https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/eos-out-of-band-management/m-p/44105#M5849 Question: if you set an ip address on an interface as management and then disable ip-forwarding on that interface does that restrict management access to that address? Wed, 20 Apr 2016 19:13:00 GMT Curtis_Parish1 2016-04-20T19:13:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/eos-out-of-band-management/m-p/44102#M5846 In the process of configuring / designing an Out-Of-Band management network in EOS.<BR /> <BR /> Will need to make this as secure as possible so things like SNMP, SSH, Syslog, HTTPS and Netflow for / via NetSight are all done out of band on the management network only. All the switches in use are either S or K series.<BR /> <BR /> My first thoughts are that I would have to do this with Policy and ACL's, but it would be preferential to use a separate VRF. <BR /> <BR /> So my questions are:<BR /> <UL> <LI>What would the best why to ago about this in the most secure manner? </LI><LI>Perhaps there is a better method in EOS? </LI><LI>If I was to use a VRF for management (and my point in using it), is I could then just enable the management protocols on the management VRF and turn them off on the default VRF. (I don't believe its possible, but it would provide the simplest and most secure set-up, perhaps still in conjunction with policy and ACL's)</LI></UL>Many thanks in advance.<BR /> <BR /> Tue, 19 Apr 2016 20:00:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/eos-out-of-band-management/m-p/44102#M5846 Anonymous 2016-04-19T20:00:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/eos-out-of-band-management/m-p/44103#M5847 Hi Martin,<BR /> <BR /> I don't think you can disable SNMP, SSH, etc. in a VRF.<BR /> <BR /> To lock down management access you should look into the host ACL ("ip host-access <ACL>"). You can (and should) use an extended ACL, so you can allow just the interface IP you want to use for management. With a host ACL you need to consider and allow all layer 3 protocols (VRRP, OSPF, BGP, ...) you intend to use.<BR /> <BR /> Erik<BR /></ACL> Wed, 20 Apr 2016 12:30:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/eos-out-of-band-management/m-p/44103#M5847 Erik_Auerswald 2016-04-20T12:30:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/eos-out-of-band-management/m-p/44104#M5848 Thanks for the reply.<BR /> <BR /> Think my plan will be to use a VRF for management and use ACL's either side to stop and control IP traffic for containment, with the use of 'ip host-access' that you have helpfully provided.<BR /> <BR /> Many thanks.<BR /> Wed, 20 Apr 2016 13:32:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/eos-out-of-band-management/m-p/44104#M5848 Anonymous 2016-04-20T13:32:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/eos-out-of-band-management/m-p/44105#M5849 Question: if you set an ip address on an interface as management and then disable ip-forwarding on that interface does that restrict management access to that address? Wed, 20 Apr 2016 19:13:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/eos-out-of-band-management/m-p/44105#M5849 Curtis_Parish1 2016-04-20T19:13:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/eos-out-of-band-management/m-p/44106#M5850 I do not think that is sufficient.<BR /> <BR /> There are two GTAC Knowledge articles regarding restricting management access:<BR /> <OL> <LI><A href="https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-an-ACL-on-a-S-K-Series-to-Allow-Access-to-only-One-Interface" target="_blank" rel="nofollow noreferrer noopener">https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-an-ACL-on-a-S-K-Series-to...</A> </LI><LI><A href="https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-host-access-list-on-S-Series-to-prevent-unauthorized-login-attempts/" target="_blank" rel="nofollow noreferrer noopener">https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-host-access-list-on-S-Series...</A> </LI></OL>As far as I remember any reachable active interface can be used for management unless an ACL restricts access. The host ACL controls access via any interface.<BR /> Wed, 20 Apr 2016 19:59:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/eos-out-of-band-management/m-p/44106#M5850 Erik_Auerswald 2016-04-20T19:59:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/eos-out-of-band-management/m-p/44107#M5851 Here is a brief KB article, but maybe it is of use to you: <A href="https://gtacknowledge.extremenetworks.com/articles/Q_A/Non-Global-VRF-Loopback-IP-not-responding-to-SNMP-or-SSH" target="_blank" rel="nofollow noreferrer noopener">https://gtacknowledge.extremenetworks.com/articles/Q_A/Non-Global-VRF-Loopback-IP-not-responding-to-...</A><BR /> <BR /> What I take from that: Use the global VRF to perform management, and put your production traffic into a VRF that you create additionally.<BR /> <BR /> Fri, 29 Apr 2016 01:30:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/eos-out-of-band-management/m-p/44107#M5851 jeronimo 2016-04-29T01:30:00Z