Disable in-band management on M4300-28G

Question

I want to disable any in-band management possibility on my M4300-28G and leave only OOB management.

Currently I'm using the switch as a router and set the management vlan to 999 which is a vlan that does not have a valid IP address, and despite that, Managemnet Web GUI, telnet, and ssh are accesible from every vlan on the switch that has an IP address... don't understand why.

LaurentMa · Answer

Hi Team, if you don't want to see the TCP ports opened any more (Rest API and AV UI) please stop the applications and un-install them. You can re-install them later in the CLI if needed.
&nbsp;
User:adminPassword:********(M4300-28G) &gt;enable
(M4300-28G) #show application
OpEN application table contains 3 entries.
Name StartOnBoot AutoRestart CPU Sharing Max Memory Preload Version---------------- ----------- ----------- ----------- ---------- ------- -------------------AVUI Yes Yes 0 0 Yes 2.2.3.11RestAgent Yes Yes 0 0 Yes 2.0.1.32discAgent Yes Yes 0 0 Yes 1.0.0.3
(M4300-28G) #application stop AVUI
Application stopped.
(M4300-28G) #application stop RestAgent
Application stopped.
(M4300-28G) #config
(M4300-28G) (Config)#no application install AVUI
(M4300-28G) (Config)#no application install RestAgent
(M4300-28G) (Config)#exit
(M4300-28G) #save

schumaku · Answer

This is the intended default behavior for the in-band management..
&nbsp;
The in-band CPU management access can be disabled, limiting the access to the the switch CPU for GUI, telnet etc. via the OOB service port if you have a separate management network. Further on you can deploy Management ACLs for protecting inband access (for instance, restricting HTTP GUI access to certain IP addresses or subnets, restricting Telnet to certain other IP addresses, etc.).
&nbsp;

Alain_Sanchez · Answer

How can I disable in-band CPU management access? I have Management Source Interface set to Service Port yet I still have in-band access to management.

Also, I don't understand why I can access switch management from every single vlan of the switch with an IP address if I explicitly selected a Managenment VLAN. What's the point of having an in-band management vlan if I can access the switch from every vlan with routing enabled?

schumaku · Answer

&nbsp;
&nbsp;
Alain_Sanchez&nbsp;wrote:
How can I disable in-band CPU management access?

These are no consumer class devices with simple on-off controls for many reasons.
&nbsp;
Alain_Sanchez&nbsp;wrote:
I have Management Source Interface set to Service Port yet I still have in-band access to management.

Well, you have enabled OOB, this does not imply any in-band vectors will be disabled.
&nbsp;
Alain_Sanchez&nbsp;wrote:
Also, I don't understand why I can access switch management from every single vlan of the switch with an IP address if I&nbsp;explicitly selected a Managenment VLAN.

A kind of an industry standard on business switches and routers.
&nbsp;
Alain_Sanchez&nbsp;wrote:
What's the point of having an in-band management vlan if I can access the switch from every vlan with routing enabled?

In-band and out-of-band is fully concurrent.
&nbsp;
Put up access controls for all vectors you want to allow or deny.

LaurentMa · Answer

HI&nbsp;Alain_Sanchez&nbsp;,
&nbsp;
You should restrict Management Access using Access Control.
https://www.netgear.com/support/product/M4300.aspx#docs
-&nbsp;for instance the Web GUI User Manual&nbsp;https://www.downloads.netgear.com/files/GDC/M4300/M4300_M4300-96X_UM_EN.pdf
starting page 544.
&nbsp;
This way, any unapproved origin IP/service will be discarded by the CPU (we call it Management CPU ACL)
&nbsp;
I hope it will help you,
Regards,
Laurent Masia

Forum Discussion

Disable in-band management on M4300-28G

9 Replies

Related Content

m4300-28g

M4300-28G

M4300 stacking between M4300-28G and M4300-12X12F

Netgear M4300-28G to Cisco connection

M4300-28G-PoE+ & Tivo

NETGEAR Academy

ProSupport for Business