Cisco Support Community
Community Member

Management Int

Hi, may I know the use of the Management interface in the ASA FW, and if we make a DHCP server in the Management VLAN and make multiple scopes according to the VLANs configured on the FW using other interfaces, then how will the FW allocate dynamic IPs to the VLAN client machines, as a VLAN doesn't forward broadcasts? Please respond. Thanks

5 REPLIES

Re: Management Int

Hello Ray,

The Management interface exists for creating an Out Of Band (OOB) management segment. Syslog servers, terminal routers, event managers, monitoring and management servers usually take place in that management segment, and according to best practices (OOB), the sensitive information that these servers collect and send should not travel across the backbone, to protect it against sniffing, and should stay in an isolated segment. So you VPN into the firewall and then connect to the management segment.

As you may know, the ip helper-address command in routers and switches does forward the broadcast to the target IP as a unicast. As far as I know, ip helper-address does not exist on the PIX and ASA, but instead you can use dhcp-relay.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008075fcfb.shtml

Regards
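An ASA configuration sketch of the relay setup described in the reply above, added here as an example and not part of the original thread. It assumes an ASA 5505-style VLAN interface layout like the one in the question; the interface names, VLAN numbers and addresses are assumed.

```cisco
! Added example, not from the original thread. Names, VLANs and addresses are assumed.
! Management segment: the OOB servers (syslog, and the DHCP server at 10.0.0.10) live here.
interface Vlan1
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Two user VLANs on other interfaces; their clients need leases from 10.0.0.10.
interface Vlan100
 nameif users100
 security-level 50
 ip address 10.100.0.1 255.255.255.0
!
interface Vlan200
 nameif users200
 security-level 50
 ip address 10.200.0.1 255.255.255.0
!
! dhcprelay takes the place of ip helper-address on the ASA: a client broadcast received
! on an enabled interface is forwarded to the server as a unicast from the ASA, with
! giaddr set to the receiving interface address, so the server selects the matching
! scope (10.100.0.0/24 for users100, 10.200.0.0/24 for users200).
dhcprelay server 10.0.0.10 management
dhcprelay enable users100
dhcprelay enable users200
! Hand the clients the ASA interface address as their default gateway.
dhcprelay setroute users100
dhcprelay setroute users200
dhcprelay timeout 90
!
! Caveat: the ASA cannot run its own DHCP server (dhcpd) while dhcprelay is enabled,
! so the DHCP server has to be a separate host on the management segment.
```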

Community Member

Re: Management Int

Thanks, the information is valuable, but I still have a few doubts.

1) By default, the Management interface is part of VLAN 1. If we make another VLAN, like VLAN 100, and assign all interfaces to it except int e0, which is part of VLAN 1, and now we place one domain server in VLAN 1 and a second domain server in VLAN 100, then what would be the difference in terms of blocking and permitting in both VLANs? Here I would like to know what the different function of the Management interface is.

2) As far as security is concerned, we must not use the default VLAN 1 on the Management interface, and it must be changed. Why?

Re: Management Int

Ray, the reason to discourage the use of VLAN 1 is VLAN hopping attacks. There are two types of this attack, one of which becomes highly effective if the attacker knows your native VLAN.

VLANs should not be the 'sole' method to control security and inter-zone communication. They were not originally meant for this. You should use the mechanisms built into the ASA for this (ACLs, nameif security zones, nat-control), etc.

Regards

Farrukh

Community Member

Re: Management Int

Hi Farrukh,

Thanks for your answers. I have created two VLANs (VLAN 1 and VLAN 100) with the same SL 100, but the main difference is that the VLAN 1 interface is a Management interface. Can you please briefly show the difference between both VLANs, as I am a bit confused here.

Re: Management Int

The recommendation for not using VLAN 1 is for NATIVE VLANs. Sorry, I don't understand your question as to what 'difference' you are looking for; please elucidate further.

Regards

Farrukh
