Hi everyone,
I'll start with our simplified network diagram of our environment before diving into our problem:
Network Diagram
Goal
We're trying to setup an in-band management network to allow us to manage network devices while making an attempt to add a layer of security. Currently (and a bit embarrassingly), any workstation can connect to the management IP of any network device. Our switches are Cisco C2960XRs and they have an ethernet management port. We tried running cables from each switch's eth-management port to a "master" switch, put all network ports under a separate VLAN but that caused us headaches. So after a bit of googling, we opted instead to setup an ether-SVI assigned to the management VLAN on each switch. We then want to control access using ACLs on the firewall.
Problem
However, our core switch, has ip routing enabled. So whenever a workstation attempts to connect to a secondary switch (or any network device), the core switch (SW-1) does not route the packet to the firewall but instead, it routes the packet through the trunk (to SW-2). This is because the ether-SVI is showing up in the show ip route table on SW-1. It makes sense.
But we are trying to avoid adding ACLs to the switch. Our preference (for ease of management) is to have the ACLs consolidated on the firewall.
If I ping from Computer, the packet will hop to SW-1 and then to SW-2. We'd like for it to hop from Computer, to SW-1 to the Firewall, back to *SW-1 and then towards SW-2.
Unfortunately, I believe (with 90% confidence) that our switches do not support VRF (virtual router forwarding.. or something like that). I fear our options are limited besides some restructuring but I was hoping anyone here would have some suggestions or maybe see something that we're doing wrong.
Any help is appreciated. Thanks for your time guys & gals.
No comments:
Post a Comment