I'm currently using Allied Telesis switches but the command line is pretty much Cisco equivalent.
I currently have a management network (VLAN 100) which is the only interface configured on all of my switches, apart from my core switch. This has IP addresses configured as the gateway for every VLAN and as such management is accessible on each interface address of the core switch.
I'm looking to isolate the management network either through a firewall or just isolate it completely. The problem I have is that the core switch also needs to be managed and as soon as I assign an IP address on the management VLAN it allows other VLANs to route into it.
How do I allow management of the switch on one Interface address (V100) but not on others whilst still allowing the core switch to continue routing for all the other networks?
I spoke to the manufacturer (AT) who suggested setting up an access-list and applying it to prevent traffic entering and leaving the v100 network whilst also restricting access to the CLI using port blocking. This was foiled when I could only apply the access list to a physical interface and not a virtual one.
I've seen references to using the loopback for management but I'm not sure if this will actually help me. Will removing the gateway address for v100 and assigning it to the loopback prevent routing into the v100 network? If so then I could use this and an access list on the vty to prevent switch access.
How does the switch know when to answer this? Is the loopback also assigned to the VLAN?
The rest of the switches only have an IP address on the v100 for management so they wouldn't be an issue.
Hope this makes sense. Thanks in advance.
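The two controls discussed in the question (a loopback as the management address, a vty access list, plus a routed ACL keeping other VLANs out of the management subnet) as an added configuration example in Cisco IOS syntax; it is not from the original post or from Allied Telesis documentation, and the addresses (192.168.100.0/24 for VLAN 100, 192.168.10.0/24 for a user VLAN, 10.255.255.1/32 for the loopback) are constructed. It assumes a platform that accepts an ACL on a VLAN interface; where only physical ports take ACLs, the `access-class` on the vty lines still restricts who can open a session to the switch.

```cisco
! Loopback0 is not a member of any VLAN. The switch answers for it because
! the address is routed: VLAN 100 hosts send to their gateway (the Vlan100
! SVI) and the switch delivers locally. Other VLANs are filtered below.
interface Loopback0
 description Management address (constructed example)
 ip address 10.255.255.1 255.255.255.255
!
interface Vlan100
 description Management VLAN gateway
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan10
 description User VLAN: still routed by the core, but cannot reach management
 ip address 192.168.10.1 255.255.255.0
 ip access-group BLOCK-MGMT in
!
! Applied inbound on every non-management SVI: drop traffic destined for the
! management subnet or the loopback, permit everything else so inter-VLAN
! routing for the remaining networks is unaffected.
ip access-list extended BLOCK-MGMT
 deny   ip any 192.168.100.0 0.0.0.255
 deny   ip any host 10.255.255.1
 permit ip any any
!
! Only sources on VLAN 100 may open a management session, whichever of the
! switch's interface addresses they connect to (this answers the "one
! interface address but not the others" requirement at the vty level).
ip access-list standard MGMT-HOSTS
 permit 192.168.100.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
```

To confirm the filters are actually taking hits, check the ACL counters with `show ip access-lists` after attempting an SSH connection from a host in VLAN 10: the attempt should be denied by BLOCK-MGMT or, if it reaches the Vlan10 SVI address, by MGMT-HOSTS.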