
Port-Channel / Security issue

multiplexer002
Level 1

Hello,

I have a question concerning whether it is security-wise to allow traffic from a user VLAN to pass through a port-channel that is used for management traffic.

Can you describe the pros and cons of doing it or not?

Best Regards

John

1 Accepted Solution

Hi
As Joseph has stated, it makes no difference if it's a po. The fact you're using a FEX as the mgmt. platform means it's not isolated anyway, so it's in-band mgmt. traffic rather than out-of-band, so it's all mixing anyway in the 5k where it's being processed. Trunk, access or po is indifferent to it, as it's VLAN-based mgmt. traffic. Out-of-band is obviously more secure, as it's basically a parallel mgmt. network isolated from the data plane of prod traffic, but in-band works fine too.

7 Replies

Mark Malone
VIP Alumni

Hi

Your MGMT and production traffic are going to mix on the data plane of the router/switch even though they're isolated on the wire by different VLANs. Best practice is to have it segregated completely on a dedicated mgmt port and switch.

I have OOB implemented, but on dedicated switches connected to the firewalls using only their OOB ports, completely isolating mgmt traffic. Although in some cases I have had no choice but to use a VLAN, in areas where it just was not cost-efficient to run extra dedicated cabling and some devices had not got specific mgmt ports. If you do this, you should have the FW service the mgmt protocols so there is some form of protection in place, then source all mgmt traffic locally on the device out of that particular VLAN or mgmt port. If it's a VLAN, I would use ACLs on the VLAN interface to make sure the traffic is using that VLAN only; we specified an ACL for in and out traffic under the VLAN interfaces on the devices that had no dedicated mgmt ports.

This doc explains best practice a bit for OOB:


https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap9.html#wp1054536

"The OOB management network is implemented at the headquarters using dedicated switches that are independent and physically disparate from the data network"

So, is it wise? Well, sometimes it can't be avoided, but if you can avoid it, do it, would be my personal opinion, because running mgmt traffic through a VLAN is not really OOB. But budget and other constraints can make that decision for you anyway.

Hi Mark,

We have a couple of FEX2224 just for mgmt traffic in a vPC configuration with 2 Nexus 5596, but there is a need to use a port from one of these mgmt FEX just to allow traffic for a data VLAN.

This port will be an orphan port. 

Will the vPC domain allow this traffic to pass from the port-channel that carries the mgmt traffic?


Joseph W. Doherty
Hall of Fame
I'm unaware of any additional security concerns using a port-channel. I.e., using a port-channel, or not, likely doesn't change the security pros and cons.

Hi Joseph,

So there is VLAN isolation in any case, as is for VLAN hopping, if the port is not considered a trunk and not configured to participate in DTP.


Am I right?


Thanks in advance.


Best Regards

John

Hi John,

Mark has provided great explanation regarding management traffic isolation using OOB mgmt interface.

Basically, port-channels are used to have redundant links and higher bandwidth. Other than that, they are like individual access or trunk ports. So, if you configure the port-channel interface as a trunk port, it will carry multiple VLANs (one of them could be the management VLAN), which are isolated networks (and will not talk to each other unless you have a layer-3 device).

HTH,
Meheretab
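As an added illustration (not posted by anyone in this thread), here is an IOS-style Catalyst configuration that puts the three points above together: Mark's in/out ACLs on the mgmt SVI with locally sourced mgmt traffic, Meheretab's trunked port-channel carrying both a data VLAN and the mgmt VLAN, and John's concern about DTP. All VLAN numbers, addresses, interface names and ACL names are constructed assumptions.

```cisco
! Assumed values (constructed): VLAN 10 users, VLAN 99 mgmt, VLAN 999 unused native
! mgmt subnet 10.99.0.0/24, admin host 10.99.0.5, NTP server 10.99.0.20
vlan 10
 name USERS
vlan 99
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
! Trunked port-channel: explicit mode, explicit allowed list, unused native VLAN,
! and DTP switched off so the far side cannot negotiate itself into a trunk
interface Port-channel1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,99
 switchport nonegotiate
interface range GigabitEthernet1/0/1 - 2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,99
 switchport nonegotiate
 channel-group 1 mode active
!
! Data-VLAN access port on the same switch: fixed to VLAN 10, no DTP
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Mark's in/out ACLs on the mgmt SVI: only the admin host may reach SSH/SNMP,
! NTP replies only from the NTP server, everything else dropped and logged
ip access-list extended MGMT-IN
 permit tcp host 10.99.0.5 any eq 22
 permit udp host 10.99.0.5 any eq snmp
 permit udp host 10.99.0.20 eq ntp any eq ntp
 permit icmp 10.99.0.0 0.0.0.255 any
 deny ip any any log
ip access-list extended MGMT-OUT
 permit ip any 10.99.0.0 0.0.0.255
 deny ip any any log
interface Vlan99
 ip address 10.99.0.10 255.255.255.0
 ip access-group MGMT-IN in
 ip access-group MGMT-OUT out
!
! Source all management traffic from the mgmt SVI, as Mark suggests
ip ssh source-interface Vlan99
logging source-interface Vlan99
ntp source Vlan99
snmp-server trap-source Vlan99
```

On IOS an outbound SVI ACL filters only traffic routed out through that SVI, not packets the switch itself originates, so the inbound list is what actually protects the management plane. The Nexus 5596/FEX pair in this thread run NX-OS, which does not support DTP and uses slightly different ACL and trunk syntax.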