Management Port

anitachoi3
Level 1

Hi Expert,

According to the Cisco document below, it can telnet to another network equipment via the management port inside the "management network" (or out-of-band management network).

http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/Management_Ethernet.html
in "Telnetting over the Management Ethernet Interface" section.

I would like to seek your advice to rectify my understanding if I am wrong.

For example, there are three Cisco devices, asr 1002, asa 5520 and 3750X; the management ports of the three devices are connected to management network segment 172.16.1.0/26.

Management interface of asr 1002: 172.16.1.20

Management interface of asa 5520: 172.16.1.22

Management interface of 3750X: 172.16.1.22

If the administrator is sitting on the asr1002, he can telnet to the cisco 3750X's management port using the following command

router# telnet 172.16.1.22 /vrf Mgmt-intf

Is it the correct interpretation regarding the meaning of the above document in the section "Telnetting...."?

The 2nd question is:

Does it support "ssh"?

The 3rd question is:

Should the snmp trap, log and authen go through the "management port" or the "inband interface"? Which one is better or general practice?

Thanks

Anita

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

Those devices with a separate Ethernet management port usually have a separate routing instance (Virtual Routing and Forwarding or VRF) that they use. How it is set up varies by device.

If they support telnet, they will also support ssh from the management interface (assuming you have an image with crypto and have generated an rsa key, etc.). The ASA does not support either telnet or ssh as a client (i.e. initiating from the ASA). The routers and switches will, according to the restrictions for "transport output", if any, in your "line vty" section of the configuration. For incoming traffic you similarly make the "transport input" setting or, for the ASA, set those addresses allowed to telnet, ssh or http (ASDM uses https) into the appliance.

Best practice is to use the dedicated management port where available for both incoming and outgoing management features (snmp traps, syslogs, AAA source interface, etc.). Best practice is also to disable telnet everywhere.
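As an added example (not part of the thread, and not Cisco's own text), here is an IOS-XE configuration for the asr1002 side that follows the advice above: the management port sits in the Mgmt-intf VRF, the vty lines accept and initiate SSH only, and syslog, SNMP traps and TACACS+ are all sourced from the management interface. The default gateway 172.16.1.1, the collector 172.16.1.50, the AAA server 172.16.1.60, the domain name and the interface name GigabitEthernet0 are assumptions; the key and password strings are placeholders.

```cisco
! Added example, not from the thread. 172.16.1.1, .50 and .60 are constructed addresses.
! 1. Out-of-band management VRF (pre-defined on the ASR1000 as Mgmt-intf)
vrf definition Mgmt-intf
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0
 description OOB management port (172.16.1.0/26)
 vrf forwarding Mgmt-intf
 ip address 172.16.1.20 255.255.255.192
 no shutdown
!
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 172.16.1.1
!
! 2. SSH server prerequisites: hostname and domain name before generating the RSA key
hostname asr1002
ip domain-name mgmt.example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! 3. AAA reaches the TACACS+ server through the management VRF
aaa new-model
tacacs server TAC1
 address ipv4 172.16.1.60
 key TACACS-KEY-PLACEHOLDER
aaa group server tacacs+ MGMT-TACACS
 server name TAC1
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
aaa authentication login default group MGMT-TACACS local
!
! 4. vty: accept SSH only (no telnet in) and initiate SSH only (no telnet out)
line vty 0 4
 transport input ssh
 transport output ssh
!
! 5. Syslog and SNMP traps leave via the management port, SNMPv3 with privacy
logging source-interface GigabitEthernet0 vrf Mgmt-intf
logging host 172.16.1.50 vrf Mgmt-intf
snmp-server trap-source GigabitEthernet0
snmp-server group MGMT-V3 v3 priv
snmp-server user nms MGMT-V3 v3 auth sha AUTH-PW-PLACEHOLDER priv aes 128 PRIV-PW-PLACEHOLDER
snmp-server host 172.16.1.50 vrf Mgmt-intf version 3 priv nms
snmp-server enable traps
!
! With telnet disabled, the hop to the 3750X from the asr1002 becomes an SSH client call in the VRF:
!   asr1002# ssh -vrf Mgmt-intf -l admin 172.16.1.22
```

Verify the result with `show ip interface brief | include GigabitEthernet0` and `show ip ssh`, and confirm that `telnet 172.16.1.22 /vrf Mgmt-intf` is now refused by the vty `transport output` restriction.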
