Creation of management network for router access, iLO, .......

Posted on 2011-02-16
Last Modified: 2012-05-11
I would like to create a management network that I can use to manage network devices, iLO cards, and things of that sort.

I am looking to find the best way of going about this. For my Cisco gear, would making loopback interfaces be a good idea? If so do you have any advice on how to configure? (I am not sure how to restrict management access to only the loopback)

Or should I just use an SVI mapped to a VLAN that is not used on any access ports and use that for management?

Any ideas on how to separate this? Ultimately I only want a few IP addresses and a management VPN to be able to access this management network.
Question by:ryan80

Expert Comment

ID: 34911441
This is dependent on your environment. For your Cisco devices, as best practice you should create an access-list with your management stations (the ones that are allowed to access your Cisco devices) and configure an "access-class XX in" on your VTYs.

! <mgmt-station-ip> is a placeholder for the address of a permitted management station
access-list 1 permit host <mgmt-station-ip>
line vty 0 15
 access-class 1 in

You can use standard named ACLs as well:

ip access-list standard MANAGEMENT
 permit host <mgmt-station-ip>
line vty 0 15
 access-class MANAGEMENT in

That would be the first step for remote management through SSH/telnet; you should apply the same setup to your SNMP and any other service hosted by your router (e.g. HTTP) to lock them down.

Configuring a loopback interface is optimal for management if you are running a routing protocol where you can redistribute that IP address dynamically; if you are running an environment with static routes, using a loopback interface might be more work than it is worth.

For your iLOs and other devices you could create a VLAN dedicated to iLOs and secure them with a firewall or a VLAN interface with an access-group (referencing an access list that has all the stations that can access your iLOs). One thing to be careful about is the direction of your access-group on the interface, in or out: if it is configured on the interface that is the default gateway of the iLO VLAN it would be in the out direction.

! <mgmt-station-ip>, <ilo-subnet>/<wildcard-mask> and <svi-ip>/<netmask> are placeholders
ip access-list extended ilo-management
 permit ip host <mgmt-station-ip> <ilo-subnet> <wildcard-mask>
!
interface vlan 10
 ip address <svi-ip> <netmask>
 ip access-group ilo-management out

Something like this would work.

Author Comment

ID: 34911740
How do I block SSH access to all interfaces except the one designated as a management interface on a router? (not just allowing the IPs of the management stations)

Expert Comment

ID: 34912646
It won't be possible to access the service through any other interface, they will be coming from networks not allowed by the acl.


Author Comment

ID: 34912978
Where would the acl be placed to restrict access to the loopback?

Expert Comment

ID: 34917044
With the access-class applied to your VTYs, no IP address other than the ones allowed in your access-list can access the router, no matter what interface (in essence you can think of it as applying that ACL to all interfaces).

If you want to configure the router to limit SSH to a specific interface you can configure the router's control-plane; this config will give you the resources to limit access to router services as well as limiting the packets per second through service-policies. Its configuration can get fairly complex, but it is a good security strategy and one that is in Cisco's hardening blueprint to address DDoS on your network infrastructure.

Author Comment

ID: 34917255

Just to be clear, here is a scenario: if I have a router with 4 IP addresses on it, say one on a loopback, one on a WAN card, and 2 on subinterfaces connecting to a switch, I want to make it so that even when sitting at a management station, an SSH session will only be accepted by the IP address on the loopback interface. Would this be the control-plane, or can I use an extended ACL for the access-class?

And for the switches, I guess an SVI should be used for management, assigned to a VLAN that is not assigned to any access ports on the switch? Then block the routing to that VLAN with ACLs?

Accepted Solution

mikegatti earned 500 total points
ID: 34917925
I think we have to define the goal. Is the goal to limit who can SSH/telnet to the device, or is the goal to limit what packets can get to the router's management plane that will process the SSH/telnet session?

If the goal is to limit who can SSH to the device, the VTY configuration with access-class will address your needs; the nice thing here is that it applies to any inbound packet to the router through any interface. You can use the same configuration across all your Cisco devices, thus maintaining a nice and consistent standard config.

If you want to limit what packets get to the management plane through a specific interface you can use the control-plane configuration, or you can create access-lists and apply them to the interfaces with access-groups.
Here is one way of only allowing SSH or other protocols to a Loopback interface using the control-plane configuration:

control-plane host
 management-interface Loopback0 allow ssh telnet

There are pros and cons with this setup: in an environment with dynamic routing protocols you might lose your routing protocol but still have connectivity with your PTP interfaces, and using this setup will limit you to SSH from one router to the other to troubleshoot, since there is no route to/from the Loopback (the VTY access-class would have the same effect if your PTP interfaces were not permitted; in this case a good IP architecture would be helpful if you have a dedicated standard block of IP addresses for PTP interfaces and they are permitted in your access-list).

A great document to lock down cisco devices can be found at:

Cisco Guide to Harden Cisco IOS Devices

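Added example, not part of the original thread and not mikegatti's or ryan80's code: a small Python audit that checks an IOS configuration for the controls recommended across the two expert answers above (an access-class on every VTY line, SSH-only transport, an ACL on the SNMP community and no open HTTP server, an access-group on the iLO VLAN gateway SVI, and management-plane protection binding SSH to the loopback). Both configs embedded in it are constructed for this example; the hostname, ACL names, community string and addresses are placeholders, and the "weak" config deliberately shows the defaults the thread warns about (no access-class, telnet allowed, `public` community with no ACL, an access-class pointing at an ACL that was never defined).

```python
"""Audit a Cisco IOS config for the management-plane controls discussed in
this thread. The two configs below are constructed samples, not a real device."""

HARDENED_CONFIG = """\
hostname edge-rtr
!
ip access-list standard MANAGEMENT
 permit 10.255.0.0 0.0.0.255
ip access-list extended ILO-MGMT
 permit tcp 10.255.0.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 443
 deny   ip any any log
!
interface Loopback0
 ip address 10.254.0.1 255.255.255.255
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group ILO-MGMT out
!
no ip http server
no ip http secure-server
snmp-server community s3cr3tRO RO MANAGEMENT
!
control-plane host
 management-interface Loopback0 allow ssh
!
line vty 0 15
 access-class MANAGEMENT in
 transport input ssh
"""

# Typical out-of-the-box state: everything the thread says to fix.
WEAK_CONFIG = """\
hostname edge-rtr
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class 1 in
"""


def parse_blocks(config):
    """Split an IOS config into (header, [child lines]) pairs: a column-0 line
    is a header, indented lines belong to the header above, '!' lines are dropped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " " and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_management_plane(config):
    """Return a list of findings; an empty list means every control is present."""
    blocks = parse_blocks(config)
    headers = {h for h, _ in blocks}
    acls = {h.split()[3] for h in headers if h.startswith("ip access-list ")}
    acls |= {h.split()[1] for h in headers if h.startswith("access-list ")}
    findings = []
    for header, body in blocks:
        if header.startswith("line vty"):
            classes = [l for l in body if l.startswith("access-class ")]
            if not classes:
                findings.append(f"{header}: no access-class, any source may open a session")
            for line in classes:
                name, *rest = line.split()[1:]
                if name not in acls:
                    findings.append(f"{header}: access-class references undefined ACL {name}")
                if "in" not in rest:
                    findings.append(f"{header}: access-class must be applied 'in'")
            transport = [l for l in body if l.startswith("transport input")]
            if not transport or any("telnet" in t or t.endswith(" all") for t in transport):
                findings.append(f"{header}: telnet allowed (default or explicit); set 'transport input ssh'")
        elif header.startswith("interface "):
            for line in body:
                if line.startswith("ip access-group ") and line.split()[2] not in acls:
                    findings.append(f"{header}: ip access-group references undefined ACL {line.split()[2]}")
        elif header.startswith("snmp-server community "):
            parts = header.split()
            if parts[-1] in ("RO", "RW"):
                findings.append(f"SNMP community {parts[2]!r}: no ACL, pollable from any source")
            elif parts[-1] not in acls:
                findings.append(f"SNMP community {parts[2]!r}: undefined ACL {parts[-1]}")
    if "ip http server" in headers:
        findings.append("cleartext HTTP management server is enabled")
    if "ip http secure-server" in headers and not any(h.startswith("ip http access-class") for h in headers):
        findings.append("HTTPS server enabled without 'ip http access-class'")
    mpp = [body for h, body in blocks if h == "control-plane host"]
    if not mpp or not any(l.startswith("management-interface ") for l in mpp[0]):
        findings.append("no MPP: SSH answered on every interface address, not only the loopback")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        result = audit_management_plane(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```

Run it against `show running-config` output saved to a file to get the same report for a real device; the hardened sample yields no findings, the weak one yields seven. Note the direction on `Vlan10`: the ACL is applied `out` because, as mikegatti says, the SVI is the iLO VLAN's default gateway and traffic toward the iLOs leaves the router through it.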

Author Closing Comment

ID: 34919461
thanks, this was a great help
