New Member

Proper usage of the Management port

Hello all,

If inband access to a switch is already secured with SSH, ACLs and TACACS+, should I bother with setting up Management port access?

I understand (correct me if I'm wrong) that this is out-of-band management, but I fail to see what this resource provides in a secure environment.

I should add that the 2960Xs are internet edge switches, if this is any consolation.

Looking forward to the replies.

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

The management port is especially useful on an Internet edge switch.

For one thing, it uses a separate VRF (Virtual Routing and Forwarding) instance - the Management VRF. This allows you to operate your external switch as layer 2 only for all the Internet facing ports, giving zero Layer 3 exposure and thus zero control plane exposure to the Internet.

Even if that security isn't an attractive or compelling feature for you, having the separate VRF can also be useful as it provides access to the switch via this out of band type of connection independent of the primary or default VRF. This can be useful in the event of network issues not allowing you to reach your switch via the in band interface (typically an SVI on a subnet associated with one of the data VLANs).
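Added example (not from the post or from Cisco): a small Python audit that reads an IOS-style running-config and checks for the posture the accepted answer describes on an Internet edge switch: the management port bound to its own VRF, no addressed SVI on an Internet-facing VLAN (so no Layer 3 or control-plane exposure there), and the in-band protections the question already lists (SSH-only vty with an access-class, TACACS+ login). The configuration text is constructed; the management interface name FastEthernet0, the VRF name Mgmt-vrf, the VLAN ids, addresses and the ISP/Internet description heuristic are all assumptions, and the exact management-port and VRF syntax should be confirmed against the device's own configuration.

```python
import re

# Constructed sample running-config (not from any real device). The management
# interface name, the VRF name "Mgmt-vrf", VLAN ids and addresses are assumptions.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
!
interface FastEthernet0
 description OOB management port
 vrf forwarding Mgmt-vrf
 ip address 10.99.0.11 255.255.255.0
!
interface GigabitEthernet1/0/1
 description uplink to ISP
 switchport access vlan 100
!
interface Vlan1
 no ip address
 shutdown
!
line vty 0 15
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
!
"""

# Same config plus an addressed SVI on the Internet-facing VLAN: the exposure to catch.
WEAK_CONFIG = SAMPLE_CONFIG + "interface Vlan100\n ip address 203.0.113.2 255.255.255.248\n!\n"

VRF_RE = re.compile(r"^(?:ip )?vrf forwarding (\S+)$")  # accepts older and newer IOS syntax

def parse_blocks(config):
    """Split IOS-style text into (top-level line, [indented child lines]) blocks."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks

def interfaces(config):
    """Map interface name -> its config lines."""
    return {h.split(None, 1)[1]: body for h, body in parse_blocks(config)
            if h.startswith("interface ")}

def management_vrf(config, mgmt_if="FastEthernet0"):
    """VRF the management port is bound to, or None if it sits in the global table."""
    for line in interfaces(config).get(mgmt_if, []):
        m = VRF_RE.match(line)
        if m:
            return m.group(1)
    return None

def routed_svis(config):
    """SVIs that are up and addressed: each is Layer 3 (control plane) exposure on that VLAN."""
    return [name for name, body in interfaces(config).items()
            if name.startswith("Vlan")
            and any(l.startswith("ip address ") for l in body)
            and "shutdown" not in body]

def internet_vlans(config):
    """VLAN ids of access ports whose description says ISP/Internet (heuristic)."""
    vlans = set()
    for body in interfaces(config).values():
        desc = " ".join(l for l in body if l.startswith("description ")).lower()
        if "isp" in desc or "internet" in desc:
            for l in body:
                m = re.match(r"switchport access vlan (\d+)", l)
                if m:
                    vlans.add(int(m.group(1)))
    return vlans

def vty_hardened(config):
    """True when every vty block allows only SSH and applies an access-class ACL."""
    vty = [b for h, b in parse_blocks(config) if h.startswith("line vty")]
    return bool(vty) and all("transport input ssh" in b and
                             any(l.startswith("access-class ") for l in b) for b in vty)

def tacacs_login(config):
    """True when login authentication is sourced from TACACS+ (local fallback allowed)."""
    return any(h.startswith("aaa authentication login") and "tacacs+" in h
               for h, _ in parse_blocks(config))

def audit(config):
    """Run all checks; a clean edge switch has mgmt_vrf set and no L3 on Internet VLANs."""
    exposed, inet = routed_svis(config), internet_vlans(config)
    return {
        "mgmt_vrf": management_vrf(config),
        "routed_svis": exposed,
        "internet_vlans": sorted(inet),
        "l3_on_internet_vlan": [s for s in exposed if int(s[4:]) in inet],
        "vty_ssh_with_acl": vty_hardened(config),
        "tacacs_login": tacacs_login(config),
    }
```

Calling `audit(SAMPLE_CONFIG)` reports `Mgmt-vrf` for the management port and an empty `l3_on_internet_vlan` list; `audit(WEAK_CONFIG)` flags `Vlan100`, the SVI that would put the switch's control plane on the Internet-facing VLAN. The point of keeping the management address inside its own VRF is that the ACL and SSH checks then guard a path that does not share a routing table with the edge VLANs at all.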

4 REPLIES

New Member

This is great.

Thank you very much.

New Member

Thanks for the info on this, working on similar at work...

Is this considered a Cisco SAFE practice?

Hall of Fame Super Silver

Generally, yes. Please refer to this link which recommends use of OOB management in the context of a SAFE architecture.

52 Views, 0 Helpful, 4 Replies