https://community.extremenetworks.com/t5/network-architecture-design/access-switches-xa-14xx-in-band-mgmt-solution/m-p/71198#M2581 <P>So, you are playing with freshly new features from release VOSS 8.3.1.</P><P>I think the answer to your problem is simply to configure a “mgmt” clip which will then be reachable in the fabric overlay (not underlay). Use:</P><PRE><CODE>mgmt clip [vrf &lt;vrf name&gt;]<BR /> ip address x.x.x.x/32<BR /> enable<BR />exit</CODE></PRE><P>This would be a different CLIP from the ones you already configured.</P> Wed, 28 Jul 2021 21:01:18 GMT Ludovico_Steven 2021-07-28T21:01:18Z https://community.extremenetworks.com/t5/network-architecture-design/access-switches-xa-14xx-in-band-mgmt-solution/m-p/71197#M2580 <P>Hi,</P><P>We are testing the XA access swithces to extend our fabric to remote sites, or for more advanced users who work from home who need more than just a VPN connection.</P><P>Currently, we are running 8.3.1 on the two XA devices. One is at the office, it’s the responder, and one at home. both are behind NAT.</P><P>At home, we are testing DHCP configuration that is new on 8.3.1 because normally internet links, or home users will have DHCP. Although we have some issues, we managed get the home XA to get an ip address from home router, and set the tunnelsourceaddress in the logical link to use the DHCP IP using “TunnelSourceType”.</P><P>&nbsp;</P><P>This works. However, the issue now is that I am not able to access the HOME XA from our corporate network to manage, or for the home XA to reach our corporate radius server (NAC CONTROL).</P><P>I tried to redistribute DIRECT routes on ISIS from both XAs so they can route to each other but it seems my CLIPS that are used for TunnelSourceAddresses are not being re-distributed.</P><P>Here is my config for the XA at Office (Which is connected to corporate fabric):</P><P>NOTE: Omitted standard&nbsp; obvious ISIS config stuff to keep this short.</P><PRE><CODE>#Responder XA which receives IPSEC Tunnels from remote sites/home.<BR />spbm 1 ip enable<BR /><BR />interface Vlan 160<BR />ip address 10.1.160.227 255.255.255.0 2<BR />exit<BR /><BR /> interface loopback 1<BR />ip address 1 10.1.1.226/255.255.255.255<BR />exit<BR /><BR />router isis<BR />sys-name "OFFICE-XA"<BR />ip-tunnel-source-address 10.1.1.226<BR />ipsec tunnel-source-address 10.1.160.227<BR />is-type l1<BR /><BR /><BR /><BR />logical-intf isis 1 dest-ip 10.1.1.227 mtu 1500 name "TOHOME"<BR />isis<BR />isis hello-auth type hmac-sha-256<BR />isis spbm 1<BR />isis enable<BR />auth-key ******<BR />ipsec esp aes256gcm16-sha256<BR />ipsec responder-only<BR />ipsec<BR />exit<BR /><BR /></CODE></PRE><P>&nbsp;</P><P>as for the XA at home or at the remote site, which is behind NAT:</P><P>&nbsp;</P><PRE><CODE>ip vrf underlay vrfid 1<BR /><BR />spbm 1 ip enable<BR /><BR />#Home User connect their network to port 1/4 in this example<BR /><BR />vlan create 4048 type port-mstprstp 0<BR />vlan members 4048 1/4 portmember<BR /><BR />interface Vlan 4048<BR />vrf underlay<BR /><BR />mgmt vlan 4048<BR />mgmt dhcp-client vlan<BR /><BR />interface loopback 1<BR />ip address 1 10.1.1.227/255.255.255.255 vrf underlay name "TEST1"<BR />exit<BR /><BR />router isis<BR />ip-tunnel-source-address 10.1.1.227 vrf underlay<BR />is-type l1<BR /><BR />logical-intf isis 2 dest-ip 10.1.1.226 mtu 1500 name "TO-OFFICE"<BR />isis<BR />isis hello-auth type hmac-sha-256<BR />isis spbm 1<BR />isis enable<BR />auth-key ******<BR />ipsec esp aes256gcm16-sha256<BR /><BR />#X.Y.Z.Y is the Internet IP that gets NATTED to 10.1.160.227<BR />ipsec remote-nat-ip X.Y.Z.Y<BR />ipsec tunnel-source-address type dhcp vrf underlay<BR /><BR /></CODE></PRE><P>There could be a better way to design this, and I am not sure what is the best way to get this working as above, behind NAT, and IPSEC, DHCP and also be able to manage the home XA.</P><P>Any ideas, please let me know. Willing to re-configure to a better architecture if needs be.</P><P>Thanks,</P> Sat, 03 Jul 2021 06:30:45 GMT https://community.extremenetworks.com/t5/network-architecture-design/access-switches-xa-14xx-in-band-mgmt-solution/m-p/71197#M2580 Chad5 2021-07-03T06:30:45Z https://community.extremenetworks.com/t5/network-architecture-design/access-switches-xa-14xx-in-band-mgmt-solution/m-p/71198#M2581 <P>So, you are playing with freshly new features from release VOSS 8.3.1.</P><P>I think the answer to your problem is simply to configure a “mgmt” clip which will then be reachable in the fabric overlay (not underlay). Use:</P><PRE><CODE>mgmt clip [vrf &lt;vrf name&gt;]<BR /> ip address x.x.x.x/32<BR /> enable<BR />exit</CODE></PRE><P>This would be a different CLIP from the ones you already configured.</P> Wed, 28 Jul 2021 21:01:18 GMT https://community.extremenetworks.com/t5/network-architecture-design/access-switches-xa-14xx-in-band-mgmt-solution/m-p/71198#M2581 Ludovico_Steven 2021-07-28T21:01:18Z https://community.extremenetworks.com/t5/network-architecture-design/access-switches-xa-14xx-in-band-mgmt-solution/m-p/71199#M2582 <P>Yeah, I do tend to play with bleeding edge stuff, as I try to make things work for us, and provide feedback in tickets when needed.</P><P>DHCP was one of those things that was very necessary to deploy the XAs as most Internet access is usually DHCP and we would ship this device to a branch office configured to plug and play, so DHCP is important. DHCP still has some issues, but I understand it may take time to get it to work perfectly.</P><P>&nbsp;</P><P>Thanks for the info. Yes, figured this out couple of days ago as I worked more on 8.2 vsp releases.</P><P>I also had to redistribute ISIS direct on both ends to add the routes needed.</P><P>I was curious why a vrf was added though for this setup, and why DHCP was added in mgmt, and then logical link would use a mgmt IP. instead of adding DHCP to a vlan (in non mgmt) and then make logical link use it.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 28 Jul 2021 21:59:28 GMT https://community.extremenetworks.com/t5/network-architecture-design/access-switches-xa-14xx-in-band-mgmt-solution/m-p/71199#M2582 Chad5 2021-07-28T21:59:28Z