08-27-2018 07:33 AM
Hi, quick question.
How to have two Gateways for management?
For example:
vrf context management
ip route 0.0.0.0/0 mgmt0 1.1.1.1
ip route 12.12.12.0/24 mgmt0 1.1.1.2
The above idea is to have both 1.1.1.1 and 1.1.1.2 be able to manage the Nexus.
The first statement works (default route), but the second route just adds a non-recursive static route.
Labels: Data Center Networking
Accepted Solution: the reply from ADP on 08-28-2018 08:54 AM, below.
08-27-2018 09:08 PM
Do we want to connect to the Nexus switch with 1.1.1.1 or 1.1.1.2, or use 1.1.1.1 and 1.1.1.2 as the source to log in to the Nexus?
08-27-2018 09:10 PM
Use 1.1.1.1 and 1.1.1.2 as the source to log in to the Nexus.
You know how normally you have a single Management device that logs in to the Nexus?
vrf context management
ip route 0.0.0.0/0 mgmt0 1.1.1.1
How do you add more?
08-28-2018 04:07 AM
The "ip route" command under the vrf context simply puts a route entry into the routing table and provides forwarding directions to packets leaving the management interface. It is not used to allow management traffic from the gateways. You might be confused by the ASA command "ssh X.X.X.X Y.Y.Y.Y interface", where you allow the X.X.X.X/Y subnet to manage the firewall.
If you want to define which IPs are allowed to access the Nexus management you need to create an ACL and then apply it to the line vty or the other management daemons.
E.g.:
ip access-list MGMT
10 permit ip 1.1.1.1/32 any
20 permit ip 1.1.1.2/32 any
line vty
access-class MGMT in
snmp-server community *** use-ipv4acl MGMT
HTH
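To make the point of this reply concrete (routes forward, ACLs restrict), here is an added Python example that is not code from the thread: a first-match evaluator for the kind of IPv4 ACL applied with "access-class MGMT in". It only parses the "<seq> permit|deny ip <source> any" form used in the reply above; the rest of NX-OS ACL syntax is out of scope, and the sample ACL text is constructed for the demo.

```python
# Added example, not from the thread: evaluate an NX-OS-style IPv4 ACL the way
# "line vty / access-class MGMT in" would, entry by sequence number, first
# match wins, implicit deny at the end. Only "<seq> permit|deny ip <src> any"
# entries are understood; anything else raises.
import ipaddress
from typing import List, Optional, Tuple

# (sequence, permit?, source prefix or None for "any")
Entry = Tuple[int, bool, Optional[ipaddress.IPv4Network]]


def parse_acl(text: str) -> List[Entry]:
    """Parse an ACL body; entries come back sorted by sequence number,
    which is the order NX-OS evaluates them in regardless of input order."""
    entries: List[Entry] = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if not parts or parts[0] == "ip":        # skip the "ip access-list NAME" header
            continue
        seq, action, proto, src, dst = parts[:5]
        if action not in ("permit", "deny") or proto != "ip" or dst != "any":
            raise ValueError(f"unsupported entry in this toy parser: {raw!r}")
        source = None if src == "any" else ipaddress.IPv4Network(src, strict=False)
        entries.append((int(seq), action == "permit", source))
    return sorted(entries, key=lambda e: e[0])


def access_class_permits(entries: List[Entry], src: str) -> bool:
    """First matching entry decides; no match hits the implicit deny."""
    addr = ipaddress.IPv4Address(src)
    for _seq, permit, source in entries:
        if source is None or addr in source:
            return permit
    return False


# Constructed sample: the MGMT ACL from the reply above.
MGMT_ACL = """
ip access-list MGMT
  10 permit ip 1.1.1.1/32 any
  20 permit ip 1.1.1.2/32 any
"""

if __name__ == "__main__":
    acl = parse_acl(MGMT_ACL)
    for host in ("1.1.1.1", "1.1.1.2", "1.1.1.3"):
        print(host, "permitted" if access_class_permits(acl, host) else "denied (implicit)")
```

Note that a /32 entry matches exactly one source address, so a third management host needs its own entry (or a covering prefix); nothing in the routing table changes that outcome.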
08-28-2018 07:52 AM
The problem that we're having is actually a routing problem: the default route is overriding the static route. Currently the default is set to send all traffic to 1.1.1.1, which is the existing gateway; upstream, however, on the same connection exists 1.1.1.2 as the gateway for the new /23 we are using.
The issue is that even though these exist on the same link, the N3K is sending traffic to the .1.1 first, which then internally routes to its gateway .1.2 on the same subnet. Shouldn't the "ip route" statement route all of the /23 to the .1.1 first without hitting the 1.2? This is not necessarily an ACL issue as I see it; it's something on the routing/forwarding plane I can't identify.
Actual configuration:
vrf context management
ip route 0.0.0.0/0 mgmt0 1.1.1.1
ip route 1.1.1.0/23 mgmt0 1.1.1.2
08-28-2018 08:21 AM
Ok this makes more sense now.
Can you paste a "show ip interface mgmt 0" and a "sh ip route vrf management detail"?
Thanks,
ADP
08-28-2018 08:41 AM - edited 08-28-2018 09:58 AM
This is the real config. Just IPs changed for your reference.
08-28-2018 08:54 AM
"ip route 24.26.76.0/23 24.26.76.1":
The next hop 24.26.76.1 is not in the same subnet as your management interface is. This is the reason why traffic gets forwarded first to 24.26.74.1.
Your Nexus management interface will only be able to forward packets to hosts/routers in the same subnet 24.26.74.0/23 (24.26.74.0 -- 24.26.75.255). If you specify a gateway outside of the local broadcast domain, like you did with 24.26.76.1, it will recursively look up the best path to reach it (in this case the default gateway).
Does it make sense to you?
ADP
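As an added illustration that is not part of the thread, here is a small Python model of the recursive next-hop resolution ADP describes, so you can see why "ip route 24.26.76.0/23 24.26.76.1" ends up forwarding to 24.26.74.1. It assumes mgmt0 is 24.26.74.10/23 (the thread only shows the subnet), ignores administrative distance and the "mgmt0" keyword on the route, and only models the part before ARP: finding an on-link gateway for a destination. The rule that a static route is never resolved through itself is what stops the lookup from looping back onto the /23.

```python
# Added example, not code from the thread: toy RIB for the 'management' VRF.
# Assumptions: mgmt0 = 24.26.74.10/23; no admin distance; no interface keyword.
import ipaddress
from typing import List, Optional, Set, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address
Match = Tuple[IPv4Net, Optional[IPv4Addr]]      # (prefix, next hop); None = connected


class ManagementVrf:
    """Connected mgmt0 subnet plus the 'ip route' statics under 'vrf context management'."""

    def __init__(self, mgmt0: str) -> None:
        self.mgmt0 = ipaddress.IPv4Interface(mgmt0)
        self.statics: List[Tuple[IPv4Net, IPv4Addr]] = []

    def ip_route(self, prefix: str, next_hop: str) -> None:
        """Same effect as 'ip route <prefix> <next-hop>' in the VRF (order irrelevant)."""
        self.statics.append((IPv4Net(prefix), IPv4Addr(next_hop)))

    def on_link(self, addr: IPv4Addr) -> bool:
        """True if mgmt0 can ARP for addr directly, i.e. it is inside the connected subnet."""
        return addr in self.mgmt0.network

    def longest_match(self, dst: IPv4Addr, exclude: Set[IPv4Net]) -> Optional[Match]:
        """Longest-prefix match over the connected route and the statics.
        Prefixes in 'exclude' are skipped so a static never resolves via itself."""
        best: Optional[Match] = None
        if dst in self.mgmt0.network:
            best = (self.mgmt0.network, None)
        for prefix, nh in self.statics:
            if prefix in exclude or dst not in prefix:
                continue
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, nh)
        return best

    def resolve(self, dst: str) -> List[str]:
        """Return the chain of next hops walked for dst. The last element is the
        address mgmt0 will actually ARP for (dst itself when it is on-link)."""
        target = IPv4Addr(dst)
        used: Set[IPv4Net] = set()
        chain: List[str] = []
        while True:                       # terminates: 'used' grows every loop
            match = self.longest_match(target, used)
            if match is None:
                raise LookupError(f"{dst}: no usable route in vrf management")
            prefix, nh = match
            if nh is None:                # connected: ARP for the destination
                chain.append(str(target))
                return chain
            chain.append(str(nh))
            if self.on_link(nh):          # on-link next hop: resolution finished
                return chain
            used.add(prefix)              # off-link next hop: resolve it too,
            target = nh                   # but never through the route just used


def thread_rib() -> "ManagementVrf":
    """The configuration from the thread, with the assumed mgmt0 host address."""
    vrf = ManagementVrf("24.26.74.10/23")
    vrf.ip_route("0.0.0.0/0", "24.26.74.1")
    vrf.ip_route("24.26.76.0/23", "24.26.76.1")
    return vrf


if __name__ == "__main__":
    rib = thread_rib()
    for dst in ("24.26.76.50", "8.8.8.8", "24.26.75.7"):
        print(dst, "->", " -> ".join(rib.resolve(dst)))
```

Running it shows 24.26.76.50 walking 24.26.76.1 and then 24.26.74.1, exactly the "first to 24.26.74.1" behaviour observed, while a management VRF holding only the default route goes straight to 24.26.74.1 for the same destination. The same model applied to the original question (mgmt0 in 1.1.1.0/24, next hop 1.1.1.2) resolves in one step because 1.1.1.2 is on-link.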
08-28-2018 09:12 AM
Yes, that makes sense. Since it only has 74.1 in the routing table, it's relying on the adjacent routers and a recursive lookup, like you said. So this should be simply solved by defining a static route within the mgmt VRF, right? Just adding the mgmt0 interface into the route command, correct?
08-28-2018 09:21 AM
If your 74.1 router (default gateway of the management interface) has a way to reach the 76.0/23 network you don't need any other configuration.
The default route "ip route 0.0.0.0/0 mgmt0 24.26.74.1" will be enough. Make sure that the hosts on the 76.0/23 know how to reach the 74.0/23.
If this is not ok provide a quick diagram of the network so we can see where the subnets are and to which routers are connected.
Thanks,
ADP
08-28-2018 09:49 AM
This makes perfect sense. Thank you so much!
