Accessing the management interface remotely on a L3 switch *tricky*

SJ K
Level 5

Hi,

I am setting up a new 2960XR switch (with ip routing on) and I have several questions which I hope the wonderful folks here can shed some advice on

q1) Can a management interface/IP on FE0 (fa0/1 in the picture below) be accessed remotely from another network?
(e.g. assume all routing is set up properly in the routers; can my PC at 192.168.0.1 access the management interface of Switch 1 at 192.168.8.2?)

q2) If the answer to the above is a yes, and since my 2960XR is an L3 switch, does that mean I need to create a static route in Switch1:

ip route 192.168.0.0 255.255.255.0 192.168.8.1 ? --> and traffic to the management port will return via the port itself to Router0 at 192.168.8.1?

q3) If the answer above is a yes, consider the diagram below, where Router0 has a new connection from Fa0/1 to Fa0/2 at the switch0 (depicted by the thick black arrow) and the network between them is 192.168.9.0/24.

Fa0/2 of Switch1 is configured as part of Vlan9, and Vlan9 is set up with an SVI at 192.168.9.2. End devices connected to Switch1 on Vlan9 have their gateway set to point to the SVI at 192.168.9.2.

Now, bearing in mind the static route created earlier:

ip route 192.168.0.0 255.255.255.0 192.168.8.1 (set for the return traffic for traffic to the management interface)

If PC0 were to access a device in VLAN9 (e.g. 192.168.9.10), and 192.168.9.10 has its gateway set to the VLAN9 SVI 192.168.9.2, the return traffic from 192.168.9.10 to 192.168.0.1 (PC0) will be stuck at Switch1, won't it?

pc0 (192.168.0.1) -> deviceatV9 (192.168.9.10)

deviceatV9 (192.168.9.10) ---> vlan9SVI at Switch1 (192.168.9.2) ---> switch1 has a route to 192.168.0.0 through its management interface

*but the management interface cannot be used to route other traffic through it

If I change the earlier route for the return traffic to 192.168.0.0 to:

ip route 192.168.0.0 255.255.255.0 192.168.9.1

If I access the switch management IP 192.168.8.2 from PC0, can the return traffic from the management interface go through the normal network port at VLAN9 via the above route? -- seems like a no also.

From the doc: "The switch cannot route packets from the Ethernet management port to a network port, and the reverse."

How do I make traffic originating from PC0 go via the management route when it is accessing the management IP, and go via the VLAN9 network route when it is accessing VLAN 9?

Regards,
Noob

8 Replies

Hello SJ K,

New Cisco routers and switches come with a dedicated Ethernet port whose unique purpose is to provide management access to the device via SSH or Telnet.

Usually, that interface is isolated in its own VRF called "Mgmt-intf". That means the static default route should not interfere with routing in the global routing table or any other configured VRF, as management traffic is isolated in its own VRF. The configuration for the management interface cannot be modified in terms of VRF; you can only assign an IP address to it and a static default route to allow connectivity.

The purpose is to connect that interface to an isolated IP network that can guarantee "always on" access to the device only for management purposes.

However, it is not a must to use that interface for management. You can still configure your device to accept SSH and Telnet sessions on the Global Routing Table or any other VRF (in other words, coming from any other interface).

Here is some information about the management interface.

I hope this helps.
Best Regards.
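To make the two routing situations in this thread concrete (the original question's "stuck at Switch1" case and the VRF isolation described in the reply above), here is a constructed Python model of the route lookups involved; it is added for illustration and is not code from any post or from Cisco. The subnets and interface names are the ones in the question, the Fa0/network-port rule is the quoted doc line, and treating the switch's own management reply as a packet entering on Fa0 is a simplifying assumption.

```python
import ipaddress

# Constructed model of the thread's topology; not Cisco code. It only
# reproduces the lookup logic the posts reason about: longest-prefix match
# in the routing table that owns the ingress interface, plus the documented
# rule that the Ethernet management port (Fa0) never forwards to or from a
# network port.
MGMT_PORT = "Fa0"

def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop, out_if)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, out_if in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, out_if)
    return best

def forward(tables, if_vrf, in_if, dst):
    """Return (next_hop, out_if), or ('drop', reason)."""
    route = lookup(tables[if_vrf[in_if]], dst)
    if route is None:
        return ("drop", "no route")
    _, nh, out_if = route
    # Assumption: the switch's own reply to a management session is modelled
    # as a packet whose ingress interface is Fa0 (the port owning the mgmt IP).
    if (in_if == MGMT_PORT) != (out_if == MGMT_PORT):
        return ("drop", "cannot route between Fa0 and a network port")
    return (nh, out_if)

CONNECTED = [("192.168.8.0/24", "direct", "Fa0"), ("192.168.9.0/24", "direct", "Vlan9")]

def scenario(static):
    """Single routing table (no VRF) plus one static route for PC0's subnet."""
    tables = {"global": CONNECTED + [static]}
    if_vrf = {"Fa0": "global", "Vlan9": "global"}
    return (forward(tables, if_vrf, "Fa0", "192.168.0.1"),    # reply from mgmt IP
            forward(tables, if_vrf, "Vlan9", "192.168.0.1"))  # transit from 192.168.9.10

def scenario_vrf():
    """Fa0 in its own VRF with a default route, as the reply above describes."""
    tables = {"mgmt": [("192.168.8.0/24", "direct", "Fa0"), ("0.0.0.0/0", "192.168.8.1", "Fa0")],
              "global": [("192.168.9.0/24", "direct", "Vlan9"), ("192.168.0.0/24", "192.168.9.1", "Vlan9")]}
    if_vrf = {"Fa0": "mgmt", "Vlan9": "global"}
    return (forward(tables, if_vrf, "Fa0", "192.168.0.1"),
            forward(tables, if_vrf, "Vlan9", "192.168.0.1"))
```

With a single table, whichever static route you pick breaks one of the two flows; only the per-interface VRF split lets both the management reply and the VLAN9 transit traffic find a usable exit.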

Hi Hector,

I am glad you replied.

I am using Cisco 2960X and 2960XR switches. Does the management interface come with its own routing table? (How do I check?)

It seems like the management interface and the other network interfaces are sharing 1 routing table though.

Regards,
Noob

Let's check the interface's configuration and the VRF table:

  • show running-config interface FastEthernet0
  • show vrf brief

In case the management interface is sharing the global routing table, I would recommend manually isolating it in its own VRF (if possible).

Best Regards.

Hi Hector

interface FastEthernet0
 description Mgmt
 ip address 192.168.6.99 255.255.255.0
end

There is no "show vrf" command.

I am on Cisco 2960X and Cisco 2960XR. How do I isolate it in its own VRF?

Regards,
Noob

Try with:

ip vrf mgmt
!
int Fa0
 ip vrf forwarding mgmt
 ip address 192.168.6.99 255.255.255.0
!

Best Regards.

Having similar issue

Hi Hector,

DSW#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
DSW(config)#ip vrf ?
% Unrecognized command
DSW(config)#int fa0
DSW(config-if)#ip vrf ?
% Unrecognized command

The ip vrf commands are not recognised. Do you want me to forcefully load it in the config?

Regards,
Noob

I doubt you're running the correct version of code (IP LAN/Base); VRF config is only supported on => IP Services.