You can use this interface type for management of Layer 2 switches or for Zero-Touch onboarding of newly deployed devices.
For more information on Zero-Touch onboarding, see Zero Touch Capabilities.
Note
The VLAN Segmented Management Instance is not supported on VSP 8600 Series.
The following list defines the abilities of this interface type:
You can assign a Management Instance IP address to an inband VLAN.
You can associate only one VLAN ID with a VLAN Management Instance IP address.
The DHCP Client can request an IPv4 address for the VLAN Management Instance interface.
The interface resides on the physical VLAN segment, behaving as a host for sending and receiving IPv4 ARP and IPv6 ND messages.
You must configure a default or static route to reach the next-hop gateway; no routing protocol information is used to access off-link (other subnets) networks.
For the VLAN Management Instance to take route priority when used in conjunction with the CLIP Management Instance, you must configure a default route for the VLAN Management Instance with a value lower than 100, or configure static routes for direct communication over the VLAN Management Instance and management networks.
No internal routing occurs between the VLAN Management Instance and other non Management Instance VLANs. The VLAN Management Instance does not route to or from the GRT. Packets must ingress on one of the ports in the VLAN Management Instance.
Packets sent to the VLAN Management Instance IP address must ingress the switch from a VLAN or NNI port (or contain the VLAN ID) associated with the VLAN Management Instance. The system does not route packets between the VOSS routing VLAN and the VLAN Management Instance.
If you configure the same VLAN ID for VOSS routing and for the VLAN Management Instance, the VOSS routing stack transmits and receives all ARP, ND, and ICMP packets. In this scenario, the packets are only counted and shown in the VOSS routing KHI port statistics. The management statistics and KHI management statistics do not count or show the packets.
You can bind the VLAN Management Instance to an I-SID, which bridges all management traffic to a single I-SID in a Fabric network. Also, other normal VLAN related operations such as VLAN port member changes are valid.
Bridged management traffic must ingress on the VLAN or I-SID.
The VLAN Management Instance can be routed by upstream routers.
IPv4 and IPv6 address co-existence for both a VOSS routing VLAN and VLAN Management Instance is supported; however, you must manually match both IP address configurations between the VLANs.
If you configure the VLAN Management Instance with a manual IPv4 address and a DHCP IPv4 address first, you cannot add an IPv4 address to a VOSS routing VLAN.
If you configure the VLAN Management Instance with an IPv6 address first, you can only add one IPv6 global address to a VOSS routing VLAN.
The following restrictions apply when a VLAN Management Instance coexists with a port-based VLAN or with a brouter port:
If you want a dual stack IPv4 and IPv6 coexistence between a VOSS VLAN and VLAN Management Instance, you must configure the same IPv4 and IPv6 addresses on the VLAN Management Instance and on the VOSS VLAN.
You cannot configure the VLAN Management Instance with both IPv4 and IPv6 and configure the VOSS VLAN with IPv4 or IPv6 only.
If you disable VOSS routing for IPv4, then you must disable routing for IPv6, and vice versa.
The following example shows how the VLAN Management Instance can be configured to share the same IP address as a routing port-based VLAN.
You can configure the VOSS VLAN first and then configure the VLAN Management Instance, or vice versa. You can remove or add the coexistence at any time.
Note
With the coexistence between VOSS routing stack and the VLAN Management Instance, packets sent to the VLAN Management Instance IP address must ingress the switch from a VLAN port (or contain the VLAN ID) associated with the VLAN Management Instance. The system does not route packets between the VOSS routing VLAN and the VLAN Management Instance.
vlan create 10 type port-mstprstp 0
vlan members add 10 1/1
interface vlan 10
ip address 192.0.2.0/24
exit
mgmt vlan 10
ip address 192.0.2.0/24
ip route 0.0.0.0/0 next-hop 192.0.2.1
enable
vlan create 10 type port-mstprstp 0
vlan members add 10 1/1
interface vlan 10
ipv6 interface address 2001:DB8::/32
ipv6 interface enable
exit
mgmt vlan 10
ipv6 address 2001:DB8::/32
ipv6 route 0::0/0 next-hop 2001::1
enable
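The coexistence restrictions listed above can be checked offline against a saved configuration before it is applied. The following Python sketch is an added example, not part of the product documentation: the function names and the sample configuration are constructed for illustration, and it assumes the port-based VLAN form with prefix-length addresses used in the examples on this page (brouter ports are not modelled).

```python
import ipaddress
import re

# Constructed sample in the CLI syntax of the page's examples: VLAN 10 is dual
# stack on the management side but IPv4-only on the routing side.
SAMPLE = """\
vlan create 10 type port-mstprstp 0
interface vlan 10
ip address 192.0.2.0/24
exit
mgmt vlan 10
ip address 192.0.2.0/24
ipv6 address 2001:DB8::/32
enable
"""

ADDRESS = re.compile(r"(ip|ipv6) (?:interface )?address (\S+)")

def parse(config):
    """Map ("routing" | "mgmt", vlan_id) to the addresses set in that context."""
    stacks, current = {}, None
    for line in map(str.strip, config.splitlines()):
        ctx = re.fullmatch(r"(interface|mgmt) vlan (\d+)", line)
        addr = ADDRESS.fullmatch(line)
        if ctx:
            stack = "routing" if ctx.group(1) == "interface" else "mgmt"
            current = stacks.setdefault((stack, int(ctx.group(2))), {"ip": set(), "ipv6": set()})
        elif line == "exit" or line.startswith(("interface ", "mgmt ")):
            current = None  # left the VLAN context, or entered one not modelled here
        elif addr and current is not None:
            # Normalise so 2001:DB8::/32 and 2001:db8::/32 compare equal.
            current[addr.group(1)].add(str(ipaddress.ip_interface(addr.group(2))))
    return stacks

def check_coexistence(config):
    """Return violations of the coexistence restrictions, per shared VLAN ID."""
    stacks, findings = parse(config), []
    for (stack, vid), mgmt in stacks.items():
        routing = stacks.get(("routing", vid))
        if stack != "mgmt" or routing is None:
            continue  # only VLAN IDs present in both stacks coexist
        for fam in ("ip", "ipv6"):
            if mgmt[fam] and routing[fam] and mgmt[fam] != routing[fam]:
                findings.append(f"vlan {vid}: {fam} address differs between routing VLAN and management instance")
        if mgmt["ip"] and mgmt["ipv6"] and bool(routing["ip"]) != bool(routing["ipv6"]):
            findings.append(f"vlan {vid}: management is dual stack, routing VLAN is single stack")
    return findings
```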
For XA1400 Series branch deployments, the VOSS routing IP stack requires the VLAN Management Instance to work in coexistence mode where both the management IP stack and the routing IP stack share the same IP address and default routes. This configuration is required if you need to use the management IP as IPsec source address.
You can manually configure the coexistence as in the preceding example, or you can use the propagate-to-routing command to propagate the management VLAN IP and static routes from the management IP stack to the VOSS routing IP stack on the same VLAN ID. If you do not include the VRF name, the system uses the existing VRF of the VOSS routing VLAN.
mgmt vlan 10
enable
exit
mgmt dhcp-client vlan
mgmt vlan
propagate-to-routing vrf vrf24
The following example shows how the VLAN Management Instance can be configured to share the same IP address as a brouter interface.
You must configure the brouter interface before you enable the VLAN Management Instance. When the VLAN Management Instance is enabled, you must disable the VLAN Management Instance before you disable the brouter port.
IPv4
interface GigabitEthernet 1/1
no shutdown
brouter port 1/1 vlan 10 subnet 192.0.2.0/24
mgmt vlan 10
ip address 192.0.2.0/24
enable
IPv6
interface GigabitEthernet 1/1
no shutdown
ipv6 interface vlan 10
ipv6 interface address 2001:DB8::/32
ipv6 interface enable
mgmt vlan 10
ipv6 address 2001:DB8::/32
enable