07-19-2015 04:49 AM - edited 03-10-2019 12:27 AM
Hi,
I have a 3850 configured as an edge switch where I run BGP on it. I did not connect the MGMT port to our internal mgmt network because of security concerns. So my concern is: if the switch somehow gets hacked from the outside (we don't run an SSH or HTTP server on it), will the attacker gain access to the MGMT port or not? Is the MGMT interface on a separate data plane, so there is no possible way to gain control over it from the switch ports? I couldn't find this info in the admin guide, so I am asking if one of you knows :).
Thank you!
07-21-2015 06:21 AM
The Catalyst 3850 management port, like that of many of the other more modern Cisco switches, uses a completely separate Virtual Routing and Forwarding (VRF) instance.
As long as you don't expose any Layer 3 interfaces (routed ports or Switch Virtual Interfaces (SVIs)) to the external world, your management plane is completely isolated. If the switch did have external-facing L3 interfaces and was completely compromised, you could log into the switch and then initiate sessions (from the switch itself) to internally reachable hosts that can be accessed via the management VRF.
For details on the switch's internal architecture, please see Cisco Live presentation BRKARC-3438. Note on slide 30+ how they show the "EMP" (Ethernet Management Port) as directly connected to the switch CPU and not sharing the forwarding controller(s) that govern the data ports.
Also note the configuration guide which states:
The switch cannot route packets from the Ethernet management port to a network port, and the reverse.
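As an added illustration of the isolation the answer describes (this is an editor's example, not configuration from the original thread or from Cisco's guide), the fragment below puts the Ethernet management port in the management VRF, keeps the BGP-facing routed port in the global table, and restricts VTY access to the management subnet. The IP addresses and the ACL name are assumptions; the interface name GigabitEthernet0/0 and the VRF name Mgmt-vrf are the defaults on a Catalyst 3850 running IOS-XE.

```ios
! Added example (editor's illustration, not from the original post).
! Addresses and the ACL name are assumptions.
!
! 1. Ethernet management port: the only interface in the management VRF.
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.99.0.10 255.255.255.0
 no shutdown
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.99.0.1
!
! 2. The upstream (BGP-facing) routed port stays in the global table.
!    Nothing here references Mgmt-vrf, so there is no route between the two.
interface TenGigabitEthernet1/0/1
 no switchport
 ip address 203.0.113.2 255.255.255.252
 no shutdown
!
! 3. Control-plane hardening: management sessions are accepted only from the
!    management subnet. "vrf-also" is required so that sessions arriving via
!    the management VRF are accepted at all; without it they are rejected.
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
 deny   any log
!
no ip http server
no ip http secure-server
ip ssh version 2
!
line vty 0 15
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
 exec-timeout 5 0
!
! 4. Verification from exec mode: the global table cannot reach the
!    management subnet, and the management VRF cannot reach the data ports.
!   Switch# show vrf
!   Switch# show ip route vrf Mgmt-vrf
!   Switch# ping 10.99.0.1                 <- fails: no route in the global table
!   Switch# ping vrf Mgmt-vrf 10.99.0.1    <- succeeds: sourced from the EMP
```

The VRF separation protects the management plane from traffic entering the data ports, but, as the answer notes, it does not protect the management network from a switch whose CPU has already been compromised: anything the switch can reach through the EMP, an attacker with exec access can reach too. Filter what the EMP address is allowed to talk to on the management-network side as well.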