Management Layer Access

The management layer of Tunnel Concentrator handles functions related to managing the application. The management layer uses a NAT from the underlying host with a predefined internal address of 10.0.2.2/24, which is bound to the management layer of Tunnel Concentrator, and which cannot be seen from the external network. As a result, the management layer, by default, is not directly exposed for access.

To access the Management User Interface on Tunnel Concentrator, a VRRP address must be configured on one of the data ports of the Universal Compute Platform. This VRRP address can be used as a mapped alias to the application interface, allowing access to the Tunnel Concentrator user interface using that address. User interface access is required during the initial installation process in order to read the instance Activation ID and apply the corresponding Activation license.

Note

After the instance is activated and management by ExtremeCloud IQ has started, the VRRP-mapped alias can be removed because the configuration is exchanged programmatically via the Inlets connection.

Note

We recommend that you configure the Universal Compute Platform's default gateway through one of the available data ports.

Traffic that originates from the host, for example Inlets connections to higher layer management frameworks such as ExtremeCloud IQ, crosses this application interface linkage to the host, which creates a direct dependency between accessing the Tunnel Concentrator instance and the routing settings on the underlying Universal Compute Platform host. Management traffic must flow through the Universal Compute Platform routing table to determine the path for network access.

Note

The use of Inter-Cluster Connect (ICC) interfaces for network management is strongly discouraged. Although the ICC(s) can be seen as allowing for out-of-band physical management interface, they can only be leveraged with extreme care.

User Interface Access to Management Functions

Following activation, the Tunnel Concentrator instance interacts with redirector (hac.extremeiq.com) to discover the management Regional Data Center (RDC). After onboarding to ExtremeCloud IQ is complete, all functional management and configuration is performed from ExtremeCloud IQ.

Management Access to User Interface

Note

Once the Tunnel Concentrator instance is managed by ExtremeCloud IQ, the VRRP-IP alias becomes optional, and is required only if you intend to access the user interface of the instance. However, as ExtremeCloud IQ is fully managing the instance state, this access is no longer required and can be removed. You can remove the binding from the port interface configuration window in Universal Compute Platform by removing the VRRP configuration.

Inlets Access for ExtremeCloud IQ Management

When Tunnel Concentrator is managed by ExtremeCloud IQ, the management configuration is exchanged using an Inlets connection. The connection relies on network configurations from the underlying Universal Compute Platform host (for example, the default gateway and interfaces) to discover the Regional Data Center (RDC) on which the management account resides. The Inlets connection originates within the Tunnel Concentrator application and uses the redirector at (hac.extremecloudiq.com) to connect to the RDC.

The following image illustrates the traffic path that for access to the management layer using ExtremeCloud IQ and the Inlets tunnel.

Management Stack to ExtremeCloud IQ using Inlets