Management network advice
-
Hi,
I'm currently using Allied Telesis switches but the command line is pretty much Cisco equivalent.
I currently have a management network (VLAN 100) which is the only interface configured on all of my switches, apart from my core switch. This has IP addresses configured as the gateway for every VLAN and as such management is accessible on each interface address of the core switch.
I'm looking to isolate the management network either through a firewall or just isolate it completely. The problem I have is that the core switch also needs to be managed, and as soon as I assign an IP address on the management VLAN it allows other VLANs to route into it.
How do I allow management of the switch on one Interface address (V100) but not on others whilst still allowing the core switch to continue routing for all the other networks?
I spoke to the manufacturer (AT) who suggested setting up an access-list and applying it to prevent traffic entering and leaving the v100 network, whilst also restricting access to the CLI using port blocking. This was foiled when I could only apply the access list to a physical interface and not a virtual one.
I've seen references to using the loopback for management but not sure if this will actually help me. Will this remove the gateway address for v100 and assigning it to the loopback prevent routing into the v100 network? If so then I could use this and an access list on the vty to prevent switch access.
How does the switch know when to answer this? Is the loopback also assigned to the VLAN?
The rest of the switches only have an IP address on the v100 for management, so they wouldn't be an issue.
Hope this makes sense. Thanks in advance
M
-
@Mark-Sammon said in Management network advice:
Hi,
I'm currently using Allied Telesis switches but the command line is pretty much Cisco equivalent.
I currently have a management network (VLAN 100) which is the only interface configured on all of my switches, apart from my core switch. This has IP addresses configured as the gateway for every VLAN and as such management is accessible on each interface address of the core switch.
Mark, I'm confused by the statement above. Does each switch have on it an interface VLAN 100 as the default gateway for each VLAN on the switch, like VLAN 50, 60 and 70, etc...? If so, I do not know how that works. Or do you have a VLAN 100 interface with multiple IP addresses in it that act as the default gateway for each VLAN? Still not sure how that works... So, I struggle with making sense of this... Please help.
I'm looking to isolate the management network either through a firewall or just isolate it completely. The problem I have is that the core switch also needs to be managed, and as soon as I assign an IP address on the management VLAN it allows other VLANs to route into it.
Same as above... not sure about this configuration, as a single VLAN, like VLAN 100, usually represents a single subnet. But you're telling me that you already have multiple IP addresses within the same subnet and now you're adding another one into VLAN 100, but you're expecting to isolate it?
How do I allow management of the switch on one Interface address (V100) but not on others whilst still allowing the core switch to continue routing for all the other networks?
I spoke to the manufacturer (AT) who suggested setting up an access-list and applying it to prevent traffic entering and leaving the v100 network, whilst also restricting access to the CLI using port blocking. This was foiled when I could only apply the access list to a physical interface and not a virtual one.
I would agree with AT support here. In the Cisco world, you attach an ACL to a physical interface by using
ip access-group in or ip access-group out
and to virtual interfaces with ip access-class in or ip access-class out
command. Having said that, I've never tried with interface VLANs.
I've seen references to using the loopback for management but not sure if this will actually help me. Will this remove the gateway address for v100 and assigning it to the loopback prevent routing into the v100 network? If so then I could use this and an access list on the vty to prevent switch access.
How does the switch know when to answer this? Is the loopback also assigned to the VLAN?
The rest of the switches only have an IP address on the v100 for management, so they wouldn't be an issue.
Hope this makes sense. Thanks in advance
M
I'm still not clearly seeing how VLAN 100 is set up... Can you post a mock setup so that I can see this configuration? And also how you would have a loopback interface configured?
-
Hi Ronnie,
Basically the core switch has the IP gateways for all the internal VLANs. V100 is labelled the management VLAN.
I can access the core switch on ANY of the IP gateway addresses of the core switch. All other switches in the network only have 1 IP address assigned to them, and that is on V100, so that we can manage them. These aren't the issue.
I need to be able to manage the core switch ONLY on the management V100 IP address and somehow block all the others. The plan is to prevent ANY traffic routing in/out of the management VLAN from the corporate network, so that if my corporate network is compromised a bad actor wouldn't be able to access my switch infrastructure and other management devices.
In order to apply the same rule to my core switch I have to assign it an IP address on V100, and as soon as I do so it allows traffic to route into the V100 network.
I've done more reading and the ACL seems to be the suggested way and on Cisco it seems to be allowed, however this option doesn't seem to be available on AT switches.
I've raised this with their support. I don't think the loopback interface is a solution for me here.
Hope this clarifies things
Mark
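Since the thread keeps pointing at Cisco syntax as the reference, here is a worked configuration of the three controls discussed above (source-restricting the vty lines, accepting management only via the VLAN 100 address, and stopping user VLANs from routing into the management subnet) in Cisco IOS form. This is an added example, not a config from Mark, Ronnie or Allied Telesis, and it goes one step beyond the thread by also showing IOS Management Plane Protection. The addressing (VLAN 100 = 10.100.0.0/24, VLAN 10 and 20 as user networks), the ACL names and the use of SSH/SNMP as the only management protocols are all constructed for the example; whether AlliedWare Plus accepts the same commands is not something the thread establishes, so treat the AT mapping as an assumption to verify with their support.

```cisco
! Added example in Cisco IOS syntax (assumption: AT syntax may differ).
! Constructed addressing: VLAN 100 = 10.100.0.0/24 (management),
! VLAN 10 = 10.10.0.0/24 and VLAN 20 = 10.20.0.0/24 (user networks).
!
! --- Before: every SVI address answers SSH and VLAN 10/20 can route into VLAN 100 ---
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
line vty 0 15
 transport input ssh
!
! --- After ---
! 1. Only sources inside the management subnet may open a CLI session,
!    whichever interface address they connect to. This is access-class on
!    the vty lines, not access-group on an interface, so it does not depend
!    on being able to attach an ACL to an SVI.
ip access-list standard MGMT-SOURCES
 permit 10.100.0.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-SOURCES in
 transport input ssh
!
! 2. Management Plane Protection: SSH and SNMP are accepted only when they
!    arrive via Vlan100. The Vlan10/Vlan20 gateway addresses stop answering
!    management protocols but keep forwarding user traffic.
control-plane host
 management-interface Vlan100 allow ssh snmp
!
! 3. Stop the user VLANs from routing into the management subnet. The ACL is
!    applied inbound on the user-facing SVIs, so Vlan100 itself carries no ACL
!    and the core switch keeps routing between VLAN 10 and VLAN 20 as before.
ip access-list extended NO-MGMT-FROM-USERS
 deny   ip any 10.100.0.0 0.0.0.255 log
 permit ip any any
interface Vlan10
 ip access-group NO-MGMT-FROM-USERS in
interface Vlan20
 ip access-group NO-MGMT-FROM-USERS in
```

After applying, `show ip access-lists` will show the deny counters climbing when anything outside 10.100.0.0/24 tries the switch, and `show management-interface` confirms which interface and protocols MPP is accepting. Step 3 is the part AT support said could not be applied to a virtual interface; on a platform with that limitation the equivalent deny would have to sit on the physical uplink ports that carry the user VLANs, or on the firewall in front of the management network, and the vty access-class in step 1 still stands on its own as the control that keeps a compromised corporate host from reaching the CLI.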
-
Never having worked with AT switches, I'm not sure.
On the AT switch, do they have a logical management port... like an
mt 0/0/0
? If so, special rules may apply to this port... I don't know.