HPE Community
Switching and Routing
1829717 Members
1971 Online
109992 Solutions
New Discussion

Re: Outside Switch Management from Inside

 
ABZ78
Advisor

‎10-03-2020 02:30 PM - edited ‎10-03-2020 03:38 PM

‎10-03-2020 02:30 PM - edited ‎10-03-2020 03:38 PM

Outside Switch Management from Inside

Take for example an HP 5406zl used as a layer 2 switch that sits between the ISP router and a Firewall cluster that uses HA active passive.  The ISP router comes into the HP switch with the public IP and goes through the switch using mac address and reaches the firewall where it is NAT to the inside network. 

OUTSIDE network: IP: 92.x.x.0/26,  Default gateway. 92.x.x.1/26, Firewall outside interface IP: 92.x.x.20/26

INSIDE network: 10.0.0.0/8

  1. How do you manage the HP 5406zl switch from the inside network?
  2. Any best practice for securing the switch?

I'd add a network diagram, but the option is greyed out. 

0 Kudos
6 REPLIES 6
parnassus
Honored Contributor

‎10-04-2020 11:07 AM

‎10-04-2020 11:07 AM

Re: Outside Switch Management from Inside

Shouldn't be the upside-down scenario? ISP<->Firewall<->L2/L3 Switch instead?

You could manage the switch through OoBM Management Port on MM(s) (in your topology its position renders it totally unuseful).


I'm not an HPE Employee
Kudos and Accepted Solution banner
ABZ78
Advisor

‎10-04-2020 11:53 AM - edited ‎10-04-2020 11:55 AM

‎10-04-2020 11:53 AM - edited ‎10-04-2020 11:55 AM

Re: Outside Switch Management from Inside

You would go ISP ---> Firewall if using a single firewall.  However you can't go from a router to our firewall becasue it is acive / passive. Meaning the primary and failover firewall have the same IP on the outside interface.   So it would look like this:

ISP--->L2---->Firewall---->L2----L3

0 Kudos
parnassus
Honored Contributor

‎10-04-2020 12:13 PM

‎10-04-2020 12:13 PM

Re: Outside Switch Management from Inside

Exactly...when you have a clustered frontend firewall solution you generally need one or more L2 switch between Firewall Nodes and ISPs' Routers...BUT using an HP 5400zl Switch series for THAT purpose is a total waste...and that explain WHY I wrote that, generally, the chain is: ISP Router <-> Firewall <-> L2/L3 Switch (that is the simplest case) or ISPs Router(s) <-> Dumb L2 Switch(es) <-> Firewall Clustered nodes (A/A or A/S) <-> L2/L3 Switch (more complex case).

I'm not an HPE Employee
Kudos and Accepted Solution banner
0 Kudos
ABZ78
Advisor

‎10-04-2020 12:57 PM

‎10-04-2020 12:57 PM

Re: Outside Switch Management from Inside

I agree, we would use a smaller switch, however it happens to be the smallest switch we have that supports the required bandwidth.

We are using a 5406zl because we need to have 10GB connection to the ISP.

Our smaller swtiches do not have this capability as they only support a 1GB connections. 

We have extra 5400's to spare.  

0 Kudos
parnassus
Honored Contributor

‎10-05-2020 07:09 AM

‎10-05-2020 07:09 AM

Re: Outside Switch Management from Inside

I don't know your exact requirments about 10Gbps links to your ISP Router(s) but an HPE OfficeConnect 1950 12XGT 4SFP+ Switch (JH295A) - see the QuickSpecs about the Switch Series here - provides twelve 10GBASE-T interfaces plus four SFP+ Slots...it is just 1 HE and with a comparatively low power consumption (Max 75W).


I'm not an HPE Employee
Kudos and Accepted Solution banner
ABZ78
Advisor

‎10-06-2020 06:54 AM

‎10-06-2020 06:54 AM

Re: Outside Switch Management from Inside

Thanks for the switch informaiton.  That is definatley way better. Ok so back to the question:

  1. How do you manage the HP  switch from the inside network?
    1. Obviously the management port with and ip of the inside network. But can I used snmp and a assign a logging server to that management port?  Meaning how do I still use HPE IMC to manage the switch from the inside?
  2. Any best practice for securing the switch?  The default vlan will not have an ip address since this is a layer 2 swtich. So should I bother locking out telnet server and adding ssh crypto key or disable https access, etc?
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.