New Cisco Routers and Switches come with a dedicated Ethernet port which unique purpose is to provide management access to the device via SSH or Telnet. This interface is isolated in its own VRF called “Mgmt-vrf’. Placing the management Ethernet interface in its own VRF has the following effects on the Management Ethernet interface:
- Many features must be configured or used inside the VRF, so the CLI may be different for certain Management Ethernet functions on other routers.
- Prevents transit traffic from traversing the device. Because all of the SPA interfaces and the Management Ethernet interface are automatically in different VRFs, no transit traffic can enter the Management Ethernet interface and leave a SPA interface, or vice versa.
- Improved security of the interface. Because the Mgmt-intf VRF has its own routing table as a result of being in its own VRF, routes can only be added to the routing table of the Management Ethernet interface if explicitly entered by a user.
- The Management Ethernet interface VRF supports both IPv4 and IPv6 address families.
That means the static default route should not interfere with Routing in the Global Routing Table or any other VRF configured, that management traffic is isolated in its own VRF. The configuration for the Management Interface cannot be modified in terms of VRF, you can only assign an IP address to it and a Static Default Route to allow connectivity.
The purpose is to connect that interface to an isolated IP network that can guarantee “always on” access to the device only for management purposes.
However, it is not a must to use that interface for management. You can still configure your device to accept SSH and Telnet sessions on the Global Routing Table or any other VRF (in other words, coming from any other interface).
For Cisco Catalyst switch 3850, the Gigabit Ethernet Management interface is automatically part of its own VRF. This VRF, which is named “Mgmt-intf,” is automatically configured and is dedicated to the Management Ethernet interface; no other interfaces can join this VRF. Therefore, this VRF does not participate in the MPLS ××× VRF or any other network-wide VRF. The Mgmt-intf VRF supports loopback interface.
Basic Configuration on Mgmt-vrf
Here is basic related Management Interface Configuraiton:
vrf definition Mgmt-vrf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family
interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf ip address 10.9.2.15 255.255.255.0 negotiation auto !
Static Route
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.9.2.26
Line VTY Access
Common configuration for VTY Lines
access-list 101 permit ip 10.9.2.0 0.255.255.255 any log line vty 0 4 access-class 101 in exec-timeout 4 30 logging synchronous login authentication VTYAUTH transport input ssh line vty 5 15 access-class 101 in exec-timeout 4 30 logging synchronous login authentication VTYAUTH transport input ssh !
Unfortunately, ping to 10.9.2.15 is working fine But not ssh. SW refused configuration
Solutions:
line vty 0 4 access-class 101 in vrf-also exec-timeout 4 30 logging synchronous login authentication VTYAUTH transport input ssh line vty 5 15 access-class 101 in vrf-also exec-timeout 4 30 logging synchronous login authentication VTYAUTH transport input ssh !
NTP
ntp server vrf Mgmt-vrf 10.9.1.242 ntp server vrf Mgmt-vrf 10.9.6.5
原文地址:http://blog.51cto.com/jettcai/2159233