions as answered. Thank you.

switched switch Sat, 12/14/2013 - 23:03

Thanks Bilal,


Looking at the link it specifically says:


"Because routing is not supported between the Ethernet management port and the network ports, traffic between these ports cannot be sent or received. If this happens, data packet loops occur between the ports, which disrupt the switch and network operation. To prevent the loops, configure route filters to avoid routes between the Ethernet management port and the network ports."


Doesn't that contradict itself, saying that traffic cannot be sent and received from the management ports to the traffic ports, but configure route filters to avoid it?


I have a specific management subnet at each of my office locations, so I was thinking maybe to put an IP address on the management port... by route filters, does it mean some kind of distribute list?

Correct Answer
Bilal Nawaz Sun, 12/15/2013 - 02:33

I see what you mean... It kind of does, but what I think they mean is that you have an absolutely separate network (i.e. physically separate) for management; then this would work. I didn't realise that the routing information would be shared. Maybe they mean using route-maps or distribute-lists to stop this inter-routing info. Maybe someone from Cisco can clarify this for us? It would make sense if it was like this:


Fa0 - management

Fa1/0/1 - network


Fa0 would just be separate from anything to do with Fa1/0/1, therefore it would be secure and nothing would be able to flow between them; however, it seems as though this is not the case here.

It would have been nice to make use of that management port. In any case this is too risky for a DMZ in my opinion. However, what you could do is create a VRF, which does do what we want to do. You can assign a VRF to a physical or virtual interface, provided that you have an IP Services license. I'm not sure if you can assign a VRF to the management port though.


conf t
!
ip routing
!
ip vrf MGMT
 rd 1:1
!
interface Faxxxx
 ! a switch port needs to be made a routed port before it takes an IP address
 no switchport
 ip vrf forwarding MGMT
 ip address x.x.x.x x.x.x.x
!
! y.y.y.y is your default gateway inside the management VRF
ip route vrf MGMT 0.0.0.0 0.0.0.0 y.y.y.y
!
! [options] - point management services at the VRF
snmp-server host b.b.b.b vrf MGMT string
logging host c.c.c.c vrf MGMT
ip tftp source-interface Faxxxx

etc... if you have TACACS+ enabled too, you can also do this via the VRF, I think.


Apologies in advance if the syntax is not correct, just off the top of my head for now.


Please rate useful posts & remember to mark any solved questions as answered. Thank you.

switched switch Mon, 12/16/2013 - 21:42

Thanks Bilal,


I'm really unsure now... The switches are LAN Base, so no routing functions.


Is my only other option to allow an exception through the firewall to the management stations?


Anyone able to advise what they do in these situations?

Bilal Nawaz Mon, 12/16/2013 - 23:31

As a last resort you could use strict extended ACLs on your management interface in the inbound and outbound directions to ensure security, on your firewall and also on the switch itself. Not nice, but it's a little more secure.


Sent from Cisco Technical Support iPhone App

switched switch Wed, 12/25/2013 - 23:05

Actually the 3850s support VRF on the management interface. These switches will run LAN Base, I believe.


For security, I would most likely have the management interface connected to the firewall on a separate zone, with specific policies only allowed through the firewall to allow traps etc., and only allow connections from the trusted internal network to the specific management zone.


Unless of course there is a better way to approach it?

Bilal Nawaz Wed, 01/01/2014 - 01:38

I would recommend the VRF as stated previously and your policy seems totally reasonable.

HTH

Sent from Cisco Technical Support iPhone App
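As an added example, not code from this thread or from Cisco, here is Bilal's VRF sketch carried through together with the strict-ACL advice and the firewall management-zone policy agreed at the end of the thread: a management VRF on a routed port, every management-plane service sourced from and answered inside that VRF, an inbound ACL that admits only the internal management subnet and the named servers, and VTY access restricted to SSH from that subnet. All addresses, ACL and VRF names, the interface number, the 10.200.0.0/24 management subnet, the 10.200.1.0/24 DMZ management zone and the server hosts are constructed placeholders; ISE is reached over RADIUS here (a TACACS+ server group takes the same VRF-aware server-private form). The commands are standard IOS 15 syntax; VRF support on the classic Catalyst ranges still needs the IP Services license Bilal mentions.

```ios
! Added example, not from the thread or Cisco: management VRF with access control.
! Assumed, constructed addressing: 10.200.0.0/24 internal management subnet behind
! the firewall, 10.200.1.0/24 DMZ-side management zone, 10.200.1.1 firewall interface,
! .20 SNMP manager, .21 syslog, .22 TFTP, .30 ISE (RADIUS).
ip routing
!
ip vrf MGMT
 rd 1:1
!
! Inbound policy on the management port: only the management subnet and the
! specific servers may talk to the switch; everything else is dropped and logged.
ip access-list extended MGMT-IN
 permit tcp 10.200.0.0 0.0.0.255 any eq 22
 permit udp host 10.200.0.20 any eq snmp
 permit udp host 10.200.0.30 eq 1812 any
 permit udp host 10.200.0.30 eq 1813 any
 permit udp host 10.200.0.22 any
 permit icmp 10.200.0.0 0.0.0.255 any echo
 deny   ip any any log
!
interface GigabitEthernet1/0/48
 description Management uplink to firewall management zone
 no switchport
 ip vrf forwarding MGMT
 ip address 10.200.1.10 255.255.255.0
 ip access-group MGMT-IN in
!
! Default route lives only in the VRF; the global table never learns it
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.200.1.1
!
! Management-plane services sourced from, and answered inside, the VRF
access-list 10 permit 10.200.0.20
snmp-server community MGMT-RO RO 10
snmp-server enable traps
snmp-server host 10.200.0.20 vrf MGMT version 2c MGMT-RO
logging host 10.200.0.21 vrf MGMT
logging source-interface GigabitEthernet1/0/48 vrf MGMT
ip tftp source-interface GigabitEthernet1/0/48
!
! Device login against ISE on the internal network, reached through the VRF;
! keep a local account so a reachability problem cannot lock you out.
username admin privilege 15 secret REPLACE-WITH-LOCAL-PASSWORD
aaa new-model
aaa group server radius ISE
 server-private 10.200.0.30 auth-port 1812 acct-port 1813 key 0 REPLACE-WITH-SHARED-SECRET
 ip vrf forwarding MGMT
 ip radius source-interface GigabitEthernet1/0/48
aaa authentication login default group ISE local
aaa authorization exec default group ISE local
!
! VTY: SSH only, and only from the management subnet, via the VRF
ip access-list standard VTY-MGMT
 permit 10.200.0.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class VTY-MGMT in vrf-also
 transport input ssh
```

The firewall side of the policy is the mirror of MGMT-IN: permit SSH, SNMP polling and RADIUS from the internal management subnet into the 10.200.1.0/24 zone, permit traps, syslog and RADIUS requests from the zone back to the named servers, and deny the zone any path to the rest of the DMZ or the internal network. On a 3850, which the thread mentions, the Ethernet management port already sits in the built-in Mgmt-vrf as far as I know, so the same sourcing commands apply with that VRF name and an `ip route vrf Mgmt-vrf` default route instead of the hand-made MGMT VRF.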
