
Monday, December 16, 2013

What is the best approach to handle management of switches in a DMZ?


What is the best approach to handle management of switches in a DMZ? We are implementing a dual firewall solution (front external facing, and a rear internal/DMZ facing). I would like to be able to manage the switches from inside the corporate network, including SNMP etc.
Also, as we are looking to implement ISE, we would need the authentication to be handled by ISE on the internal network. Will this cause issues?


What I think they mean is that if you have an absolutely separate network (i.e. physically separate) for management, then this would work. I didn't realise that the routing information would be shared. Maybe they mean using route-maps and distribute-lists to stop this inter-routing of information. Maybe someone from Cisco can clarify this for us? It would make sense if it was like this:
Fa0 - management
Fa1/0/1 - network
Fa0 would just be separate from anything to do with Fa1/0/1, therefore it would be secure and nothing would be able to flow between them; however, it seems as though this is not the case here. It would have been nice to make use of that management port. In any case this is too risky for a DMZ in my opinion. However, what you could do is create a VRF, which does do what we want to do. You can assign a VRF to a physical or virtual interface, provided that you have an IP Services license. I'm not sure if you can assign a VRF to the management port though.

configure terminal
!
ip routing
!
! Management VRF: its own routing table, separate from the global one
ip vrf MGMT
 rd 1:1
!
! Put the management interface into the VRF
interface Faxxxx
 ip vrf forwarding MGMT
 ip address x.x.x.x x.x.x.x
!
! Default route inside the VRF only (y.y.y.y = your management default gateway)
ip route vrf MGMT 0.0.0.0 0.0.0.0 y.y.y.y
!
[options]
! "string" below is your SNMP community string
snmp-server host b.b.b.b vrf MGMT string
logging host c.c.c.c vrf MGMT
ip tftp source-interface Faxxxx
etc...... if you have tacacs+ enabled too you can also do this via the vrf I think.

The more recent stackable switches come with a management port, Fa0 or E0 in some cases, or even with its own VRF, almost like a separate routing instance; this stays separate from the switch itself. You can put this on the management network, depending on your organisation's security policies. From here you can configure SNMP, SSH etc. to and from this interface / VRF. All authentication can be done via this interface / VRF also.

If there isn't any management port, you can always create a VRF and assign it to a port, keep that for management. It will have its own routing table, separate from the global routing table.
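A fuller worked version of the VRF approach sketched in the two answers above (the VRF snippet in the first, the "own routing table, SSH/SNMP/authentication through the VRF" description in the second), added here as an example. It is not the configuration either poster published. The interface number, addresses, ACL, VRF, server and user names, and the angle-bracket secrets are all assumptions; the platform is assumed to be an IOS switch with an IP Services license, since `ip vrf forwarding` on a front-panel port needs it. Beyond the original snippet it restricts who can reach the CLI, reaches ISE (TACACS+) through the VRF, uses SNMPv3 rather than a community string, and ends with the checks that confirm the management subnet is absent from the global table:

```cisco
! Example only, not from the original post. Addresses, names and interfaces are assumed.
configure terminal
ip routing
!
ip vrf MGMT
 rd 1:1
!
! Dedicated management port: the only interface in the MGMT routing table
interface GigabitEthernet1/0/48
 description MGMT - uplink to management network
 no switchport
 ip vrf forwarding MGMT
 ip address 10.200.0.10 255.255.255.0
!
! Default route for management traffic exists in the VRF only
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.200.0.1
!
! Only the management subnet may open sessions; vrf-also applies the ACL to sessions arriving in the VRF
ip access-list standard MGMT-HOSTS
 permit 10.200.0.0 0.0.0.255
 deny   any log
!
hostname dmz-sw1
ip domain-name example.internal
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh source-interface GigabitEthernet1/0/48
line vty 0 15
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
!
! TACACS+ (ISE on the internal side) reached through the management VRF
aaa new-model
aaa group server tacacs+ ISE
 server-private 10.200.0.5 key <shared-secret>
 ip vrf forwarding MGMT
 ip tacacs source-interface GigabitEthernet1/0/48
aaa authentication login default group ISE local
aaa authorization exec default group ISE local
aaa accounting exec default start-stop group ISE
!
! SNMPv3 (auth + priv) and syslog, both sourced from and delivered via the VRF
snmp-server view MGMT-VIEW iso included
snmp-server group MGMT-RO v3 priv read MGMT-VIEW access MGMT-HOSTS
snmp-server user netmon MGMT-RO v3 auth sha <auth-pass> priv aes 128 <priv-pass>
snmp-server trap-source GigabitEthernet1/0/48
snmp-server host 10.200.0.20 vrf MGMT version 3 priv netmon
logging source-interface GigabitEthernet1/0/48 vrf MGMT
logging host 10.200.0.21 vrf MGMT
ip tftp source-interface GigabitEthernet1/0/48
end
!
! Checks: the MGMT table should hold only 10.200.0.0/24 and its default route,
! and the global table must not know 10.200.0.0/24 at all
show ip vrf interfaces MGMT
show ip route vrf MGMT
show ip route | include 10.200.0
ping vrf MGMT 10.200.0.5
```

The VRF separates forwarding tables, not the control plane: a DMZ host that compromises the switch's CPU (via a service left open on a DMZ-facing SVI, for instance) still sits on the same box as the MGMT table. So keep `transport input ssh` and the `access-class` on the vty lines, and leave no management service listening on the DMZ-side interfaces, regardless of the VRF.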


Citation - This blog post does not reflect original content from the author. Rather, it summarizes content relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.
