Solved

Management Network Best Practice

Posted on 2015-02-22
4
216 Views
Last Modified: 2015-06-09
Experts,

I am trying to determine what the best practice is for my situation when it comes to management of my devices. I currently have 3 cisco switches, ASA Firewall and Cisco Router that I want to all manage from an independent dedicated server that I would VPN into. The server would have a private network interface and then its management interface. Only the ASA has a dedicated management port of the network devices.

From the dedicated server I was going to run to a small 8 port switch that would then go into a dedicated port on my devices. What I am curious of is how should I setup that port on the switches and router itself. Is the best / most secure way to just create a VLAN and IP on a single port on each switch? How would I then ensure that only SSH/SMNP and other management operations would only be allowed on that single port?

I just want to keep management as separate as I can from the data side.

I hope I gave enough detail and I appreciate any responses.
--Tom
0
Comment
Question by:TechFlyer86
4 Comments
 
LVL 10

Expert Comment

by:Rafael
ID: 40625095
I'm sure there will be many differences or opinions about it. In addition to the network management server, I would make sure that all you network devices are on a specfic management Vlan as well as the same ip range.

Your other traffic should be on separate Vlans as well.  You can configure your network
Devices to listen only on SSH via that port through your configurations.
So say a 10.x.x.x for management, 172.x.x.x for say your application traffic, 192.x.x.x for DB traffic.

HTH
-Rafael
0
 
LVL 1

Expert Comment

by:ExpBartEx
ID: 40629204
Another solutions would be making use of an out-of-band solution by means of a serial Terminal server. All Cisco devices have a console port (serial port) which can be connected to the Terminal server.
Using a seperate vlan for management is using inband management which means that management traffic is going over the same physical wire as other traffic. By using the serial consoles, you can physically seperate this management traffic. Of course, you need to disable telnet/ssh logins on your vty lines on your Cisco devices so that the only management access is via serial ports.

regards,
Bart
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 40663595
You can certainly create a separate vlan and vlan interface on each device then add one port into it.  The problem lies at the server, when the private vlan connects to the server you may get a route between NICs unless you specifically prevent it - but in doing so, when you remote the server using the LAN address you won't be able to connect to the private vlan NIC.

Best to create a separate management vlan for the entire network and use ACLs to prevent access to it except from that server.
0
 

Author Comment

by:TechFlyer86
ID: 40821304
Thanks for your responses.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Hello to you all, I hear of many people congratulate AWS (Amazon Web Services) on how easy it is to spin up and create new EC2 (Elastic Compute Cloud) instances, but then fail and struggle to connect to them using simple tools such as SSH (Secure…
Outsource Your Fax Infrastructure to the Cloud (And come out looking like an IT Hero!) Relative to the many demands on today’s IT teams, spending capital, time and resources to maintain physical fax servers and infrastructure is not a high priority.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now