06-23-2014 11:49 AM - edited 03-07-2019 07:48 PM
Hello all,
If in-band access to a switch is already secured with SSH, ACLs and TACACS+, should I bother with setting up Management port access?
I understand (correct me if I'm wrong) that this is out-of-band management, but I fail to see what this resource provides in a secure environment.
I should add that the 2960Xs are internet edge switches, if this is any consolation.
Looking forward to the replies.
06-23-2014 03:09 PM
The management port is especially useful on an Internet edge switch.
For one thing, it uses a separate VRF (Virtual Routing and Forwarding) instance, the Management VRF. This allows you to operate your external switch as Layer 2 only for all the Internet-facing ports, giving zero Layer 3 exposure and thus zero control plane exposure to the Internet.
Even if that security isn't an attractive or compelling feature for you, having the separate VRF can also be useful as it provides access to the switch via this out-of-band type of connection independent of the primary or default VRF. This can be useful in the event of network issues not allowing you to reach your switch via the in-band interface (typically an SVI on a subnet associated with one of the data VLANs).
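As an added illustration of the answer above (this configuration is not from the thread or from Cisco documentation), the following IOS fragment shows what "Layer 2 only on the Internet-facing ports, all management in the Management VRF" looks like on a 2960-X. The addresses (192.0.2.0/24), VLAN number, ACL name, server-group name and TACACS+ server are hypothetical; the exact VRF-related keywords vary by IOS release, so confirm each with `?` on your own switch before relying on it.

```cisco
! Added example, not from the original thread. Addresses, names and VLAN
! numbers are hypothetical; verify VRF keywords against your IOS release.
!
! Mgmt-vrf is created by the platform; FastEthernet0 is the dedicated
! management port and is the only interface placed in that VRF.
interface FastEthernet0
 description OOB management - cabled to a physically separate network
 vrf forwarding Mgmt-vrf
 ip address 192.0.2.10 255.255.255.0
 no shutdown
!
! A default route exists only inside the management VRF. The global
! routing table stays empty, so nothing on the data side is routable.
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.0.2.1
!
! Internet-facing ports are plain switchports. No SVI is created for
! VLAN 100, so the switch has no IP address, and no control plane,
! reachable from the provider side.
interface GigabitEthernet1/0/1
 description ISP handoff - Layer 2 only
 switchport mode access
 switchport access vlan 100
!
! Limit VTY access to the management subnet. "vrf-also" makes the
! access-class apply to sessions arriving via Mgmt-vrf as well.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
!
! TACACS+ is reached through the management VRF, sourced from Fa0,
! so AAA traffic never depends on the data-plane VLANs.
aaa group server tacacs+ TAC-MGMT
 server name TAC1
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface FastEthernet0
!
tacacs server TAC1
 address ipv4 192.0.2.50
 key MgmtSharedSecret
```

To check the result, `show vrf` should list FastEthernet0 under Mgmt-vrf and no interface under the global table, `show ip interface brief` should show no SVI with an address, and `ping vrf Mgmt-vrf 192.0.2.1` should succeed while a plain `ping 192.0.2.1` (global table) fails.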
06-23-2014 03:09 PM
This is great.
Thank you very much.
06-25-2014 03:31 PM
Thanks for the info on this; working on something similar at work...
Is this considered a Cisco SAFE practice?
06-25-2014 04:33 PM
Generally, yes. Please refer to this link which recommends use of OOB management in the context of a SAFE architecture.