Note
The Management Router for management port configuration is only supported on VSP 8600 Series. For all other platforms, see Segmented Management.
The management port is a 10/100/1000 Mbps Ethernet port that you can use for an Out-of-Band (OOB) management connection to the switch. To remotely access the switch using the management port, you must configure an IP address for the OOB management port.
A separate VRF called Management Router (MgmtRouter) is reserved for the OAM (mgmt) port. The configured IP subnet must be globally unique because the management protocols, for example, SNMP, Telnet, and FTP, can go through in-band or out-of-band ports. The VRF ID for the Management Router is 512.
The switch never switches or routes transit packets between the Management Router VRF port and the Global Router VRF, or between the Management Router VRF and other VRF ports.
The switch honors the VRF of the ingress packet; however, in no circumstance does the switch enable routing between the Management VRF and Global Router VRF. The switch does not support a configuration in which the out-of-band management network has access to the same networks that are present in the GRT routing table.
Note
IPv6 is not supported on MgmtRouter.
Do not define a default route in the Management Router VRF. Traffic that originates from the switch for non-virtualized client management applications, such as Telnet, Secure Shell (SSH), and FTP, always matches a default route defined in the Management Router VRF, so it is never looked up in the Global Router VRF.
If you want out-of-band management, define a specific static route in the Management Router VRF to the IP subnet where your management application resides. When you specify a static route in the Management Router VRF, it enables the client management applications originating from the switch to perform out-of-band management without affecting in-band management. This enables in-band management applications to operate in the Global Router VRF.
Non-virtualized client management applications originating from the switch, such as Telnet, SSH, and FTP, follow the behavior listed below:
Look at the Management Router VRF route table
If no route is found, the applications will proceed to look in the Global Router VRF table
Non-virtualized client management applications include:
DNS
FTP client with the copy command
NTP
rlogin
RADIUS authentication and accounting
SSH
SNMP clients in the form of traps
SYSLOG
TACACS+
Telnet
TFTP client
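The lookup order described above can be modelled offline to see why a default route in the Management Router VRF captures traffic meant for in-band management. This is an added example, not vendor code: the route tables, addresses and function names are constructed for illustration, and longest-prefix matching within each table is an assumption.

```python
import ipaddress

# Constructed sample route tables (documentation address ranges, not from the page).
MGMT_SPECIFIC = ["198.51.100.0/24"]                    # static route to the OOB management subnet
MGMT_WITH_DEFAULT = ["198.51.100.0/24", "0.0.0.0/0"]   # same table plus a default route
GRT = ["203.0.113.0/24", "0.0.0.0/0"]                  # in-band Global Router table


def longest_match(table, dest):
    """Return the most specific prefix in table that covers dest, or None."""
    addr = ipaddress.ip_address(dest)
    hits = [n for n in map(ipaddress.ip_network, table) if addr in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)


def select_vrf(dest, mgmt_table, grt_table):
    """Model the documented order: MgmtRouter first, GRT only if no route is found."""
    route = longest_match(mgmt_table, dest)
    if route is not None:
        return ("MgmtRouter", str(route))
    route = longest_match(grt_table, dest)
    if route is not None:
        return ("GlobalRouter", str(route))
    return (None, None)


def audit(mgmt_table):
    """Return any default route present in the Management Router table."""
    return [p for p in mgmt_table if ipaddress.ip_network(p).prefixlen == 0]


if __name__ == "__main__":
    cases = (("specific static route", MGMT_SPECIFIC),
             ("with default route", MGMT_WITH_DEFAULT))
    for name, table in cases:
        print(f"{name}: default-route findings = {audit(table)}")
        # Constructed destinations: an OOB syslog server and an in-band RADIUS server.
        for dest in ("198.51.100.10", "203.0.113.25"):
            print(f"  {dest} -> {select_vrf(dest, table, GRT)}")
```

With only the specific static route, the in-band destination falls through to the Global Router table; once the default route is added, every switch-originated client flow resolves in MgmtRouter.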
For management applications that originate outside the switch, the initial incoming packets establish a VRF context that limits the return path to the same VRF context.
Virtualized management applications, such as ping and traceroute, operate using the specified VRF context. To operate ping or traceroute you must specify the desired VRF context. If not specified, ping defaults to the Global Router VRF. For example, if you want to ping a device through the out-of-band management port you must select the Management Router VRF.
Ping test for IPv4:
Switch:1(config)#ping 192.0.2.1 vrf MgmtRouter
192.0.2.1 is alive
Ping test for IPv6:
Switch:1(config)#ping 2001:db8::1 vrf vrfRED
2001:db8::1 is alive
Traceroute test for IPv4:
Switch:1#traceroute 192.0.2.1 vrf MgmtRouter
Traceroute test for IPv6:
Switch:1#traceroute 2001:db8::1 vrf vrfRED