Solved

Management Network Best Practice

Posted on 2015-02-22
4
234 Views
Last Modified: 2015-06-09
Experts,

I am trying to determine what the best practice is for my situation when it comes to management of my devices. I currently have 3 Cisco switches, an ASA firewall and a Cisco router that I want to manage from an independent dedicated server that I would VPN into. The server would have a private network interface and then its management interface. Of the network devices, only the ASA has a dedicated management port.

From the dedicated server I was going to run to a small 8 port switch that would then go into a dedicated port on my devices. What I am curious about is how I should set up that port on the switches and router itself. Is the best / most secure way to just create a VLAN and IP on a single port on each switch? How would I then ensure that SSH/SNMP and other management operations would only be allowed on that single port?

I just want to keep management as separate as I can from the data side.

I hope I gave enough detail and I appreciate any responses.
--Tom
0
Comment
Question by:TechFlyer86
4 Comments
 
LVL 10

Expert Comment

by:Rafael
ID: 40625095
I'm sure there will be many differences of opinion about it. In addition to the network management server, I would make sure that all your network devices are on a specific management VLAN as well as the same IP range.

Your other traffic should be on separate VLANs as well. You can configure your network devices to listen only on SSH via that port through your configurations.
So say 10.x.x.x for management, 172.x.x.x for your application traffic, 192.x.x.x for DB traffic.

HTH
-Rafael
0
 
LVL 1

Expert Comment

by:ExpBartEx
ID: 40629204
Another solution would be making use of an out-of-band solution by means of a serial terminal server. All Cisco devices have a console port (serial port) which can be connected to the terminal server.
Using a separate VLAN for management is in-band management, which means that management traffic is going over the same physical wire as other traffic. By using the serial consoles, you can physically separate this management traffic. Of course, you need to disable telnet/SSH logins on your vty lines on your Cisco devices so that the only management access is via serial ports.

regards,
Bart
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 40663595
You can certainly create a separate VLAN and VLAN interface on each device, then add one port into it. The problem lies at the server: when the private VLAN connects to the server you may get a route between NICs unless you specifically prevent it, but in doing so, when you remote into the server using the LAN address you won't be able to connect to the private VLAN NIC.

Best to create a separate management VLAN for the entire network and use ACLs to prevent access to it except from that server.
0
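An added example (not from any of the posters) of what the accepted answer looks like on one of the Catalyst switches: a dedicated management VLAN with an SVI, one access port wired to the small management switch, and an ACL that limits SSH and SNMP to the management server alone. VLAN 99, the 10.99.0.0/24 range, the server address 10.99.0.10, the SVI address, the port number, the domain name and the SNMPv3 credentials are all assumptions; substitute your own.

```cisco
! Constructed example. VLAN 99 / 10.99.0.0/24 is the management network
! and 10.99.0.10 is the dedicated management server; adjust as needed.
!
! Only the management server may open SSH or SNMP to this switch.
ip access-list standard MGMT-HOSTS
 permit host 10.99.0.10
 deny   any log
!
! Management VLAN and its SVI: the only IP address this switch answers on.
vlan 99
 name MGMT
interface Vlan99
 description Management SVI
 ip address 10.99.0.21 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
! The single physical port wired to the 8-port management switch.
interface GigabitEthernet0/24
 description Mgmt uplink to OOB switch
 switchport mode access
 switchport access vlan 99
 spanning-tree portfast
!
! SSHv2 only on the vty lines, and only from MGMT-HOSTS; no telnet.
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
!
! SNMPv3 authPriv bound to the same ACL; replace the placeholder secrets.
snmp-server group MGMT-V3 v3 priv access MGMT-HOSTS
snmp-server user nms MGMT-V3 v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER
!
! No web UI; it would otherwise listen on the SVI regardless of the ACL.
no ip http server
no ip http secure-server
```

Verify with `show ip access-lists MGMT-HOSTS` after an SSH attempt from a non-management host: the `deny any log` counter should increment and a log message should name the rejected source.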
 

Author Comment

by:TechFlyer86
ID: 40821304
Thanks for your responses.
0
