How to configure management interface on Cisco 2960X / 3650 / 3850 / 4500X switch

Cisco switch management port interface

The Cisco management port interface can be located on the back or front of the switch and has a yellow band around it, as in the picture below:

It is a layer 3 (routed) port and is typically named Fa0/0 or Gi0/0 with full duplex and autonegotiation.

Management Port in a stack

When the switches are in a stack, the interfaces can be plugged into a hub or a switch and will be active on the stack master switch as shown below:

Although the picture shows the ports connected to a hub, a switch will also work as long as the ports are all on the same VLAN. Upon a stack master failure, the management port will automatically migrate to the next master.

How to configure the port

For 2960X

interface Fa0
 description MGMT Port
 ip address x.x.x.x (subnet mask)
 no shut
ip default-gateway (default gw)

For 3650, 3850

The management port is a routed interface so the IP is assigned like a router port.

interface GigabitEthernet0/0
 description MGMT Port
 vrf forwarding Mgmt-vrf
 ip address x.x.x.x (subnet mask)
 no shut

The Cisco switch creates a management VRF (virtual routing and forwarding) routing table by default, so you need to put the default route for that interface in the management VRF routing table.

ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 (default gw)

To display the management port’s routing table, issue the following:

show ip route vrf Mgmt-vrf

Optional Configuration

Depending on the features you use, each of the following needs additional configuration so that it uses the management interface VRF, Mgmt-vrf.

Configure AAA authentication

Your RADIUS and TACACS+ servers will need to be configured to use the Mgmt-vrf.

aaa group server radius RADIUS
 server name x.x.x.x
 ip vrf forwarding Mgmt-vrf
aaa group server tacacs+ TACACS
 server name x.x.x.x
 ip vrf forwarding Mgmt-vrf

Configure VTY access-list

If you are using access-lists on your SSH server, you will also need to configure the access-class with the vrf-also keyword so that it is used for Mgmt-vrf.

line vty 0 15
 access-class ACL in vrf-also
 transport input ssh

Configure NTP server

Your NTP servers will need to be configured to use the Mgmt-vrf.

ntp server vrf Mgmt-vrf x.x.x.x 

Configure Netflow

flow exporter EXPORTER
 destination x.x.x.x vrf Mgmt-vrf
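
The following is an added example, not part of the original post: a Python check that parses a saved running-config and reports AAA server groups, NTP servers, flow exporters and VTY access-classes that are not bound to Mgmt-vrf, plus a missing default route in that VRF. The sample config, the server names RAD1 and TAC1 and the 192.0.2.x addresses are constructed, and the parser assumes the indentation used by show running-config.

```python
MGMT_VRF = "Mgmt-vrf"  # VRF name used on this page
# Constructed sample in "show running-config" layout (child lines indented).
SAMPLE = """\
aaa group server radius RADIUS
 server name RAD1
 ip vrf forwarding Mgmt-vrf
aaa group server tacacs+ TACACS
 server name TAC1
ntp server 192.0.2.20
ntp server vrf Mgmt-vrf 192.0.2.21
flow exporter EXPORTER
 destination 192.0.2.30 vrf Mgmt-vrf
line vty 0 15
 access-class ACL in
 transport input ssh
"""

def stanzas(config):
    """Return [(header, child_lines)] for each top-level stanza."""
    out = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and "!" separators
        if not raw[0].isspace():
            out.append((raw.strip(), []))   # new top-level command
        elif out:
            out[-1][1].append(raw.strip())  # sub-command of the last stanza
    return out

def audit(config):
    """Return findings for management services not bound to MGMT_VRF."""
    findings, has_default = [], False
    for header, kids in stanzas(config):
        if header.startswith(f"ip route vrf {MGMT_VRF} 0.0.0.0 0.0.0.0 "):
            has_default = True
        elif header.startswith("aaa group server ") and f"ip vrf forwarding {MGMT_VRF}" not in kids:
            findings.append(f"{header}: no ip vrf forwarding {MGMT_VRF}")
        elif header.startswith("ntp server ") and f" vrf {MGMT_VRF} " not in header:
            findings.append(f"{header}: not in {MGMT_VRF}")
        elif header.startswith("flow exporter "):
            if any(k.startswith("destination ") and f" vrf {MGMT_VRF}" not in k for k in kids):
                findings.append(f"{header}: destination not in {MGMT_VRF}")
        elif header.startswith("line vty "):
            for w in map(str.split, kids):
                if w[0] == "access-class" and w[2:3] == ["in"] and "vrf-also" not in w:
                    findings.append(f"{header}: access-class lacks vrf-also")
    if not has_default:
        findings.append(f"no default route in {MGMT_VRF}")
    return findings
```

Calling audit() on the text of a saved configuration returns a list of strings, one per finding; an empty list means every checked service is bound to the management VRF.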