Solved: Re: Getting from one switch's mgmt port to another switch's mgmt via VPC

Leiocalyx · ‎10-03-2018

Hello everyone,

I have a setup where there are 2 hosts, hostA and hostB which are directly connected to mgmt ports of 2 n3k switches.

HostA is connected to mgmt port of switch1 and hostB is connected to mgmt port switch2.

Both of the mgmt ports have their address in the same subnet. I thought about adding a route in management vrf hoping that I could somehow use the mgmt ports directly to get from one to another, but it doesn't seem to work this way.

ip route 10.203.2.14/32 10.203.2.13/32 vrf management
% Next-hop cannot be local address in same or different vrf

Is there a way to route traffic from switch1 mgmt to switch2 mgmt, so that hostA and hostB both can access switch1 and switch2 somehow?

I know I can add an SVI and ssh there, but I would prefer not to, if that is possible.

casanavep · ‎10-04-2018

A separate management VRF can be created to accomplish this using standard ports on the N3Ks. The built-in MGMT ports are as the other individual eluded to, only for simple OOB MGMT. They actually run on a separate control and data plane allocation from the rest of the the switch, as to ensure administrators could still have emergency access when issues on the traffic control and data plane existed that took down access. Unfortunately, this resource slim MGMT port has very limited functionality, it can have an IP and gateway.... You cannot do typical full routing, use if as a netflow source, or do other resource complex functions. Again, Cisco designed these specific interfaces for this simple functions intentionally, as to ensure they are there to be SSH'd into when you need them. Your requirement appears to require the creation of an alternative management VRF, using standard built-in ports, with all their functionality. The other option is that your MGMT interfaces' gateways be able to handle the routing needed to interconnect all network segments that you need.

Cheers,

P

View solution in original post

nazimkha · ‎10-03-2018

I am not sure why do you need the hosts to communicate over the mgmt ports. The mgmt ports are strictly for Out of band management.
Please share your topology and requirement and will be able to suggest you the best approach

Leiocalyx · ‎10-04-2018

An oob network, yes..

Here's a diagram, sorry if it is not very good:

In this case, if hostA goes up in flames, or is otherwise not functional, there would be no way to access switch1 (only the mgmt0 port is up and has an ip address, there are no SVI to ssh into).

But since the two switches are in a VPC domain, I was hoping I could get to the management port of one through the other..

casanavep · ‎10-04-2018

A separate management VRF can be created to accomplish this using standard ports on the N3Ks. The built-in MGMT ports are as the other individual eluded to, only for simple OOB MGMT. They actually run on a separate control and data plane allocation from the rest of the the switch, as to ensure administrators could still have emergency access when issues on the traffic control and data plane existed that took down access. Unfortunately, this resource slim MGMT port has very limited functionality, it can have an IP and gateway.... You cannot do typical full routing, use if as a netflow source, or do other resource complex functions. Again, Cisco designed these specific interfaces for this simple functions intentionally, as to ensure they are there to be SSH'd into when you need them. Your requirement appears to require the creation of an alternative management VRF, using standard built-in ports, with all their functionality. The other option is that your MGMT interfaces' gateways be able to handle the routing needed to interconnect all network segments that you need.

Cheers,

P

nazimkha · ‎10-04-2018

It's a best practice to connect a layer-2 switch to the management ports of the nexus and also connect the host and management switch to that layer-2 switch.Again there are several ways to do that one would be using front panel ports as pointed out by casanavep

Leiocalyx · ‎10-09-2018

Thanks for the detailed explanation!
I guess I'll just keep it as it is. Anything else will just add to complexity, and there is always an option to just change the (outlying) cables in case something goes wrong.