01-15-2020 06:58 AM
Seeking input on setting up an out-of-band network, using a switch that is not connected to the main network, to manage the network switches outside of my core switch. It is a requirement to have an out-of-band management switch that is not on my main network. I'm new to this and have been researching, but am looking for thoughts from anyone who has done this before.
Thanks
01-15-2020 07:20 AM - edited 01-15-2020 07:32 AM
Hi
There are a couple of ways to do it. We passed it through our PA firewalls. You can use the physical MGMT ports on each switch, or a dedicated VLAN if no mgmt port is available. Connect them all back to the mgmt switch by Ethernet, giving each port the VLAN that matches the subnet applied on the physical interface. Connect the management switch to a firewall; the firewall should have an IP interface in the same address space as the mgmt network and full reachability to it.
From one of my DC Nexus switches, connected back to a mgmt switch:
interface mgmt0
  description OOB.TRUSTED.SERVER
  vrf member management
  ip address x.x.x.x/23
vrf context management
  ip domain-name xxxxx.com
  ip name-server x.x.x.x x.x.x.x
  ip route 0.0.0.0/0 <firewall IP>
From the mgmt switch it's connected to:
interface GigabitEthernet1/0/7
 description xxxxxxxxxx to N5K-C5612 mgmt0
 switchport access vlan 1226
 switchport mode access
interface Vlan1226    ! same subnet as the mgmt port
 description oob.trusted
 ip address x.x.x.x 255.255.254.0
ip route 0.0.0.0 0.0.0.0 <firewall IP>
01-15-2020 07:57 AM
Thanks for the info, sir.
Question: I am operating on a network that is completely closed. Can this be done without the use of a firewall? It's just a simple home run to the management switch. No remote connection is required, with the exception of a LAN connection to my desktop.
01-16-2020 07:13 AM
Thanks for the assistance, this really worked.
Question: I have RADIUS as my authentication method for access. Should I still be using this method even though it is an OOB switch? It is working.
01-23-2020 11:18 AM
Okay, got things to work without RADIUS authentication by way of the local username and password as well. Removed the main network connection and it defaulted to the local logon.
Also, on the vty lines for this new 9300 switch we have, I had to include "vrf-also" at the end of my access-class statement:
 access-class NAME in vrf-also
Thanks again for your assistance.
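The two gotchas in this thread, that the mgmt0 interface, the management-switch SVI and both default routes must all sit in the same subnet, and that a vty access-class on a switch whose management port lives in a VRF silently drops sessions unless it carries vrf-also, are easy to check mechanically. The script below is an added example, not code from the original posts. The addressing (10.226.0.0/23) and the three config fragments are constructed to mirror the shape of the posted configs; the x.x.x.x values in the thread are not known.

```python
"""Consistency checks for an out-of-band management design.

Added example. The config fragments and the 10.226.0.0/23 addressing are
constructed; they stand in for the redacted values in the thread.
"""
import ipaddress
import re

# Constructed NX-OS fragment: mgmt0 in the management VRF, default route to the firewall.
NXOS_CFG = """
interface mgmt0
  description OOB.TRUSTED.SERVER
  vrf member management
  ip address 10.226.0.12/23
vrf context management
  ip route 0.0.0.0/0 10.226.0.1
"""

# Constructed IOS fragment for the management switch: access port plus SVI.
MGMT_SW_CFG = """
interface GigabitEthernet1/0/7
 description to N5K mgmt0
 switchport access vlan 1226
 switchport mode access
interface Vlan1226
 description oob.trusted
 ip address 10.226.0.2 255.255.254.0
ip route 0.0.0.0 0.0.0.0 10.226.0.1
"""

# Constructed IOS fragment for a Catalyst whose mgmt port is in a VRF and
# whose vty access-class is missing "vrf-also" (the gotcha from the thread).
C9300_CFG = """
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.226.0.30 255.255.254.0
line vty 0 4
 access-class OOB-MGMT in
"""


def nxos_mgmt(cfg):
    """Return (mgmt0 interface, default-route next hop) from an NX-OS fragment."""
    addr = re.search(r"^\s*ip address (\S+/\d+)", cfg, re.M).group(1)
    nh = re.search(r"^\s*ip route 0\.0\.0\.0/0 (\S+)", cfg, re.M).group(1)
    return ipaddress.ip_interface(addr), ipaddress.ip_address(nh)


def ios_svi(cfg):
    """Return (access VLAN, SVI VLAN id, SVI interface, default next hop)."""
    vlan = int(re.search(r"switchport access vlan (\d+)", cfg).group(1))
    svi_id = int(re.search(r"^interface Vlan(\d+)", cfg, re.M).group(1))
    addr, mask = re.search(r"^\s*ip address (\S+) (\S+)$", cfg, re.M).groups()
    nh = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M).group(1)
    return vlan, svi_id, ipaddress.ip_interface(f"{addr}/{mask}"), ipaddress.ip_address(nh)


def check_oob(nxos_cfg, mgmt_sw_cfg):
    """Return a list of findings; an empty list means the addressing is consistent."""
    findings = []
    mgmt0, nx_gw = nxos_mgmt(nxos_cfg)
    vlan, svi_id, svi, sw_gw = ios_svi(mgmt_sw_cfg)
    if vlan != svi_id:
        findings.append(f"access port is in VLAN {vlan} but the SVI is Vlan{svi_id}")
    if mgmt0.network != svi.network:
        findings.append(f"mgmt0 is in {mgmt0.network} but the SVI is in {svi.network}")
    for name, gw in (("mgmt0", nx_gw), ("mgmt switch", sw_gw)):
        if gw not in mgmt0.network:
            findings.append(f"{name} default route {gw} is outside {mgmt0.network}")
    if nx_gw != sw_gw:
        findings.append("the two devices point at different firewall addresses")
    return findings


def check_vty_vrf(cfg):
    """Flag a vty access-class without 'vrf-also' when the mgmt port is in a VRF.

    Without vrf-also, IOS applies the access-class only to sessions arriving in
    the global table, so SSH via the VRF-bound management port is refused.
    """
    in_vrf = re.search(r"^\s*vrf forwarding \S+", cfg, re.M) is not None
    acl = re.search(r"^\s*access-class (\S+) in( vrf-also)?", cfg, re.M)
    if in_vrf and acl and acl.group(2) is None:
        return [f"vty access-class {acl.group(1)} needs 'vrf-also' (mgmt port is in a VRF)"]
    return []


if __name__ == "__main__":
    for f in check_oob(NXOS_CFG, MGMT_SW_CFG) + check_vty_vrf(C9300_CFG):
        print("FINDING:", f)
```

Run against the constructed fragments, the addressing check passes and the only finding is the missing vrf-also; change the access VLAN or a next hop in the fragments and the corresponding mismatch is reported.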