Securing Management NICs


Allan74

Member
May 15, 2019
Other than authentication, of course, are simple MAC-address-based static IPv4 reservations and VLAN tags enough to keep my management interfaces out of sight and out of mind on a common subnet/scope with all my internal traffic, i.e. safe?
I am in the process of opening things up a bit to the outside world (family) and just want to ensure that curious grandkids are kept at bay.

This is simply my home setup, so the plan is to NOT manage my switches and have OPNsense take care of everything for ease of management.

I could have my Netgear MS510TX (my agro/tor), but I purchased it for its mixed bag of connection speeds and pseudo management, not Netgear's 1990 web admin console. The only thing I want to use of its features is to trunk a couple of the ports to feed another managed switch (old Dell, which isn't any better looking management-wise).

So, nothing matches, no easy central management... for everyone else, there's Ubiquiti... LOL

If I am looking at this all wrong, please let me know. Suggestions are not only welcome, but appreciated.

Thanks.
Allan
 

Rand__

Well-Known Member
Mar 6, 2014
VLANs are as safe as your firewall rules and firmware can make things ;)

You might want to lock down the allowed mgmt IPs (by FW rule) for the subnet and assign that statically to your own box or a VM on your box, but otherwise it should be fine if the FW cannot be accessed.
Changing default passwords everywhere (FW) goes without saying o/c :)

O/c that will not provide 100% safety. As soon as you have physical access to ports or boxes there are ways to circumvent things.
 
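The lockdown Rand__ describes (management VLAN reachable only from one statically assigned admin host, everything else blocked) can be checked before trusting it. The following is an added example, not code from the thread or from OPNsense: a small first-match rule simulator over a constructed policy, with all VLAN numbers, subnets and the admin IP being assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MGMT_PORTS = {22, 80, 443}  # SSH plus the switches' web consoles (assumed)


@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # source CIDR
    dst: str               # destination CIDR
    ports: set[int] | None  # None means any destination port


def evaluate(rules: list[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; nothing matching means default deny."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (src in ip_network(r.src) and dst in ip_network(r.dst)
                and (r.ports is None or port in r.ports)):
            return r.action
    return "block"


def audit(rules: list[Rule], mgmt_net: str, admin_ip: str, probes) -> list:
    """Return (src, dst, port) triples where a non-admin host reaches management."""
    leaks = []
    for src_ip, dst_ip in probes:
        if ip_address(dst_ip) not in ip_network(mgmt_net) or src_ip == admin_ip:
            continue
        for port in sorted(MGMT_PORTS):
            if evaluate(rules, src_ip, dst_ip, port) == "pass":
                leaks.append((src_ip, dst_ip, port))
    return leaks


# Constructed sample policy: VLAN 10 (192.168.10.0/24) is management,
# VLAN 20 (192.168.20.0/24) is the family LAN, admin box has a static reservation.
MGMT_NET = "192.168.10.0/24"
ADMIN_IP = "192.168.20.10"
WEAK_RULES = [Rule("pass", "192.168.20.0/24", MGMT_NET, None)]   # whole LAN may reach mgmt
FIXED_RULES = [
    Rule("pass", ADMIN_IP + "/32", MGMT_NET, MGMT_PORTS),          # only the admin host
    Rule("block", "0.0.0.0/0", MGMT_NET, None),                     # everyone else
]
PROBES = [("192.168.20.10", "192.168.10.2"),   # admin box -> switch
          ("192.168.20.55", "192.168.10.2")]   # a grandkid's laptop -> switch

if __name__ == "__main__":
    print("weak policy leaks:", audit(WEAK_RULES, MGMT_NET, ADMIN_IP, PROBES))
    print("fixed policy leaks:", audit(FIXED_RULES, MGMT_NET, ADMIN_IP, PROBES))
```

Extend PROBES with every host on the family VLAN (or the whole /24) to confirm that only the admin reservation ever gets a "pass" to the management subnet.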

Evan

Well-Known Member
Jan 6, 2016
I have management connections protected on VLAN-1 that’s only accessible by select ports and from VLAN-2.
Kids' traffic is on VLAN-3.
Different numbers, and something actually a little more complicated than that, but you get the idea.
Just as I have some devices completely isolated from even outbound internet access.

Simple enough and secure enough, and only maybe 2 hrs to set everything up one day (granted it’s Meraki, so it’s simple).