cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

4964
Views
5
Helpful
1
Replies
Highlighted
Beginner

MGMT port on 3850 switch

Hi,

I have 3850 configured as edge switch where I run BGP on it. I did not connect MGMT port to our internal mgmt network because of the security concerns. So my concern is if switch somehow gets hacked from the outside (we don't run SSH or HTTP server on it) will the attacker gain access to the MGMT port or not? Is MGMT interface on a separate data plane so there is no possible way to gain controller over with from switch ports? I couldn't find this info in admin guide so i am asking if someone of you knows :).

 

Thank you!

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Master

The Catalyst 3850 management

The Catalyst 3850 management port, like that of many other of the more modern Cisco switches, uses a completely separate Virtual Routing and Forwarding (VRF) instance.

As long as you don't expose any Layer 3 interfaces (routed ports or Switch Virtual Interfaces (SVIs)) to the external world, your management plane is completely isolated. If the switch did have external-facing L3 interfaces and was completely compromised, you could log into the switch and then initiate sessions (from the switch itself) to internally reachable hosts that can be accessed via the management VRF. 

For details on the switch's internal architecture, please see Cisco Live presentation BRKARC-3438. Note on slide 30+ how they show the "EMP" (Ethernet Management Port) as directly connected to the switch CPU and not sharing the forwarding controller(s) that govern the data ports.

Also note the configuration guide which states:

The switch cannot route packets from the Ethernet management port to a network port, and the reverse. 

 

1 REPLY 1
Hall of Fame Master

The Catalyst 3850 management

The Catalyst 3850 management port, like that of many other of the more modern Cisco switches, uses a completely separate Virtual Routing and Forwarding (VRF) instance.

As long as you don't expose any Layer 3 interfaces (routed ports or Switch Virtual Interfaces (SVIs)) to the external world, your management plane is completely isolated. If the switch did have external-facing L3 interfaces and was completely compromised, you could log into the switch and then initiate sessions (from the switch itself) to internally reachable hosts that can be accessed via the management VRF. 

For details on the switch's internal architecture, please see Cisco Live presentation BRKARC-3438. Note on slide 30+ how they show the "EMP" (Ethernet Management Port) as directly connected to the switch CPU and not sharing the forwarding controller(s) that govern the data ports.

Also note the configuration guide which states:

The switch cannot route packets from the Ethernet management port to a network port, and the reverse.