Sup, r/networking?
So, I've been involved in a project which has the setup as illustrated here: https://i.imgur.com/WPpXWsO.png
Basically a Catalyst 3850 is gonna be the L3 boundary for the internal network (including the management network, as in all default gateways are on this switch) and the pair of PAs acts as the Internet gateway, doing NAT and security stuff. SVIs for VLAN 100 (TRANSIT), 101 and 102 (DATA) and 420 (MGMT) are created on the 3850.
Now all data networks are working fine, there's a transit VLAN used between the firewall and the 3850 (as the 3850 cannot have sub-interfaces, I've reconfigured the existing link between them as a trunk, shown in the diagram) and all servers in VLAN 101 and 102 can manage to get to the outside.
The question is: The core switch is currently being managed using any possible IP on it. Now I want to restrict the management of the core switch only to the IP address that I assigned on the OOB management port (not SVI 420). Problem is, that port belongs to a separate, factory-created VRF which cannot be assigned to other interfaces. I've come up with this setup so that there's a path to the OOB management port and I personally think that since this is an L3 port, it shouldn't create an L2 loop.
However, is this ever a good design in a production environment? What's your opinion on this?
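One way to enforce the "manage only via the OOB port" requirement on the 3850 itself, as an added example that is not the poster's configuration: a standard ACL bound to the vty lines with the `vrf-also` keyword, so that only sessions sourced from the OOB management subnet are accepted and sessions arriving via the factory `Mgmt-vrf` are not rejected outright. Assumptions (not from the post): the OOB port is `GigabitEthernet0/0` in `Mgmt-vrf`, the OOB management subnet is the RFC 5737 documentation range `192.0.2.0/24` used as a placeholder, and SSH is the only management protocol wanted.

```cisco
! Added example (not the poster's config). Assumptions:
! - OOB port GigabitEthernet0/0 sits in the factory VRF Mgmt-vrf (3850 default)
! - OOB management subnet 192.0.2.0/24 is a placeholder (RFC 5737 documentation range)
!
! Only the OOB management subnet may open management sessions
ip access-list standard MGMT-ONLY
 remark Sources on the OOB management subnet only; everything else is logged and dropped
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
ip ssh version 2
!
! Bind the vty lines to the ACL. vrf-also is required: without it,
! sessions arriving on an interface that belongs to a VRF (the OOB
! port in Mgmt-vrf) are refused regardless of the ACL.
line vty 0 4
 access-class MGMT-ONLY in vrf-also
 transport input ssh
 exec-timeout 10 0
line vty 5 15
 access-class MGMT-ONLY in vrf-also
 transport input ssh
 exec-timeout 10 0
!
! Turn off the web management surfaces that would otherwise answer on every SVI
no ip http server
no ip http secure-server
!
! If SNMP polling is needed, bind it to the same source restriction
! (<ro-community> is a placeholder for the site's own read-only community)
snmp-server community <ro-community> RO MGMT-ONLY
```

The caveat a practitioner should keep in mind: `access-class` filters on the source address of the session, not on which of the switch's addresses was targeted. It only achieves "management via the OOB IP only" if the management subnet is reachable from the switch solely through `Mgmt-vrf`, i.e. it is not also routed via SVI 420 or the transit VLAN; otherwise a host on that subnet could still land on an SVI address and pass the ACL. The `deny any log` entry gives a syslog record of attempts from the data or transit VLANs, which is the signal to watch after the change.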