Hi Leo,

Thanks for replying.

Can I check with you the following ->

q1) does all the switches come with ethernet management port ?

q2) Can i say switches with no "physical" ethernet management port as in-band management switch ?

q3) You mentioned that - "Management port do NOT understand default-gateway command"  -> does this apply to the out-of-band management port only ?  because If i am connecting from another subnet/internet, definitely the switch must be able to return the packets to me via a gateway isn't it ?

Can i connect to an external (out-of-band) management port remotely ? if yes, then how come a default gateway is not needed ?

q4) "This is why the most important thing to configure in the Management port is a unique IP address.  IP address for the Management port should NOT be the same as your normal LAN traffic."

For inband management port, can i set the interface to use another subnet/ip aside from the normal LAN traffic ? 
Does this means I can pull a cable from another network into the switch as shown below in red line
 

Hence for the inband management traffic, it will belong to another VLAN(e.g. VLAN1) and the normal LAN/production traffic in another VLAN, is it possible ?

Regards,
Noob

q1) does all the switches come with ethernet management port ?

Management port started appearing on the 3560E/3750E.  Any switches that came after that, including Nexus and various supervisor cards, now sport a Management port.

q2) Can i say switches with no "physical" ethernet management port as in-band management switch ?

Never heard or seen an "in-band mangement" is so I can't answer that.

Does this means I can pull a cable from another network into the switch as shown below in red line

The Management port is a totally separate PHYSICAL network to work efficiently.  This is because the Management port does NOT understand what the concept of default-gateway is.   Let me explain a little bit further.  Let's just say you have two separate physical network:  Your corporate LAN is 10.0.0./8 and you've got your Management port LAN, an OoBM, to be using 192.168.0.0/16.  

When using the OoBM IP address to your management port, you have the option to specify the IP address on the FastEthernet0 interface or DHCP-assigned.  Whatever the case maybe, that all you need to do.  Again, no default-gateway configured.  Take note, that you'll need to RIP OUT the concept that the Management port is a switch port.  IT IS NOT.  The Management port is a "dumb" port with an IP address.  So this means any traffic to/from the Management port only goes to ONE PORT.  It doesn't flood ports because there is no other ports.  Management port doesn't keep a CAM or ARP table.  Management port do NOT understand VLAN.  The traffic goes up the cable connected to the Management port and up a switch.  Now that switch holds all the information because it is a switch.  

So you're drawing above could potentially work but it totally defeats the purpose of the Management port.  Some might even argue WHY bothering connecting the Management port in the first place.  The same argument also makes it difficult to implement a totally separate OoBM network because of the inherit cost accompanied.  

Hi Leo,

Thanks for the reply.

q2) Can i say switches with no "physical" ethernet management port as in-band management switch ?

Never heard or seen an "in-band mangement" is so I can't answer that.

q1) what I meant are those traditional switches with no physical ethernet management port, and have to set the management IP as a VLAN interface as shown earlier.  What do you call the management of those switches ?

When using the OoBM IP address to your management port, you have the option to specify the IP address on the FastEthernet0 interface or DHCP-assigned.  Whatever the case maybe, that all you need to do.  Again, no default-gateway configured.  Take note, that you'll need to RIP OUT the concept that the Management port is a switch port.  IT IS NOT.  The Management port is a "dumb" port with an IP address.  So this means any traffic to/from the Management port only goes to ONE PORT.  It doesn't flood ports because there is no other ports.  Management port doesn't keep a CAM or ARP table.  Management port do NOT understand VLAN.  The traffic goes up the cable connected to the Management port and up a switch.  Now that switch holds all the information because it is a switch.  

Q2) You mentioned that there is no need to set any default gateway for the external management port. In that case how does management traffic actually transverse up to another network from the management port ? (assuming i am accessing the management port via another remote network ?) -- can I ?

So you're drawing above could potentially work but it totally defeats the purpose of the Management port.  Some might even argue WHY bothering connecting the Management port in the first place.  The same argument also makes it difficult to implement a totally separate OoBM network because of the inherit cost accompanied.  

q3) My drawing above is about using the logical vlan interface ip for managment, but lets assume the physical port on the switch connected by the redline is an external ethernet management port,

Can you elaborate abit further in what point/how it will defeat the purpose of management port  ? As I have set it to be on a separate physical network . (is it because it is still connected to the same router ?) or is it because the management port should be connected to a switch then a router ?

