Source Interface for Management Traffic

By default, the ACOS device uses data interfaces as the source for management traffic. This chapter describes how you can configure the management interface and loopback interfaces to act as the source for management traffic instead of using data interfaces.

The following topics are covered:

     Using the Management Interface as the Source for Management Traffic

     Using a Loopback Interface as the Source for Management Traffic

Using the Management Interface as the Source for Management Traffic

This section contains the following:

     Understanding Route Tables

     Keeping the Management and Data Interfaces in Separate Networks

     Management Routing Options

     Configuring the Management Interface as Source for Automated Management Traffic

     Configuring the Management Interface as Source Interface for Manually Generated Management Traffic

Understanding Route Tables

By default, the ACOS device attempts to use a route from the main route table for management connections originated on the ACOS device. You can enable the ACOS device to use the management route table to initiate management connections instead.

This section describes the ACOS device’s two route tables, for data and management traffic, and how to configure the device to use the management route table.

The ACOS device uses separate route tables for management traffic and data traffic.

     Management route table – Contains all static routes whose next hops are connected to the management interface. The management route table also contains the route to the device configured as the management default gateway.

     Main route table – Contains all routes whose next hop is connected to a data interface. These routes are sometimes referred to as data plane routes. Entries in this table are used for load balancing and for Layer 3 forwarding on data ports.

This route table also contains copies of all static routes in the management route table, excluding the management default gateway route.

You can configure the ACOS device to use the management interface as the source interface for automated management traffic. In addition, on a case-by-case basis, you can enable use of the management interface and management route table for various types of management connections to remote devices.

The ACOS device automatically will use the management route table for reply traffic on connections initiated by a remote host that reaches the ACOS device on the management port. For example, this occurs for SSH or HTTP connections from remote hosts to the ACOS device.

NOTE:                               Static routes whose next hop is on the management interface appear in both tables: they are installed in the management route table and copied into the main route table.

Keeping the Management and Data Interfaces in Separate Networks

It is recommended to keep the management interface and the data interfaces in separate networks. If both tables contain a route to the same destination subnet, operations such as ping may take an unexpected path, because the table consulted depends on how the traffic was originated. An exception is the default route (0.0.0.0/0), which can be present in both tables.

To display the routes in the management route table, use the show ip route mgmt command.

To display the data plane routes in the main route table, use the show ip route or show ip fib commands.

Management Routing Options

You can configure the ACOS device to use the management interface as the source interface for the following management protocols, used for automated management traffic:

     SYSLOG

     SNMPD

     NTP

     RADIUS

     TACACS+

     SMTP

For example, when use of the management interface as the source interface for control traffic is enabled, all log messages sent to remote log servers leave through the management interface, and the management route table is used to find a route to the log server. The ACOS device does not fall back to the main route table to reach the server, even if a route in the main route table could be used. In practice this means that a syslog, RADIUS, or TACACS+ server that is reachable only through a data-plane route becomes unreachable once the option is enabled, unless a management route (or the management default gateway) covers it.
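The route-selection rules in this section, as an added Python model (not ACOS code and not the device's actual lookup implementation): it builds the two tables as described, copies management static routes into the main table while excluding the management default gateway, and performs a longest-prefix match against only the table that ip control-apps-use-mgmt-port selects. The addresses, interface names (ethernet1, ethernet2, management) and server roles in the comments are constructed for illustration. The last scenario shows the failure mode a practitioner should check for: a server reachable only through a data route, with the option enabled and no management default gateway configured.

```python
"""Model of the split management/main route tables for device-originated traffic.

Added example, not ACOS code: it reproduces the lookup rules documented on this
page so the effect of ``ip control-apps-use-mgmt-port`` on overlapping and
data-only routes can be inspected offline. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

MGMT_IF = "management"   # the dedicated management port; every other name is a data port


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: IPv4Address
    interface: str       # interface the next hop is attached to


def route(prefix: str, next_hop: str, interface: str) -> Route:
    return Route(ip_network(prefix), ip_address(next_hop), interface)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over one table; None when no route covers dst."""
    addr = ip_address(dst)
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def build_tables(static_routes: List[Route],
                 mgmt_default_gw: Optional[str] = None) -> Tuple[List[Route], List[Route]]:
    """Split configured routes into (management table, main table).

    Management table: static routes whose next hop is on the management port,
    plus the management default gateway route if one is configured.
    Main table: data-port routes plus copies of the management static routes,
    but never the management default gateway route.
    """
    mgmt_static = [r for r in static_routes if r.interface == MGMT_IF]
    data_routes = [r for r in static_routes if r.interface != MGMT_IF]
    main_table = data_routes + mgmt_static
    mgmt_table = list(mgmt_static)
    if mgmt_default_gw is not None:
        mgmt_table.append(route("0.0.0.0/0", mgmt_default_gw, MGMT_IF))
    return mgmt_table, main_table


def egress_for(dst: str, mgmt_table: List[Route], main_table: List[Route],
               control_apps_use_mgmt_port: bool) -> Optional[str]:
    """Interface the device would source automated management traffic from.

    With the option enabled only the management table is consulted; a usable
    main-table route is ignored, so the result can be None (unreachable).
    """
    table = mgmt_table if control_apps_use_mgmt_port else main_table
    r = lookup(table, dst)
    return r.interface if r else None


# Constructed routing configuration for the demo (hypothetical addresses).
CONSTRUCTED_ROUTES = [
    route("0.0.0.0/0", "192.0.2.1", "ethernet1"),        # data default route
    route("10.20.5.0/24", "192.0.2.1", "ethernet1"),     # data route, more specific than the mgmt one
    route("172.16.0.0/12", "192.0.2.254", "ethernet2"),  # destination reachable only via a data port
    route("10.20.0.0/16", "198.51.100.1", MGMT_IF),      # mgmt static route overlapping the data route
    route("10.30.0.0/16", "198.51.100.1", MGMT_IF),      # mgmt static route (e.g. syslog/TACACS+ subnet)
]


def demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Per destination: (egress with option disabled, egress with option enabled)."""
    mgmt_t, main_t = build_tables(CONSTRUCTED_ROUTES, mgmt_default_gw="198.51.100.1")
    results = {}
    for dst in ("10.30.0.9", "10.20.5.7", "203.0.113.50", "172.16.1.1"):
        results[dst] = (egress_for(dst, mgmt_t, main_t, False),
                        egress_for(dst, mgmt_t, main_t, True))
    # Same configuration without a management default gateway: the data-only
    # destination is now unreachable once the option is enabled.
    mgmt_t2, main_t2 = build_tables(CONSTRUCTED_ROUTES)
    results["172.16.1.1 (no mgmt default gw)"] = (
        egress_for("172.16.1.1", mgmt_t2, main_t2, False),
        egress_for("172.16.1.1", mgmt_t2, main_t2, True))
    return results


if __name__ == "__main__":
    for dst, (off, on) in demo().items():
        print(f"{dst:32} disabled -> {off!s:10} enabled -> {on}")
```

The 10.20.5.7 case is the overlap the page warns about: the same destination leaves through ethernet1 when the main table is used and through the management port when the option is enabled. The 10.30.0.9 case shows that a static route via the management port is honoured even with the option disabled, because it is copied into the main table. The final case returns None, which is the condition to verify before enabling the option on a device whose AAA or logging servers sit behind data-plane routes.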

In addition, on a case-by-case basis, you can enable use of the management interface and management route table for the following types of management connections to remote devices:

     Upgrade of the ACOS software

     SSH or Telnet connection to a remote host

     Import or export of files

     Export of show techsupport output

     Reload of black/white lists

     SSL loads (keys, certificates, and Certificate Revocation Lists)

     Copy or restore of configurations

     Backups

Configuring the Management Interface as Source for Automated Management Traffic

By default, use of the management interface as the source interface for automated management traffic is disabled.

To enable it, use the ip control-apps-use-mgmt-port command at the configuration level for the management interface:

ACOS(config)# interface management

ACOS(config-if:management)# ip control-apps-use-mgmt-port


Configuring the Management Interface as Source Interface for Manually Generated Management Traffic

To use the management interface as the source interface for manually generated management traffic, use the use-mgmt-port option as part of the command string. This option is available with certain file management commands, including the import command:

ACOS(config)# import ssl-cert-key bulk ?

 use-mgmt-port      Use management port as source port

 tftp:              Remote file path of tftp: file system(Format: tftp://host/file)

 ftp:               Remote file path of ftp: file system(Format:

                    ftp://[user@]host[:port]/file)

 scp:               Remote file path of scp: file system(Format:

                    scp://[user@]host/file)

 sftp:              Remote file path of sftp: file system(Format:

                    sftp://[user@]host/file)

 NAME<length:1-31> profile name for remote url


Using a Loopback Interface as the Source for Management Traffic

You can configure the ACOS device to use the IP address of a loopback interface as the source for management traffic that the device originates.

This section contains the following related information:

     Loopback Interface Management Traffic Types

     Loopback Interface Implementation Notes

     Loopback Interface Limitations

     Configuring a Loopback Interface for Management Traffic

Loopback Interface Management Traffic Types

You can enable use of a specific loopback interface as the source for one or more of the following management traffic types:

     FTP

     NTP

     RCP

     SNMP

     SSH

     SYSLOG

     Telnet

     TFTP

     Web

FTP, RCP, and TFTP apply to file export and import, such as image upgrades and system backups.

Telnet and SSH apply to remote login from the ACOS device to another device. They also apply to RADIUS and TACACS+ traffic. SSH also applies to file import and export using SCP.

Web applies to GUI login.

Loopback Interface Implementation Notes

Some notes to consider for loopback interfaces:

     Loopback interface IP address – The loopback interface you specify when configuring this feature must have an IP address configured on it. Otherwise, this feature does not take effect.

     Management interface – If use of the management interface as the source for management traffic is also enabled, the loopback interface takes precedence over the management interface. The loopback interface’s IP address is used instead of the management interface’s IP address as the source for the management traffic. In that case, the use-mgmt-port CLI option has no effect on the traffic types covered by the loopback configuration.

     Ping traffic – Configuration for use of a loopback interface as the source for management traffic does not apply to ping traffic. By default, ping packets are sourced from the best interface based on the ACOS route table. You can override the default interface selection by specifying a loopback or other type of interface as part of the ping command. (See the Command Line Interface Reference for syntax information.)

Loopback Interface Limitations

The current release has the following limitations related to this feature:

     Floating loopback interfaces are not supported.

     IPv6 interfaces are not supported.

Configuring a Loopback Interface for Management Traffic

The following commands configure an IP address on loopback interface 2:

ACOS(config)# interface loopback 2

ACOS(config-if:loopback:2)# ip address 10.10.10.66 /24

ACOS(config-if:loopback:2)# exit

The following command configures the ACOS device to use loopback interface 2 as the source interface for management traffic of all types listed above:

ACOS(config)# ip mgmt-traffic traffic-type all source-interface loopback 2
