How can I make a specific port a management port on a Cisco switch for auditing

Posted on 2013-10-25
Medium Priority
Last Modified: 2013-12-03

I was wondering if it is possible to create or indicate another port on a different VLAN to act as a management port and still keep the default management port on VLAN 1. I have created a 2nd VLAN to handle all network traffic and now I have a requirement to audit my switches. I wanted to install the CNA software onto one of my servers connected to VLAN 2 as well as GFI Events Manager to be able to pull audit info from that specific port. Also, I have multiple switches connected in series and want to be able to pull their info as well but I need to pull it from just the one switch. Setup is as follows:

VLAN1= Unclassified / Management
VLAN2= Classified
Port 23= server that would be used to pull auditing info from switches

I'm not sure if any of this is possible but would greatly appreciate any help.
Thank You
Question by:mritwonderful
LVL 47

Expert Comment

by:Craig Beck
ID: 39602330
Most newer Cisco Switches have a separate physical port which can be used for OOB management.
LVL 65

Accepted Solution

btan earned 2000 total points
ID: 39602541
There are security risks associated with using any VLAN. VLAN1, although being the native VLAN on Cisco switches, is just like any other VLAN. Using VLAN1 is actually "not" an issue, it is just like any other VLAN - other than it is there right out of the box. If you are worried about security, moving VLANs is only going to help you a little.

This article has good reading that shift traffic from VLAN1 to another VLAN via bridging http://technologyordie.com/moving-a-subnet-to-a-different-vlan

But I still see that if the Cisco device is hardened, the VLAN control can still be secure. Please see:

E.g. Use of VLAN map to prevent hosts that are contained within the same VLAN from communicating with each other, Use of PACLs applied to the inbound direction on Layer 2 physical interfaces of a switch, etc.

Overall, I believe PVLAN may be for consideration to create the primary and secondary VLAN. Private VLANs (PVLANs) are a Layer 2 security feature that limits connectivity between workstations or servers within a VLAN. Without PVLANs all devices on a Layer 2 VLAN can communicate freely.

There are three types of Private VLANs: isolated VLANs, community VLANs, and primary VLANs. The configuration of PVLANs makes use of primary and secondary VLANs. The primary VLAN contains all promiscuous ports, which are described later, and includes one or more secondary VLANs, which can be either isolated or community VLANs.

When implementing PVLANs, it is important to ensure that the Layer 3 configuration in place supports the restrictions that are imposed by PVLANs and does not allow for the PVLAN configuration to be subverted. Layer 3 filtering using a Router ACL or firewall can prevent the subversion of the PVLAN configuration.

Overall the goal should be to isolate your higher security devices (management interfaces to infrastructure devices) to another segment (vlan) away from your users and VLAN 1. As mentioned, using VLAN 1 as your native VLAN is not a large security risk. It is just the default VLAN out of the box. Just that most of the time best practices dictate that you should use something else.

To minimise any risk whilst still "reusing" VLAN1, after also considering the a/m hardening guide and VLAN design, you can add in a few pointers if that does not further complicate your objective:

1. Move all your unused ports to an unused VLAN. When you make a vacant port live, you just need to move it back into VLAN1 and away you go.

2. Shut down all vacant ports.

3. Stop ports that are not trunks from being able to trunk.
e.g. All ports by default are set up to be able to trunk. Any LAN intruder could plug a switch in and then get a trunk to all your VLAN traffic. If the ports are connected to network hosts, ensure you have them in access mode by using < switchport mode access >.

4. Make sure that all the devices on your network are on and then apply < sticky port mode security > with a MAC limit of 1 to the ports. Can be too restrictive though.

5. Make sure your switches are located in locked cabinets in locked rooms if at all possible. Optional if physical security is of concern, especially during the assessment period.
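The port-hardening pointers and the VLAN map idea in the accepted solution, written out as a Cisco IOS configuration. This is an added example, not configuration from the thread or from btan; the interface numbers, the parking VLAN 999, and the 10.2.0.0/24 addressing (audit server 10.2.0.50, switch management addresses in 10.2.0.16/28, gateway 10.2.0.1) are assumptions, since the question only names VLAN 1, VLAN 2 and port 23.

```cisco
! Added example, not from the thread. Assumed: Catalyst 2960/3560-class IOS,
! audit server on FastEthernet0/23 at 10.2.0.50, switch management SVIs in
! 10.2.0.16/28, default gateway 10.2.0.1 (deliberately outside that /28).
!
! Pointers 1 and 2: park unused ports in a dead VLAN and shut them down
vlan 999
 name PARKING
!
interface range FastEthernet0/10 - 22
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! Pointers 3 and 4: the audit server port cannot negotiate a trunk and
! learns exactly one sticky MAC address
interface FastEthernet0/23
 description Audit server (CNA / GFI Events Manager)
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! VLAN map on VLAN 2: only the audit server may reach the switches'
! management addresses; all other traffic in the VLAN is left as it was.
ip access-list extended AUDIT-SERVER
 permit ip host 10.2.0.50 any
 permit ip any host 10.2.0.50
ip access-list extended TO-SWITCH-MGMT
 permit ip any 10.2.0.16 0.0.0.15
!
vlan access-map VLAN2-MGMT 10
 match ip address AUDIT-SERVER
 action forward
vlan access-map VLAN2-MGMT 20
 match ip address TO-SWITCH-MGMT
 action drop
vlan access-map VLAN2-MGMT 30
 action forward
!
vlan filter VLAN2-MGMT vlan-list 2
```

A VLAN map is applied to every frame bridged within VLAN 2, including the switches' own replies, which is why sequence 10 forwards traffic in both directions for the audit server before sequence 20 drops everything else aimed at the management range. Check the result with `show vlan access-map` and `show port-security interface FastEthernet0/23`, and save the configuration after the sticky MAC address has been learned, because the learned address only persists once it is written to startup-config.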
LVL 65

Expert Comment

ID: 39602550
Also not forgetting, you cannot rename or delete VLAN 1.
A switch can only create VLANs if it is in VTP server mode or VTP transparent mode.
You can assign the ports of a Layer 2 Catalyst Switch to multiple VLANs, but the switch only supports one active management VLAN interface at a time

Creating Ethernet VLANs on Catalyst Switches

How To Add, Modify, and Remove VLANs on a Catalyst Using SNMP

Managing vlan.dat in Cisco Catalyst Switches Running Cisco IOS Software
LVL 47

Expert Comment

by:Craig Beck
ID: 39602559
You can assign the ports of a Layer 2 Catalyst Switch to multiple VLANs, but the switch only supports one active management VLAN interface at a time
True, you can only have one management SVI, however if you use the OOB management port (if present) you can have one management address attached to a SVI as well as one management address configured on the dedicated management port...

LVL 65

Expert Comment

ID: 39602583
Thanks ... and an SVI will not be active until it is associated with a physical port.
There is always one-to-one mapping between a VLAN and a SVI.  
Meaning only one SVI can be mapped to a VLAN.
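The single-management-SVI point above, worked into a configuration that moves the management address from VLAN 1 to VLAN 2 and lets the auditing server on port 23 reach the switch. This is an added example, not configuration from the thread; the addresses, the VTY/SNMP/syslog restrictions and the community string are assumptions. The out-of-band management port Craig Beck mentions is not shown because its interface name depends on the platform.

```cisco
! Added example, not from the thread. Assumed addressing: VLAN 2 = 10.2.0.0/24,
! gateway 10.2.0.1, this switch's management SVI 10.2.0.20, audit server 10.2.0.50.
!
vlan 2
 name Classified
!
! A Layer 2 Catalyst keeps one active management SVI, so bring VLAN 2 up and
! shut the default SVI on VLAN 1 down (VLAN 1 itself cannot be deleted).
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description Management SVI, audited from 10.2.0.50
 ip address 10.2.0.20 255.255.255.0
 no shutdown
!
ip default-gateway 10.2.0.1
!
! Management-plane access only from the audit server; log other attempts
ip access-list standard MGMT-HOSTS
 permit host 10.2.0.50
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
!
! Read-only SNMP for the auditing tools, bound to the same ACL
! (AUDIT-RO is a placeholder community string)
snmp-server community AUDIT-RO RO MGMT-HOSTS
!
! Send the switch log to the event manager on the audit server, sourced
! from the management SVI so every switch reports with a consistent address
logging host 10.2.0.50
logging trap informational
logging source-interface Vlan2
service timestamps log datetime msec localtime show-timezone
```

Each of the switches connected in series gets the same pattern with its own address in the management range, so one collector on port 23 can poll and receive logs from all of them over the existing uplinks. `transport input ssh` only takes effect once the switch has a hostname, a domain name and an RSA key pair; verify with `show ip interface brief` that only Vlan2 is up with an address, and with `show logging` that the log host is set.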
