7200VXR - NPE-G2 FastEthernet Management Interface

Robert Ho · ‎05-01-2012

Is there a keyword that we use under the interface to specify that it is purely management?

We need to assure that the subnet and any node on that subnet is not shared with the default routing table.

Also, how do we set the gateway for the management interface if the node we are sourcing the ssh session from is on a different private subnet?

Thanks for the help

-robert

Giuseppe Larosa · ‎05-02-2012

Hello Robert,

you could use a VRF object for example Management and you could associate the involved interface to it.

something like

ip vrf Management

rd 1:100

!

int fas0/0

ip vrf forwarding Management

ip address X.X.X.X 255.255.255.Y

! note when associating an interface to a vrf existing IP address is removed so you need to reconfigure it a it is shown above

you can then add static routes that will be installed in vrf Management routing table using the following syntax:

ip route vrf Management 10.10.10.0 255.255.255.0 X.X.X.Z

where X.X.X.Z is the default gateway in X.X.X.0 IP subnet the same to which the interface IP address belongs

you need to provide a router on the path to the management node

to be noted some of recent switches like C4948 or C4900M are sent with a built in management VRF.

WARNING: you should verify that you are able to access in SSH and SNMP your device when the interface is associated to the proposed VRF.

I strongly recommend to perform testing before deploying in production or at least to make an attempt in a declared maintenance time window.

Hope to help

Giuseppe

Robert Ho · ‎05-03-2012

we have to add the VRF keyword under VTY

unfortunately, this exposes SSH/Telnet access to the router for all customers tied to a VRF (using the same private IP scheme)