Solved

How can I make a specific port a management port on a Cisco switch for auditing

Posted on 2013-10-25
Last Modified: 2013-12-03
Hi,

I was wondering if it is possible to create or indicate another port on a different VLAN to act as a management port and still keep the default management port on VLAN 1. I have created a 2nd VLAN to handle all network traffic and now I have a requirement to audit my switches. I wanted to install the CNA software onto one of my servers connected to VLAN 2 as well as GFI Events Manager to be able to pull audit info from that specific port. Also, I have multiple switches connected in series and want to be able to pull their info as well, but I need to pull it from just the one switch. Setup is as follows:

VLAN1= Unclassified / Management
VLAN2= Classified
Port 23= server that would be used to pull auditing info from switches

I'm not sure if any of this is possible but would greatly appreciate any help.
Thank You
Question by:mritwonderful
5 Comments
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39602330
Most newer Cisco Switches have a separate physical port which can be used for OOB management.
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 39602541
There are security risks associated with using any VLAN. VLAN 1, although it is the native VLAN on Cisco switches, is just like any other VLAN. Using VLAN 1 is actually "not" an issue; it is just like any other VLAN, other than that it is there right out of the box. If you are worried about security, moving VLANs is only going to help you a little.

This article is good reading on shifting traffic from VLAN 1 to another VLAN via bridging: http://technologyordie.com/moving-a-subnet-to-a-different-vlan

But I still think that if the Cisco device is hardened, the VLAN control can still be secure. Please see
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#vlanmaps

E.g. use of VLAN maps to prevent hosts that are contained within the same VLAN from communicating with each other, use of PACLs applied in the inbound direction on Layer 2 physical interfaces of a switch, etc.

Overall, I believe PVLANs may be worth considering to create the primary and secondary VLANs. Private VLANs (PVLANs) are a Layer 2 security feature that limits connectivity between workstations or servers within a VLAN. Without PVLANs, all devices on a Layer 2 VLAN can communicate freely.

There are three types of Private VLANs: isolated VLANs, community VLANs, and primary VLANs. The configuration of PVLANs makes use of primary and secondary VLANs. The primary VLAN contains all promiscuous ports, which are described later, and includes one or more secondary VLANs, which can be either isolated or community VLANs.

When implementing PVLANs, it is important to ensure that the Layer 3 configuration in place supports the restrictions that are imposed by PVLANs and does not allow for the PVLAN configuration to be subverted. Layer 3 filtering using a Router ACL or firewall can prevent the subversion of the PVLAN configuration.


Overall the goal should be to isolate your higher security devices (management interfaces to infrastructure devices) to another segment (VLAN) away from your users and VLAN 1. As mentioned, using VLAN 1 as your native VLAN is not a large security risk. It is just the default VLAN out of the box. It is just that most of the time best practices dictate that you should use something else.


To minimise any risk whilst still "reusing" VLAN 1, after also considering the above-mentioned hardening guide and VLAN design, you can add in a few pointers if that does not further complicate your objective:

1. Move all your unused ports to an unused VLAN. When you make a vacant port live, you just need to move it back into VLAN 1 and away you go.

2. Shut down all vacant ports.

3. Stop ports that are not trunks from being able to trunk.
E.g. all ports by default are set up to be able to trunk. Any LAN intruder could plug a switch in and then get a trunk to all your VLAN traffic. If the ports are connected to network hosts, ensure you have them in access mode by using < switchport mode access >.

4. Make sure that all the devices on your network are on and then apply < sticky port mode security > with a MAC limit of 1 to the ports. Can be too restrictive though.

5. Make sure your switches are located in locked cabinets in locked rooms if at all possible. Optional if physical security is of concern, esp. during the assessment period.
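One way to check pointers 1 to 4 against a switch's saved running-config offline (an added example, not code from the answer or from Cisco; the config text is constructed, and the line matching assumes IOS-style interface stanzas):

```python
"""Audit a Cisco IOS running-config for the port-hardening pointers above (added example)."""
LIVE_VLANS = {1, 2}  # VLANs named in the question; any other VLAN counts as unused
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 shutdown
!
"""  # constructed sample, not taken from a real device

def parse_interfaces(config):
    """Return {interface name: [stanza lines, indentation stripped]}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or any other non-indented line closes the stanza
    return ifaces

def audit_interface(name, lines):
    """Return finding strings for one port; an empty list means it passes."""
    findings = []
    vlan = next((int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan ")), 1)
    if "shutdown" in lines:  # pointer 2 satisfied...
        if vlan in LIVE_VLANS:  # ...but pointer 1 also wants it parked in an unused VLAN
            findings.append(f"{name}: vacant port is still in live VLAN {vlan}")
        return findings
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), "dynamic")
    if mode == "trunk":
        return findings  # intended uplink; verify its allowed-VLAN list separately
    if mode != "access":  # pointer 3: a host port must not be able to negotiate a trunk
        findings.append(f"{name}: not 'switchport mode access' (mode is {mode})")
    required = ("switchport port-security", "switchport port-security maximum 1",
                "switchport port-security mac-address sticky")  # pointer 4
    findings += [f"{name}: missing '{cmd}'" for cmd in required if cmd not in lines]
    return findings

def audit_config(config):
    return {n: f for n, l in parse_interfaces(config).items() if (f := audit_interface(n, l))}
```

Run it over the output of `show running-config` from the one switch you pull audits from; ports with no findings are omitted from the report.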
 
LVL 62

Expert Comment

by:btan
ID: 39602550
Also not forgetting, you cannot rename or delete VLAN 1.
A switch can only create VLANs if it is in VTP server mode or VTP transparent mode.
You can assign the ports of a Layer 2 Catalyst Switch to multiple VLANs, but the switch only supports one active management VLAN interface at a time.

Creating Ethernet VLANs on Catalyst Switches
http://www.cisco.com/en/US/tech/tk389/tk689/technologies_configuration_example09186a008009478e.shtml

How To Add, Modify, and Remove VLANs on a Catalyst Using SNMP
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c6035.shtml

Managing vlan.dat in Cisco Catalyst Switches Running Cisco IOS Software
http://www.cisco.com/en/US/products/hw/switches/ps5213/products_tech_note09186a0080a49dbf.shtml
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39602559
You can assign the ports of a Layer 2 Catalyst Switch to multiple VLANs, but the switch only supports one active management VLAN interface at a time
True, you can only have one management SVI, however if you use the OOB management port (if present) you can have one management address attached to a SVI as well as one management address configured on the dedicated management port...

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swint.html#wp2220949
 
LVL 62

Expert Comment

by:btan
ID: 39602583
Thanks ... and an SVI will not be active until it is associated with a physical port.
There is always a one-to-one mapping between a VLAN and an SVI.
Meaning only one SVI can be mapped to a VLAN.
