Out of Band network

abarb002
Level 1

Seeking input on setting up an out-of-band network using a switch that is not connected to the main network, to manage network switches outside of my core switch. It is a requirement to have an out-of-band management switch that is not on my main network. I'm new to this and have been researching, but am looking for thoughts from anyone who has done this before.

Thanks


Jaderson Pessoa
VIP Alumni
Hello

Out of band is normally used to manage your network's devices/services. It is traffic that does not participate in your enterprise network.

Here you will find a good topic about it: https://learningnetwork.cisco.com/thread/86730
Jaderson Pessoa

Hi,
There are a couple of ways to do it. We passed it through our PA firewalls. You can use the physical MGMT ports on each switch, or a dedicated VLAN if no mgmt port is available. Connect them all back to the mgmt switch by Ethernet, giving each port the matching VLAN as per the subnet applied on the physical interface. Connect the management switch to a firewall; the firewall should have an IP interface in the same space as the mgmt network and have full reachability to it.

From one of my DC Nexus switches, connecting back to a mgmt switch:

interface mgmt0
description OOB.TRUSTED.SERVER
vrf member management
ip address x.x.x.x/23

vrf context management
ip domain-name xxxxx.com
ip name-server x.x.x.x x.x.x.x
ip route 0.0.0.0/0 firewall IP

From the mgmt switch it's connected to:

interface GigabitEthernet1/0/7
description xxxxxxxxxx to N5K-C5612 mgmt0
switchport access vlan 1226
switchport mode access

! same subnet as the mgmt port
interface Vlan1226
description oob.trusted
ip address x.x.x.x 255.255.254.0

ip route 0.0.0.0 0.0.0.0 firewall IP here


Thanks for the info, sir.

Question: I am operating on a network that is completely closed. Can this be done without the use of a firewall? It's just a simple home run to the management switch. No remote connection is required, except for a LAN connection to my desktop.

Yes, the firewall is just for policy control and in/out access, but if you don't care about that you don't need it. It's not a requirement; it's optional.

Thanks for the assistance, this really worked.

Question: I have RADIUS as my authentication method of access. Should I still be using this method even though it is an OOB switch? It is working.

Yes, you should; RADIUS/TACACS are both fine. And if you have to, AAA works under VRFs too for some switches that are bound to the mgmt VRF on g0/0 or the actual mgmt0 interfaces. Then you can source all traffic from that VRF so mgmt traffic is isolated from the standard routing table, providing even more security by separating the traffic from production.

Example:
ntp server x.x.x.x use-vrf management
ntp source-interface mgmt0

Okay, got things to work without RADIUS authentication by way of the local username and password as well. Removed the main network connection and it defaulted to the local logon.

Also, on the vty for this new 9300 switch we have, I had to include "vrf-also" at the end of my access-class statement:

#access-class NAME in vrf-also


Thanks again for your assistance. 

Yes, that's right. It would be the same with TACACS. That's because you're not SSH/telnetting into the main RIB table; you're going into the VRF mgmt table, so the mgmt and prod traffic is isolated on the router, the way you want it.

This is another good feature to use in live networks, only recent in the last few years: MPP.
You can source traffic going off the router easily enough, but how do you ensure you enter through the correct interface? MPP allows this. Just something to be aware of; it prevents long ACLs on other interfaces if you want to ensure you go in through the correct interface for mgmt traffic.

https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html

The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a device only through these management interfaces. After MPP is enabled, no interfaces except designated management interfaces will accept network management traffic destined to the device.
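Pulling the thread's pieces together, here is an added example that is not any poster's configuration: a constructed Cisco IOS-style config for a switch like the 9300 mentioned above, combining the mgmt VRF, the vty access-class with vrf-also, RADIUS reached through the mgmt VRF with local fallback, and the MPP command from the linked document. Addresses, VRF and ACL names, the RADIUS server and the shared secret are assumed values, and whether a given platform and release supports every command (MPP in particular) has to be checked against its documentation.

```text
! Constructed example (IOS / IOS XE syntax). A 9300 ships with
! GigabitEthernet0/0 already in VRF Mgmt-vrf; the VRF definition is
! included so the example is complete on its own.
vrf definition Mgmt-vrf
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 description OOB to mgmt switch (assumed 10.255.0.0/23 OOB subnet)
 vrf forwarding Mgmt-vrf
 ip address 10.255.0.11 255.255.254.0
 no shutdown
!
! Default route lives only in the mgmt VRF, so OOB traffic never
! touches the production routing table.
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.255.0.1
!
! Only the OOB subnet may open a vty session. "vrf-also" makes the
! access-class apply to sessions arriving via Mgmt-vrf, not just the
! global table; without it, OOB logins are refused on this platform.
ip access-list standard OOB-MGMT
 permit 10.255.0.0 0.0.1.255
 deny   any log
!
line vty 0 15
 access-class OOB-MGMT in vrf-also
 transport input ssh
 exec-timeout 10 0
!
! RADIUS server reachable only through the mgmt VRF, sourced from the
! OOB interface; "local" is the fallback if RADIUS is unreachable.
radius server OOB-RAD1
 address ipv4 10.255.0.50 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
aaa new-model
aaa group server radius OOB-RADIUS
 server name OOB-RAD1
 ip vrf forwarding Mgmt-vrf
 ip radius source-interface GigabitEthernet0/0
aaa authentication login default group OOB-RADIUS local
!
! Management Plane Protection: SSH and SNMP destined to the device are
! accepted only on the designated interface; other interfaces drop them.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp
```

Verify the result from a host on the OOB subnet (SSH succeeds) and from a production subnet (the session is refused and the ACL deny is logged), and check with show commands that the RADIUS exchange is sourced from the mgmt VRF.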