
How can I make a specific port a management port on a Cisco switch for auditing

Posted on 2013-10-25
Last Modified: 2013-12-03
Hi,

I was wondering if it is possible to create or indicate another port on a different VLAN to act as a management port and still keep the default management port on VLAN 1. I have created a 2nd VLAN to handle all network traffic and now I have a requirement to audit my switches. I wanted to install the CNA software onto one of my servers connected to VLAN 2, as well as GFI Events Manager, to be able to pull audit info from that specific port. Also, I have multiple switches connected in series and want to be able to pull their info as well, but I need to pull it from just the one switch. Setup is as follows:

VLAN1= Unclassified / Management
VLAN2= Classified
Port 23= server that would be used to pull auditing info from switches

I'm not sure if any of this is possible but would greatly appreciate any help.
Thank You
Question by:mritwonderful
Expert Comment

by:Craig Beck
Most newer Cisco Switches have a separate physical port which can be used for OOB management.

Accepted Solution

by:btan (earned 500 total points)
There are security risks associated with using any VLAN. VLAN 1, although it is the native VLAN on Cisco switches, is just like any other VLAN. Using VLAN 1 is actually "not" an issue; it is just like any other VLAN, other than that it is there right out of the box. If you are worried about security, moving VLANs is only going to help you a little.

This article is good reading on shifting traffic from VLAN 1 to another VLAN via bridging: http://technologyordie.com/moving-a-subnet-to-a-different-vlan

But I still think that if the Cisco device is hardened, the VLAN control can still be secure. Please see
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#vlanmaps

E.g. use of a VLAN map to prevent hosts contained within the same VLAN from communicating with each other, use of PACLs applied in the inbound direction on Layer 2 physical interfaces of a switch, etc.

Overall, I believe PVLANs may be worth considering, to create primary and secondary VLANs. Private VLANs (PVLANs) are a Layer 2 security feature that limits connectivity between workstations or servers within a VLAN. Without PVLANs, all devices on a Layer 2 VLAN can communicate freely.

There are three types of Private VLANs: isolated VLANs, community VLANs, and primary VLANs. The configuration of PVLANs makes use of primary and secondary VLANs. The primary VLAN contains all promiscuous ports, which are described later, and includes one or more secondary VLANs, which can be either isolated or community VLANs.

When implementing PVLANs, it is important to ensure that the Layer 3 configuration in place supports the restrictions that are imposed by PVLANs and does not allow for the PVLAN configuration to be subverted. Layer 3 filtering using a Router ACL or firewall can prevent the subversion of the PVLAN configuration.


Overall, the goal should be to isolate your higher security devices (management interfaces to infrastructure devices) on another segment (VLAN) away from your users and VLAN 1. As mentioned, using VLAN 1 as your native VLAN is not a large security risk. It is just the default VLAN out of the box. It is just that most of the time best practice dictates that you should use something else.


To minimise any risk whilst still "reusing" VLAN 1, after also considering the above-mentioned hardening guide and VLAN design, you can add in a few pointers if that does not further complicate your objective:

1. Move all your unused ports to an unused VLAN. When you make a vacant port live, you just need to move it back into VLAN 1 and away you go.

2. Shut down all vacant ports.

3. Stop ports that are not trunks from being able to trunk.
e.g. all ports by default are set up to be able to trunk. Any LAN intruder could plug a switch in and then get a trunk to all your VLAN traffic. If the ports are connected to network hosts, ensure you have them in access mode by using < switchport mode access >.

4. Make sure that all the devices on your network are on and then apply < sticky port mode security > with a MAC limit of 1 to the ports. This can be too restrictive, though.

5. Make sure your switches are located in locked cabinets in locked rooms if at all possible. Optional, if physical security is a concern, especially during the assessment period.
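Since the original question is about auditing the switches, one practical way to use the five-point checklist in the accepted solution is to run it against a saved copy of each switch's running-config rather than eyeballing it. The script below is an added example and is not part of the thread, of Cisco's tooling, or of the CNA or GFI products mentioned; it parses Cisco IOS `show running-config` text and flags, per physical port, live ports without `switchport mode access`, live ports without port-security limited to one sticky MAC, vacant (shut down) ports still parked in VLAN 1, and trunks that still negotiate DTP. The sample configuration, the hostname, the interface names and the parking VLAN number 999 are all constructed for the demonstration.

```python
"""Audit a Cisco IOS running-config against the Layer 2 hardening checklist:
host ports in access mode, port-security max 1 sticky, vacant ports shut
down and parked in an unused VLAN, trunks explicit and non-negotiating.
Added example; SAMPLE_CONFIG is constructed, not from a real switch."""
import re
from dataclasses import dataclass, field

PARKING_VLAN = 999  # assumed: the unused VLAN chosen for vacant ports

SAMPLE_CONFIG = """\
hostname SW1
!
interface GigabitEthernet1/0/1
 description Uplink to SW2
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description Audit server (CNA / GFI)
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/3
 description User workstation
 switchport access vlan 2
!
interface GigabitEthernet1/0/4
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/5
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
"""


@dataclass
class Interface:
    name: str
    lines: list[str] = field(default_factory=list)  # indented config lines, stripped

    def has(self, line: str) -> bool:
        return line in self.lines

    @property
    def access_vlan(self) -> int:
        for l in self.lines:
            m = re.fullmatch(r"switchport access vlan (\d+)", l)
            if m:
                return int(m.group(1))
        return 1  # IOS default access VLAN when none is configured


def parse_interfaces(config: str) -> list[Interface]:
    """Split running-config text into physical Ethernet interface blocks."""
    interfaces: list[Interface] = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None  # '!' or another top-level stanza ends the block
    return [i for i in interfaces if "Ethernet" in i.name]


def audit_interface(intf: Interface) -> list[str]:
    findings: list[str] = []
    if intf.has("switchport mode trunk"):
        if not intf.has("switchport nonegotiate"):
            findings.append("trunk still negotiates DTP; add 'switchport nonegotiate'")
        return findings
    if intf.has("shutdown"):
        if intf.access_vlan == 1:
            findings.append(f"vacant port left in VLAN 1; move it to VLAN {PARKING_VLAN}")
        return findings
    # Live, non-trunk port: must be a hardened access port.
    if not intf.has("switchport mode access"):
        findings.append("no 'switchport mode access'; port can negotiate a trunk via DTP")
    if not intf.has("switchport port-security"):
        findings.append("port-security not enabled")
    else:
        if not intf.has("switchport port-security maximum 1"):
            findings.append("port-security maximum is not 1")
        if not intf.has("switchport port-security mac-address sticky"):
            findings.append("port-security MAC learning is not sticky")
    if not any(l.startswith("description") for l in intf.lines):
        findings.append("undescribed live port; probably unused and should be shut down")
    return findings


def audit_config(config: str) -> dict[str, list[str]]:
    """Map each physical interface name to its list of findings (empty = OK)."""
    return {i.name: audit_interface(i) for i in parse_interfaces(config)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Feed it the output of `show running-config` captured from each switch in the chain (over SSH, or from the config backups the audit server already collects) and the findings map directly onto points 1 to 4 of the list; point 5, physical security, is not something a config audit can check. The checks are deliberately literal string matches on the stripped config lines, so a port configured with `switchport port-security maximum 1 vlan access` or a non-default variant would be reported and would need a human look rather than being silently accepted.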

Expert Comment

by:btan
Also not forgetting, you cannot rename or delete VLAN 1.
A switch can only create VLANs if it is in VTP server mode or VTP transparent mode.
You can assign the ports of a Layer 2 Catalyst switch to multiple VLANs, but the switch only supports one active management VLAN interface at a time.

Creating Ethernet VLANs on Catalyst Switches
http://www.cisco.com/en/US/tech/tk389/tk689/technologies_configuration_example09186a008009478e.shtml

How To Add, Modify, and Remove VLANs on a Catalyst Using SNMP
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c6035.shtml

Managing vlan.dat in Cisco Catalyst Switches Running Cisco IOS Software
http://www.cisco.com/en/US/products/hw/switches/ps5213/products_tech_note09186a0080a49dbf.shtml

Expert Comment

by:Craig Beck
"You can assign the ports of a Layer 2 Catalyst Switch to multiple VLANs, but the switch only supports one active management VLAN interface at a time"
True, you can only have one management SVI; however, if you use the OOB management port (if present) you can have one management address attached to an SVI as well as one management address configured on the dedicated management port...

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swint.html#wp2220949

Expert Comment

by:btan
Thanks... and an SVI will not be active until it is associated with a physical port.
There is always a one-to-one mapping between a VLAN and an SVI.
Meaning only one SVI can be mapped to a VLAN.