07-02-2021 11:30 PM
Hi,
We are testing the XA access switches to extend our fabric to remote sites, or for more advanced users who work from home and need more than just a VPN connection.
Currently, we are running 8.3.1 on the two XA devices. One is at the office (it's the responder) and one is at home. Both are behind NAT.
At home, we are testing the DHCP configuration that is new in 8.3.1, because normally internet links or home users will have DHCP. Although we have some issues, we managed to get the home XA to obtain an IP address from the home router and to set the tunnel source address in the logical link to use the DHCP IP via "TunnelSourceType".
This works. However, the issue now is that I am not able to access the HOME XA from our corporate network to manage, or for the home XA to reach our corporate radius server (NAC CONTROL).
I tried to redistribute DIRECT routes on ISIS from both XAs so they can route to each other but it seems my CLIPS that are used for TunnelSourceAddresses are not being re-distributed.
Here is my config for the XA at Office (Which is connected to corporate fabric):
NOTE: Omitted standard obvious ISIS config stuff to keep this short.
#Responder XA which receives IPSEC Tunnels from remote sites/home.
spbm 1 ip enable
interface Vlan 160
ip address 10.1.160.227 255.255.255.0 2
exit
interface loopback 1
ip address 1 10.1.1.226/255.255.255.255
exit
router isis
sys-name "OFFICE-XA"
ip-tunnel-source-address 10.1.1.226
ipsec tunnel-source-address 10.1.160.227
is-type l1
logical-intf isis 1 dest-ip 10.1.1.227 mtu 1500 name "TOHOME"
isis
isis hello-auth type hmac-sha-256
isis spbm 1
isis enable
auth-key ******
ipsec esp aes256gcm16-sha256
ipsec responder-only
ipsec
exit
As for the XA at home or at the remote site, which is behind NAT:
ip vrf underlay vrfid 1
spbm 1 ip enable
#Home User connect their network to port 1/4 in this example
vlan create 4048 type port-mstprstp 0
vlan members 4048 1/4 portmember
interface Vlan 4048
vrf underlay
mgmt vlan 4048
mgmt dhcp-client vlan
interface loopback 1
ip address 1 10.1.1.227/255.255.255.255 vrf underlay name "TEST1"
exit
router isis
ip-tunnel-source-address 10.1.1.227 vrf underlay
is-type l1
logical-intf isis 2 dest-ip 10.1.1.226 mtu 1500 name "TO-OFFICE"
isis
isis hello-auth type hmac-sha-256
isis spbm 1
isis enable
auth-key ******
ipsec esp aes256gcm16-sha256
#X.Y.Z.Y is the Internet IP that gets NATTED to 10.1.160.227
ipsec remote-nat-ip X.Y.Z.Y
ipsec tunnel-source-address type dhcp vrf underlay
There could be a better way to design this, and I am not sure what the best way is to get this working as above, behind NAT with IPsec and DHCP, and also be able to manage the home XA.
Any ideas, please let me know. Willing to re-configure to a better architecture if needs be.
Thanks,
07-28-2021 02:59 PM
Yeah, I do tend to play with bleeding edge stuff, as I try to make things work for us, and provide feedback in tickets when needed.
DHCP was one of those things that was very necessary to deploy the XAs as most Internet access is usually DHCP and we would ship this device to a branch office configured to plug and play, so DHCP is important. DHCP still has some issues, but I understand it may take time to get it to work perfectly.
Thanks for the info. Yes, I figured this out a couple of days ago as I worked more on the 8.2 VSP releases.
I also had to redistribute direct routes into ISIS on both ends to add the routes needed.
I was curious why a VRF was added for this setup, though, and why DHCP was added in mgmt with the logical link then using a mgmt IP, instead of adding DHCP to a (non-mgmt) VLAN and making the logical link use that.
Thanks,
07-28-2021 02:01 PM
So, you are playing with brand-new features from release VOSS 8.3.1.
I think the answer to your problem is simply to configure a "mgmt" CLIP, which will then be reachable in the fabric overlay (not the underlay). Use:
mgmt clip [vrf <vrf name>]
ip address x.x.x.x/32
enable
exit
This would be a different CLIP from the ones you already configured.
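As an added illustration (not part of the original thread), here is how the suggested management CLIP fits alongside the home XA configuration from the question. The underlay CLIP (loopback 1 in VRF underlay) stays the ISIS tunnel source for the IPsec logical link; the new mgmt CLIP lives in the GRT, which is the overlay that "spbm 1 ip enable" advertises, so the corporate side can reach it for management and the home XA can source RADIUS traffic from it. The address 10.1.2.227 is a constructed example value, not one from the thread.

```text
# Home XA: underlay CLIP used only as the IPsec/ISIS tunnel source (from the question)
interface loopback 1
ip address 1 10.1.1.227/255.255.255.255 vrf underlay name "TEST1"
exit

# Added management CLIP in the GRT (overlay), per the accepted answer.
# 10.1.2.227 is a constructed example address; pick one from your fabric's management range.
mgmt clip
ip address 10.1.2.227/32
enable
exit
```

Keep the management CLIP on a separate /32 from the tunnel-source CLIP: the tunnel-source CLIP must be reachable over the Internet path (underlay, behind NAT), while the management CLIP should only be reachable inside the fabric overlay, which keeps the management plane off the Internet-facing path.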