We are building a new network and actually will have a management network for the first time. Historically we have been quite small and I was using in-band management, but we have seen some decent growth over the last 5 years.
My original design won't work due to an overlapping subnet. I had a VLAN for this management network, but realized that the management interface is L3 (C3850 IP Services).
sw-aggr-01#sh ip int br | incl 10.96.50
Vlan50 10.96.50.1 YES NVRAM up up
GigabitEthernet0/0 10.96.50.5 YES manual up up
sw-fl2-aggr-01#sh ip route
Gateway of last resort is 10.0.5.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.0.5.1
10.0.0.0/8 is variably subnetted, 17 subnets, 4 masks
C 10.0.5.0/30 is directly connected, Vlan5
L 10.0.5.2/32 is directly connected, Vlan5
S 10.96.50.0/24 is directly connected, Vlan50
sw-fl2-aggr-01#sh ip route vrf Mgmt-vrf
Routing Table: Mgmt-vrf
Gateway of last resort is 10.0.5.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.0.5.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.96.50.0/24 is directly connected, GigabitEthernet0/0
L 10.96.50.5/32 is directly connected, GigabitEthernet0/0
I am trying to figure out the best way to route this through our firewall to audit traffic. Anything outside 10.96.50.0/24 goes through the firewall.
My only thought at this point is moving all switch management functions to another VLAN (VLAN 55, for example).
I want to keep the data and management planes separate as a best practice if I am able to design that way.
Any other suggestions from the gurus?
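As an added example (not from the original post or from any reply), here is a small Python check for the situation the post describes: it parses the two "show ip route" excerpts above (embedded as a constructed sample), reports prefixes that appear in more than one routing table, and tests whether a planned management subnet collides with anything already routed. The candidate 10.96.55.0/24 for VLAN 55 is an assumption for illustration; the post gives no subnet for it.

```python
"""Spot prefixes that overlap between the global table and Mgmt-vrf, and
check a planned management subnet against everything already routed."""
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed sample: the two 'show ip route' excerpts from the post, joined.
SAMPLE = """\
sw-fl2-aggr-01#sh ip route
Gateway of last resort is 10.0.5.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.0.5.1
10.0.0.0/8 is variably subnetted, 17 subnets, 4 masks
C 10.0.5.0/30 is directly connected, Vlan5
L 10.0.5.2/32 is directly connected, Vlan5
S 10.96.50.0/24 is directly connected, Vlan50
sw-fl2-aggr-01#sh ip route vrf Mgmt-vrf
Routing Table: Mgmt-vrf
Gateway of last resort is 10.0.5.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.0.5.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.96.50.0/24 is directly connected, GigabitEthernet0/0
L 10.96.50.5/32 is directly connected, GigabitEthernet0/0
"""

# A route line: code (C, L, S, S*, ...), prefix/len, then the rest of the line.
ROUTE_RE = re.compile(r"^([A-Z]\*?)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+(.*)$")
# Prompt lines tell us which table follows; 'Routing Table: X' does as well.
PROMPT_RE = re.compile(r"#sh(?:ow)? ip route(?:\s+vrf\s+(\S+))?\s*$")
TABLE_RE = re.compile(r"^Routing Table:\s*(\S+)")


def parse_tables(text):
    """Return {table_name: [(code, IPv4Network, rest), ...]}; the default
    table is called 'global'."""
    tables = defaultdict(list)
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        m = PROMPT_RE.search(line)
        if m:
            current = m.group(1) or "global"
            continue
        m = TABLE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, summaries and the 'Gateway of last resort' line
        code, prefix, rest = m.groups()
        tables[current].append((code, ipaddress.ip_network(prefix, strict=False), rest))
    return dict(tables)


def cross_table_overlaps(tables, ignore_default=True, ignore_host=True):
    """Pairs of prefixes from different tables that overlap. The default route
    and /32 host routes are skipped by default since they overlap everything
    or merely restate a connected route."""
    found = []
    names = sorted(tables)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for _, na, _ in tables[a]:
                for _, nb, _ in tables[b]:
                    if ignore_default and 0 in (na.prefixlen, nb.prefixlen):
                        continue
                    if ignore_host and 32 in (na.prefixlen, nb.prefixlen):
                        continue
                    if na.overlaps(nb):
                        found.append((a, str(na), b, str(nb)))
    return found


def candidate_conflicts(tables, candidate):
    """Every existing non-default route, in any table, that a planned subnet
    would overlap. An empty list means the subnet is free to use."""
    net = ipaddress.ip_network(candidate, strict=False)
    hits = []
    for name, routes in tables.items():
        for code, existing, rest in routes:
            if existing.prefixlen == 0:
                continue
            if net.overlaps(existing):
                hits.append((name, code, str(existing), rest))
    return hits


if __name__ == "__main__":
    # Pipe real output in on stdin, or run with no input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    tables = parse_tables(text)
    for a, na, b, nb in cross_table_overlaps(tables):
        print(f"overlap: {a} {na} <-> {b} {nb}")
    planned = "10.96.55.0/24"  # assumed subnet for VLAN 55; not from the post
    for hit in candidate_conflicts(tables, planned):
        print(f"{planned} conflicts with {hit[0]} {hit[1]} {hit[2]} {hit[3]}")
```

On the sample it flags 10.96.50.0/24 in both the global table (Vlan50) and Mgmt-vrf (GigabitEthernet0/0), and reports no conflict for the assumed 10.96.55.0/24. VRFs permit overlapping address space by design; the check exists because, once management traffic is to be routed through the firewall, the same prefix on both sides leaves the firewall no way to tell the two networks apart by address.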