Just wondering how other people deal with this
Say on a switch I have two routed interfaces back to the core layer.
each of these would have an IP address, so there is no reason (with out ACL's in place) that you could not connect to the switch for managment on these interfaces.
I assume most people dont want this and only want one interface on the swich that you can carry out managment (loopback interface or specified SVI)
What methods to people use to limit what interface on a switch can recive managment traffic. Or do people jsut leave the routed intrefaces open and just limit what various subnets can talk to eachother?
each of these would have an IP address, so there is no reason (with out ACL's in place) that you could not connect to the switch for managment on these interfaces.
I assume most people dont want this and only want one interface on the swich that you can carry out managment (loopback interface or specified SVI)
What methods to people use to limit what interface on a switch can recive managment traffic. Or do people jsut leave the routed intrefaces open and just limit what various subnets can talk to eachother?
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com
Comments
-
broc Member Posts: 167What you need is physical security! Nobody should have easy physical access to your distribution or core switch (or your access switch for that matter...).
No matter what kind of security you put on the switch, you can always reset it if you have physical access."Not everything that counts can be counted, and not everything that can be counted counts.” -
DevilWAH Member Posts: 2,997 ■■■■■■■■□□What you need is physical security! Nobody should have easy physical access to your distribution or core switch (or your access switch for that matter...).
No matter what kind of security you put on the switch, you can always reset it if you have physical access.
Well yer we have locked coms room with card swipe access. but I am talking network access not physical. We have 24/7 CCTV and 24hour man security on site. So Physical security is a given here.- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com -
broc Member Posts: 167Sorry, I thought you were talking about being able to disconnect the port physically.
In this case, you want to have a look at MPP:
Management Plane Protection - Cisco Systems"Not everything that counts can be counted, and not everything that can be counted counts.” -
Forsaken_GA Member Posts: 4,024Say on a switch I have two routed interfaces back to the core layer.
each of these would have an IP address, so there is no reason (with out ACL's in place) that you could not connect to the switch for managment on these interfaces.
I assume most people dont want this and only want one interface on the swich that you can carry out managment (loopback interface or specified SVI)
What methods to people use to limit what interface on a switch can recive managment traffic. Or do people jsut leave the routed intrefaces open and just limit what various subnets can talk to eachother?
All of our equipment is only accessible from 2 very particular servers, and these servers are only accessible from the NOC network, or the NOC VPN. Absolutely positively no remote access from public IP space.
Since our core routers are at a remote facility, they do have out of band management in the form of a separate pots line with a modem attached to it. -
DevilWAH Member Posts: 2,997 ■■■■■■■■□□sounds exactly what I want, but do you know if this works on CISCO switchs (3750's), it seems it only works on version 12.4 IOS for routers.
Cheers- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com -
DevilWAH Member Posts: 2,997 ■■■■■■■■□□Forsaken_GA wrote: »All of our equipment is only accessible from 2 very particular servers, and these servers are only accessible from the NOC network, or the NOC VPN. Absolutely positively no remote access from public IP space.
Since our core routers are at a remote facility, they do have out of band management in the form of a separate pots line with a modem attached to it.
Yes but to do this you must have set up managment access. becasue by default on a router interface you have set to be the DFGW for a subnet, you can manager the router from that ipaddress.
So i see it there are two aproches
you either set up an ACL on ever routed interface to block managment traffic from every subnet/devices apart from the ones you want.
Or you only allow managment traffic one set interfaces (using the managment plane control feature) and then only allow the wanted devices to route to them.
the way i see it that if you use the managment plane settings you dont have to worry about someone bringing up an new interface and forgetting to protect it. As this would be the default.
So how do you insure that only your servers can talk to your devices?- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com -
broc Member Posts: 167sounds exactly what I want, but do you know if this works on CISCO switchs (3750's), it seems it only works on version 12.4 IOS for routers.
Cheers
I believe it does, I seems to remember setting it up on a 3560 before... But I'm not 100% sure. Give it a try and let us know"Not everything that counts can be counted, and not everything that can be counted counts.” -
Forsaken_GA Member Posts: 4,024Yes but to do this you must have set up managment access. becasue by default on a router interface you have set to be the DFGW for a subnet, you can manager the router from that ipaddress.
So i see it there are two aproches
you either set up an ACL on ever routed interface to block managment traffic from every subnet/devices apart from the ones you want.
Or you only allow managment traffic one set interfaces (using the managment plane control feature) and then only allow the wanted devices to route to them.
the way i see it that if you use the managment plane settings you dont have to worry about someone bringing up an new interface and forgetting to protect it. As this would be the default.
So how do you insure that only your servers can talk to your devices?
Oh, we don't care what interface it comes in over. The only management protocols allowed are ssh and snmp, and both are restricted by access list, with other protections in place to prevent spoofing. -
Nuul Member Posts: 158I assume most people dont want this and only want one interface on the swich that you can carry out managment (loopback interface or specified SVI)
That's the way I set mine up, I only use the SVI. I keep all my switches in VLAN1 (management by default so why fight it). That way I know all my switch IPs are in the 10.0.0.x /24 range. The FWSM in the 6513 (the collapsed core) keeps everyone out of that VLAN except those in the secured users VLAN; that VLAN primarily consists of my department plus some people I trust in the infrastructure group. What's the reason for wanting two management interfaces if you don't mind me asking? -
DevilWAH Member Posts: 2,997 ■■■■■■■■□□Forsaken_GA wrote: »Oh, we don't care what interface it comes in over. The only management protocols allowed are ssh and snmp, and both are restricted by access list, with other protections in place to prevent spoofing.
So you have an ACL on the VTY lines that just says allow managment from X,Y,Z
deny any thing else?- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com -
networker050184 Mod Posts: 11,962 ModSo you have an ACL on the VTY lines that just says allow managment from X,Y,Z
deny any thing else?
Thats how we do it. I don't see why it would matter what IP on the device they connect to as long as they are trusted.An expert is a man who has made all the mistakes which can be made. -
Cyanic Member Posts: 289Forsaken_GA wrote: »Oh, we don't care what interface it comes in over. The only management protocols allowed are ssh and snmp, and both are restricted by access list
Ditto, we just control them from certain IPs or subnets. We mostly use SVIs so that if one core area goes down the same interface can be reached via the other backup core. -
DevilWAH Member Posts: 2,997 ■■■■■■■■□□Cheers guys,
Thats how I do it currently as well, just wondering if there were other better methods.
So in fact for logical purposes there is no reson to have a managment interface configured, other then to make it easy to keep track of managment IP's.
I am comming at this from a switching point of view where the default config is normaly to set up a SVI interface for managment. I supose with routers this is not done so much and you would just used an ip from an interface or a loopback address.
Aaron- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com -
networker050184 Mod Posts: 11,962 ModCheers guys,
Thats how I do it currently as well, just wondering if there were other better methods.
So in fact for logical purposes there is no reson to have a managment interface configured, other then to make it easy to keep track of managment IP's.
I am comming at this from a switching point of view where the default config is normaly to set up a SVI interface for managment. I supose with routers this is not done so much and you would just used an ip from an interface or a loopback address.
Aaron
The loopback interface on the router would serve the same purpose as the SVI. Its always a good idea to have a management interface that never goes down for things like SNMP, NTP etc. You wouldn't want to poll a device on an interface IP that might change or flap.An expert is a man who has made all the mistakes which can be made.