Ethernet Management Interface VRF

Newer Cisco routers and switches come with a dedicated Ethernet port whose sole purpose is to provide management access to the device via SSH or Telnet. This interface is isolated in its own VRF, called "Mgmt-vrf". Placing the management Ethernet interface in its own VRF has the following effects on that interface:

  1. Many features must be configured or used inside the VRF, so the CLI for certain Management Ethernet functions may differ from that of other routers.
  2. Transit traffic cannot traverse the device. Because all of the SPA interfaces and the Management Ethernet interface are automatically in different VRFs, no transit traffic can enter the Management Ethernet interface and leave a SPA interface, or vice versa.
  3. Improved security of the interface. Because the Mgmt-intf VRF has its own routing table, routes can only be added to the routing table of the Management Ethernet interface if a user explicitly enters them.
  4. The Management Ethernet interface VRF supports both the IPv4 and IPv6 address families.

This means that a static default route in the management VRF does not interfere with routing in the global routing table or in any other configured VRF, and that management traffic stays isolated in its own VRF. The VRF assignment of the Management Interface cannot be changed; you can only assign it an IP address and a static default route to allow connectivity.

The intent is to connect that interface to an isolated IP network that guarantees "always on" access to the device for management purposes only.

However, using that interface for management is not mandatory. You can still configure the device to accept SSH and Telnet sessions from the global routing table or from any other VRF (in other words, arriving on any other interface).

On the Cisco Catalyst 3850 switch, the Gigabit Ethernet Management interface is automatically part of its own VRF. This VRF, named "Mgmt-intf", is configured automatically and is dedicated to the Management Ethernet interface; no other interfaces can join it. Therefore, this VRF does not participate in the MPLS VPN VRF or any other network-wide VRF. The Mgmt-intf VRF supports loopback interfaces.

Basic Configuration on Mgmt-vrf
Here is the basic Management Interface configuration:

vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.9.2.15 255.255.255.0
 negotiation auto
!

Static Route

ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.9.2.26

Line VTY Access

Common configuration for VTY Lines

access-list 101 permit ip 10.9.2.0 0.255.255.255 any log

line vty 0 4
 access-class 101 in
 exec-timeout 4 30
 logging synchronous
 login authentication VTYAUTH
 transport input ssh
line vty 5 15
 access-class 101 in
 exec-timeout 4 30
 logging synchronous
 login authentication VTYAUTH
 transport input ssh
!

With this configuration, ping to 10.9.2.15 works fine, but SSH does not: the switch refuses the session. An access-class applied without the vrf-also keyword only accepts connections that arrive in the global routing table, so sessions coming in through the Mgmt-vrf interface are rejected.

Solution:

line vty 0 4
 access-class 101 in vrf-also
 exec-timeout 4 30
 logging synchronous
 login authentication VTYAUTH
 transport input ssh
line vty 5 15
 access-class 101 in vrf-also
 exec-timeout 4 30
 logging synchronous
 login authentication VTYAUTH
 transport input ssh
!

NTP

ntp server vrf Mgmt-vrf 10.9.1.242
ntp server vrf Mgmt-vrf 10.9.6.5
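As an added example (not part of the original post), here is a small Python audit of the management-VRF points above, run over a constructed config fragment modelled on the post's snippets. It flags a vty access-class without vrf-also, a transport that still allows telnet, an access-list wider than the management subnet (note that the wildcard 0.255.255.255 used above matches all of 10.0.0.0/8, not only 10.9.2.0/24), and a missing VRF-bound NTP server; 10.9.2.0/24 is assumed to be the intended management network.

```python
import re
from ipaddress import IPv4Network

# Constructed sample running-config modelled on the post's snippets (not a real device);
# the "line vty 5 15" block deliberately lacks vrf-also and still allows telnet.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.9.2.0 0.255.255.255 any log
line vty 0 4
 access-class 101 in vrf-also
 transport input ssh
line vty 5 15
 access-class 101 in
 transport input ssh telnet
!
ntp server vrf Mgmt-vrf 10.9.1.242
"""

def parse_blocks(config):
    """Group IOS-style config into {header: [indented sub-lines]}; '!' or a blank line ends a block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.strip() and raw.strip() != "!":
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
    return blocks

def audit_mgmt_vrf(config, vrf="Mgmt-vrf", mgmt_subnet="10.9.2.0/24"):
    """Return findings for the post's hardening points; an empty list means the config is clean."""
    findings, blocks = [], parse_blocks(config)
    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        acl = next((b.split() for b in body if b.startswith("access-class")), None)
        if acl is None or "vrf-also" not in acl:  # without vrf-also, sessions arriving via the VRF are refused
            findings.append(f"{header}: access-class missing or lacks vrf-also")
        m = acl and re.search(rf"^access-list {acl[1]} permit ip (\S+) (\S+) any", config, re.M)
        if m:  # ipaddress accepts the IOS wildcard (hostmask) form directly
            scope = IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if scope.prefixlen < IPv4Network(mgmt_subnet).prefixlen:
                findings.append(f"{header}: ACL {acl[1]} permits {scope}, wider than {mgmt_subnet}")
        if any(b.startswith("transport input") and "telnet" in b for b in body):
            findings.append(f"{header}: telnet allowed on transport input")
    if not any(h.startswith(f"ntp server vrf {vrf}") for h in blocks):
        findings.append(f"no ntp server bound to {vrf}")
    return findings
```

Running `audit_mgmt_vrf(SAMPLE_CONFIG)` on the sample returns four findings; an empty list means every vty line accepts VRF-sourced SSH only, from the intended subnet, and NTP is bound to the management VRF.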

Original article: http://blog.51cto.com/jettcai/2159233

Time: 2024-10-13 20:59:06
