Information
Vendors provisioning dedicated management interfaces is a widespread practice, and gives some significant security advantages when implementing:
SSH access
SNMP polling
Syslog logging
SNMP traps
NTP requests
This practice facilitates implementation of segmented, access controlled Management VLANs or VRFs, which acts as a significant deterrent to attackers. It provides management access outside of the regular data plane operations. Also, if there is a routing or switching issue that might interfere with in-band access, the management interface is very often not affected by this and is still acceptable.
Rationale:
Administration via the mgmt interface bypasses the default routing and switching processing on the switch. This means that any routing issues or switching problems on the device itself will not affect access to the mgmt0 interface. Note however that in most cases the uplink from the mgmt0 interface is part of the larger switching infrastructure - this should be taken into account when architecting the overall network.
Impact:
Using the MGMT interface and a dedicated Management VRF ensures that production and management traffic can never interfere with each other.
More importantly, this provides a segregated path outside of the production data plane path for management traffic. This is important because often management traffic such as syslog, SNMPv2 and NTP are in clear text. Routing this traffic using the production data paths gives a malicious actor the opportunity to intercept or modify this traffic, which facilitates several opportunities for reconnaissance or active attacks by modifying this data.
Solution
First configure the mgmt0 interface:
switch(config)# interface mgmt0
switch(config-if)# ip address 1.2.3.1/24
If needed, add the various routes needed for connectivity for the mgmt interface. Note that this can also be accomplished with a routing protocol implemented for the vrf 'management'
ip route 5.6.7.8 255.255.255.0 1.2.3.254 vrf management
Then, configure the source-interface commands for each target protocol that is implemented:
switch(config)# snmp-server source-interface traps mgmt0
switch(config)# snmp-server source-interface informs mgmt0
switch(config)# snmp-server host 1.2.3.4 source-interface loopback0
switch(config)# ntp source-interface mgmt0
switch(config)# logging source-interface mgmt0
Default Value:
By default, the source-interface is not configured for any protocol. All protocols originate from the interface that is closest to it's target in the vrf 'default'.