Objective: To separate management traffic from data/customer traffic on your Cisco Catalyst 4500 L3 Switch
Preferably, data and management are in two separate network domains.
Pre-requisite:
A UTP cable connected to the management port (FastEthernet 1), with the other end connected to a network switch that reaches the OOB management gateway
Tested on Cisco IOS Version 15.1 (Cisco Catalyst 4948E)
**Management IP Configuration**
1. Configure the vrf for management
vrf definition management
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
2. Set the physical IP address of the management port. On the Catalyst 4500 (e.g. 4948), the port is configured on interface FastEthernet 1
interface FastEthernet1
description Connection to OOB Management Switch
vrf forwarding management
ip address 10.10.10.45 255.255.255.0
speed auto
duplex auto
end
ip route vrf management 0.0.0.0 0.0.0.0 10.10.10.1 name MANAGEMENT
Tacacs Server2 IP = 10.55.55.57
AAA:
aaa authentication login VTY group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
TACACS+:
ip tacacs source-interface FastEthernet 1
tacacs server TACACS1
address ipv4 10.55.55.56
key 7 00B0A024D346E1E0605
tacacs server TACACS2
address ipv4 10.55.55.57
key 7 00B0A024D346E1E0605
The configuration above does not work with the VRF; only the configuration below does, because the TACACS+ servers are defined as private servers of a group bound to the management VRF. Updated config below:
AAA & Tacacs+:
aaa new-model
aaa local authentication attempts max-fail 5
aaa group server tacacs+ FNT
server-private 10.55.55.56 key 7 026419091115495C1AE0F0A3
server-private 10.55.55.57 key 7 142126A102D1B0253E3D3316
ip vrf forwarding management
aaa authentication login VTY group FNT line
aaa authentication enable default group FNT enable
aaa authorization commands 1 default group FNT none
aaa authorization commands 15 default group FNT none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
**SSH Configuration**
Authorized IP to SSH in: 10.20.20.20
ACL:
access-list 111 permit ip host 10.20.20.20 any
access-list 111 deny ip any any log
ip ssh version 2
line vty 0 4
access-class 111 in vrf-also
exec-timeout 5 0
password 7 0710A0103585550925
login authentication VTY
transport input ssh
SNMP Polling Server = 10.20.20.20 / 27
SNMP Community = MyP0llingP455
access-list 99 permit 10.20.20.20 0.0.0.31
access-list 99 deny any log
snmp-server community MyP0llingP455 RO 99
snmp-server source-interface traps fastEthernet 1
snmp-server host 10.30.30.30 vrf management traps trapcommunity123
logging source-interface FastEthernet1
logging host 10.50.50.50 vrf management
access-list 11 remark to Block NTP Requests
access-list 11 deny any
access-list 44 remark NTP Peers
access-list 44 permit 10.40.40.40
access-list 44 deny any
NTP:
ntp source fastEthernet 1
ntp access-group peer 44
ntp access-group serve 11
ntp access-group serve-only 11
ntp access-group query-only 11
ntp update-calendar
ntp server vrf management 10.40.40.40
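As an added example (not part of the original guide), the Python script below parses an IOS-style configuration into top-level commands and their sub-commands, then checks that each management-plane service configured in the sections above (management port, TACACS+ group, VTY ACL, syslog, SNMP traps, NTP) is actually bound to the management VRF. The sample config it audits is constructed from the snippets on this page; the check names and the `audit`/`parse_blocks` helpers are my own.

```python
import re
# Constructed sample assembled from the sections above (not a captured running-config).
SAMPLE_CONFIG = """\
vrf definition management
!
interface FastEthernet1
 vrf forwarding management
!
aaa group server tacacs+ FNT
 server-private 10.55.55.56 key 7 026419091115495C1AE0F0A3
 ip vrf forwarding management
!
line vty 0 4
 access-class 111 in vrf-also
 transport input ssh
!
logging host 10.50.50.50 vrf management
snmp-server host 10.30.30.30 vrf management traps trapcommunity123
ntp server vrf management 10.40.40.40
"""
def parse_blocks(text):
    """Group an IOS config into {top-level command: [indented sub-commands]}."""
    blocks, parent = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and '!' separators
        if raw.startswith(" "):
            blocks.setdefault(parent, []).append(raw.strip())
        else:
            parent = raw.strip()
            blocks.setdefault(parent, [])
    return blocks

def audit(text, vrf="management", mgmt_if="FastEthernet1"):
    """Return {check: passed} for the management-plane controls this guide sets."""
    b = parse_blocks(text)
    def child(prefix, pat):  # does any block whose command starts with prefix hold a matching line?
        return any(re.search(pat, c) for p, kids in b.items() if p.startswith(prefix) for c in kids)
    def top(pat):  # is there a matching top-level line?
        return any(re.search(pat, p) for p in b)
    return {
        "vrf_defined": top(rf"^vrf definition {vrf}$"),
        "mgmt_port_in_vrf": child(f"interface {mgmt_if}", rf"^vrf forwarding {vrf}$"),
        "tacacs_group_in_vrf": child("aaa group server tacacs+", rf"^ip vrf forwarding {vrf}$"),
        "vty_acl_vrf_also": child("line vty", r"^access-class \d+ in vrf-also$"),
        "vty_ssh_only": child("line vty", r"^transport input ssh$"),
        "syslog_via_vrf": top(rf"^logging host \S+ vrf {vrf}$"),
        "snmp_traps_via_vrf": top(rf"^snmp-server host \S+ vrf {vrf} "),
        "ntp_via_vrf": top(rf"^ntp server vrf {vrf} \S+$"),
    }
```

Run `audit()` over a `show running-config` dump to find any service still sourced from the global routing table; a failed check means that traffic is leaving through the data path instead of the OOB network.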