[c-nsp] separation of management traffic on L3 switch
Robert Blayzor
rblayzor at inoc.net
Wed Jan 25 08:28:01 EST 2006
Rutger Bevaart wrote:
> What I figured would be plausible scenarios:
>
> 1. Use egress ACLs on all customer VLANs.
> 2. Use PBR to prevent routing to the Management subnet.
> 3. Use VRFs to separate into two zones.
>
> What would need to be done anyway is protect the 3550 snmp and vty with
> ACLs.
>
> Anybody have any insights they can share?
The snmp-server can be protected by wrapping it with an ACL, i.e.:
snmp-server community private RW 10
Where 10 is your ACL.
On the same note you can wrap the vty's with an access-list also.
line vty 0 4
access-class 1 in
As for preventing route leaking, I'd use VRF to separate your routing
instances.
Again, all the above assumes you have an IOS image that supports those
features! ;-)
--
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: 0x66F90BFC @ http://pgp.mit.edu
Key fingerprint = 6296 F715 038B 44C1 2720 292A 8580 500E 66F9 0BFC
Calculating in binary code is as easy as 01,10,11.
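Putting the three suggestions above together, here is an added IOS configuration example (not from the original post or either poster). It assumes a management subnet of 10.0.0.0/24 with the NMS at 10.0.0.10 and admin hosts in 10.0.0.0/27, and it places the customer VLAN in a VRF named CUST while the management interface stays in the global routing table, so customer traffic has no route to the management plane and SNMP/vty keep working unchanged.

```cisco
! Added example; all addresses and names are assumed, not from the thread.
!
! ACL 10: only the NMS host may use the SNMP community (log other attempts)
access-list 10 permit 10.0.0.10
access-list 10 deny any log
!
! ACL 1: only admin hosts may open a vty session (log other attempts)
access-list 1 permit 10.0.0.0 0.0.0.31
access-list 1 deny any log
!
! Wrap the SNMP community with ACL 10
snmp-server community private RW 10
!
! Wrap the vtys with ACL 1 and allow SSH only
line vty 0 4
 access-class 1 in
 transport input ssh
!
! Customer routing lives in its own VRF; the management SVI stays global,
! so no route exists from customer VLANs to 10.0.0.0/24
ip vrf CUST
 rd 65000:100
!
interface Vlan10
 description management (global routing table)
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan100
 description customer VLAN (isolated in VRF CUST)
 ip vrf forwarding CUST
 ip address 192.0.2.1 255.255.255.0
```

Verify the isolation with `show ip route vrf CUST` (no 10.0.0.0/24 entry) and watch for `access-list` log hits, which indicate attempts against the management plane.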