Hey all - I've done a bunch of Googling and reading on this and I'm trying to wrap my head around management and VRFs. I understand what a VRF is - basically an isolated routing table. That said, I'm a bit confused regarding the management interface and management VRF, or basically curious about best-practices.
Let's go with the following setup:
Vlan 1 - Default
Vlan 2 - Mgmt
This switch is also acting as my inter-vlan router. As things sit, both vlans have vlan interfaces enabled and both in the default VRF, so given the proper gateway or routes, any computer on vlan 1 can interact with everything on vlan 2, and vice-versa. This is great for admin computers on vlan 1 to access management ports on vlan 2, but bad for security unless every management port has ACLs enabled.
If I put vlan 2 into the MGMT vrf, that disables all routing between vlan 1 and 2. Once that's done, what's the best method for providing access to a management vlan without a route? Dual-home the admin stations with Tagging? (Won't work for VPN though, but I could use jumpboxes for that).
Thanks!
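As an added example (not part of the original post), a small Python model of the two setups described above. It assumes constructed addresses 10.1.0.0/24 for VLAN 1 and 10.2.0.0/24 for VLAN 2, and a hypothetical `Switch` class whose route lookup is scoped to one VRF, which is what makes the inter-VLAN route disappear once the VLAN 2 SVI is moved into the MGMT VRF.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Switch:
    """Hypothetical model: one routing table per VRF, and each SVI belongs to exactly one VRF."""
    tables: dict = field(default_factory=dict)   # vrf name -> list of (network, next-hop text)
    svi_vrf: dict = field(default_factory=dict)  # svi name -> vrf name

    def add_svi(self, name, cidr, vrf):
        # An SVI installs its connected route only into the table of the VRF it sits in.
        iface = ipaddress.ip_interface(cidr)
        self.svi_vrf[name] = vrf
        self.tables.setdefault(vrf, []).append((iface.network, f"connected {name}"))

    def lookup(self, vrf, dst):
        """Longest-prefix match restricted to a single VRF's table; None means no route."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, hop in self.tables.get(vrf, []):
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None

    def can_route(self, ingress_svi, dst):
        # Traffic arriving on an SVI is looked up in that SVI's VRF only, never in other VRFs.
        return self.lookup(self.svi_vrf[ingress_svi], dst) is not None


def build(vlan2_in_mgmt_vrf):
    # Constructed addressing: vlan1 = admin workstations, vlan2 = management ports.
    sw = Switch()
    sw.add_svi("vlan1", "10.1.0.1/24", "default")
    sw.add_svi("vlan2", "10.2.0.1/24", "MGMT" if vlan2_in_mgmt_vrf else "default")
    return sw


if __name__ == "__main__":
    for flag in (False, True):
        sw = build(flag)
        label = "vlan2 in MGMT VRF" if flag else "both SVIs in default VRF"
        print(f"{label}: vlan1 host reaches 10.2.0.50 -> {sw.can_route('vlan1', '10.2.0.50')}")
```

Run as-is it prints True for the shared-VRF case and False once VLAN 2 is in MGMT, matching the routing loss described in the post; a jumpbox with an interface in each VRF would be modelled as a host, not as a route.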