New Member

External / DMZ Monitoring

We currently have some Cisco 3560X switches that are internet facing and also some Cisco 3750X switches that are within our Corporate DMZ.

The external facing switches are just really operating at layer 2, have no IP address configuration and just forward all traffic to our firewall.

We currently have HP NNM on our internal LAN for monitoring.

I want to be able to monitor the switches both inside our corporate DMZ and also the external internet facing switches in case of hardware failure etc. However at the same time I obviously want to make sure that this is done as securely as possible without introducing any unnecessary risks.

I was thinking of using SNMPv3 to monitor the switches but in the case of the internet facing switches I would need to assign external IP addresses to them (hence using our valuable external pool of addresses available).

I’d be grateful for any advice on the best way to complete this.

thanks

2 REPLIES
New Member

As you know, there are several ways to do this. An easier way could be to use the management port (next to the console port).

You can create a management VLAN on your internal network and put these management ports on that VLAN.

You can also, as you stated, make the external switches layer 3 and add ACLs on the SVIs and explicitly allow management traffic. Maybe use Control Plane Protection on these switches.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/release/notes/OL25302.html#wp1041191

If you decide to use anything other than the management interfaces, you will need to address your firewall rules to allow SNMPv3 traffic in/out.

Good luck.
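A worked configuration for the approach described in this reply (the out-of-band Ethernet management port on an internal management VLAN, SNMPv3 restricted by ACL, with the layer-3 SVI variant shown as the alternative). This is an added example, not configuration from the thread or from Cisco documentation. The addresses (NMS at 10.0.10.20, management VLAN 10.0.10.0/24, switch at 10.0.10.31, gateway 10.0.10.1), the ACL/user/group names, the passphrase placeholders, and the assumption that IOS 15.x on these switches places the FastEthernet0 management port in VRF "Mgmt-vrf" are all assumptions to verify on your own hardware.

```cisco
! Added example (not from the thread): Catalyst 3560-X / 3750-X, IOS 15.x.
! Assumed values: HP NNM at 10.0.10.20, management VLAN 10.0.10.0/24,
! switch management address 10.0.10.31, management gateway 10.0.10.1.
!
! 1. Only the NMS may talk SNMP to this switch; log any other attempt so
!    the NMS or syslog collector can flag scanning against the switch.
ip access-list standard NMS-ACL
 permit host 10.0.10.20
 deny   any log
!
! 2. SNMPv3 only (no v1/v2c community strings configured at all).
!    authPriv: SHA authentication, AES-128 privacy, ACL applied to both the
!    group and the user. Passphrases below are placeholders.
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access NMS-ACL
snmp-server user nnm-poller NMS-GROUP v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER access NMS-ACL
snmp-server location DMZ-rack-1
snmp-server contact netops@example.com
!
! 3. Traps for the hardware-failure cases the poster wants to catch, sent
!    out of the management VRF that the Ethernet management port sits in
!    (assumption: FastEthernet0 is in VRF "Mgmt-vrf"; confirm with "show vrf").
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server host 10.0.10.20 vrf Mgmt-vrf version 3 priv nnm-poller
!
! 4. Out-of-band management port on the internal management VLAN. The
!    internet-facing switches keep no IP address on their data-plane ports,
!    so they are not reachable from the internet and need no public address.
interface FastEthernet0
 description OOB mgmt - internal management VLAN only
 ip address 10.0.10.31 255.255.255.0
 no shutdown
! Default route for the management VRF (assumption: static route in Mgmt-vrf).
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.0.10.1
!
! 5. Alternative from the reply: if a DMZ switch is made layer 3 instead,
!    give it one management SVI and allow only management traffic into it.
ip access-list extended MGMT-IN
 permit udp host 10.0.10.20 any eq snmp
 permit tcp 10.0.10.0 0.0.0.255 any eq 22
 permit icmp 10.0.10.0 0.0.0.255 any
 deny   ip any any log
interface Vlan10
 description In-band management SVI (alternative to FastEthernet0)
 ip address 10.0.10.32 255.255.255.0
 ip access-group MGMT-IN in
```

After applying this, "show snmp user" should list only nnm-poller with SHA/AES, and the match counters in "show ip access-lists NMS-ACL" show whether anything other than the NMS has tried to reach SNMP on the switch. Because the management VLAN is internal, the firewall rules Lee mentions are only needed for the SVI alternative, where SNMPv3 (UDP 161 in, UDP 162 out for traps) has to cross the DMZ boundary.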
New Member

thanks Lee, I'm presuming that by using the management interface and also putting an ACL on it then this would be the most secure? This will also mean that I don't need to make our internet switches visible on the internet if I'm using the management interface.
