01-06-2014 01:43 AM - edited 03-04-2019 09:59 PM
Hi Guys
Hope someone can help me here. Is it a good practice to use a private IP (10.1..) for example for interface vlan 10 on the public side of the network for the management of the switch? Basically I have a cisco switch that connects the ISP router (public IP) and firewall (public IP), but I am trying to have the switch managed from the internal network.
VLAN 10 is an internal routed VLAN for the management of other switches. Now I am wondering if setting up a vlan interface with private IP on the external side of the network is secure? And to trunk it back to the internal router bypassing the firewall?
I have set up a different local vlan for the firewall and router and set up ports as "access ports" for that.
I have also attached a drawing.
Hope it makes sense.
Thanks for any replies.
01-06-2014 07:03 AM
Peter
I would certainly not trunk back to the inside network bypassing the firewall purely for managing the outside switch. In environments I have worked in, the outside switch was actually unmanaged, i.e. it did not have an IP. This is because you do not want the switch to be at all visible from the outside.
If you do need to manage it then you could assign it an IP from vlan 20 (if you have one spare). The switch would still be only L2, i.e. the vlan 20 SVI is only used for managing it, so you need to make sure, if it is L3 capable, that ip routing is disabled.
In terms of access to it this is problematic. The problem is that any inside IPs connecting to the switch for management etc. will be subjected to NAT by your firewall so they will all appear as the same IP once they reach the switch. So you need to use ssh to access it and use strong passwords etc. In addition you should use an acl to only allow ssh + other needed management protocols to access the SVI and only from IPs coming from the firewall (which would be public but owned by you).
You absolutely need to make sure that all other public IPs, i.e. not owned by you, are denied access, including ICMP responses etc.
You can probably see why often the switch is unmanaged in these scenarios.
Jon
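An added example, not taken from Jon's post or from Cisco documentation, of what his advice looks like on an IOS-style Catalyst 2960 configuration: a vlan 20 management SVI, routing kept off, SSH only, a vty ACL that admits only the firewall's outside address, and a port ACL on the ISP-facing uplink that drops everything (ICMP included) aimed at the SVI. All addresses, VLAN numbers, interface names and the username are placeholders.

```cisco
! Outside switch, assumed Catalyst 2960 (L2 only). All values below are placeholders.
hostname OUTSIDE-SW
!
! Keep the switch from ever routing between VLANs; a no-op on a pure L2 platform,
! required if the hardware is L3 capable (Jon's point).
no ip routing
!
! Management SVI on vlan 20 (the firewall/router VLAN); placeholder address.
interface Vlan20
 description Management SVI only
 ip address 203.0.113.10 255.255.255.248
 no ip redirects
 no ip proxy-arp
!
! Default gateway is the firewall's outside address (placeholder).
ip default-gateway 203.0.113.9
!
! Inside admins are NATed by the firewall, so the firewall's outside address is the
! only permitted management source; everything else is logged and dropped.
ip access-list standard MGMT-ONLY
 remark Firewall outside address (placeholder) - only allowed management source
 permit 203.0.113.9
 deny   any log
!
! SSHv2 only, no telnet. A domain name is required before generating the RSA key.
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
!
username admin privilege 15 secret <strong-password-placeholder>
!
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Port ACL on the ISP-facing uplink: nothing from the Internet may talk to the SVI
! itself (this covers ICMP too); transit traffic to the firewall is untouched.
ip access-list extended BLOCK-TO-SVI
 remark Deny any Internet host reaching the management address
 deny   ip any host 203.0.113.10
 permit ip any any
!
interface GigabitEthernet0/1
 description Uplink to ISP router
 switchport mode access
 switchport access vlan 20
 ip access-group BLOCK-TO-SVI in
```

Because the firewall and ISP router sit on separate access ports, the port ACL only affects what arrives from the ISP side, while the vty ACL still limits who may open a session at all.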
01-06-2014 09:08 AM
Here are a couple of ways I have done it and in order of most secure to least secure.
Use out of band management for edge devices
Create a management VRF in the switch
Punch a hole in the FW (see attached pdf)
01-06-2014 07:34 AM
Jon
Thanks for the detailed explanation. I thought I would get a similar answer. Your solution would most probably work, however just for the sake of managing it from my desk, I think it is best to leave it unmanaged.
01-06-2014 07:36 AM
Peter
Yes, I think leaving it unmanaged is by far the better choice.
Jon
01-06-2014 08:27 AM
Jon
Just one more question.
No machine on the outside "should" directly be able to talk to the private IP address (vlan interface 10)? It isn't routable, only from my internal L3 switch as per diagram. How would that become visible?
01-06-2014 08:36 AM
Peter
It wouldn't be visible in terms of being able to ping it, telnet etc. When I was talking about visibility I was simply referring to the situation where you might want to configure it with an IP from vlan 20, i.e. a public routable address.
I just don't like bypassing firewalls for any reason especially for something like managing switches. The possibility is remote and it may therefore be considered acceptable to do what you suggest, it's really a call you have to make depending on your security policy.
With a direct path between the outside switch and the inside switches there is always the possibility of a configuration mistake on the switch or a bug that could give you unexpected consequences. If you do not have a path around the firewall the worst that can happen is you lose internet connectivity and that's it.
Jon
01-06-2014 07:17 AM
Depending on the switch you could also try using the management port.
01-06-2014 07:36 AM
It is only a 2960. These don't come with one. I think I agree with Jon.
Thanks anyway.
01-06-2014 04:14 PM
Is the switch just handling these 2 connections? How about a crossover and pull the switch out?
Sent from Cisco Technical Support iPad App
01-07-2014 07:34 AM
Collin
The three options look good and you are right, "most secure to least secure". The 3rd option is pretty much the same as what Jon suggested (thanks for the attachment).
The best and most secure solution will be to purchase a switch with a dedicated management port.
Thank you for all the input.