Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 266
  • Last Modified:

Management Network Best Practice

Experts,

I am trying to determine what the best practice is for my situation when it comes to management of my devices. I currently have 3 cisco switches, ASA Firewall and Cisco Router that I want to all manage from an independent dedicated server that I would VPN into. The server would have a private network interface and then its management interface. Only the ASA has a dedicated management port of the network devices.

From the dedicated server I was going to run to a small 8 port switch that would then go into a dedicated port on my devices. What I am curious of is how should I setup that port on the switches and router itself. Is the best / most secure way to just create a VLAN and IP on a single port on each switch? How would I then ensure that only SSH/SMNP and other management operations would only be allowed on that single port?

I just want to keep management as separate as I can from the data side.

I hope I gave enough detail and I appreciate any responses.
--Tom
0
TechFlyer86
Asked:
TechFlyer86
1 Solution
 
RafaelCommented:
I'm sure there will be many differences or opinions about it. In addition to the network management server, I would make sure that all you network devices are on a specfic management Vlan as well as the same ip range.

Your other traffic should be on separate Vlans as well.  You can configure your network
Devices to listen only on SSH via that port through your configurations.
So say a 10.x.x.x for management, 172.x.x.x for say your application traffic, 192.x.x.x for DB traffic.

HTH
-Rafael
0
 
ExpBartExCommented:
Another solutions would be making use of an out-of-band solution by means of a serial Terminal server. All Cisco devices have a console port (serial port) which can be connected to the Terminal server.
Using a seperate vlan for management is using inband management which means that management traffic is going over the same physical wire as other traffic. By using the serial consoles, you can physically seperate this management traffic. Of course, you need to disable telnet/ssh logins on your vty lines on your Cisco devices so that the only management access is via serial ports.

regards,
Bart
0
 
Netman66Commented:
You can certainly create a separate vlan and vlan interface on each device then add one port into it.  The problem lies at the server, when the private vlan connects to the server you may get a route between NICs unless you specifically prevent it - but in doing so, when you remote the server using the LAN address you won't be able to connect to the private vlan NIC.

Best to create a separate management vlan for the entire network and use ACLs to prevent access to it except from that server.
0
 
TechFlyer86Author Commented:
Thanks for your responses.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now