Design Question: should I use MGMT port or better not?

Question, updated 2 weeks ago
Hi all,
We have many switches (EOS and EXOS) and I would like to know if my design is OK or how to make it better.

We have switches in our DMZ, but most of them are in our LAN behind the Internet and DMZ firewalls.
All switches will be managed through a single, separate management VLAN (in-band; I didn't use the MGMT port).

Now I have realized that some servers will be accessible directly via the Internet (without any firewall in front; don't ask why). My idea is to use an X440G2, leave all ports in the default VLAN (without an IP interface configured) for the connection to the servers, and use the MGMT port of the switch for management.

I would connect the MGMT port of the X440G2 directly to the internal management VLAN via a copper cable, but I'm unsure whether this is the best and most secure solution.

The other option I know is to create a separate management VLAN on the X440G2. But then I have to tag the insecure traffic from the servers (VLAN 1) and the management traffic (VLAN 2) on the same port and try to separate them in the firewall.
Additionally, I have to add policies/ACLs on the X440G2 to protect the management traffic from the server traffic.

I've found some discussions here saying that I may get into trouble with the MAC address of the switch (because the MAC address of the switch is the same on the MGMT port), or some people said "don't use the MGMT port" (the reasons given were different from those in my question).

Because I'm new to Extreme switches, I would like to ask people with more experience. Any suggestions are welcome.

Thanks for your time.
ar

Posted 2 weeks ago

Rob Mitchell
Hi ar,

For the EXOS switches in a DMZ, personally I'd suggest not having an accessible switch IP on the DMZ-facing data-plane side of things. Keep management of this switch only via the separated management port using SSH and SNMPv3, disabling Telnet and web browsing; that port can be plugged into a completely separate (internal) iLO-type switch (not VLAN 1) so this traffic does not touch the DMZ production traffic whatsoever. That way you'll have eyes and ears on the switch without risking the switch itself.

Different issue with the EOS switches though: obviously they've not got a management port. Whilst you may have firewall rules in place, locked down for, say, SSH and SNMPv3 with no Telnet or web browsing to this switch's management, longer term I'd look to swap them out for the purple EXOS switches to keep management and DMZ production separate and to avoid punching holes in your firewall for switch access.

Hope this helps?

Thanks

Rob
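As an added illustration (not part of the thread, and not Extreme's own documentation), here is the EXOS CLI configuration that implements the design Rob describes for the X440G2: the Mgmt port carries the switch's only IP interface, isolated in its own virtual router (VR-Mgmt), the data-plane VLAN facing the exposed servers gets no IP interface, and Telnet, HTTP/HTTPS and SNMPv1/v2c are disabled in favour of SSH2 and SNMPv3. The addresses, VLAN name, port list, SNMPv3 user, group and passwords are placeholders; the `#` lines are comments as accepted in EXOS script files, and the exact syntax of the SNMPv3 group/access lines and of `disable web https` should be checked against the EXOS release in use.

```text
# Added example: EXOS out-of-band management via the Mgmt port.
# Placeholders: 10.10.10.20/24 (switch Mgmt IP), 10.10.10.1 (Mgmt gateway),
#               "servers" VLAN, ports 1-24, user netops, both passwords.

# 1. Management port: the only IP interface on the switch, confined to VR-Mgmt.
#    Front-panel ports can never reach this interface because they live in VR-Default.
configure vlan Mgmt ipaddress 10.10.10.20/24
configure iproute add default 10.10.10.1 vr VR-Mgmt

# 2. Data-plane VLAN for the Internet-exposed servers: ports only, no IP address.
#    Deliberately no "configure vlan servers ipaddress ..." line.
create vlan "servers"
configure vlan "servers" add ports 1-24 untagged

# 3. Management-plane hardening: close clear-text and web access, keep SSH2 + SNMPv3.
disable telnet
disable web http
disable web https
enable ssh2
disable snmp access snmpv1v2c
enable snmp access snmpv3

# 4. SNMPv3 user with authentication and privacy (authPriv), bound to a read/write group.
#    Verify group/access syntax for your EXOS version.
configure snmpv3 add user netops authentication sha Auth-Pass-Placeholder privacy aes Priv-Pass-Placeholder
configure snmpv3 add group netops-group user netops sec-model usm
configure snmpv3 add access netops-group sec-model usm sec-level priv read-view defaultAdminView write-view defaultAdminView

# 5. Verify: "show vlan" must list an IP address on Mgmt only, and
#    "show management" should report telnet and web disabled, ssh enabled.
show vlan
show management
```

The key property to confirm after applying this is that `show vlan` reports an IP address on the Mgmt VLAN only; any IP interface that appears on a VLAN in VR-Default re-creates exactly the exposure this design is meant to avoid.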
ar
Hi Rob,
great help - thanks a lot.
Axel