Solved: Mgmt VRF Nexus

Federico Coto Fajardo · ‎08-27-2018

Hi quick question.

How to have two Gateways for management?

For example:

vrf context management
ip route 0.0.0.0/0 mgmt0 1.1.1.1
ip route 12.12.12.0/24 mgmt0 1.1.1.2

The above idea is to have both 1.1.1.1 and 1.1.1.2 be able to manage the Nexus.

The first statement works (default route), but the second route just add a non-recursive static route.

ADP_89 · ‎08-28-2018

"ip route 24.26.76.0/23 24.26.76.1":

The next hop 24.26.76.1 is not in the same subnet as your management interface is. This is the reason why traffic gets forwarded first to 24.26.74.1

Your nexus management interface will be only able to forward packets to hosts/routers in the same subnet 24.26.74.0/23 (24.26.74.0 -- 24.26.75.255). If you specify a gateway outside of the local broadcast domain, like you did with 24.26.76.1, it will recursively lookup at the best path to reach it(in this case the default gateway).

Does it make sense to you?

ADP

View solution in original post

nazimkha · ‎08-27-2018

I do not understand your use case.
Do we want to connect to the Nexus switch with 1.1.1.1 or 1.1.1.2 or use source as 1.1.1.1 and 1.1.1.2 to login to nexus ?

Federico Coto Fajardo · ‎08-27-2018

Use source as 1.1.1.1 and 1.1.1.2 to login to Nexus.

You know how normally you have a single Management device that logs in to the Nexus?

vrf context management
ip route 0.0.0.0/0 mgmt0 1.1.1.1

How do you add more?

ADP_89 · ‎08-28-2018

The "ip route " command under the vrf context simply puts a route entry into the routing table and provides forwarding directions to packets leaving the management interface. It is not used to allow management traffic from the gateways. You might be confused by the ASA command "ssh X.X.X.X Y.Y.Y.Y interface" where you allow the X.X.X.X/Y subnet to manage the firewall.

If you want to define which IPs are allowed to access the Nexus management you need to create an ACL and then apply it to the line vty or the other management daemons.

E.g:

ip access-list MGMT
10 permit ip 1.1.1.1/32 any
20 permit ip 1.1.1.2/32 any

line vty
access-class MGMT in

snmp-server community *** use-ipv4acl MGMT

HTH

Federico Coto Fajardo · ‎08-28-2018

The problem that we're having is actually a routing problem, the problem is that the default route is overriding the static route. Currently the default is set to send all traffic to 1.1.1.1 which is the existing gateway, upstream however on the same connection exists 1.1.1.2 as the gateway for the new /23 we are using.

The issue is that even though these exist on the same link, the N3K is sending traffic to the .1.1 first, which then internally routes to its gateway .1.2 on the same subnet. Shouldn’t the “ip route” statement route all of the /23 to the .1.1 first without hitting the 1.2? This is not necessarily an ACL issue as I see it, it’s something on the routing/forwarding plane I can’t identify.

Actual configuration:

vrf context management
ip route 0.0.0.0/0 mgmt0 1.1.1.1
ip route 1.1.1.0/23 mgmt0 1.1.1.2

ADP_89 · ‎08-28-2018

Ok this makes more sense now.

Can you paste a "show ip interface mgmt 0" and a " sh ip route vrf management detail "

Thanks,

ADP

Federico Coto Fajardo · ‎08-28-2018

This is the real config. Just IPs changed for your reference.

ADP_89 · ‎08-28-2018

"ip route 24.26.76.0/23 24.26.76.1":

The next hop 24.26.76.1 is not in the same subnet as your management interface is. This is the reason why traffic gets forwarded first to 24.26.74.1

Your nexus management interface will be only able to forward packets to hosts/routers in the same subnet 24.26.74.0/23 (24.26.74.0 -- 24.26.75.255). If you specify a gateway outside of the local broadcast domain, like you did with 24.26.76.1, it will recursively lookup at the best path to reach it(in this case the default gateway).

Does it make sense to you?

ADP

Federico Coto Fajardo · ‎08-28-2018

Yes that makes sense since it only has 74.1 in the routing table it’s relying on the adjacent routers and recursive lookup like you said. So this should be simply solved with defining a static route within the mgmt. VRF right? Just adding the mgmt0 interface into the route command correct?

ADP_89 · ‎08-28-2018

If your 74.1 router (default gateway of the management interface) has a way to reach the 76.0/23 network you don't need any other configuration.

The default route " ip route 0.0.0.0/0 mgmt0 24.26.74.1" will be enough. Make sure that the hosts on the 76.0/23 know how to reach the 74.0/23.

If this is not ok provide a quick diagram of the network so we can see where the subnets are and to which routers are connected.

Thanks,

ADP

Federico Coto Fajardo · ‎08-28-2018

This makes perfect sense. Thank you so much!