1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions

Information

Vendors provisioning dedicated management interfaces is a widespread practice, and gives some significant security advantages when implementing:

SSH access

SNMP polling

Syslog logging

SNMP traps

NTP requests

This practice facilitates implementation of segmented, access controlled Management VLANs or VRFs, which acts as a significant deterrent to attackers. It provides management access outside of the regular data plane operations. Also, if there is a routing or switching issue that might interfere with in-band access, the management interface is very often not affected by this and is still acceptable.

Rationale:

Administration via the mgmt interface bypasses the default routing and switching processing on the switch. This means that any routing issues or switching problems on the device itself will not affect access to the mgmt0 interface. Note however that in most cases the uplink from the mgmt0 interface is part of the larger switching infrastructure - this should be taken into account when architecting the overall network.

Impact:

Using the MGMT interface and a dedicated Management VRF ensures that production and management traffic can never interfere with each other.

More importantly, this provides a segregated path outside of the production data plane path for management traffic. This is important because often management traffic such as syslog, SNMPv2 and NTP are in clear text. Routing this traffic using the production data paths gives a malicious actor the opportunity to intercept or modify this traffic, which facilitates several opportunities for reconnaissance or active attacks by modifying this data.

Solution

First configure the mgmt0 interface:

switch(config)# interface mgmt0
switch(config-if)# ip address 1.2.3.1/24

If needed, add the various routes needed for connectivity for the mgmt interface. Note that this can also be accomplished with a routing protocol implemented for the vrf 'management'

ip route 5.6.7.8 255.255.255.0 1.2.3.254 vrf management

Then, configure the source-interface commands for each target protocol that is implemented:

switch(config)# snmp-server source-interface traps mgmt0
switch(config)# snmp-server source-interface informs mgmt0
switch(config)# snmp-server host 1.2.3.4 source-interface loopback0
switch(config)# ntp source-interface mgmt0
switch(config)# logging source-interface mgmt0

Default Value:

By default, the source-interface is not configured for any protocol. All protocols originate from the interface that is closest to it's target in the vrf 'default'.

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|CM-7, 800-53|MA-4, CSCv7|11.6, CSCv7|11.7

Plugin: Cisco

Control ID: 8f83f2c2d5441fd055f6136ce85a8ea90a5bdc3440be1278b90916b6fffe80dc