By default, the ACOS device uses data interfaces as the source for management traffic. This chapter describes how you can configure the management interface and loopback interfaces to act as the source for management traffic instead of using data interfaces.
By default, the ACOS device attempts to use a route from the main route table for management connections originated on the ACOS device. You can enable the ACOS device to use the management route table to initiate management connections instead.
This section describes the ACOS device’s two route tables, for data and management traffic, and how to configure the device to use the management route table.
The ACOS device uses separate route tables for management traffic and data traffic.
• Management route table – Contains all static routes whose next hops are connected to the management interface. The management route table also contains the route to the device configured as the management default gateway.
• Main route table – Contains all routes whose next hop is connected to a data interface. These routes are sometimes referred to as data plane routes. Entries in this table are used for load balancing and for Layer 3 forwarding on data ports. This route table also contains copies of all static routes in the management route table, excluding the management default gateway route.
You can configure the ACOS device to use the management interface as the source interface for automated management traffic. In addition, on a case-by-case basis, you can enable use of the management interface and management route table for various types of management connections to remote devices.
The ACOS device will automatically use the management route table for reply traffic on connections initiated by a remote host that reaches the ACOS device on the management port. For example, this occurs for SSH or HTTP connections from remote hosts to the ACOS device.
NOTE: Static routes whose next hop is the management interface are duplicated in the management route table.
It is recommended to keep the management interface and the data interfaces in separate networks. If both tables have routes to the same destination subnet, some operations such as pinging may have unexpected results. An exception is the default route (0.0.0.0/0), which can be in both tables.
To display the routes in the management route table, use the show ip route management command.
To display the data plane routes, use the show ip route mgmt or show ip fib commands.
You can configure the ACOS device to use the management interface as the source interface for the following management protocols, used for automated management traffic:
For example, when use of the management interface as the source interface for control traffic is enabled, all log messages sent to remote log servers are sent through the management interface. Likewise, the management route table is used to find a route to the log server. The ACOS device does not attempt to use any routes from the main route table to reach the server, even if a route in the main route table could be used.
In addition, on a case-by-case basis, you can enable use of the management interface and management route table for the following types of management connections to remote devices:
• Upgrade of the ACOS software
• SSH or Telnet connection to a remote host
• Import or export of files
• Export of show techsupport output
• Reload of black/white lists
• SSL loads (keys, certificates, and Certificate Revocation Lists)
• Copy or restore of configurations
By default, use of the management interface as the source interface for automated management traffic is disabled.
To enable it, use the ip control-apps-use-mgmt-port command at the configuration level for the management interface:
To use the management interface as the source interface for manually generated management traffic, use the use-mgmt-port option as part of the command string. This option is available with certain file management commands, including the import command:
ACOS(config)# import ssl-cert-key bulk ?
use-mgmt-port Use management port as source port
tftp: Remote file path of tftp: file system(Format: tftp://host/file)
ftp: Remote file path of ftp: file system(Format:
scp: Remote file path of scp: file system(Format:
sftp: Remote file path of sftp: file system(Format:
NAME<length:1-31> profile name for remote url
You can configure the ACOS device to use a loopback interface's IP address as the source for management traffic originated by the device.
You can enable use of a specific loopback interface as the source for one or more of the following management traffic types:
FTP, RCP, and TFTP apply to file export and import, such as image upgrades and system backups.
Telnet and SSH apply to remote login from the ACOS device to another device. They also apply to RADIUS and TACACS+ traffic. SSH also applies to file import and export using SCP.
Web applies to GUI login.
Some notes to consider for loopback interfaces:
• Loopback interface IP address – The loopback interface you specify when configuring this feature must have an IP address configured on it. Otherwise, this feature does not take effect.
• Management interface – If use of the management interface as the source for management traffic is also enabled, the loopback interface takes precedence over the management interface. The loopback interface's IP address is used instead of the management interface's IP address as the source for the management traffic. In that case, the use-mgmt-port CLI option has no effect.
• Ping traffic – Configuration for use of a loopback interface as the source for management traffic does not apply to ping traffic. By default, ping packets are sourced from the best interface based on the ACOS route table. You can override the default interface selection by specifying a loopback or other type of interface as part of the ping command. (See the Command Line Interface Reference for syntax information.)
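The following is an added illustrative model of the source-selection rules described in this chapter (it is not ACOS code and does not reproduce any ACOS CLI). It assumes two constructed route tables, a hypothetical SourceConfig holding the ip control-apps-use-mgmt-port setting plus per-traffic-type loopback assignments, and treats the loopback setting as overriding only the source address while table selection follows the control-apps rule; that last point is an assumption, since the guide does not state which table a loopback-sourced connection consults.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.0.0.0/24"; "0.0.0.0/0" is the default route
    next_hop: str
    interface: str   # "mgmt" or a data interface such as "ethernet1"


def lookup(table, dst):
    """Longest-prefix match over one route table; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    return best


@dataclass
class SourceConfig:                      # hypothetical model of the device settings
    control_apps_use_mgmt_port: bool = False                  # ip control-apps-use-mgmt-port
    loopback_source: dict = field(default_factory=dict)       # traffic type -> loopback name
    loopback_ips: dict = field(default_factory=dict)          # loopback name -> configured IP or None


def select_source(cfg, traffic, dst, mgmt_table, main_table):
    """Return (source, table_name, route) for one device-originated management connection."""
    # Ping is exempt: it uses the best route from the main table unless the ping
    # command itself names a source interface.
    if traffic == "ping":
        return ("best-route-interface", "main", lookup(main_table, dst))
    # Once the control-apps option is on, only the management table is consulted,
    # even if the main table holds a more specific route to the destination.
    if cfg.control_apps_use_mgmt_port:
        table_name, route, source = "management", lookup(mgmt_table, dst), "mgmt"
    else:
        route = lookup(main_table, dst)
        table_name, source = "main", (route.interface if route else None)
    # A loopback wins over the management interface as the source address, but
    # only when the loopback actually has an IP address configured on it.
    lb = cfg.loopback_source.get(traffic)
    if lb and cfg.loopback_ips.get(lb):
        source = f"{lb}:{cfg.loopback_ips[lb]}"
    return (source, table_name, route)


# Constructed sample tables (not taken from a real device).
MGMT_TABLE = [Route("10.0.0.0/24", "10.0.0.1", "mgmt"), Route("0.0.0.0/0", "10.0.0.1", "mgmt")]
MAIN_TABLE = [Route("192.168.1.0/24", "192.168.1.1", "ethernet1"),
              Route("10.0.0.0/24", "10.0.0.1", "mgmt"),          # copy of the mgmt static route
              Route("0.0.0.0/0", "192.168.1.1", "ethernet1")]
```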
The current release has the following limitations related to this feature:
• Floating loopback interfaces are not supported.
• IPv6 interfaces are not supported.
The following commands configure an IP address on loopback interface 2:
The following command configures the ACOS device to use loopback interface 2 as the source interface for management traffic of all types listed above: