Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Management Network Best Practice

Posted on 2015-02-22
4
Medium Priority
?
262 Views
Last Modified: 2015-06-09
Experts,

I am trying to determine what the best practice is for my situation when it comes to management of my devices. I currently have 3 cisco switches, ASA Firewall and Cisco Router that I want to all manage from an independent dedicated server that I would VPN into. The server would have a private network interface and then its management interface. Only the ASA has a dedicated management port of the network devices.

From the dedicated server I was going to run to a small 8 port switch that would then go into a dedicated port on my devices. What I am curious of is how should I setup that port on the switches and router itself. Is the best / most secure way to just create a VLAN and IP on a single port on each switch? How would I then ensure that only SSH/SMNP and other management operations would only be allowed on that single port?

I just want to keep management as separate as I can from the data side.

I hope I gave enough detail and I appreciate any responses.
--Tom
0
Comment
Question by:TechFlyer86
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 10

Expert Comment

by:Rafael
ID: 40625095
I'm sure there will be many differences or opinions about it. In addition to the network management server, I would make sure that all you network devices are on a specfic management Vlan as well as the same ip range.

Your other traffic should be on separate Vlans as well.  You can configure your network
Devices to listen only on SSH via that port through your configurations.
So say a 10.x.x.x for management, 172.x.x.x for say your application traffic, 192.x.x.x for DB traffic.

HTH
-Rafael
0
 
LVL 1

Expert Comment

by:ExpBartEx
ID: 40629204
Another solutions would be making use of an out-of-band solution by means of a serial Terminal server. All Cisco devices have a console port (serial port) which can be connected to the Terminal server.
Using a seperate vlan for management is using inband management which means that management traffic is going over the same physical wire as other traffic. By using the serial consoles, you can physically seperate this management traffic. Of course, you need to disable telnet/ssh logins on your vty lines on your Cisco devices so that the only management access is via serial ports.

regards,
Bart
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 1500 total points
ID: 40663595
You can certainly create a separate vlan and vlan interface on each device then add one port into it.  The problem lies at the server, when the private vlan connects to the server you may get a route between NICs unless you specifically prevent it - but in doing so, when you remote the server using the LAN address you won't be able to connect to the private vlan NIC.

Best to create a separate management vlan for the entire network and use ACLs to prevent access to it except from that server.
0
 

Author Comment

by:TechFlyer86
ID: 40821304
Thanks for your responses.
0

Featured Post

WEBINAR - Latest Cyber Tips for Defense

Join the WatchGuard Threat Research Team on October 26th for an informative webinar featuring expert tips and tricks for defending your organization from today's latest cyber threats. Don't leave yourself vulnerable to attack. Register for the webinar today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
In this article, we’ll look at how to deploy ProxySQL.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question