sunhux
asked on
protecting/filtering Management VLan using Cisco ACL
Due to legacy design, our Management VLAN (where the consoles of various servers, ESXi hosts and devices including the WAF and firewalls sit) is open to users to SSH/SSL into (though a password will be prompted).
There's an urgency to fix this: I heard this VLAN sits on either the core or distribution Layer 3 switches and not behind a firewall; migrating it to behind the firewall is going to take time, and we may not have enough free firewall ports/legs.
What's the fastest and safest way (i.e. without causing disruption when making the change) to get this VLAN filtered/protected (pending a firewall being purchased, which will take a while), as it's considered quite a risk?
I suggested putting ACLs on the distribution/core switch, but my network admin objected, saying the core switch's function is fast routing/switching and we should not put ACLs there as it will slow down the routing/switching. He further argued that such an ACL can be complex and could accidentally block dynamic routing protocols (EIGRP, OSPF etc.), causing disruption.
Our core and distribution switches sit in the same Nexus chassis.
ASKER
The netadmin lead's concern about creating an ACL is that it will cause service disruption, block dynamic routing protocols and cause slowness:
is this a valid concern?
Q1:
I've always thought an ACL is applied on an interface, so at most the Management VLAN is affected; am I not right?
Q2:
If it's a VLAN, can it not easily be ported over to, say, a distribution switch (as our access switches are Layer 2 switches, so IP ACLs are not possible)?
ASKER
>do you have a vlan / subnet that is allowed to do management work ?
Yes, our sysadmins and netadmins access the various ESXi hosts and WAF/network consoles from 2 subnets/VLANs only, so I suppose this should not be too complex an ACL.
ASKER
Doubts I have:
a) it's not a practice to create ACLs on the core switch to filter who (or which IP) can access the Management VLAN
b) the netadmin lead said it's not a practice to do so on the distribution switch either; he's not revealing whether our Management VLAN sits on the core or distribution switch, just saying it's not a practice on either core or distribution to create ACLs. In general practice, where does one place the Management VLAN? Is it the core, distribution or access switch?
Currently the Management VLAN is open on all ports to the entire corporate network, including our internal Wi-Fi, which I'm very concerned about.
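For reference, here is what the ACL the asker describes (two admin subnets allowed to manage the devices, everything else kept out of the Management VLAN) looks like as a Cisco NX-OS router ACL applied to the Management VLAN's SVI. This is an added example and is not from the thread or from any of the hidden solutions; the VLAN number, the management subnet 192.168.100.0/24 and the two admin subnets 10.10.10.0/24 and 10.10.20.0/24 are placeholders. It assumes the platform supports egress router ACLs on VLAN interfaces (Nexus 7000 does; on a platform that does not, the same ACL can instead be applied `in` on each user-facing SVI). Because the ACL is bound to one SVI in the `out` direction, it only touches traffic routed into that VLAN; routing adjacencies on other interfaces, and packets the switch itself originates, are not evaluated by it, which answers the concern about accidentally blocking EIGRP/OSPF. Nexus platforms evaluate router ACLs in hardware (TCAM), so the ACL does not take the forwarding path off the ASIC.

```cisco
! Added example (not from the thread). Subnets and VLAN number are placeholders.
! Goal: only the two admin subnets may reach consoles in the Management VLAN.
ip access-list MGMT-VLAN-INBOUND
  statistics per-entry
  10 remark Admin subnet A (placeholder) -> management consoles over SSH and HTTPS
  20 permit tcp 10.10.10.0/24 192.168.100.0/24 eq 22
  30 permit tcp 10.10.10.0/24 192.168.100.0/24 eq 443
  40 remark Admin subnet B (placeholder) -> management consoles over SSH and HTTPS
  50 permit tcp 10.10.20.0/24 192.168.100.0/24 eq 22
  60 permit tcp 10.10.20.0/24 192.168.100.0/24 eq 443
  70 remark Replies to sessions the management hosts themselves initiated (NTP, syslog, vCenter, updates)
  80 permit tcp any 192.168.100.0/24 established
  90 permit udp any eq 123 192.168.100.0/24
  100 permit udp any eq 53 192.168.100.0/24
  110 remark Keep ICMP so reachability troubleshooting still works
  120 permit icmp any 192.168.100.0/24
  130 remark Everything else from user VLANs / Wi-Fi is dropped and logged
  140 deny ip any 192.168.100.0/24 log
!
interface Vlan100
  description Management VLAN SVI (placeholder VLAN id)
  ip address 192.168.100.1/24
  ! "out" = packets routed from other VLANs into the Management VLAN
  ip access-group MGMT-VLAN-INBOUND out
```

A low-disruption rollout is to first bind the list with line 140 written as `permit ip any 192.168.100.0/24 log`, watch `show ip access-lists MGMT-VLAN-INBOUND` (the per-entry counters) and the ACL log for a few days to catch any legitimate flow the admin subnets do not cover, add permits for those, and only then change line 140 to `deny`. If management hosts need to initiate UDP sessions that the `established` keyword cannot cover, they must be permitted explicitly as lines 90 and 100 do for NTP and DNS replies.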