10-08-2020 10:28 PM
I see that VOSS 8.2.0 is released and there is now a Segmented Management Interface which says “the Management plane (management protocols) is separated from the Control Plane (routing plane) from a process and data-path perspective”. There are three interface options that can now be used:
• Out-of-Band (OOB) management IP address (IPv4 and/or IPv6)
• In-band Loopback/circuitless IP (CLIP) management IP address (IPv4 and/or IPv6)
• In-band management VLAN IP address (IPv4 and/or IPv6)
I started configuring switches to use a CLIP address in the GRT for management, but now there is an option to use a CLIP address in any VRF including the GRT. I distribute routes from the GRT to a Management VRF so I could share the management routing table within a L3VSN.
So the question is:
Should I leave the CLIP in the GRT or move it to a VRF? How would this affect IP shortcuts?
Terrel.
03-17-2021 09:08 AM
The VSP 8600 is behind in Firmware/Features to other VSPs.
Segmented Management Interface is available from VOSS 8.2. This isn’t available for the VSP8600 yet.
So, yes you need a CLIP for management and shortcut routing in the GRT.
03-16-2021 09:07 PM
Revisiting this thread…
I have been configuring VSP7400’s without the ip-source-address, and created the loopback-ip in the management VRF, and everything is working great.
I am now configuring a VSP8600 on VOSS 8.0.1.0 and have created the Segmented management CLIP the same way, but when I try to enable ISIS it says ”Error: When SPBM ip shortcut is enabled, ISIS ip source-address should be configured.” and I can’t enable ISIS. I tried to use the Mgmt-clip for the ip source-address, but it says “Error: Must be IP address of circuitless interface.”
Does this mean I need to create another clip in the GRT? What does that mean for IP shortcuts?
Any thoughts?
Thanks,
Terrel.
11-11-2020 07:43 PM
The ISIS Source IP address should be configured whether or not the mgmt CLIP is in GRT or a VRF.
Basically, before 8.2, the ISIS Source IP and the CLIP GRT management were the same.
But from 8.2 onward they can no longer be the same.
As I said before, the ISIS Source IP in itself is not hugely useful and 8.2 will now quite happily let you run IP Shortcuts and L3VSNs even if you did not set one (this was not the case before 8.2). But if you run SPB with “spbm ip enable” and you did not set a ISIS Source IP the VSP will complain with warning messages in the log file.
The Admin Guide states:
You must configure a new loopback interface isis ip-source address if you migrate the
current ISIS IP address to the CLIP Management Instance when the IP address is the same as a
previously configured IP shortcut.
The other point raised by Peter, is that the mgmt vlan can only be reached from that VLAN. The intention of mgmt vlan is to manage a VSP which is acting as L2 only. If you create a mgmt vlan on a VSP which is acting as a L3 IP router, then you will observe that the mgmt vlan IP cannot be reached from other IP subnets.
The Admin Guide does mention this:
Packets sent to the VLAN Management Instance IP address must ingress the switch from a VLAN
port (or contain the VLAN ID) associated with the VLAN Management Instance. The system does
not route packets between the VOSS routing VLAN and the VLAN Management Instance.
So, if your VSP is doing L3, use mgmt clip
Whereas if your VSP is doing only L2, use mgmt VLAN
11-11-2020 08:00 AM
I looks like you need to specify it also.
The Guide is not so good in this case, because in the examples there is a net-id and not a IP set.
I’m currently also doing test in my lab for a customer migration.
I’ve set the mgmt as vlan-IP in a user defined VRF. From the VLAN I can access switch-host. But from other vlan inside or ouside the vrf I can’t access the switch-host. I currently can’t see a issue.
10-09-2020 07:54 PM
Thanks for the additional info Ludo, so just to clarify…
Terrel