Cisco Support Community
Security Question

The service provider link terminates on the 2960 switch; one leg from the switch connects to the firewall, another leg from the switch connects to the VPN router.

How do I securely connect the Internet switch to the network to monitor bandwidth using SNMP?

The attached file shows the physical connectivity.

thanks

Tom

3 REPLIES
Re: Security Question

Tom

If you simply want to poll the switch for SNMP statistics then you may as well go via the VPN router, as this has a connection straight into your network anyway.

Alternatively you could add a rule to your firewall allowing your internal SNMP management station access to the switch.

Edit: note that if the VPN router is not firewalling as well, then you may want to consider terminating the inside interface of the VPN router on a DMZ on the firewall. If you did do this, you would need to use the firewall to gain SNMP access to the switch.

Jon

Re: Security Question

Hi Tom,

You can try a secure ACL configuration, with a specific IP having access and a specific community name configured at the server and switch end, to poll the switch for interface bandwidth utilization.

Check out the link below for ACLs on 2960 switches:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_37_se/configuration/guide/swacl.html

Hope this helps!!

Ganesh.H
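An added configuration example of the ACL-plus-community approach described in the reply above (written by the editor, not part of Ganesh's post), with an SNMPv3 authPriv alternative for the same poller. The ACL number, management-station address, community string, SNMPv3 user name and passwords are assumptions; the syntax is standard IOS as used on the 12.2 SE-train 2960 images the linked guide covers.

```cisco
! --- Added example: restricting SNMP polling of the 2960 to one management station ---
! All addresses, names and passwords below are assumptions for illustration.
!
! 1. Standard ACL listing the only host allowed to talk SNMP to the switch.
access-list 10 remark SNMP polling: management station only
access-list 10 permit host 10.99.0.50
access-list 10 deny   any log
!
! 2. A read-only view limited to the interface tables (ifTable and ifXTable),
!    which is all a bandwidth poller needs; the rest of the MIB tree stays hidden.
snmp-server view IFSTATS 1.3.6.1.2.1.2  included
snmp-server view IFSTATS 1.3.6.1.2.1.31 included
!
! 3. Remove any default communities, then add a read-only one bound to the view and the ACL.
!    Never leave an RW community on a switch that touches the Internet side.
no snmp-server community public
no snmp-server community private
snmp-server community 7pRq-ifstats-only view IFSTATS RO 10
!
! 4. Preferred where the image supports it: SNMPv3 with authentication and encryption
!    (authPriv), so the credential does not cross the wire in clear text the way a
!    v2c community does. The same view and ACL apply. AES needs a crypto (k9) image;
!    on images that reject "priv aes 128", fall back to "priv des" or keep the v2c
!    community above.
snmp-server group MONITOR v3 priv read IFSTATS access 10
snmp-server user nms-poller MONITOR v3 auth sha S3cure-Auth-Pass priv aes 128 S3cure-Priv-Pass
!
! 5. Verify what the switch actually accepted.
show access-lists 10
show snmp community
show snmp user
show snmp view
```

Point the poller at the switch's management SVI address only; the ACL is evaluated against the source of the SNMP packet, so a poller elsewhere on the network (or anything arriving from the provider side) gets a denial and, with the `log` keyword, a syslog entry you can alert on.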

Re: Security Question

It really should be simpler than that. It's a 2960, so the only IP that you have is for whatever VLAN interface you define.

1. Take your precautions against 802.1q VLAN hopping. (Don't use VLAN 1, etc.)

2.  Take other necessary precautions to secure switch as mentioned by other posts.

3.  Use one VLAN for management and connect to the inside of the network.  Use the other VLAN for connecting the SP to the FW and VPN.  Do NOT give that VLAN an interface with an IP address.  You can only do that to one SVI anyway.  The 2960 is NOT a layer 3 device and it isn't going to pass public traffic across the L3 interface into the inside network.

Yes you have to be cautious when creating your VLANs but this is easily secured.

If you are really paranoid then I would actually suggest a similar approach but use another interface from the firewall or 802.1q from the firewall to the management interface/VLAN of the switch.  This is more secure than actually giving your switch a public IP address on the outside of the firewall.

Tyler West, CCNP

CWI, Inc.
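A worked 2960 configuration for the three steps in the reply above (an added example by the editor, not Tyler's own configuration). It puts the SP handoff, the firewall outside and the VPN router outside in a transit VLAN with no SVI, puts the switch's only SVI in a management VLAN cabled to the inside, and shows the 802.1q-from-the-firewall variant from the last paragraph as an alternative. It also fills in the "other precautions" of step 2: VLAN 1 shut down, unused ports parked, and a management plane reachable only from the management VLAN over SSH. VLAN numbers, addresses and port names are assumptions.

```cisco
! --- Added example: 2960 between the SP handoff, the firewall and the VPN router ---
! VLAN numbers, addresses and port names are assumptions; adjust to the real box.
!
! Transit VLAN carrying the public-side traffic. It deliberately gets NO SVI, so the
! switch has no IP address that is reachable from the provider side.
vlan 10
 name SP-TRANSIT
! Management VLAN, the only place the switch has an IP address.
vlan 99
 name MGMT
! Parking VLAN for unused ports, also used as a trunk native VLAN that carries nothing.
vlan 999
 name PARKING
!
! Never leave VLAN 1 in use; shut its SVI.
interface Vlan1
 no ip address
 shutdown
!
! Management SVI on the inside-facing VLAN.
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
 no shutdown
ip default-gateway 10.99.0.1
!
! The three public-side legs: hard-coded access ports, no DTP, edge ports with BPDU guard.
interface range FastEthernet0/1 - 3
 description SP handoff / firewall outside / VPN router outside
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Option A (step 3): management leg cabled straight to the inside network.
interface FastEthernet0/4
 description MGMT to inside
 switchport mode access
 switchport access vlan 99
 switchport nonegotiate
!
! Option B (last paragraph): instead of FastEthernet0/4, make the firewall's port an
! 802.1q trunk carrying the outside VLAN plus a management sub-interface. The native
! VLAN is the empty parking VLAN so untagged frames never land in VLAN 10 or 99, and
! only the two VLANs needed are allowed. The 2960 speaks 802.1q only, so no
! encapsulation command is required.
! interface FastEthernet0/2
!  description firewall outside (VLAN 10) + management sub-interface (VLAN 99)
!  switchport mode trunk
!  switchport trunk native vlan 999
!  switchport trunk allowed vlan 10,99
!  switchport nonegotiate
!
! Unused ports: parked and shut.
interface range FastEthernet0/5 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Management plane: only the management VLAN, SSH only, no web server.
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
no ip http server
no ip http secure-server
!
! Verify: VLAN 10 must have no SVI, Vlan1 must be administratively down,
! and the only trunk (if option B is used) must show native VLAN 999.
show ip interface brief
show vlan brief
show interfaces trunk
```

SNMP itself is then restricted on the management SVI address with an ACL and a read-only community (the approach in Ganesh's reply), and the poller sits in the management VLAN or behind the firewall rule Jon describes. The security property that makes this safe is structural: without an SVI in VLAN 10 there is no IP stack listening on the provider side, so the transit traffic is switched between the three outside legs and never reaches the management VLAN.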
