ExtremeSwitching (VSP)

 View Only
Expand all | Collapse all

Segmented Management Interface

  • 1.  Segmented Management Interface

    Posted 10-08-2020 22:28

    I see that VOSS 8.2.0 is released and there is now a Segmented Management Interface which says “the Management plane (management protocols) is separated from the Control Plane (routing plane) from a process and data-path perspective”.  There are three interface options that can now be used:

    • Out-of-Band (OOB) management IP address (IPv4 and/or IPv6)
    • In-band Loopback/circuitless IP (CLIP) management IP address (IPv4 and/or IPv6)
    • In-band management VLAN IP address (IPv4 and/or IPv6)

    I started configuring switches to use a CLIP address in the GRT for management, but now there is an option to use a CLIP address in any VRF including the GRT.  I distribute routes from the GRT to a Management VRF so I could share the management routing table within a L3VSN.

    So the question is:

    Should I leave the CLIP in the GRT or move it to a VRF?  How would this affect IP shortcuts?


  • 2.  RE: Segmented Management Interface

    Posted 10-09-2020 11:56

    Hi Terrel

    the idea is to move management into a VRF, if you would like to have a management VRF. In the other case - route redistribution works if you use IS-IS accept policies, but it would not work to do InterVRF routing local on a box as those routes are not injected into ISIS.


  • 3.  RE: Segmented Management Interface

    Posted 10-09-2020 16:01

    Thanks for the reply Roger.  I was using a Management VRF with v8.1.x on all my VSP’s, and then use a L3VSN to exchange routes between the VSP’s.  I believe from reading 8.2 docs (and trying to configure a VSP7400) that I need to create a second IP address on a loopback interface for isis ip-source-address which is required for L3VSNs and IP shortcuts to work.  Can you confirm this is correct for IP shortcuts and L3VSNs, and does that mean that the loopback address can’t be used to manage the switch?


  • 4.  RE: Segmented Management Interface

    Posted 10-09-2020 18:59

    The ISIS source IP address becomes somewhat optional in 8.2. You don’t need it for IP Shortcuts and L3VSNs to work anymore. If you specified it as your “migrate-to-mgmt” during the upgrade to 8.2.x then it will have been converted into the new segmented mgmt clip (in GRT) and your VSP will no longer have an ISIS Source IP. In this case you will see some messages warning you about this in the log. To restore the ISIS Source IP simply create a new clip and re-assign it after the upgrade to 8.2.x (or you can do this upfront by creating a 2nd clip and assigning it as ISIS source IP before the upgrade to 8.2.x). The downside is that you can no longer have the same clip IP as GRT mgmt and ISIS Source IP. But the ISIS Source IP in itself was not hugely useful, it is simply the default source IP which will get used if you ping (or IP traceroute) in the GRT a destination which is reachable via an IP ISIS route; but you can manually provide a different source IP on the ping command if you like anyway.

  • 5.  RE: Segmented Management Interface

    Posted 10-09-2020 19:54

    Thanks for the additional info Ludo, so just to clarify…

    • When the mgmt clip is in the GRT then the ip-source-address (and loopback) is not required?
    • What if the mgmt clip is in a vrf, or vlan?  Is the second IP address required?


  • 6.  RE: Segmented Management Interface

    Posted 11-11-2020 08:00

    I looks like you need to specify it also.

    The Guide is not so good in this case, because in the examples there is a net-id and not a IP set.


    I’m currently also doing test in my lab for a customer migration.

    I’ve set the mgmt as vlan-IP in a user defined VRF. From the VLAN I can access switch-host. But from other vlan inside or ouside the vrf I can’t access the switch-host. I currently can’t see a issue.

  • 7.  RE: Segmented Management Interface

    Posted 11-11-2020 19:43

    The ISIS Source IP address should be configured whether or not the mgmt CLIP is in GRT or a VRF.

    Basically, before 8.2, the ISIS Source IP and the CLIP GRT management were the same.

    But from 8.2 onward they can no longer be the same.

    As I said before, the ISIS Source IP in itself is not hugely useful and 8.2 will now quite happily let you run IP Shortcuts and L3VSNs even if you did not set one (this was not the case before 8.2). But if you run SPB with “spbm ip enable” and you did not set a ISIS Source IP the VSP will complain with warning messages in the log file.

    The Admin Guide states:

    You must configure a new loopback interface isis ip-source address if you migrate the
    current ISIS IP address to the CLIP Management Instance when the IP address is the same as a
    previously configured IP shortcut.


    The other point raised by Peter, is that the mgmt vlan can only be reached from that VLAN. The intention of mgmt vlan is to manage a VSP which is acting as L2 only. If you create a mgmt vlan on a VSP which is acting as a L3 IP router, then you will observe that the mgmt vlan IP cannot be reached from other IP subnets.

    The Admin Guide does mention this:

    Packets sent to the VLAN Management Instance IP address must ingress the switch from a VLAN
    port (or contain the VLAN ID) associated with the VLAN Management Instance. The system does
    not route packets between the VOSS routing VLAN and the VLAN Management Instance.


    So, if your VSP is doing L3, use mgmt clip

    Whereas if your VSP is doing only L2, use mgmt VLAN

  • 8.  RE: Segmented Management Interface

    Posted 03-16-2021 21:07


    Revisiting this thread…

    I have been configuring VSP7400’s without the ip-source-address, and created the loopback-ip in the management VRF, and everything is working great.

    I am now configuring a VSP8600 on VOSS and have created the Segmented management CLIP the same way, but when I try to enable ISIS it says ”Error: When SPBM ip shortcut is enabled, ISIS ip source-address should be configured.” and I can’t enable ISIS.  I tried to use the Mgmt-clip for the ip source-address, but it says “Error: Must be IP address of circuitless interface.”

    Does this mean I need to create another clip in the GRT?  What does that mean for IP shortcuts?

    Any thoughts?






  • 9.  RE: Segmented Management Interface

    Posted 03-17-2021 09:08

    The VSP 8600 is behind in Firmware/Features to other VSPs.

    Segmented Management Interface is available from VOSS 8.2. This isn’t available for the VSP8600 yet.


    So, yes you need a CLIP for management and shortcut routing in the GRT.

  • 10.  RE: Segmented Management Interface

    Posted 03-17-2021 18:31

    Actually according to the Admin Guide segmented management is available on the VSP8600 with VOSS 

    https://documentation.extremenetworks.com/VOSS/VSP8600/SW/80x/AdminVSP8600_8.0_ADG.pdf - Page 402.

    I will be testing this later today, but has anybody else tried this?


  • 11.  RE: Segmented Management Interface

    Posted 03-18-2021 23:01

    The release notes say “The first management application to use the Management Instance is NTPv4.” and I tested and ssh doesn’t work.

  • 12.  RE: Segmented Management Interface

    Posted 03-19-2021 09:41

    Hi Terrel,

    as this Doc is from oct 2020, I’m not sure if this is true.

    From the doc Segmented Management Interface will be available for the VSP7400 at VOSS 8.0. This isn’t true.

    You could enter some migration commands on pre VOSS 8.2. that the mgmt will automate changed during upgrade to 8.2. (in my tests, that didn’t work well)



  • 13.  RE: Segmented Management Interface

    Posted 03-19-2021 17:39

    Thanks, I also had issues with VSP8400 migrating to the Segmented Management so I wanted to get it running before putting the VSP8600’s in production.  I will work with Extreme to get an ETA.