Private IP on public side of network (Switch management)

ppataki01 (Level 1)

Hi Guys


Hope someone can help me here. Is it a good practice to use a private IP (10.1..) for example for interface vlan 10 on the public side of the network for the management of the switch? Basically I have a Cisco switch that connects the ISP router (public IP) and firewall (public IP), but I am trying to have the switch managed from the internal network.

VLAN 10 is an internal routed VLAN for the management of other switches. Now I am wondering if setting up a VLAN interface with a private IP on the external side of the network is secure? And to trunk it back to the internal router, bypassing the firewall?

I have set up a different local vlan for the firewall and router and set up ports as "access ports" for that.


I have also attached a drawing.

Hope it makes sense.

Thanks for any replies.


10 Replies

Jon Marshall (Hall of Fame)

Peter

I would certainly not trunk back to the inside network bypassing the firewall purely for managing the outside switch. In environments I have worked in, the outside switch was actually unmanaged, i.e. it did not have an IP. This is because you do not want the switch to be at all visible from the outside.

If you do need to manage it then you could assign it an IP from vlan 20 (if you have one spare). The switch would still be only L2, i.e. the vlan 20 SVI is only used for managing it, so you need to make sure, if it is L3 capable, that ip routing is disabled.

In terms of access to it, this is problematic. The problem is that any inside IPs connecting to the switch for management etc. will be subjected to NAT by your firewall, so they will all appear as the same IP once they reach the switch. So you need to use SSH to access it and use strong passwords etc. In addition you should use an ACL to only allow SSH + other needed management protocols to access the SVI, and only from IPs coming from the firewall (which would be public but owned by you).

You absolutely need to make sure that all other public IPs, i.e. not owned by you, are denied access, including ICMP responses etc.

You can probably see why often the switch is unmanaged in these scenarios.

Jon
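As an added example (not part of Jon's post or of anything else on the page), the Python script below turns the points above into an audit over an IOS-style configuration text: routing must be off, the vty lines must accept SSH only, the management SVI must carry an inbound ACL that permits SSH solely from the firewall's own addresses and ends in an explicit deny, and no trunk port may carry the management VLAN back toward the inside. The two configurations embedded in it are constructed for the example; the firewall address 203.0.113.2, the SVI address, VLAN 20, the ACL name MGMT-IN and the interface names are placeholders (RFC 5737 documentation range), not values from the thread.

```python
"""Audit an IOS-style switch config against the management-only guidance in
Jon's reply. Added example: configs and addresses below are constructed."""
from typing import Dict, List, Set


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {top-level line: [indented child lines]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' separators and blank lines end a block
            continue
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def vlan_in_list(vlan: int, line: str) -> bool:
    """True if `vlan` is inside a 'switchport trunk allowed vlan 10,20-30' list."""
    spec = line.split()[-1]
    if spec == "all":
        return True
    if spec == "none":
        return False
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= vlan <= int(hi or lo):
            return True
    return False


def audit_management_config(config: str, mgmt_vlan: int, allowed_hosts: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    findings: List[str] = []

    # 1. Outside switch stays pure L2: no 'ip routing' line may be present.
    if "ip routing" in blocks:
        findings.append("ip routing is enabled; the outside switch must not route")

    # 2. Management only over SSH: every vty block restricts transport to ssh.
    vty_blocks = [k for k in blocks if k.startswith("line vty")]
    if not vty_blocks:
        findings.append("no 'line vty' configuration found")
    for key in vty_blocks:
        transports = [c for c in blocks[key] if c.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{key}: transport input must be 'ssh' only, got {transports or 'default'}")

    # 3. The management SVI must carry an inbound ACL that is actually defined.
    svi_key = f"interface Vlan{mgmt_vlan}"
    if svi_key not in blocks:
        return findings + [f"{svi_key} not found"]
    acl_names = [c.split()[2] for c in blocks[svi_key]
                 if c.startswith("ip access-group") and c.endswith(" in")]
    if not acl_names:
        return findings + [f"{svi_key}: no inbound ip access-group"]
    entries = blocks.get(f"ip access-list extended {acl_names[0]}")
    if entries is None:
        return findings + [f"ACL {acl_names[0]} referenced but not defined"]

    # 4. The ACL permits only TCP/22 from the firewall's own hosts, then denies all.
    for entry in entries:
        t = entry.split()
        if t[0] == "permit" and not (t[1] == "tcp" and t[2] == "host"
                                     and t[3] in allowed_hosts and t[-2:] == ["eq", "22"]):
            findings.append(f"ACL {acl_names[0]}: over-broad permit '{entry}'")
    if entries[-1].split()[:4] != ["deny", "ip", "any", "any"]:
        findings.append(f"ACL {acl_names[0]}: must end with explicit 'deny ip any any'")

    # 5. The management VLAN must not ride any trunk back toward the inside network.
    for key, children in blocks.items():
        if key.startswith("interface") and "switchport mode trunk" in children:
            allowed = [c for c in children if c.startswith("switchport trunk allowed vlan")]
            if not allowed or vlan_in_list(mgmt_vlan, allowed[0]):
                findings.append(f"{key}: trunk carries management VLAN {mgmt_vlan}")
    return findings


# Constructed sample that follows the guidance (placeholder addresses).
GOOD_CONFIG = """\
hostname outside-sw
no ip routing
ip ssh version 2
!
ip access-list extended MGMT-IN
 permit tcp host 203.0.113.2 any eq 22
 deny ip any any log
!
interface Vlan20
 ip address 203.0.113.3 255.255.255.248
 ip access-group MGMT-IN in
!
line vty 0 15
 transport input ssh
 login local
"""

# Constructed sample with the mistakes the reply warns against.
WEAK_CONFIG = """\
hostname outside-sw
ip routing
!
ip access-list extended MGMT-IN
 permit ip any any
!
interface Vlan20
 ip address 203.0.113.3 255.255.255.248
 ip access-group MGMT-IN in
!
interface GigabitEthernet0/24
 switchport mode trunk
!
line vty 0 15
 transport input all
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_management_config(cfg, 20, {"203.0.113.2"}) or "OK")
```

Running it reports no findings for the first configuration and five for the second (routing on, vty open to all transports, an any/any permit, no closing deny, and an unrestricted trunk). The script reads a saved `show running-config` as text; it does not talk to the switch.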

Jon

Thanks for the detailed explanation. I thought I would get a similar answer. Your solution would most probably work, however just for the sake of managing it from my desk, I think it is best to leave it unmanaged.

Peter

Yes, I think leaving it unmanaged is by far the better choice.

Jon

Jon

Just one more question.

No machine on the outside "should" directly be able to talk to the private IP address (vlan interface 10)? It isn't routable, only from my internal L3 switch as per the diagram. How would that become visible?

Peter

It wouldn't be visible in terms of being able to ping it, telnet etc. When I was talking about visibility I was simply referring to the situation where you might want to configure it with an IP from vlan 20, i.e. a public routable address.

I just don't like bypassing firewalls for any reason, especially for something like managing switches. The possibility is remote and it may therefore be considered acceptable to do what you suggest; it's really a call you have to make depending on your security policy.

With a direct path between the outside switch and the inside switches there is always the possibility of a configuration mistake on the switch or a bug that could give you unexpected consequences. If you do not have a path around the firewall the worst that can happen is you lose internet connectivity and that's it.

Jon

Kelvin Willacey (Level 4)

Depending on the switch you could also try using the management port.

It is only a 2960; these don't come with one. I think I agree with Jon.

Thanks anyway.

Collin Clark (VIP Alumni)

Here are a couple of ways I have done it, in order of most secure to least secure.

1. Use out of band management for edge devices

2. Create a management VRF in the switch

3. Punch a hole in the FW (see attached pdf)

Is the switch just handling these 2 connections? How about a crossover and pull the switch out?


Collin

The three options look good and you are right, "most secure to least secure". The 3rd option is pretty much the same as what Jon suggested (thanks for the attachment).

The best and most secure solution will be to purchase a switch with a dedicated management port.

Thank you for all the input.
