For more information on Zero-Touch onboarding, see Zero Touch Capabilities.
You can configure a Management Instance VLAN on a DvR Leaf node by specifying the I-SID. For more information, see Management I-SID Assignment to DvR Leaf.
Note
XA1400 Series and VSP 8600 Series do not support configuring a Management Instance VLAN on a DvR Leaf node by specifying the I-SID.
Note
The VLAN Segmented Management Instance is not supported on VSP 8600 Series.
The following list defines the abilities of this interface type:
You can assign a Management Instance IP address to an inband VLAN.
You can associate only one VLAN ID with a VLAN Management Instance IP address.
The DHCP Client can request an IPv4 address for the VLAN Management Instance interface.
The interface resides on the physical VLAN segment, behaving as a host for sending and receiving IPv4 ARP and IPv6 ND messages.
You must configure a default or static route to reach the next-hop gateway; no routing protocol information is used to access off-link (other subnets) networks.
For the VLAN Management Instance to take route priority when used in conjunction with the CLIP Management Instance, you must configure a default route for the VLAN Management Instance with a value lower than 100, or configure static routes for direct communication over the VLAN Management Instance and management networks.
No internal routing occurs between the VLAN Management Instance and other non Management Instance VLANs. The VLAN Management Instance does not route to or from the GRT. Packets must ingress on one of the ports in the VLAN Management Instance.
Packets sent to the VLAN Management Instance IP address must ingress the switch from a VLAN or network-to-network interface (NNI) port (or contain the VLAN ID) associated with the VLAN Management Instance. The system does not route packets between the network operating system (NOS) routing VLAN and the VLAN Management Instance.
If you configure the same VLAN ID for NOS routing and for the VLAN Management Instance, the NOS routing stack transmits and receives all ARP, ND, and ICMP packets. In this scenario, the packets are only counted and shown in the NOS routing KHI port statistics. The management statistics and KHI management statistics do not count or show the packets.
You can bind the VLAN Management Instance to an I-SID, which bridges all management traffic to a single I-SID in a Fabric network. Also, other normal VLAN related operations such as VLAN port member changes are valid.
Bridged management traffic must ingress on the VLAN or I-SID.
The VLAN Management Instance can be routed by upstream routers.
IPv4 and IPv6 address coexistence for both a NOS routing VLAN and VLAN Management Instance is supported, however you must manually match both IP address configurations between the VLANs.
If you configure the VLAN Management Instance with a manual IPv4 address and a DHCP IPv4 address first, you cannot add a IPv4 address to a NOS routing VLAN.
If you configure the VLAN Management Instance with an IPv6 address first, you can only add one IPv6 global address to a NOS routing VLAN.
The following restrictions apply when a VLAN Management Instance coexists with a port-based VLAN or with a brouter port:
If you want a dual stack IPv4 and IPv6 coexistence between a NOS VLAN and VLAN Management Instance, you must configure the same IPv4 and IPv6 addresses on the VLAN Management Instance and on the NOS VLAN.
You cannot configure the VLAN Management Instance with both IPv4 and IPv6 and configure the NOS VLAN with IPv4 or IPv6 only.
If you disable NOS routing for IPv4, then you must disable routing for IPv6, and vice versa.
The following example shows how the VLAN Management Instance can be configured to share the same IP address as a routing port-based VLAN.
You can configure the NOS VLAN first, and then configure the VLAN Management Instance, or in reverse order. You can remove or add the coexistence at any time.
Note
With the coexistence between NOS routing stack and the VLAN Management Instance, packets sent to the VLAN Management Instance IP address must ingress the switch from a VLAN port (or contain the VLAN ID) associated with the VLAN Management Instance. The system does not route packets between the NOS routing VLAN and the VLAN Management Instance.
IPv4
vlan create 10 type port-mstprstp 0 vlan members add 10 1/1 interface vlan 10 ip address 192.0.2.0/24 exit mgmt vlan 10 ip address 192.0.2.0/24 ip route 0.0.0.0/0 next-hop 192.0.2.1 enable
IPv6
vlan create 10 type port-mstprstp 0 vlan members add 10 1/1 interface vlan 10 ipv6 interface address 2001:DB8::/32 ipv6 interface enable exit mgmt vlan 10 ipv6 address 2001:DB8::/32 ipv6 route 0::0/0 next-hop 2001::1 enable
For XA1400 Series branch deployments, the NOS routing IP stack requires the VLAN Management Instance to work in coexistence mode where both the management IP stack and the routing IP stack share the same IP address and default routes. This configuration is required if you need to use the management IP as IPsec source address.
You can manually configure the coexistence as in the preceding example, or you can use the propagate-to-routing command to propagate the management VLAN IP and static routes from the management IP stack to the NOS routing IP stack on the same VLAN ID. If you do not include the VRF name, the system uses the existing VRF of the NOS routing VLAN.
IPv4
mgmt vlan 10 enable exit mgmt dhcp-client vlan mgmt vlan propagate-to-routing vrf vrf24
The following example shows how the VLAN Management Instance can be configured to share the same IP address as a brouter interface.
You must configure the brouter interface before you enable the VLAN Management Instance. When the VLAN Management Instance is enabled, you must disable the VLAN Management Instance before you disable the brouter port.
IPv4
interface GigabitEthernet 1/1 no shutdown brouter port 1/1 vlan 10 subnet 192.0.2.0/24 mgmt vlan 10 ip address 192.0.2.0/24 enable
IPv6
interface GigabitEthernet 1/1 no shutdown ipv6 interface vlan 10 ipv6 interface address 2001:DB8::/32 ipv6 interface enable mgmt vlan 10 ipv6 address 2001:DB8::/32 enable