I am looking at setting up a management VLAN, on which I will put all the management interfaces for my various networkable devices (firewall mgmt interfaces, server RAC, WAP mgmt interfaces, etc.).
What are the best practices when it comes to accessing that mgmt VLAN? For example, as the IT administrator, my workstation is only on the business network. But if I need to access the firewall through the mgmt interface, should I have a second NIC that I use exclusively for the mgmt network? Or should I write ACLs that allow only certain IPs (my workstation) to access the mgmt network?
Does this make any kind of sense?
Thanks for your time.
-Josh
Don't permission your desktop; instead, have a bastion host (preferably a physical server rather than a VM) which is permitted to access the management VLAN, and ensure that only IT staff have credentials to log in to the machine. This is more scalable than restricting access to your workstation, for two reasons:
1) If you (and your workstation) need to move to another floor/building, there are no implications to network management.
2) A single administrative control point; if/when you hire other administrators, all you need to do is give them access to the bastion host, rather than permission their machines on every network device they need to manage.
We do it by ACL. The network team is all on a VLAN and that VLAN can access the mgmt network. This may not work depending on the size of your organization. If there are only 1 or 2 members needing access, doing it by individual IP should work fine.
I tend to avoid multi-homing a machine, just because it feels dirty.
I'd recommend a VPN gateway or terminal server into the management gateway. A physical connection would be OK too if there were some way to guarantee that you wouldn't accidentally stomp on another IP. I wouldn't put a DHCP server on that network either, unless absolutely required by some silly device.
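Added example, not from any answer in this thread: a small first-match ACL evaluator in Python that models the policy the bastion-host and ACL answers describe (a single bastion and the network-team VLAN may reach the management VLAN on SSH/HTTPS, everything else is denied), so the rule order can be sanity-checked before it is typed into a router. All addresses, subnets and the `Rule`/`evaluate` names are constructed assumptions, not any vendor's syntax.

```python
# Added example (not from the thread): first-match ACL evaluator for an
# inter-VLAN management policy. Addresses below are constructed placeholders.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", or "ip" (any protocol)
    src: str                 # CIDR; use a /32 for a single host
    dst: str
    dport: Optional[int] = None   # None means any destination port

def matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == dport

def evaluate(acl, proto, src, dst, dport=None) -> str:
    """First matching rule wins; no match means the implicit deny at the end."""
    for rule in acl:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"

# Constructed addressing: business VLAN 10.10.0.0/24 (bastion host 10.10.0.50),
# network-team VLAN 10.20.0.0/24, management VLAN 10.99.0.0/24.
MGMT = "10.99.0.0/24"
MGMT_ACL = [
    Rule("permit", "tcp", "10.10.0.50/32", MGMT, 22),   # bastion -> SSH on mgmt interfaces
    Rule("permit", "tcp", "10.10.0.50/32", MGMT, 443),  # bastion -> HTTPS (RAC, firewall UI)
    Rule("permit", "tcp", "10.20.0.0/24", MGMT, 22),    # whole network-team VLAN, per the ACL answer
    Rule("deny", "ip", "0.0.0.0/0", MGMT),              # anything else toward mgmt is dropped
    Rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),     # ordinary inter-VLAN traffic unaffected
]

def check_policy(acl=MGMT_ACL) -> dict:
    """Verdicts for a few representative flows (constructed test cases)."""
    return {
        "bastion_ssh": evaluate(acl, "tcp", "10.10.0.50", "10.99.0.1", 22),
        "bastion_rdp": evaluate(acl, "tcp", "10.10.0.50", "10.99.0.1", 3389),
        "workstation_ssh": evaluate(acl, "tcp", "10.10.0.77", "10.99.0.1", 22),
        "netteam_ssh": evaluate(acl, "tcp", "10.20.0.5", "10.99.0.20", 22),
        "business_to_internet": evaluate(acl, "tcp", "10.10.0.77", "203.0.113.9", 443),
    }

def misordered(acl=MGMT_ACL) -> str:
    """Same rules with the catch-all permit first: first-match makes the deny dead."""
    return evaluate(acl[-1:] + acl[:-1], "tcp", "10.10.0.77", "10.99.0.1", 22)
```

Run `check_policy()` to see the bastion's SSH permitted and an ordinary workstation denied, and `misordered()` to see why the catch-all permit must stay last.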