MGMT port on 3850 switch

Damir Reic
Level 1

Hi,

I have a 3850 configured as an edge switch where I run BGP on it. I did not connect the MGMT port to our internal mgmt network because of security concerns. So my concern is: if the switch somehow gets hacked from the outside (we don't run an SSH or HTTP server on it), will the attacker gain access to the MGMT port or not? Is the MGMT interface on a separate data plane so there is no possible way to gain control over it from the switch ports? I couldn't find this info in the admin guide so I am asking if someone of you knows :).

Thank you!

Accepted Solution

Marvin Rhoads
Hall of Fame

The Catalyst 3850 management port, like that of many other modern Cisco switches, uses a completely separate Virtual Routing and Forwarding (VRF) instance.

As long as you don't expose any Layer 3 interfaces (routed ports or Switch Virtual Interfaces (SVIs)) to the external world, your management plane is completely isolated. If the switch did have external-facing L3 interfaces and was completely compromised, you could log into the switch and then initiate sessions (from the switch itself) to internally reachable hosts that can be accessed via the management VRF.

For details on the switch's internal architecture, please see Cisco Live presentation BRKARC-3438. Note on slide 30+ how they show the "EMP" (Ethernet Management Port) as directly connected to the switch CPU and not sharing the forwarding controller(s) that govern the data ports.

Also note the configuration guide which states:

The switch cannot route packets from the Ethernet management port to a network port, and the reverse.
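As an added illustration (not part of this thread or of any Cisco tool), here is a small Python audit of a running-config excerpt for the things that would undermine the EMP / management-VRF separation described above: a data-plane interface placed into Mgmt-vrf, a static route that leaks Mgmt-vrf into the global table, and vty lines with cleartext transport or no access-class. It assumes the 3850 defaults (VRF name Mgmt-vrf, EMP interface GigabitEthernet0/0); the config sample, addresses and the `global`-keyword route are constructed for the example.

```python
MGMT_VRF = "Mgmt-vrf"                 # default management VRF name on the 3850
EMP_INTERFACE = "GigabitEthernet0/0"  # the EMP on a 3850 (assumed; check your model)

# Constructed sample running-config excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.99.0.5 255.255.255.0
interface Vlan99
 vrf forwarding Mgmt-vrf
 ip address 10.99.1.1 255.255.255.0
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.99.0.1
ip route vrf Mgmt-vrf 192.0.2.0 255.255.255.0 Vlan10 global
line vty 0 4
 transport input telnet ssh
"""

def parse_blocks(config):
    """Split IOS-style config text into (header, [indented sub-lines]) blocks."""
    blocks, header, body = [], None, []
    for line in config.splitlines():
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks

def audit_mgmt_isolation(config):
    """Return findings that weaken the EMP / Mgmt-vrf separation."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            if f"vrf forwarding {MGMT_VRF}" in body and name != EMP_INTERFACE:
                findings.append(f"{name}: data-plane interface placed in {MGMT_VRF}")
        elif header.startswith(f"ip route vrf {MGMT_VRF} ") and header.endswith(" global"):
            findings.append(f"static route leaks {MGMT_VRF} into the global table: {header}")
        elif header.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input")]
            if any("telnet" in t or t.endswith(" all") for t in transport):
                findings.append(f"{header}: cleartext or unrestricted transport ({transport[0]})")
            if not any(b.startswith("access-class") for b in body):
                findings.append(f"{header}: no access-class restricting management sources")
    return findings
```

Run `audit_mgmt_isolation(SAMPLE_CONFIG)` against your own `show running-config` output; an empty list means none of these three leak patterns is present.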
