Solved: Re: Nexus 9K Out of Band Management configuration.

dparmar101 · ‎08-01-2024

Hi, I want to implement a out of band management network on a group of 9K switches, 2 cores & 7 access switches, all with a dedicated mgmt port. I have a spare 3850 to which I can connect all the 9K`s to, however I've no idea on how to configure the ports. I know I need new ip addresses, a new vlan. I was told to also use a VRF to keep the out of band network totally segregated from the rest of the production network. Need some assistance/advise on what the mgmt port config would be on the 9K`s & also the other end of the link on the 3850 switch. Below is a network diagram of how the current network is setup.

Many thanks ...... Dparmar.

shambhu.kumar · ‎08-01-2024

Nexus Configuration
=========================
interface mgmt0
ip address 172.10.10.10/24
vrf context management
ip route 0.0.0.0/0 172.10.10.1

show interface mgmt0

copy running-config startup-config

Connect mgmt0 port of nexus to 3850 and configure access port in 3850

============================
3850 Configuration

vlan 10
name OOB

interface GigabitEthernetX/X
switchport access vlan 10
switchport mode access

Core switch Configuration
============================
configure SVI in Core switch
interface vlan 10
ip address 172.10.10.1 255.255.255.0

View solution in original post

shambhu.kumar · ‎08-14-2024

Hello Dinesh

Static route 0.0.0.0/0 172.10.10.1, is configured under vrf management. and pointing to ward your DCI-Core.
SVI (L3 interface) is configured in your DCI-Core under vlan 10 and assigned ip 172.10.10.1. Which is the OOB gateway for all Nexus Switches

Now you assign IP to nexus switch under "interface mgmt0" and access Nexus switch login with This IP.

Connect OOB physical interface of nexus to 3850 switch and make 3850 switch access port with vlan10

Regards
Shambhu Kumar

View solution in original post

Pavel Tarakanov · ‎08-01-2024

On 3850 it will be usual access ports toward mgmt interfaces of Nexus.

How do you plan to gain access to this out-o-band network? Through the same core switches?

In such case, you can configure default gateway for the network on core and extend L2 to 3850. 3850 connect to core with VPC.

If you want separation (on VRF or even physically) please provide more details how you plan to do it or what outcome you expect.

dparmar101 · ‎08-01-2024

HI Pavel,
Thanks for getting in touch. To gain access to the switches it could be via the core switches, this is where our WAN links sit. However that will not be true out of band, so I`m looking to get a DSL line into the data centre, the DSL router would then connect to the 3850.
If we did go via the cores as you have sugegsted, the new mgmt vlan ( ie vlan 99, 10.200.99.1 ) would sit on the cores, the layer 2 named vlan would need to be configured on the 3850. So the default gateway on the 3850 would point to 10.200.99.1, would that be correct ?
I don`t know much about VRF, it was recommended, whether it is necessary or not I`m not sure. But if it is advisable to use a VRF, then I`d like to make use of it.
So, I would put each mgmt interface into that VRF, if that makes sense ?
Cheers .......... Dinesh.

Pavel Tarakanov · ‎08-01-2024

> so I`m looking to get a DSL line into the data centre, the DSL router would then connect to the 3850.

In such case, you don't need any VRF/SVI configuration on core switches.

>So the default gateway on the 3850 would point to 10.200.99.1, would that be correct ?

3850 will be L2 only and default gateway will be on Core switches.

> I don`t know much about VRF, it was recommended, whether it is necessary or not I`m not sure. But if it is advisable to use a VRF, then I`d like to make use of it.

https://packetlife.net/blog/2009/apr/30/intro-vrf-lite/

>So, I would put each mgmt interface into that VRF, if that makes sense ?

In NX-OS mgmt0 already put in dedicated "management" interface.

shambhu.kumar · ‎08-01-2024

Nexus Configuration
=========================
interface mgmt0
ip address 172.10.10.10/24
vrf context management
ip route 0.0.0.0/0 172.10.10.1

show interface mgmt0

copy running-config startup-config

Connect mgmt0 port of nexus to 3850 and configure access port in 3850

============================
3850 Configuration

vlan 10
name OOB

interface GigabitEthernetX/X
switchport access vlan 10
switchport mode access

Core switch Configuration
============================
configure SVI in Core switch
interface vlan 10
ip address 172.10.10.1 255.255.255.0

dparmar101 · ‎08-01-2024

Hi Shambhu, thanks for the reply, that configuration does makes sense to me ; )

Just one question, is it just the one line required for the vrf, no other vrf config is requried ? I`m guessing the "context management", is just a name given to the VRF ?

Many thanks...........Dinesh.

shambhu.kumar · ‎08-01-2024

Yes, management is vrf name. This is the running configuration.

MHM Cisco World · ‎08-14-2024

Using vrf to separate mgmt vlan is good idea but I have some notes:-

1- all SW use IP in same vlan (same vrf) here you don't need static route and here you can only access all SW from PC connect in same vlan

2- I want to access mgmt vlan from other subnet

Here start issue'

Ypu need to config one SW with static route and then make leak vrf-global

Otherwise ypu can not access mgmt vlan from any other subnet

MHM

dparmar101 · ‎08-14-2024

Hi Shambhu,

I have another question please, if you don`t mind. Under the nexus config section, you have put in a static route ip route 0.0.0.0/0 172.10.10.1, This is confusing me, why is this necessary ? Will this static route not all other routing ?

thanks ....Dinesh.

shambhu.kumar · ‎08-14-2024

Hello Dinesh

Static route 0.0.0.0/0 172.10.10.1, is configured under vrf management. and pointing to ward your DCI-Core.
SVI (L3 interface) is configured in your DCI-Core under vlan 10 and assigned ip 172.10.10.1. Which is the OOB gateway for all Nexus Switches

Now you assign IP to nexus switch under "interface mgmt0" and access Nexus switch login with This IP.

Connect OOB physical interface of nexus to 3850 switch and make 3850 switch access port with vlan10

Regards
Shambhu Kumar

dparmar101 · ‎08-14-2024

I`ve just checked under the vrf mgmt & yes you can add the static route, many thanks Shambhu !!!

Dinesh....

M02@rt37 · ‎08-01-2024

Hello @dparmar101

First, define a VLAN that will be used for the management network on your 3850 switch.

Assign IP addresses to the management interfaces of each switch within the management VLAN subnet.

Next, set up a VRF for the management network to ensure it's segregated from the production network and configure the management ports on the 9K switches to use the new management VLAN and VRF.

Finally, connect the MGMT ports of the 9K switches to the 3850 and configure the interfaces to be part of the management VLAN and VRF.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.