Management Port Configuration on Cisco IOS Catalyst 4500 (SSH, SNMP, NTP, AAA, Syslog)

Objective: To separate management traffic from data/customer traffic on your Cisco Catalyst 4500 L3 Switch

Preferably, data and management traffic live in two separate network domains.

Use a UTP cable to connect the management port (FastEthernet 1) to a network switch that reaches the OOB management gateway.
Tested on Cisco IOS Version 15.1

**Management IP Configuration**

1. Configure the VRF for management

vrf definition management
address-family ipv4
address-family ipv6

2. Set the physical IP address of the management port. On a Catalyst 4500 (e.g. 4948), this is interface FastEthernet 1.

interface FastEthernet1
description Connection to OOB Management Switch
vrf forwarding management
ip address
speed auto
duplex auto

3. Configure a static default route in the VRF to the management gateway

Gateway =
ip route vrf management name MANAGEMENT

**AAA Configuration**
TACACS+ Server1 IP =
TACACS+ Server2 IP =

! aaa new-model must be enabled before any of the aaa commands below are accepted
aaa new-model
aaa authentication login VTY group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

TACACS+ servers:
ip tacacs source-interface FastEthernet 1
tacacs server TACACS1
address ipv4
key 7 00B0A024D346E1E0605
tacacs server TACACS2
address ipv4
key 7 00B0A024D346E1E0605

**SSH Configuration**

Authorized source IP allowed to SSH in:

access-list 111 permit ip host any
access-list 111 deny ip any any log

ip ssh version 2

line vty 0 4
access-class 111 in vrf-also
exec-timeout 5 0
password 7 0710A0103585550925
login authentication VTY
transport input ssh

**SNMP Configuration**

SNMP Polling Server = /27
SNMP Trap Server =
SNMP Community = MyP0llingP455
Trap Community = trapcommunity123

access-list 99 permit
access-list 99 deny any log

SNMP Polling:

snmp-server community MyP0llingP455 RO 99

SNMP Traps:

snmp-server source-interface traps fastEthernet 1
snmp-server host vrf management traps trapcommunity123


**Syslog Configuration**

Remote Syslog Server IP =

logging source-interface FastEthernet1
logging host vrf management

**NTP Configuration**

NTP Server IP =

ACLs (optional, recommended for security):
access-list 11 remark to Block NTP Requests
access-list 11 deny any
access-list 44 remark NTP Peers
access-list 44 permit
access-list 44 deny any

ntp source fastEthernet 1
ntp access-group peer 44
ntp access-group serve 11
ntp access-group serve-only 11
ntp access-group query-only 11
ntp update-calendar
ntp server vrf management 10.40.40.40

Note: NetFlow export should not be sent over the management port; its traffic volume can drive CPU utilization high. Also note that an OOB configuration can be done using a loopback interface instead, but that is not covered in this tutorial.
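As an added defender-side check that is not part of the original post, the Python below audits a running-config excerpt for the controls this tutorial sets up: SNMP communities bound to an ACL, management servers (SNMP traps, syslog, NTP) placed in vrf management, and every vty line carrying access-class ... in vrf-also, an exec-timeout and SSH-only transport. The sample config is constructed, and its 192.0.2.x / 198.51.100.x addresses are documentation ranges standing in for the values the page leaves blank.

```python
import re

# Constructed sample running-config modelled on the page's tutorial; 192.0.2.x and 198.51.100.x
# stand in for the values the page leaves blank, and 'public', logging host and vty 5 15 are weak.
SAMPLE_CONFIG = """\
access-list 111 permit ip host 192.0.2.10 any
snmp-server community MyP0llingP455 RO 99
snmp-server community public RO
snmp-server host 198.51.100.5 vrf management traps trapcommunity123
logging host 198.51.100.6
ntp server vrf management 198.51.100.7
line vty 0 4
 access-class 111 in vrf-also
 exec-timeout 5 0
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport input telnet ssh
"""

def vty_blocks(lines):
    """Map each 'line vty ...' parent to its indented child commands."""
    blocks, cur = {}, None
    for l in lines:
        if l.startswith("line vty"):
            cur = blocks[l] = []
        elif not l.startswith(" "):
            cur = None  # any other top-level command ends the block
        elif cur is not None:
            cur.append(l.strip())
    return blocks

def audit(config):
    """Return findings for the management-plane controls the page configures."""
    lines, findings = config.splitlines(), []
    for l in lines:
        m = re.match(r"snmp-server community (\S+) R[OW](?: (\S+))?$", l)
        if m and not m[2]:
            findings.append(f"snmp: community {m[1]} is not bound to an ACL")
        # Servers reached over the OOB port must be bound to the management VRF
        if re.match(r"(snmp-server host|logging host|ntp server) ", l) and " vrf management" not in l:
            findings.append(f"vrf: '{l}' is not bound to vrf management")
    for name, body in vty_blocks(lines).items():
        if not any(b.startswith("access-class ") and b.endswith(" in vrf-also") for b in body):
            findings.append(f"{name}: access-class ... in vrf-also missing")
        if "transport input ssh" not in body:
            findings.append(f"{name}: transport input is not SSH-only")
        if not any(b.startswith("exec-timeout ") and b != "exec-timeout 0 0" for b in body):
            findings.append(f"{name}: exec-timeout missing or disabled")
    return findings
```

Run it over saved `show running-config` output; on the constructed sample it reports the unbound 'public' community, the syslog host outside the VRF and the three weaknesses in line vty 5 15.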
