11-29-2011 04:29 AM - last edited on 03-25-2019 04:17 PM by ciscomoderator
Hi,
We have a requirement for a Nexus 5000 switch to be accessed and managed in-band, i.e. the management interface can't be connected to the rest of our network's management VLAN because the switch is remote and only connected via fibre. We have enabled the interface VLAN feature and configured an interface VLAN but can't seem to ping the IP address configured on it. Does anyone have any idea why, or have an example config for this situation?
Thanks in advance.
Kevin.
11-29-2011 06:04 AM
Hi,
If you are trying to use the 5K as a layer-3 device, then you need to install the layer 3 daughter card.
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/data_sheet_c78-618603.html
HTH
11-29-2011 09:25 AM
Do you have a route? You should still be able to point a default route out from the global table without the L3 daughter card with interface VLAN.
Regards,
jerry
11-29-2011 12:28 PM
What is the exact Nexus 5K model that you have? Is it 5010/5020 or 55xx?
The 5010/5020 are L2 switches only. You can create a VLAN interface and then use a default route to the upstream gateway for in-band management. You need to enable feature "telnet" or "ssh" for in-band management.
For out-of-band management, your management interface will be in its own VRF. You can take the management interface on the N5K and loop it back to one of the Ethernet ports on the Nexus 5000 as well and have that dedicated VLAN for management only. It should work that way. I have used that in the past and it worked for me.
HTH,
-amit singh
11-29-2011 03:05 PM
Guys,
I have a 5020 and have configured a route under the "vrf context management", something like this:
vrf context management
  ip route 0.0.0.0/0 131.185.91.1
vpc domain 1
  peer-keepalive destination 131.185.91.153
!
interface vlan 91
  ip address 131.185.91.154 255.255.255.0
Is the context management route the one I need, or do I need an independent route for the VLAN?
Kevin.
11-29-2011 04:07 PM
Like I said before, you need the default route in the global table. Configuring a route in vrf context management is not going to work, nor is assigning VLAN 91 to the management VRF (this is not allowed).
Please do the following and re-test:
vrf context management
  no ip route 0/0 131.185.91.1
exit
ip route 0/0 131.185.91.1
HTH,
jerry
11-29-2011 05:10 PM
Thanks Jerry, you were correct. I configured a normal route and that worked. I was leaning towards this answer as my previous post suggested but it is always nice to have some sound advice.
Thanks
Kevin.
11-29-2011 05:12 PM
Not a problem, I am glad that this solved your problem.
Regards,
jerry
11-29-2011 05:18 PM
Jerry,
any idea why my TACACS authentication isn't working? I've added the device in my server x.x.x.x
tacacs-server key "removed"
ip tacacs source-interface Vlan91
tacacs-server host x.x.x.x
aaa group server tacacs+ VTY_LOGIN
  server x.x.x.x
  source-interface Vlan91
Kevin.
11-29-2011 05:43 PM
It is because you are missing this command:
aaa authentication login default group VTY_LOGIN
Regards,
jerry
11-29-2011 05:50 PM
Thank you Jerry,
you are correct again. Nice work.
Kevin.
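The two fixes from this thread, written as an offline check over a saved running-config. This is an added example, not code from any poster or from Cisco; it assumes sub-commands are indented as `show running-config` prints them, and the sample configs and the 192.0.2.10 server address are constructed.

```python
import re

# Constructed sample modelled on the configs posted in the thread;
# 192.0.2.10 is a placeholder TACACS+ server address, not from the thread.
BROKEN = """\
vrf context management
  ip route 0.0.0.0/0 131.185.91.1
interface Vlan91
  ip address 131.185.91.154 255.255.255.0
aaa group server tacacs+ VTY_LOGIN
  server 192.0.2.10
"""
# Same config after both fixes: route moved to the global table, AAA method list added.
FIXED = (BROKEN.replace("  ip route", "ip route")
         + "aaa authentication login default group VTY_LOGIN\n")
DEFAULT_ROUTE = re.compile(r"ip route (0\.0\.0\.0/0|0/0) \S+")

def audit(config):
    """Return findings for the two mistakes resolved in the thread."""
    section, global_default, vrf_default = "", False, False
    svis, groups, used = [], [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        top = not raw[0].isspace()      # unindented line = top-level command
        if top:
            section = line
        words = line.split()
        if DEFAULT_ROUTE.match(line):
            if top:
                global_default = True   # route lives in the global table
            elif section.startswith("vrf context"):
                vrf_default = True      # route is scoped to a VRF only
        elif top and re.match(r"interface vlan\s*\d+", line, re.I):
            svis.append(line.split(None, 1)[1])
        elif top and line.startswith("aaa group server tacacs+ "):
            groups.append(words[-1])
        elif top and line.startswith("aaa authentication login ") and "group" in words:
            used.update(words[words.index("group") + 1:])
    findings = []
    if svis and not global_default:
        hint = " (one exists only under a vrf context)" if vrf_default else ""
        findings.append(f"no default route in the global table for {', '.join(svis)}{hint}")
    findings += [f"TACACS+ group {g} is defined but not used by 'aaa authentication login'"
                 for g in groups if g not in used]
    return findings
```

`audit(BROKEN)` reports both problems; `audit(FIXED)` returns an empty list.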