Community
Switches, Hubs, and Modems
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Multiple routes between 5406 and FW

 
SOLVED
Go to solution
adurotec_1
adurotec_1
Advisor

‎01-21-2010 12:59 PM

‎01-21-2010 12:59 PM

Multiple routes between 5406 and FW

After I got my configuration going I realized that from a security standpoint I would prefer that when I vpn into my network the path I take isn't over the VLAN that "live" traffic is taking between the switch and the FW.

What is the best approach to configure a separate path between the FW and my LAN just for mgmt traffic and how is it configured on the 5406 end?

My thought was to use another interface on the FW, create a new security zone, assign a /29 network, create the VLAN on the 5406 and select a port to terminate to from the FW.

What is alluding me is how I create a route for this new VLAN on the 5406 so that when traffic crosses it, it has access to a mgmt vlan that all hosts have an interface in, without it being a route to the Internet.

Thanks,
David
0 Kudos
Reply
3 REPLIES
Pieter 't Hart
Pieter 't Hart
Honored Contributor

‎01-22-2010 12:26 AM

‎01-22-2010 12:26 AM

Re: Multiple routes between 5406 and FW

when you configure a vlan as "management only", even a routing switch should not route this to other interfaces.
You need a device directly connected on this vlan to access devices with addresses on this vlan.

You can create a vpn-tunnel that terminates in this vlan with an interface on your FW.
0 Kudos
Reply
adurotec_1
adurotec_1
Advisor

‎01-22-2010 05:36 AM

‎01-22-2010 05:36 AM

Re: Multiple routes between 5406 and FW

Thank you for the info.

Would selecting an available physical interface on my FW, connecting it to a port on the switch that is assigned to the mgmt vlan and assigning an IP in the subnet of this vlan to the FW interface do the trick? Then, when I VPN in to the FW I could grant access to only this network from the VPN tunnel instead of the vlan that has access to every network and is the default route to the Internet from the LAN.

How would I prevent this mgmt only vlan from being routed by the switch once it is created? It looks like the switch creates a route the minute I give the vlan an IP address.

David
0 Kudos
Reply
Pieter 't Hart
Pieter 't Hart
Honored Contributor

‎01-22-2010 06:34 AM

‎01-22-2010 06:34 AM

Solution

Re: Multiple routes between 5406 and FW

that should work

from access and security guide :
Secure Management VLAN
This feature creates an isolated network for managing the ProCurve switches
that offer this feature. When a secure management VLAN is enabled, CLI, Menu
interface, and Web browser interface access is restricted to ports configured
as members of the VLAN. For more information, refer to the chapter titled
â Static Virtual LANs (VLANs)â in the Advanced Traffic Management Guide.


from advanced traffic management guide
If you configure a Secure Management VLAN, access to the VLAN and to the
switchâ s management functions (Menu, CLI, and web browser interface) is
available only through ports configured as members.
configuration command is :
management-vlan
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.