Disable management access on port?

I have a CRS312-4C+8XG. By default, all the ports are bridged together, including the management port. I’m trying to figure out how to separate/isolate the management port. So far, I’ve figured out how to move it to its own bridge and how to move the management IP address to that port. However, I appear to be able to access the management console through both ether1 and ether9 (the management port).

How do I disable management access on a particular port?

How I would approach it (surely can be done more elegantly):
Firewall
- Allow input access on the port which you want to allow. I’m assuming you’re using Winbox and the standard port TCP/8291?
- Drop access for all interfaces not equal to ether9 for TCP/8291.

Caveat: use SAFE MODE when configuring this and make sure you are connected to that one interface.
If you goof up with the config, safe mode will revert back.
Otherwise you may lock yourself out of your device…

Management port on bridge?
The management port is usually alone and completely isolated.


Unless programmed differently, you can access the terminal or Winbox from any interface.


You must not reason about how to disable management access on a particular port,
but about how to enable management only from the management port…

This is likely what I’ll be doing, barring some purpose-built solution. (For example, consumer wifi routers usually have an option to prevent management access from wifi connections. That configuration is usually separate from any firewall configuration.)

Physically, there is a port marked “management” but, as far as I can tell, its only practical difference is that it’s slower than the other ports (1GbE vs 10GbE). I would have expected that a port marked “management” would be the only port with access to the management console.

I’ve looked through the management interface and I’m not seeing something that seems like it is purpose-built for controlling which ports have management access. Sure, one could use the firewall to control that but I have doubts as to whether that is the proper tool for the job.
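
The "enable management only from the management port" approach from the replies above, written out as a RouterOS configuration. This is an added example, not from any poster in the thread, and it goes beyond the TCP/8291 rule by also covering the MAC-layer services, which the IP firewall does not see. The bridge name `bridge-mgmt` and the interface list name `MGMT` are assumptions; ether9 and its separate bridge come from the original post. Apply it in Safe Mode while connected through ether9, as the first reply advises.

```routeros
# Added example. Assumed names: bridge-mgmt (the bridge that now holds ether9)
# and MGMT (an interface list created here).
/interface list
add name=MGMT

# ether9 is a bridge port, so traffic to the switch itself arrives on the
# bridge interface. The list member must be the bridge, not ether9.
/interface list member
add list=MGMT interface=bridge-mgmt

# Layer 3: accept traffic addressed to the switch only from MGMT, then drop
# everything else on the input chain (Winbox on TCP/8291, SSH, and so on).
# Assumes the switch needs no other input traffic on the remaining ports.
/ip firewall filter
add chain=input action=accept in-interface-list=MGMT comment="management from MGMT only"
add chain=input action=drop in-interface-list=!MGMT comment="no access to the switch from other ports"

# Layer 2: MAC-Telnet and MAC-Winbox are not IP traffic, so the rules above
# do not affect them. Restrict them to the same interface list.
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

# Stop advertising the device via neighbor discovery on the other ports.
/ip neighbor discovery-settings
set discover-interface-list=MGMT
```

The `input` chain only governs traffic addressed to the switch itself, so bridged traffic between the 10GbE ports is not affected by these rules.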