It will be deeply appreciated if you can provide a simple illustration of what should the actual setup be like.

Thank you.
Regards,
Noob

What do you call the management of those switches ?

Management VLAN.

In that case how does management traffic actually transverse up to another network from the management port ? 

Ok, take a wired client with one cable.  The client has an IP address and a subnet mask.  Now where is the traffic going?  One way.  Up the cable.  Same goes with the Management port.  The traffic only goes one way and it's out the cable.  

Ok, take a wired client with one cable.  The client has an IP address and a subnet mask.  Now where is the traffic going?  One way.  Up the cable.  Same goes with the Management port.  The traffic only goes one way and it's out the cable.  

Hi Leo,

Do you mean a point to point connection of directly connecting a client to the management port  ?

Meaning the client and the management port are in the same subnet.

Am i right ?

Regards,
Noob

Do you mean a point to point connection of directly connecting a client to the management port  ?

Meaning the client and the management port are in the same subnet.

Separate the notion that the switch Management port and Access port in one unit.  Think of the appliance's Management port as a completely separate unit with a logical connection to the rest of the appliance.  Think of it like a console port with an IP address.  

We have a 3750G switch that talks to all our switches using the Management port.  As I've described above, the Management ports have a DHCP IP address dished out by the 3750G.  The 3750G pushes configs and IOS down the Management port.  

The Management port all go into one VLAN (not VLAN 1) and the Management VLAN is being hosted by the 3750G.  

That is as simple as I can describe things.  

Hi Leo,

Sorry if you find it hard to explain to me.

I have understood to think of the ethernet management port as a separate entity from the original switch.

Maybe with the help of the diagram below, can you let me know if i have understood correctly ?

*please assume connected port is a management port separated from the normal switch ports

q1) does the ethernet management port need to be connected to another switch ?

I have thought of it as a device on the network and it is mentioned by you previously that it will be connected to a switch

"he traffic goes up the cable connected to the Management port and up a switch.  Now that switch holds all the information because it is a switch.  "

q2) In the current setup then, terminal B will be able to access the management port - am i right ?

q3) you mentioned that the management port is not able to set any gateway, (which is the router fe0/5 - 192.168.0.3 in my illustration), in that case do you mean that terminal A will not be able to access the management port remotely and it can only be accessible locally ?

Please do correct me if my understanding is wrong.

Thank you so much for your advices.

Regards,

Noob

Q1:  Management port, as recommended, should be connected to a physically separate network. 

Q2:  If done right, yes.  Because he logs into the OoBM router.  From the OoBM he can either telnet or SSH into the Management port. 

Q3:  I think I've answered this in Q2.

Hi Leo,

Thanks for the prompt reply. 

q1) When you mean a physically separate network, the "physical" here refers to all networking equipments, cables, paths, and even ips addresses right ? so is my diagram correct then ? cause i have provided a seperate switch, router and subnet for the management interface

q2) over here, i am referencing to terminal b, which is directly connecting to the management port via the l2 switch. hence terminal b is able to connect to the management port directly without going through the router.

q3) so in the sense, we still have to login into the router (to be in the same network) and then ssh/telnet to the management port. There is no way to access the management port over the network/through the network.

why is it done this way ? why can't the management port have a gateway ?
 

Regards,

Noob

Hi Leo,
 

So sorry, I miss out on your reply totally. In fact, i was hoping that you could reply by re-visting this thread again and is glad to see your response.

Thanks.

q2) over here, i am referencing to terminal b, which is directly connecting to the management port via the l2 switch. hence terminal b is able to connect to the management port directly without going through the router.

Not going to work.  My production network would now know how to get into the OoBM network.  In my line of work, I will make sure they are physically separated because putting both the production and OoBM network in the same physical network is totally stupid.  

q1) on my diagram above, there is absolutely no production network or equipments involved, all the equipments and network are solely for management purposes. So I really do not understand why you mentioned that Terminal B 192.168.0.2 is not able to reach the management port of 192.168.0.1 through the L2 switch , can you elaborate abit further ?

Regards,
Noob

Hi Leo!,

Thanks for the reply.

q1) The Router just below the cloud can be use for advertising , am i right ?

q2) Also, as mentioned by you previously, terminal A (.5.1) will still have to login into the router to connect to the management port (as there is no gateway setting on the management port for it) - does it still applies ?

Thanks!