Just wondering how other people deal with this

DevilWAH

Say on a switch I have two routed interfaces back to the core layer.

each of these would have an IP address, so there is no reason (with out ACL's in place) that you could not connect to the switch for managment on these interfaces.

I assume most people dont want this and only want one interface on the swich that you can carry out managment (loopback interface or specified SVI)

What methods to people use to limit what interface on a switch can recive managment traffic. Or do people jsut leave the routed intrefaces open and just limit what various subnets can talk to eachother?

broc

What you need is physical security! Nobody should have easy physical access to your distribution or core switch (or your access switch for that matter...).

No matter what kind of security you put on the switch, you can always reset it if you have physical access.

DevilWAH

broc wrote: »

What you need is physical security! Nobody should have easy physical access to your distribution or core switch (or your access switch for that matter...).

No matter what kind of security you put on the switch, you can always reset it if you have physical access.

Well yer we have locked coms room with card swipe access. but I am talking network access not physical. We have 24/7 CCTV and 24hour man security on site. So Physical security is a given here.

broc

Sorry, I thought you were talking about being able to disconnect the port physically.

In this case, you want to have a look at MPP:

Management Plane Protection - Cisco Systems

Forsaken_GA

DevilWAH wrote: »

Say on a switch I have two routed interfaces back to the core layer.

each of these would have an IP address, so there is no reason (with out ACL's in place) that you could not connect to the switch for managment on these interfaces.

I assume most people dont want this and only want one interface on the swich that you can carry out managment (loopback interface or specified SVI)

What methods to people use to limit what interface on a switch can recive managment traffic. Or do people jsut leave the routed intrefaces open and just limit what various subnets can talk to eachother?

All of our equipment is only accessible from 2 very particular servers, and these servers are only accessible from the NOC network, or the NOC VPN. Absolutely positively no remote access from public IP space.

Since our core routers are at a remote facility, they do have out of band management in the form of a separate pots line with a modem attached to it.

DevilWAH

sounds exactly what I want, but do you know if this works on CISCO switchs (3750's), it seems it only works on version 12.4 IOS for routers.

Cheers

DevilWAH

Forsaken_GA wrote: »

All of our equipment is only accessible from 2 very particular servers, and these servers are only accessible from the NOC network, or the NOC VPN. Absolutely positively no remote access from public IP space.

Since our core routers are at a remote facility, they do have out of band management in the form of a separate pots line with a modem attached to it.

Yes but to do this you must have set up managment access. becasue by default on a router interface you have set to be the DFGW for a subnet, you can manager the router from that ipaddress.

So i see it there are two aproches

you either set up an ACL on ever routed interface to block managment traffic from every subnet/devices apart from the ones you want.

Or you only allow managment traffic one set interfaces (using the managment plane control feature) and then only allow the wanted devices to route to them.

the way i see it that if you use the managment plane settings you dont have to worry about someone bringing up an new interface and forgetting to protect it. As this would be the default.

So how do you insure that only your servers can talk to your devices?

broc

DevilWAH wrote: »

sounds exactly what I want, but do you know if this works on CISCO switchs (3750's), it seems it only works on version 12.4 IOS for routers.

Cheers

I believe it does, I seems to remember setting it up on a 3560 before... But I'm not 100% sure. Give it a try and let us know

Forsaken_GA

DevilWAH wrote: »

Yes but to do this you must have set up managment access. becasue by default on a router interface you have set to be the DFGW for a subnet, you can manager the router from that ipaddress.

So i see it there are two aproches

you either set up an ACL on ever routed interface to block managment traffic from every subnet/devices apart from the ones you want.

Or you only allow managment traffic one set interfaces (using the managment plane control feature) and then only allow the wanted devices to route to them.

the way i see it that if you use the managment plane settings you dont have to worry about someone bringing up an new interface and forgetting to protect it. As this would be the default.

So how do you insure that only your servers can talk to your devices?

Oh, we don't care what interface it comes in over. The only management protocols allowed are ssh and snmp, and both are restricted by access list, with other protections in place to prevent spoofing.

Nuul

DevilWAH wrote: »

I assume most people dont want this and only want one interface on the swich that you can carry out managment (loopback interface or specified SVI)

That's the way I set mine up, I only use the SVI. I keep all my switches in VLAN1 (management by default so why fight it). That way I know all my switch IPs are in the 10.0.0.x /24 range. The FWSM in the 6513 (the collapsed core) keeps everyone out of that VLAN except those in the secured users VLAN; that VLAN primarily consists of my department plus some people I trust in the infrastructure group. What's the reason for wanting two management interfaces if you don't mind me asking?

DevilWAH

Forsaken_GA wrote: »

Oh, we don't care what interface it comes in over. The only management protocols allowed are ssh and snmp, and both are restricted by access list, with other protections in place to prevent spoofing.

So you have an ACL on the VTY lines that just says allow managment from X,Y,Z

deny any thing else?

networker050184

DevilWAH wrote: »

So you have an ACL on the VTY lines that just says allow managment from X,Y,Z

deny any thing else?

Thats how we do it. I don't see why it would matter what IP on the device they connect to as long as they are trusted.

Cyanic

Forsaken_GA wrote: »

Oh, we don't care what interface it comes in over. The only management protocols allowed are ssh and snmp, and both are restricted by access list

Ditto, we just control them from certain IPs or subnets. We mostly use SVIs so that if one core area goes down the same interface can be reached via the other backup core.

DevilWAH

Cheers guys,

Thats how I do it currently as well, just wondering if there were other better methods.

So in fact for logical purposes there is no reson to have a managment interface configured, other then to make it easy to keep track of managment IP's.

I am comming at this from a switching point of view where the default config is normaly to set up a SVI interface for managment. I supose with routers this is not done so much and you would just used an ip from an interface or a loopback address.

Aaron

networker050184

DevilWAH wrote: »

Cheers guys,

Thats how I do it currently as well, just wondering if there were other better methods.

So in fact for logical purposes there is no reson to have a managment interface configured, other then to make it easy to keep track of managment IP's.

I am comming at this from a switching point of view where the default config is normaly to set up a SVI interface for managment. I supose with routers this is not done so much and you would just used an ip from an interface or a loopback address.

Aaron

The loopback interface on the router would serve the same purpose as the SVI. Its always a good idea to have a management interface that never goes down for things like SNMP, NTP etc. You wouldn't want to poll a device on an interface IP that might change or flap.