For configuring the management interface IP for a Cisco IronPort device, should it be on a public IP address or a private IP address? Could you please confirm the IP address design for the IronPort management interface? Thanks.
The answer to this question depends on several factors: what you intend to do with the appliance, how you intend to allow access to the appliance, and where it sits in your network. Typically customers will utilize the management interface on their internal network, thus giving it a private IP. This way the web interface, SSH and FTP access are allowed internally but not from the public. Those services can be enabled on other interfaces as well, but the most common practice is to set up the management interface for internal access only on your private network.
Sorry for the resurrection of an 8-year-old thread, but I would like to use the management port on my internal network to handle SSH and FTP as mentioned in this thread. However, there doesn't appear to be a separate default gateway for the management port. Am I missing something? Does it share the same routing table and default gateway as the "data" ports? How does the management port know how to get to internal services? And if static routes are configured to point internal services through the mgmt port, isn't there a possibility that unwanted traffic could be routed from the other data interfaces to the management port?
You are correct - the routing tables are shared across all interfaces.
There is only one configurable default gateway as you had noticed.
The other interfaces configured to be used would need to have a static route with the 'gateway' for them configured within the same routing table you see in the GUI > Network > Routing.
If other traffic is indeed routed into the Management interface, then it will leave via the default gateway, as your comment suspects (or via any static routes configured for the traffic) - you would only be able to restrict the traffic from the Interface settings by the associated protocols and ports.
Generally, from my experience, under stricter network environments the management interface is configured to only allow HTTPS and SSH (443 and 22), so outside of this it won't accept any other protocols even if the traffic is routed to that port.
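To make the behaviour described in this reply concrete, here is an added example (not Cisco code, and not from anyone in this thread) that models the appliance's single shared routing table with one default gateway plus a static route for the internal network, and the per-interface service restriction. All addresses, interface names and the allowed-service policy are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of a shared routing table: every interface consults the
# same table, and there is exactly one default route (0.0.0.0/0).
@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    interface: str

# Constructed table: default gateway on Data1, plus a static route that sends
# the internal server network out of the Management interface.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "Data1"),
    Route(ipaddress.ip_network("10.10.0.0/16"), "10.10.0.1", "Management"),
]

# Constructed per-interface service policy: Management only accepts HTTPS and SSH,
# the data interface only accepts SMTP.
ALLOWED_SERVICES = {
    "Management": {("tcp", 443), ("tcp", 22)},
    "Data1": {("tcp", 25)},
}

def lookup(dst, routes=ROUTES):
    """Longest-prefix match over the single shared routing table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def inbound_accepted(interface, proto, port, policy=ALLOWED_SERVICES):
    """Traffic arriving on an interface is only accepted for its configured services,
    regardless of which route delivered it there."""
    return (proto, port) in policy.get(interface, set())

def main():
    print(lookup("10.10.5.20"))      # internal host -> static route, leaves via Management
    print(lookup("198.51.100.7"))    # anything else -> the one default gateway on Data1
    print(inbound_accepted("Management", "tcp", 21))  # FTP not enabled on Management

if __name__ == "__main__":
    main()
```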