ryan80

asked on

Creation of management network for router access, iLO, .......

I would like to create a management network that I can use to manage network devices, iLO cards, and things of the such.

I am looking to find the best way of going about this. For my Cisco gear, would making loopback interfaces be a good idea? If so do you have any advice on how to configure? (I am not sure how to restrict management access to only the loopback)

Or should I just use an SVI mapped to a VLAN that is not used on any access ports and use that for management?

Any ideas on how to separate this? Ultimately I only want a few IP addresses and a management VPN to be able to access this management network.
mikegatti

This is dependent on your environment. For your Cisco devices, as a best practice, you should create an access-list with your management stations (the ones that are allowed to access your Cisco devices) and configure an "access-class XX in" on your VTYs.

access-list 1 permit 10.0.0.1
line vty 0 15
 access-class 1 in

You can use standard named ACLs as well (the access-class must then reference the ACL by name):

ip access-list standard MANAGEMENT
 permit host 10.0.0.1
line vty 0 15
 access-class MANAGEMENT in

That would be the first step for remote management through SSH/Telnet; you should apply the same setup to your SNMP and any other service hosted by your router (e.g. HTTP) to lock them down.

Configuring a loopback interface is optimal for management if you are running a routing protocol where you can redistribute that IP address dynamically; if you are running an environment with static routes, using a loopback interface might be more work than it is worth.

For your iLOs and other devices, you could create a VLAN dedicated to iLOs and secure them with a firewall, or with a VLAN interface with an access-group (referencing an access list that has all the stations that can access your iLOs). One thing to be careful of is the direction of your access-group on the interface, in or out: if configured on the interface that is the default gateway of the iLO VLAN, it would be in the out direction.

ip access-list extended ilo-management
 permit ip host 10.0.0.1 10.1.1.0 0.0.0.255

interface vlan 10
 ip address 10.1.1.1 255.255.255.0
 ip access-group ilo-management out

something like this would work
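Pulling the pieces of the answer above together (VTY access-class, the same ACL on SNMP, HTTP locked down, loopback as the management address, and the out-direction ACL on the iLO SVI) as one IOS configuration. This is an added example, not mikegatti's or ryan80's config; the 10.0.0.0/24 management subnet, Loopback0 address, and SNMP community string are assumptions, and the 10.1.1.0/24 iLO VLAN 10 comes from the thread.

```cisco
! Added example, not from the original post. Assumptions: management stations in
! 10.0.0.0/24, Loopback0 10.255.0.1/32 is the router's management address, VLAN 10 /
! 10.1.1.0/24 is the iLO subnet (as in the thread), SNMP community is a placeholder.
!
! 1. One named standard ACL reused by every management-plane service
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! 2. Loopback holds the stable management address (advertise it in the IGP)
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! 3. VTYs: SSH only, source-filtered by the ACL; vrf-also keeps the filter
!    effective if a management VRF is added later
ip ssh version 2
login block-for 120 attempts 3 within 60
line vty 0 15
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
 exec-timeout 10 0
!
! 4. SNMP read-only community bound to the same ACL; traps and syslog sourced
!    from the loopback so the management stations see one consistent address
snmp-server community RO-COMMUNITY-PLACEHOLDER RO MGMT-HOSTS
snmp-server trap-source Loopback0
logging source-interface Loopback0
!
! 5. No web management on the router: disabling beats filtering
no ip http server
no ip http secure-server
!
! 6. iLO VLAN: only management stations reach the iLO web/SSH ports; applied OUT
!    on the SVI because the SVI is the iLOs' default gateway. The established/
!    udp lines let replies to iLO-initiated DNS/NTP/alert traffic back in.
!    Add the remote-console ports your iLO generation uses.
ip access-list extended ILO-MANAGEMENT
 permit tcp 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 443
 permit tcp 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 22
 permit icmp 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255 echo
 permit tcp any 10.1.1.0 0.0.0.255 established
 permit udp any eq domain 10.1.1.0 0.0.0.255
 permit udp any eq ntp 10.1.1.0 0.0.0.255
 deny   ip any any log
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip access-group ILO-MANAGEMENT out
 no ip proxy-arp
```

The `deny ... log` entries give you a syslog record of every rejected management attempt, which is the detection side of this setup; check `show access-lists` hit counters after a change to confirm the expected stations are matching the permit lines rather than the deny.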
 
ryan80 (ASKER)

How do I block SSH access to all interfaces except the one designated as a management interface on a router? (not just allowing the IPs of the management stations)
It won't be possible to access the service through any other interface; they will be coming from networks not allowed by the ACL.

ryan80 (ASKER)

Where would the acl be placed to restrict access to the loopback?
With the access-class applied to your VTYs, no IP address other than the ones allowed in your access-list can access the router, no matter what interface (in essence you can think of it as applying that ACL to all interfaces).

If you want to configure the router to limit SSH to a specific interface, you can configure the router's control plane. This config will give you the resources to limit access to router services as well as limiting the packets per second through service-policies. Its configuration can get fairly complex, but it is a good security strategy and one that is in Cisco's hardening blueprint to address DDoS on your network infrastructure.
ryan80 (ASKER)

Thanks,

Just to be clear, here is a scenario: if I have a router with 4 IP addresses on it, say one on a loopback, one on a WAN card, and 2 on subinterfaces connecting to a switch, I want to make it so that even when sitting at a management station, an SSH session will only be accepted by the IP address on the loopback interface. Would this be the control plane, or can I use an extended ACL for the access-class?

And for the switches, I guess that an SVI should be used for management, assigned to a VLAN that is not assigned to any access ports on the switch? Then block the routing to that VLAN with ACLs?
ASKER CERTIFIED SOLUTION
mikegatti

ryan80 (ASKER)

Thanks, this was a great help.