
I am looking at setting up a Management vlan, on which I will put all the Management interfaces for my various networkable devices (Firewall Mgmt Interfaces, Server RAC, WAP Mgmt Interfaces, etc).

What are best practices when it comes to accessing that mgmt vlan--For example, as the IT administrator, my workstation is only on the Business network--But if I need to access the firewall through the mgmt interface, should I have a 2nd nic that I use exclusively for the mgmt network? Or should I write ACLs that allow only certain IPs (my workstation) to access the mgmt network?

Does this make any kind of sense?

Thanks for your time--

-Josh

Josh Brower

3 Answers


Don't permission your desktop; instead, have a bastion host (preferably a physical server rather than a VM) which is permitted to access the management VLAN, and ensure that only IT staff have credentials to log in to the machine. This is more scalable than restricting access to your workstation, for two reasons:

1) If you (and your workstation) need to move to another floor/building, there are no implications to network management.

2) A single administrative control point; if/when you hire other administrators, all you need to do is give them access to the bastion host, rather than permission their machines on every network device they need to manage.

Murali Suriar
  • Since we use RADIUS, we would not need to give them permission to every network device they would need to manage... – Josh Brower Oct 06 '10 at 00:19
  • Does your RADIUS server check the originating IP of the requested management connection? The typical use for bastion hosts is to have a small set of ACLs (on the devices or on a firewall between "normal" and "management" network) to limit who can manage. Couple that with a single (or a limited) number of hosts where you manage accounts and you've decreased your management burden. – Vatine Oct 06 '10 at 08:34
  • Josh: do you not have ACLs restricting the source IP from which people can SSH to network devices? (VTY access lists on Cisco, for example?) – Murali Suriar Oct 06 '10 at 11:43
  • @Vatine: no, our RADIUS server does not check the originating IPs... Yet.... @ Murali: no, not yet.... – Josh Brower Oct 07 '10 at 11:52

We do it by ACL. The network team is all on a vlan and that vlan can access the mgmt network. This may not work depending on the size of your organization. If there are only 1 or 2 members needing access, doing it by individual IP should work fine.

I tend to avoid multi-homing a machine, just because it feels dirty.

MDMarra
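A constructed Cisco IOS fragment, added here and not taken from any answer in this thread, that puts the two approaches above together: a bastion host that is the only source allowed onto the VTY lines (the first answer and Murali's VTY access-list comment) and an inter-VLAN ACL that lets the business network reach nothing on the management VLAN except that bastion (the ACL answer). All addresses and VLAN numbers are assumptions: management VLAN 100 is 10.100.0.0/24 with the bastion at 10.100.0.10, business VLAN 10 is 10.1.0.0/24.

```cisco
! Constructed example; all addresses and VLAN numbers are placeholders.
! Management VLAN 100 = 10.100.0.0/24, bastion host = 10.100.0.10,
! business VLAN 10 = 10.1.0.0/24. RADIUS handles login, as in the thread.
!
! --- Weak: any source can open a session to the VTY lines, Telnet included.
line vty 0 4
 transport input telnet ssh
 login authentication default
!
! --- Restricted: only the bastion host can reach the VTY lines, SSH only.
aaa new-model
aaa authentication login default group radius local
!
ip access-list standard MGMT-VTY
 permit host 10.100.0.10
 deny   any log
!
line vty 0 4
 access-class MGMT-VTY in
 transport input ssh
 exec-timeout 10 0
 login authentication default
!
! --- Inter-VLAN filter applied where business traffic enters the router:
! business hosts may SSH to the bastion only; every other business-to-
! management packet is dropped and logged; unrelated traffic passes.
ip access-list extended BUSINESS-IN
 permit tcp 10.1.0.0 0.0.0.255 host 10.100.0.10 eq 22
 deny   ip 10.1.0.0 0.0.0.255 10.100.0.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 description Business VLAN
 ip address 10.1.0.1 255.255.255.0
 ip access-group BUSINESS-IN in
!
interface Vlan100
 description Management VLAN
 ip address 10.100.0.1 255.255.255.0
```

The match counters from `show access-lists` and the syslog lines from the two `deny ... log` entries are the quick check that the restriction is actually being hit rather than silently bypassed.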

I'd recommend a VPN gateway or terminal server into the management gateway. A physical connection would be OK too if there was some way to guarantee that you wouldn't accidentally stomp on another IP. I wouldn't put a DHCP server on that network either, unless absolutely required by some silly device.

JakeRobinson