I have a question considering if is security wise to allow traffic from a user vlan to pass through a port-channel that is used for management traffic.
Can you describe the pros and cons of doing it or not.
Solved! Go to Solution.
Your MGMT and Production traffic are going to mix on the data plane of the router/switch even though there isolated on the wire by different vlans , best practice is to have it segregated completely in dedicated mgmt port and switch
I have oob implemented but on dedicated switches connected to the firewalls using only their oob ports completly isolating mgmt traffic , although in some cases i have had no choice but to use a vlan in areas where it just was not cost efficient to run extra dedicated cabling and some devices had not got specific mgmt ports , if you do this you should have the fw service the mgmt protocls so there is some form of protection in place , then source all mgmt traffic locally on the device out that particular vlan or mgmt port ,if its a vlan i would use acls on the vlan interface to make sure the traffic is using that vlan only , we specified a acl for in an out traffic under the vlan interfaces on the devices that had no dedicated mgmt ports
This doc explains bets [ractice a bit for oob
"The OOB management network is implemented at the headquarters using dedicated switches that are independent and physically disparate from the data network"
so is it wise well sometimes it cant be avoided but if you can avoid it do it would be my personal opinion because running mgmt traffic through a vlan is not really oob but budget and other constraints can make that decision for you anyway
We have a couple of FEX2224 just for mgmt traffic in a vpc configuration with 2 Nexus 5596 but there is a need to use a port from one of these mgmt FEX just to allow traffic for a data vlan.
This port will be an orphan port.
Will the vpc domain allow this traffic to pass from the port-channel that passes the mgmt traffic?
So there is vlan isolation in any case as is for vlan hopping if the port is not consider as trunk and not configured to participate in DTP.
Am I right?
Thanks in advance.