Solved

Management Network Best Practice

Posted on 2015-02-22
4
229 Views
Last Modified: 2015-06-09
Experts,

I am trying to determine what the best practice is for my situation when it comes to management of my devices. I currently have 3 cisco switches, ASA Firewall and Cisco Router that I want to all manage from an independent dedicated server that I would VPN into. The server would have a private network interface and then its management interface. Only the ASA has a dedicated management port of the network devices.

From the dedicated server I was going to run to a small 8 port switch that would then go into a dedicated port on my devices. What I am curious of is how should I setup that port on the switches and router itself. Is the best / most secure way to just create a VLAN and IP on a single port on each switch? How would I then ensure that only SSH/SMNP and other management operations would only be allowed on that single port?

I just want to keep management as separate as I can from the data side.

I hope I gave enough detail and I appreciate any responses.
--Tom
0
Comment
Question by:TechFlyer86
4 Comments
 
LVL 10

Expert Comment

by:Rafael
ID: 40625095
I'm sure there will be many differences or opinions about it. In addition to the network management server, I would make sure that all you network devices are on a specfic management Vlan as well as the same ip range.

Your other traffic should be on separate Vlans as well.  You can configure your network
Devices to listen only on SSH via that port through your configurations.
So say a 10.x.x.x for management, 172.x.x.x for say your application traffic, 192.x.x.x for DB traffic.

HTH
-Rafael
0
 
LVL 1

Expert Comment

by:ExpBartEx
ID: 40629204
Another solutions would be making use of an out-of-band solution by means of a serial Terminal server. All Cisco devices have a console port (serial port) which can be connected to the Terminal server.
Using a seperate vlan for management is using inband management which means that management traffic is going over the same physical wire as other traffic. By using the serial consoles, you can physically seperate this management traffic. Of course, you need to disable telnet/ssh logins on your vty lines on your Cisco devices so that the only management access is via serial ports.

regards,
Bart
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 40663595
You can certainly create a separate vlan and vlan interface on each device then add one port into it.  The problem lies at the server, when the private vlan connects to the server you may get a route between NICs unless you specifically prevent it - but in doing so, when you remote the server using the LAN address you won't be able to connect to the private vlan NIC.

Best to create a separate management vlan for the entire network and use ACLs to prevent access to it except from that server.
0
 

Author Comment

by:TechFlyer86
ID: 40821304
Thanks for your responses.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Security is one of the biggest concerns when moving and migrating your data from your on-premise location to the Public Cloud.  Where is your data? Who can access it? Will it be safe from accidental deletion?  All of these questions and more are imp…
The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question