Thursday, March 15, 2018

Controlling management access to the core switches through the edge firewall.

So we have a typical collapsed core setup; the core is an HA pair of 10G switches. All the routing is done on the core switches.

I'd like to control access to the management network through the edge firewall, mostly because it's less tedious and time-consuming than creating or adjusting ACLs on the core switches. However, since the core switches have IP addresses in the management network, traffic destined for that network gets processed by the switches before hitting the firewall. Since routing is turned off on that VLAN, the traffic goes nowhere (the switch mgmt IP addresses are still pingable, though).

So, what is the best solution here? Do I adjust the metrics so the route to the management network is more desirable than the directly attached route on the core switches (if this is even possible; I can't find a way on these Extreme switches)? Or is this going to require policy-based routing? Or do I just suck it up and write the ACLs? Am I overlooking a simpler solution? Thanks in advance!
