How to access a layer 2 switch from a remote location?
- VP, Lv 7, 1 month ago
Ooh, good question! We had 750+ (remote) stores and even though the switches were manageable, we never accessed them remotely. We'd access the store's router but never telnetted or SSH'd into the switch. We always just sent a replacement switch and had the site swap the switches for us.
I think we did that because the switches didn't have much to their configs -- just VLAN defs -- so their usual problem was some sort of mechanical/power failure. So, we'd just FedEx a replacement device.
- BigE, Lv 7, 1 month ago
This is probably your typical business MANAGED switch. First, you usually don't have a web interface; it is SSH or console/serial port, both using CLI.
Now to secure that, if the remote location has an SSH bastion that restricts IP access, that is one typical way. This would rely on layer 3 access to the switch, used alone.
One also usually uses a backup method, a terminal server connected to the serial line. This is also in the out-of-band network and you use the bastion to connect to it.
This also works if the switch does not have layer 3 access enabled or has failed.
The third way I have seen is for sites with little internal infrastructure. You set up a small router or terminal management device that has cell phone access and of course serial line access to the switch. This again works without layer 3 access or even network access, so good for a firewall that is down or network cut off.
I've seen a small Cisco do this, and there are boxes that do this, like Opengear.
(Yes, often you use software tools to manage switches, like Ansible or CiscoWorks, and manage the configs remotely, but you still need a method to access them.)
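The bastion and out-of-band terminal server layout described in the answer above, written as a client-side OpenSSH configuration. This is an added example, not part of the original answers; every host name, address, user name, key path and the console port number is a constructed placeholder.

```sshconfig
# Constructed example: every name, address, port and path is a placeholder.

# Bastion at the remote site: the only host reachable from outside,
# with source-IP restrictions enforced on the bastion/firewall side.
Host site-bastion
    HostName 192.0.2.10
    User netops
    IdentityFile ~/.ssh/id_ed25519_netops
    IdentitiesOnly yes
    ForwardAgent no

# In-band path: switch management address (needs layer 3 on the switch).
Host site-switch
    HostName 10.99.0.2
    User admin
    ProxyJump site-bastion

# Out-of-band path: terminal server wired to the switch's serial console.
# Works when the switch has no layer 3 access or has failed.
Host site-switch-console
    HostName 10.99.0.3
    # Port that maps to the serial line is device-specific (assumed here).
    Port 3001
    User netops
    ProxyJump site-bastion

# Applies to all three entries: refuse unknown or changed host keys.
Host site-*
    StrictHostKeyChecking yes
```

With this in place, `ssh site-switch` uses the in-band path and `ssh site-switch-console` reaches the serial console through the same bastion, so neither the switch nor the terminal server is exposed directly.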
- Crim Liar, Lv 7, 1 month ago
I would guess that depends on your layer 2 switch! If it has a web admin page *all* you'd have to do is create some port forwarding on the local router and punch through the local firewall. That's actually pretty risky! If your switch doesn't have a web admin page sitting at a local IP then it's actually possible that you couldn't access it from outside of the local network - which while frustrating is at least secure!