New Member

Private IP on public side of network (Switch management)

Hi Guys


Hope someone can help me here. Is it good practice to use a private IP (10.1.., for example) for interface VLAN 10 on the public side of the network for the management of the switch? Basically I have a Cisco switch that connects the ISP router (public IP) and firewall (public IP), but I am trying to have the switch managed from the internal network.

VLAN 10 is an internal routed VLAN for the management of other switches. Now I am wondering if setting up a VLAN interface with a private IP on the external side of the network is secure, and whether to trunk it back to the internal router, bypassing the firewall?

I have set up a different local VLAN for the firewall and router and set up the ports as "access ports" for that.


I have also attached a drawing.

Hope it makes sense.

Thanks for any replies.

10 REPLIES
Hall of Fame Super Blue

Private IP on public side of network (Switch management)

Peter

I would certainly not trunk back to the inside network bypassing the firewall purely for managing the outside switch. In environments I have worked in, the outside switch was actually unmanaged, i.e. it did not have an IP. This is because you do not want the switch to be at all visible from the outside.

If you do need to manage it then you could assign it an IP from VLAN 20 (if you have one spare). The switch would still be L2 only, i.e. the VLAN 20 SVI is only used for managing it, so if it is L3 capable you need to make sure that ip routing is disabled.

In terms of access to it, this is problematic. The problem is that any inside IPs connecting to the switch for management etc. will be subjected to NAT by your firewall, so they will all appear as the same IP once they reach the switch. So you need to use SSH to access it and use strong passwords etc. In addition you should use an ACL to only allow SSH + other needed management protocols to access the SVI, and only from IPs coming from the firewall (which would be public but owned by you).

You absolutely need to make sure that all other public IPs, i.e. not owned by you, are denied access, including ICMP responses etc.

You can probably see why often the switch is unmanaged in these scenarios.

Jon
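As an added example (not from the thread or any of its posters), this is what Jon's approach looks like as IOS configuration: a single VLAN 20 SVI, routing off, SSH only, and access restricted to the firewall's outside address, with VLAN 10 never trunked to the outside switch. All addresses (RFC 5737 documentation space), the hostname, domain name and username are placeholders, and because router-ACL support on SVIs varies by platform and image, the vty access-class is the control to rely on.

```cisco
! Added example, not from the thread: outside L2 switch managed the way Jon describes.
! Placeholders: VLAN 20 is the public /29 between ISP router and firewall,
! 203.0.113.2 = switch SVI, 203.0.113.3 = firewall outside address (RFC 5737 space).
!
! Stay layer 2 only (on an L3-capable platform); the SVI must not route anything.
no ip routing
ip default-gateway 203.0.113.3
!
hostname outside-sw
ip domain-name example.net
username admin secret CHANGE-ME-PLACEHOLDER
!
! Only the firewall's outside address may reach the switch, and only over SSH.
! Everything else, ICMP included, is dropped and logged.
ip access-list extended MGMT-SVI-IN
 permit tcp host 203.0.113.3 host 203.0.113.2 eq 22
 deny   ip any any log
!
ip access-list standard MGMT-VTY
 permit host 203.0.113.3
 deny   any log
!
! Single management SVI in VLAN 20; the default VLAN 1 SVI stays down.
interface Vlan20
 description Management SVI, outside switch
 ip address 203.0.113.2 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip access-group MGMT-SVI-IN in
 no shutdown
interface Vlan1
 no ip address
 shutdown
!
! SSHv2 only, telnet refused; the vty ACL limits who can even reach the login prompt.
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 access-class MGMT-VTY in
 transport input ssh
 login local
 exec-timeout 5 0
```

Inside hosts still reach the switch only through the firewall's NAT address, so the firewall's own rules remain the place to decide which internal users may open SSH to 203.0.113.2.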

New Member

Private IP on public side of network (Switch management)

Jon

Thanks for the detailed explanation. I thought I would get a similar answer. Your solution would most probably work, however just for the sake of managing it from my desk, I think it is best to leave it unmanaged.

Hall of Fame Super Blue

Private IP on public side of network (Switch management)

Peter

Yes, I think leaving it unmanaged is by far the better choice.

Jon

New Member

Private IP on public side of network (Switch management)

Jon

Just one more question.

No machine on the outside "should" be able to talk directly to the private IP address (VLAN interface 10)? It isn't routable, only from my internal L3 switch as per the diagram. How would that become visible?

Hall of Fame Super Blue

Private IP on public side of network (Switch management)

Peter

It wouldn't be visible in terms of being able to ping it, telnet to it etc. When I was talking about visibility I was simply referring to the situation where you might want to configure it with an IP from VLAN 20, i.e. a public routable address.

I just don't like bypassing firewalls for any reason, especially for something like managing switches. The possibility is remote and it may therefore be considered acceptable to do what you suggest; it's really a call you have to make depending on your security policy.

With a direct path between the outside switch and the inside switches there is always the possibility of a configuration mistake on the switch or a bug that could give you unexpected consequences. If you do not have a path around the firewall the worst that can happen is you lose internet connectivity and that's it.

Jon

Private IP on public side of network (Switch management)

Depending on the switch you could also try using the management port.

New Member

Private IP on public side of network (Switch management)

It is only a 2960; these don't come with one. I think I agree with Jon.

Thanks anyway.

Re: Private IP on public side of network (Switch management)

Here are a couple of ways I have done it, in order of most secure to least secure.

1. Use out-of-band management for edge devices

2. Create a management VRF in the switch

3. Punch a hole in the FW (see attached pdf)

Re: Private IP on public side of network (Switch management)

Is the switch just handling these 2 connections? How about a crossover and pull the switch out?


New Member

Re: Private IP on public side of network (Switch management)

Collin

The three options look good and you are right, "most secure to least secure". The 3rd option is pretty much the same as what Jon suggested (thanks for the attachment).

The best and most secure solution will be to purchase a switch with a dedicated management port.

Thank you for all the input.
