Showing results for 
Search instead for 
Did you mean: 

Secure OOB Management Design, for various categories of Management traffic



I am working on OOB Management design for connectivity of management of various categories of Data Center traffic such as DMZ (e.g. Internet routers), Servers, Network, Application, Security (KMS, HSM, etc.) and PCI.


I looked for Cisco best practices recommendations for physical connectivity or switching design of OOB but no luck.


1: Please provide useful and supporting link that can be used as a reference and can guide on OOB connectivity/switching and Firewall design for various categories of MGT traffic.

2: Please also providing recommendations and opinions on the options mentioned in the attached diagram.



2 Replies 2

any opinion from experts?


I don't there is an reference guide for your exact scenario, but it seems like TrustSec segementation would be a good fit.

Use an FTD pair between the Core and Agg as in your diagrams, the connecting endpoints requiring segmentation would be connected to the same switch stack and just use the SGT to permit/deny communication between the endpoints using an SGACL. You'd need ISE to classify the endpoints, assign an SGT and manage the SGACL - although you could manually configure on the switch, but not really advised nor scalable.


Any communication to/from the SOC block/monitoring systems could be routed via the FTD and controlled according to the FTD Access Control Policies.


TrustSec reference materials:-



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card