Proper usage of the Management port

Hello all,

 

If in-band access to a switch is already secured with SSH, ACLs and TACACS+, should I bother with setting up Management port access?

I understand (correct me if I'm wrong) that this is out-of-band management, but I fail to see what this resource provides in a secure environment.

I should add that the 2960-Xs are internet edge switches, if this is any consolation.

Looking forward to the replies.

Accepted Solution

Marvin Rhoads
Hall of Fame

The management port is especially useful on an Internet edge switch.

For one thing, it uses a separate VRF (Virtual Routing and Forwarding) instance, the Management VRF. This allows you to operate your external switch as Layer 2 only for all the Internet-facing ports, giving zero Layer 3 exposure and thus zero control plane exposure to the Internet.

Even if that security isn't an attractive or compelling feature for you, having the separate VRF can also be useful as it provides access to the switch via this out-of-band type of connection, independent of the primary or default VRF. This can be useful in the event of network issues not allowing you to reach your switch via the in-band interface (typically an SVI on a subnet associated with one of the data VLANs).

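The layout described in the accepted answer, as an added configuration example that is not part of the original post: the Internet-facing ports are Layer 2 only with no SVI carrying an address, the dedicated management port sits in the Management VRF, and the vty ACL and TACACS+ lookups are bound to that VRF. The interface names (FastEthernet0 as the management port, Gi1/0/1-4 as edge ports), the VRF name Mgmt-vrf, all addresses, the ACL and server names, and the key placeholder are assumptions for illustration, not values from the thread.

```cisco
! Added example (not from the original post). Names, addresses and the
! management port interface name are assumptions for a Catalyst 2960-X.

! --- Internet-facing side: pure Layer 2, no SVI carries an IP address ---
vlan 100
 name INTERNET-EDGE
interface range GigabitEthernet1/0/1 - 4
 description Internet edge, Layer 2 only
 switchport mode access
 switchport access vlan 100
! Deliberately NO "interface Vlan100" with an address: the default VRF has
! no routed presence on the Internet VLAN, so the control plane has nothing
! to answer from that side.

! --- Out-of-band management port, in the Management VRF ---
interface FastEthernet0
 description OOB management network only
 vrf forwarding Mgmt-vrf
 ip address 10.255.0.10 255.255.255.0
 no shutdown
! Default route for the management VRF points at the OOB network gateway
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.255.0.1

! --- AAA: TACACS+ is reached through the management VRF, not the data path ---
aaa new-model
tacacs server OOB-TACACS
 address ipv4 10.255.0.5
 key REPLACE-WITH-SHARED-SECRET
aaa group server tacacs+ OOB-GROUP
 server name OOB-TACACS
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface FastEthernet0
aaa authentication login VTY-AUTH group OOB-GROUP local

! --- Restrict who may open a management session ---
ip access-list standard MGMT-HOSTS
 permit 10.255.0.0 0.0.0.255
 deny   any log
line vty 0 15
! "vrf-also" matters: without it, sessions arriving on an interface that
! belongs to a VRF (the management port here) are refused even if permitted.
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
 login authentication VTY-AUTH

! --- Checks after applying ---
! show vrf                       -> Mgmt-vrf lists FastEthernet0
! show ip interface brief        -> no SVI with an address on VLAN 100
! ping vrf Mgmt-vrf 10.255.0.5   -> TACACS+ reachable only via the OOB path
```

If the switch ever needs an in-band SVI as well (for example for a monitoring VLAN), keep it in the default VRF and leave the vty `access-class` in place; the management session through FastEthernet0 still works during an in-band outage because Mgmt-vrf has its own route table and its own path to the TACACS+ server.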

4 Replies

This is great.

Thank you very much.

Gregory Korten
Level 1

Thanks for the info on this, I'm working on something similar at work...

Is this considered a Cisco SAFE practice?

Generally, yes. Please refer to this link which recommends use of OOB management in the context of a SAFE architecture.
