Multiple routes between 5406 and FW
01-21-2010 12:59 PM
After I got my configuration going I realized that from a security standpoint I would prefer that when I vpn into my network the path I take isn't over the VLAN that "live" traffic is taking between the switch and the FW.
What is the best approach to configure a separate path between the FW and my LAN just for mgmt traffic and how is it configured on the 5406 end?
My thought was to use another interface on the FW, create a new security zone, assign a /29 network, create the VLAN on the 5406 and select a port to terminate to from the FW.
What is eluding me is how I create a route for this new VLAN on the 5406 so that when traffic crosses it, it has access to a mgmt vlan that all hosts have an interface in, without it being a route to the Internet.
Thanks,
David
01-22-2010 12:26 AM
Re: Multiple routes between 5406 and FW
When you configure a vlan as "management only", even a routing switch should not route this to other interfaces.
You need a device directly connected on this vlan to access devices with addresses on this vlan.
You can create a vpn-tunnel that terminates in this vlan with an interface on your FW.
01-22-2010 05:36 AM
Re: Multiple routes between 5406 and FW
Thank you for the info.
Would selecting an available physical interface on my FW, connecting it to a port on the switch that is assigned to the mgmt vlan and assigning an IP in the subnet of this vlan to the FW interface do the trick? Then, when I VPN in to the FW I could grant access to only this network from the VPN tunnel instead of the vlan that has access to every network and is the default route to the Internet from the LAN.
How would I prevent this mgmt only vlan from being routed by the switch once it is created? It looks like the switch creates a route the minute I give the vlan an IP address.
David
01-22-2010 06:34 AM
Solution
That should work.
From the Access and Security Guide:
Secure Management VLAN
This feature creates an isolated network for managing the ProCurve switches
that offer this feature. When a secure management VLAN is enabled, CLI, Menu
interface, and Web browser interface access is restricted to ports configured
as members of the VLAN. For more information, refer to the chapter titled
“Static Virtual LANs (VLANs)” in the Advanced Traffic Management Guide.
From the Advanced Traffic Management Guide:
If you configure a Secure Management VLAN, access to the VLAN and to the
switch’s management functions (Menu, CLI, and web browser interface) is
available only through ports configured as members.
The configuration command is:
management-vlan
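As an added example (not from the thread or from HP's guides): the quoted guide text says management access is limited to ports that are members of the Secure Management VLAN, so this Python check reads a saved running-config and lists member ports that are not on an expected allow-list. The config text, VLAN ID 99, port names and the allow-list are constructed, and the parser assumes the `vlan N ... exit` layout and a numeric `management-vlan` ID.

```python
import re

# Constructed sample laid out like a ProCurve running-config (not from the thread).
SAMPLE_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A20,B1-B24
   exit
vlan 99
   name "MGMT"
   untagged A24
   tagged A23
   ip address 192.0.2.1 255.255.255.248
   exit
management-vlan 99
"""

def expand_ports(spec):
    """Expand a port list such as 'A1-A3,B5' into ['A1', 'A2', 'A3', 'B5']."""
    ports = []
    for item in spec.split(","):
        m = re.fullmatch(r"([A-Za-z]*)(\d+)-([A-Za-z]*)(\d+)", item)
        if m and m[1] == m[3]:
            ports += [f"{m[1]}{n}" for n in range(int(m[2]), int(m[4]) + 1)]
        else:
            ports.append(item)  # single port or trunk name
    return ports

def parse_vlans(config):
    """Return ({vlan_id: set of member ports}, management VLAN id or None)."""
    vlans, current, mgmt = {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            current = int(m.group(1))
            vlans.setdefault(current, set())
        elif line == "exit":
            current = None
        elif current is not None and (m := re.fullmatch(r"(?:un)?tagged (\S+)", line)):
            vlans[current].update(expand_ports(m.group(1)))
        elif m := re.fullmatch(r"management-vlan (\d+)", line):  # numeric id only
            mgmt = int(m.group(1))
    return vlans, mgmt

def audit_management_vlan(config, allowed_ports):
    """Report management VLAN members that are not on the allow-list."""
    vlans, mgmt = parse_vlans(config)
    members = vlans.get(mgmt, set())
    return {"management_vlan": mgmt, "members": sorted(members),
            "unexpected": sorted(members - set(allowed_ports))}
```

With the firewall-facing port `A24` as the only allowed member, the sample reports `A23` as unexpected; a `management_vlan` of `None` means no `management-vlan` statement was found.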