Solved

segmented management on 5520 running VOSS

C
  • Chi
  • Participator
  • 5 replies

Hi, has anybody gotten a 5520 running VOSS and acting as a router with two routed interfaces (VLANs with IPs) to have the segmented management VLAN be accessible from both sides of the router?  I created VLANs A and B on the 5520, assigned (public, routable) IPs to them, and then created a segmented management VLAN, and gave it an IP on the same subnet as VLAN A, with VLAN A’s IP address as it’s default route.

I can SSH to the segmented management VLAN address, but ONLY when I’m physically connected to anything on VLAN A side of the router, including devices going through another router that connects the VLAN A.  Anything on VLAN B or connected to the VLAN B side, cannot SSH to the segmented management VLAN address.

icon

Best answer by LionelH 8 March 2021, 14:05

Hello,

 

I found my mistake, Router ISIS SPBM Ip wasn’t activate with IP shortcut as source.

 

Now Clip are working fine around the network.

 

Regards,

View original

10 replies

Paul A. Leroux
Rank
Userlevel 5

With segmented mgmt with a VLAN the IP is treated just as a mgmt address.  Not a routed address.  You need to make sure that you give the MGMT VLAN IP a default route.

 

4901:1(mgmt:vlan)#ip route ?
  {A.B.C.D/X}  Ip address/subnet mask
  {A.B.C.D}    IP address
4901:1(mgmt:vlan)#ip route

 

 

Paul A. Leroux
Rank
Userlevel 5

better example

 

mgmt vlan 192 

ip address 192.168.2.7/24

ip route 0.0.0.0/0 next-hop 192.168.2.1 weight 200

enable

exit

 

C

Yes, I gave the VLAN A IP address as the default route for the segmented management VLAN interface.  I could only SSH to the seg mgmt IP from the VLAN A IP and other networks connected to the VLAN A side.  I could not SSH from the VLAN B IP nor any other network connected to the VLAN B side

Paul A. Leroux
Rank
Userlevel 5

can you dump the config for us please?

M
Userlevel 6
Badge +1

Chi,

From the doc:

The mgmt IP and the VLAN A IP must match if I not mistaking.

The default gateway is the one defined on your switch and not the VLAN A’s IP

Mig

Mig
Paul A. Leroux
Rank
Userlevel 5

just a thought….

 

if your network is routed, just use a CLIP for mgmt.

 


mgmt clip vrf GlobalRouter
ip address 172.17.49.1/32
enable

 

 

Ludovico Stevens
Rank
Userlevel 5

The point raised is that a mgmt VLAN IP cannot be reached if the same VSP is required to IP route the packet to the mgmt VLAN. This is documented as a limitation. The point is that if the VSP is acting as an IP router, then you should not be using a mgmt vlan IP but a mgmt clip instead.

See the attached slides, slide 19.

1 Attachment
Ciao
L

Hello,

I’m in the exact same situation.

We have 2 VOSS VSP4900 acting as network core and L3 for all our VLAN.

We cannot access the VSP in the Vlan as before.

I understand we must now use CLIP mgmt, but is somebody know how to configure CLIP MGMT Interface ?

It as to be /32, and how the CLIP Mgmt IP can be reach from other Vlan ?

Thanks for explanation,

Regards,

L

Hello,

 

I found my mistake, Router ISIS SPBM Ip wasn’t activate with IP shortcut as source.

 

Now Clip are working fine around the network.

 

Regards,

C

just a thought….

 

if your network is routed, just use a CLIP for mgmt.

 


mgmt clip vrf GlobalRouter
ip address 172.17.49.1/32
enable

 

 

Both sides of the router have publicly routable IP addresses, so I would need to get another IP from the ISP and have them route to it.  But the end customer doesn’t really want to do that.

Reply