Hi,
We are about to buy some Mikrotik routers and I want to use the dedicated 10/100 Ethernet port for Out-of-Band Management.
I was looking for the default configuration of this interface but I couldn’t find anything.
There are several posts on how to configure a regular ether_X_ interface just for management purposes, but nothing specific to the dedicated 10/100 Ethernet Mgmt port that comes with several models like CCR2116, CRS326 or CRS354.
I would appreciate it if someone could share their experience with this dedicated management port.
Thanks in advance!
All ports can be WAN/LAN/Trunk/OOB… in the default configuration you can manage by any port, plus the console via serial cable…
Next comes proper configuration, and you can make just one port OOB only.
Most importantly, for the CRS’s of the 3xx series (probably valid for other models too, check your model’s specific hardware block-diagram!)
all the 10Gig ports are in a single switch-fabric, inside the switch-chip, they forward packets not necessarily going through the CPU (hw acceleration/hw bridge)
the port marked "MGMT" has a separate dedicated PHY, and is connected directly to the CPU of the switch
so you should NEVER group them with the other ports in the same bridge
this should be better documented in the wiki.
i have seen multiple cases of performance issues with CRS317’s that were configured (wrongly) with the MGMT port in the same “bridge” as all the other ports
MGMT port is a special snowflake port. treat it as such.
Exactly, in the block diagrams for CRS354 or CCR2116 the MGMT port is directly connected to the CPU. It shouldn’t be treated as a regular ethernet port grouped in the default bridge. That’s why I’m asking for the configuration of this MGMT interface.
I didn’t find anything related to this in the wiki or this forum.
MGMT means “don’t pass a trunk here, use as OOB”, but in the default configuration you can access this unit from other VLANs etc.
If you want MGMT to be the only access port to the device, then you should set that up in other places in RouterOS, so that only that port has rules for “Mac-Telnet” / “WinBox”, Firewall etc.
The CRS317 MGMT port is part of the switching chip, so there is no problem including it in the bridge; of course it is better to only use it for management purposes.
I think you are referring to another model.
Indeed, CRS317 has a separate PHY into the same switch chip, while other models have a direct-to-CPU MGMT port.
I got confused, my apologies.
But that brings another topic: when vlan-filtering is enabled (and MGMT is on the “bridge”), you can lock yourself out of the switch
All the more reason to not put the “MGMT” port in there in the first place
We really need a Wiki entry on “Leaving the MGMT port alone by default”, and only messing with it once the consequences are understood.
The default configuration is misleading and problematic, in my view.
Thanks all for your comments.
I agree, the Wiki should have a topic about the native MGMT port and all the variants.
Even if MGMT port is connected to switch chip, if it’s not configured as bridge port, bridge VLAN settings don’t apply.
Simply enabling vlan-filtering on the bridge without any other (explicit) VLAN settings won’t break MGMT access, as all bridge ports (bridge interface included) have an implicit setting of pvid=1. So yes, it is easy to lock yourself out, but it does take some explicit settings to make it happen.
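
An added example, not part of any post in this thread and not MikroTik's default configuration: one way to set up the dedicated port as described above, kept out of the bridge and made the only interface that accepts management. The interface name `ether49`, the bridge name `bridge`, the list name `MGMT` and the 192.0.2.0/24 addresses are assumptions; check your model's port naming and block diagram first.

```routeros
# Assumptions (not from the thread): MGMT port is ether49, OOB subnet is
# 192.0.2.0/24 (documentation range), interface list is called MGMT.
# Apply from the serial console or in Safe Mode so a mistake cannot lock you out.

# 1. Take the MGMT port out of any bridge, so bridge VLAN filtering
#    and pvid settings never apply to it.
/interface bridge port remove [find where interface=ether49]

# 2. Give the port its own address on the out-of-band subnet.
/ip address add address=192.0.2.10/24 interface=ether49 comment="OOB management"

# 3. Interface list naming the only place management may come from.
/interface list add name=MGMT
/interface list member add list=MGMT interface=ether49

# 4. Layer-2 management (MAC-Telnet, MAC-WinBox) and neighbor discovery
#    are offered on that list only.
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT

# 5. Layer-3 management: SSH (22) and WinBox (8291) are accepted from the
#    MGMT list and dropped when they arrive on any other interface.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="existing sessions"
add chain=input action=accept in-interface-list=MGMT protocol=tcp dst-port=22,8291 comment="SSH/WinBox via OOB"
add chain=input action=drop in-interface-list=!MGMT protocol=tcp dst-port=22,8291 comment="no in-band management"
```

The serial console stays available as a fallback whatever the firewall and bridge settings are.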