Gotcha. Just was seeing if there are other uses out there for this port. Too bad it isn't like the Nexus Sup cmp- mgmt ports. Now that'd be great.

Standfast! The CMP ports are coming on some of the chassis based switches.

I want them on the 3750x. Actually i want them on every switch. 

The firewalls desperately need them.

I notice that in your list you do not include IOS upgrade of the 3750-X through the archive command set.

Question: Is this a supported feature?

My guess is that it is not, as the switches OOB Management Port would go off line on the switch in question due to the fact that it is not a true CMP port, and that the micro code changes on the switch during the upgrade. This would affect the EOOB port.

Could you clarify?

Great points. Unfortunately the EOOB port is worthless in most of the products. It shares the global routing table and/or you can not put it in its own VRF. Once those pain points have been eliminated a design doc can be created and we can start to truly manage our devices over Ethernet and in a secure fashion!

Worthless seems rather strong.  I've worked with clever network engineers that have leveraged these ports well.  I doesn't take a unique routing table (VRF).  It does take a rock solid foundation in networking.


Chris

Depends on the security policy. For the requirements of the government, the port is worthless, no matter how clever you are. I guess since I don't understand networking, all of this it moot. Thanks for straightening me out. I hope you have a solid foundation in understanding sarcasm.

gatlin007 wrote:
Worthless seems rather strong.  I've worked with clever network engineers that have leveraged these ports well.  I doesn't take a unique routing table (VRF).  It does take a rock solid foundation in networking.


Chris

Chris

Be interested to hear how it was done ?

Jon

Collin_Clark wrote:
Great points. Unfortunately the EOOB port is worthless in most of the products. It shares the global routing table and/or you can not put it in its own VRF. Once those pain points have been eliminated a design doc can be created and we can start to truly manage our devices over Ethernet and in a secure fashion!

Collin

I see what you mean here. We have actually been referring i think to 2 different things. I was thinking primarily about a network that is subjected to a virus for example and so the path from your management PC to the device could be unuseable. It was in that sense i was saying VRF's are useless.

Whereas i think you were referring to restricing access to the OOB by using a dedicated vrf wtih only restricted access.

Sorry for being a bit slow on the uptake.

Both i think are relevant considerations and need to be addressed.

Jon

Chris / Collin

I agree that it is an area not covered in great detail.

The key as far as i see it is you need a completely separate network and i mean completely separate from production. So the path from your PC to the OOB port never crosses any physical equipment on production. Even vrfs wouldn't help here. However something like the Nexus would where you can allocate virtual switches within the same chassis and allocate resources to each switch that are not shared. I say would help but it does depend on just what is shared and what isn't.

Trouble obviously is it gets expensive. I've done it within a DC where we had a separate ADSL link into the DC so we were not using the WAN links. But it's not a solution that generally scales without the cost becoming prohibitive.

The other alternative is to use QOS to guarantee some bandwidth but this can be hit and miss to say the least.

Jon

At the last place I worked, we had to manage all of out network devices OOB. Even a separate WAN as no management traffic could be on the same network as the production data network. It stinks!