I am scratching my head about how to secure our management network (i.e. the one with our switches on it). We want to route all traffic via the management firewall, not through the 3560. Since the central routing 3560 has an IP on the management network, I assume that we need an ACL to prevent other switch traffic routing into the VLAN.
We have done this and it seems to work, but I am confused by the ACL direction. At present (with it working, I think) we are using an inbound ACL (see attachment). Is this correct? Why isn't it outbound from the switch into the VLAN?
Also, is there a better way of isolating the management VLAN? Ideally, I would be happier if the management subnet did not even appear in the routing table for the central switch.
Inbound on a vlan interface would be controlling traffic coming from clients on that vlan.
Outbound on a vlan interface would be controlling traffic going to clients on that vlan.
It's not entirely clear what your setup is, but does the above match what you are seeing or not?
As for isolating the management VLAN so that the subnet does not even show up in the routing table, you could utilise VRF-lite, which is supported on the 3560. VRF-lite allows you to have separate virtual routing tables on the switch, so the management subnet could be in its own VRF and therefore would not appear in the global routing table.
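To make the in/out distinction concrete, here is an added IOS configuration example (not from the original post or its attachment). Addressing is assumed: management VLAN 100 is 10.100.0.0/24, the 3560's SVI is 10.100.0.2 and the management firewall is 10.100.0.1. The "in" ACL governs what hosts on VLAN 100 may send through the 3560 (only to the switch's own SVI address, so SSH to the switch still works); the "out" ACL stops the 3560 routing anything from other VLANs into VLAN 100.

```cisco
! Assumed addressing: VLAN 100 = 10.100.0.0/24, 3560 SVI = 10.100.0.2, firewall = 10.100.0.1
!
ip access-list extended MGMT-VLAN-IN
 remark "in" = packets from hosts on VLAN 100 arriving at the 3560 for routing
 remark Allow management stations to reach the switch itself (SSH/SNMP to the SVI)
 permit ip 10.100.0.0 0.0.0.255 host 10.100.0.2
 remark Everything else from VLAN 100 must use the firewall as its gateway, not the 3560
 deny   ip any any
!
ip access-list extended MGMT-VLAN-OUT
 remark "out" = packets the 3560 would forward from other VLANs towards hosts on VLAN 100
 remark Replies sourced by the switch's own SVI are router-originated and are not
 remark subject to the outbound ACL; the permit is kept for clarity
 permit ip host 10.100.0.2 10.100.0.0 0.0.0.255
 deny   ip any any
!
interface Vlan100
 description Management VLAN - gateway for hosts is the firewall, not this SVI
 ip address 10.100.0.2 255.255.255.0
 ip access-group MGMT-VLAN-IN in
 ip access-group MGMT-VLAN-OUT out
!
! Verification:
!   show ip interface vlan 100     -> lists "Inbound/Outgoing access list is MGMT-VLAN-..."
!   show ip access-lists            -> hit counters on the deny lines grow when other
!                                      VLANs try to reach 10.100.0.0/24 via the 3560
```

Two caveats a practitioner would want: router ACLs on an SVI only see traffic that the switch routes (or that is addressed to the switch itself), so traffic bridged between two hosts inside VLAN 100 is untouched by either list; use a VACL if that also needs filtering. And an inbound ACL alone leaves the 3560 still advertising a connected route for 10.100.0.0/24 in the global table, which is what the VRF-lite suggestion addresses.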
From what you state it seems that our management network should have the ACL applied both in and out. Then routing will be effectively blocked from all other subnets.
The next question, which I alluded to above, is how to get the router (in the 3560) to pass traffic destined for the management network to the firewall rather than attempting to route to the VLAN interface (which will be blocked by the ACL).
Can you just add a route to the routing table for a connected subnet?
"The next question, which I alluded to above, is how to get the router (in the 3560) to pass traffic destined for the management network to the firewall rather than attempting to route to the VLAN interface (which will be blocked by the ACL)."
The question is a little confusing. If you can't route to the VLAN interface, then how do you manage it?
The simplest way to not route via the VLAN interface is just not to have an L3 VLAN interface for the management VLAN on the switch and just have it routed off the firewall, but then you won't be able to connect to the switch.
"Can you just add a route to the routing table for a connected subnet?" - you can, but the fact that it is connected will override this.
Is there a set of IP addresses that are allowed to connect to the management VLAN?
If you really want to "hide" the management network, I strongly suggest you look into VRF-lite.
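An added VRF-lite example (not from the original thread) showing the isolation both answers point to: the management SVI is placed in its own VRF, so the 10.100.0.0/24 connected route disappears from the global table, while the switch can still be managed on its SVI address. The addressing is assumed, as in the previous example (VLAN 100 = 10.100.0.0/24, SVI 10.100.0.2, firewall 10.100.0.1), and the VRF name MGMT is arbitrary. VRF-lite on the 3560 requires the IP Services feature set, so confirm that with "show version" before relying on it.

```cisco
! Assumed addressing: VLAN 100 = 10.100.0.0/24, 3560 SVI = 10.100.0.2, firewall = 10.100.0.1
! Requires the IP Services feature set on the 3560 (check "show version").
!
ip vrf MGMT
 rd 100:1
!
interface Vlan100
 description Management VLAN, held in its own routing table
 ! Applying "ip vrf forwarding" clears any existing IP address on the
 ! interface, so the address is (re-)entered afterwards.
 ip vrf forwarding MGMT
 ip address 10.100.0.2 255.255.255.0
!
! Inside the VRF the only exit is the management firewall, so anything the
! switch itself sends to a non-local address leaves via the firewall, not
! via the global routing table.
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.100.0.1
!
! A global static route towards 10.100.0.0/24 is no longer needed: with the SVI
! in the VRF there is no connected route (administrative distance 0) in the
! global table to shadow it, and other VLANs simply have no path to the subnet.
!
! Verification:
!   show ip route             -> 10.100.0.0/24 is absent from the global table
!   show ip route vrf MGMT    -> "C 10.100.0.0/24 is directly connected, Vlan100"
!                                "S* 0.0.0.0/0 [1/0] via 10.100.0.1"
!   ping vrf MGMT 10.100.0.1  -> reaches the firewall from inside the VRF
```

One thing to plan for: services the switch sources itself (syslog, SNMP traps, NTP, TACACS+/RADIUS) now have to be told to use the VRF, for example "logging host <ip> vrf MGMT" and "snmp-server host <ip> vrf MGMT ..."; check which of these have VRF-aware forms on your IOS release before cutting over, or the switch will try to reach them through the global table where the management subnet no longer exists.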