Segmented Management Interface

  • 9 October 2020

I see that VOSS 8.2.0 is released and there is now a Segmented Management Interface which says “the Management plane (management protocols) is separated from the Control Plane (routing plane) from a process and data-path perspective”.  There are three interface options that can now be used:

• Out-of-Band (OOB) management IP address (IPv4 and/or IPv6)
• In-band Loopback/circuitless IP (CLIP) management IP address (IPv4 and/or IPv6)
• In-band management VLAN IP address (IPv4 and/or IPv6)

I started configuring switches to use a CLIP address in the GRT for management, but now there is an option to use a CLIP address in any VRF including the GRT. I distribute routes from the GRT to a Management VRF so I could share the management routing table within an L3VSN.

So the question is:

Should I leave the CLIP in the GRT or move it to a VRF?  How would this affect IP shortcuts?

Terrel.


4 replies


Hi Terrel

The idea is to move management into a VRF, if you would like to have a management VRF. In the other case - route redistribution works if you use IS-IS accept policies, but it would not work to do InterVRF routing locally on a box as those routes are not injected into ISIS.

Roger

Thanks for the reply Roger. I was using a Management VRF with v8.1.x on all my VSPs, and then use an L3VSN to exchange routes between the VSPs. I believe from reading 8.2 docs (and trying to configure a VSP7400) that I need to create a second IP address on a loopback interface for isis ip-source-address which is required for L3VSNs and IP shortcuts to work. Can you confirm this is correct for IP shortcuts and L3VSNs, and does that mean that the loopback address can’t be used to manage the switch?

Terrel.


The ISIS source IP address becomes somewhat optional in 8.2. You don’t need it for IP Shortcuts and L3VSNs to work anymore. If you specified it as your “migrate-to-mgmt” during the upgrade to 8.2.x then it will have been converted into the new segmented mgmt clip (in GRT) and your VSP will no longer have an ISIS Source IP. In this case you will see some messages warning you about this in the log. To restore the ISIS Source IP simply create a new clip and re-assign it after the upgrade to 8.2.x (or you can do this upfront by creating a 2nd clip and assigning it as ISIS source IP before the upgrade to 8.2.x). The downside is that you can no longer have the same clip IP as GRT mgmt and ISIS Source IP. But the ISIS Source IP in itself was not hugely useful, it is simply the default source IP which will get used if you ping (or IP traceroute) in the GRT a destination which is reachable via an IP ISIS route; but you can manually provide a different source IP on the ping command if you like anyway.

Thanks for the additional info Ludo, so just to clarify…

  • When the mgmt clip is in the GRT then the ip-source-address (and loopback) is not required?
  • What if the mgmt clip is in a vrf, or vlan?  Is the second IP address required?

Terrel
