
Access Switches (XA 14xx) in band mgmt solution

Chad5
New Contributor III

Hi,

We are testing the XA access switches to extend our fabric to remote sites, or for more advanced users who work from home and need more than just a VPN connection.

Currently, we are running 8.3.1 on the two XA devices. One is at the office (it is the responder) and one at home. Both are behind NAT.

At home, we are testing the DHCP configuration that is new in 8.3.1, because internet links or home users will normally have DHCP. Although we have some issues, we managed to get the home XA to get an IP address from the home router, and set the tunnelsourceaddress in the logical link to use the DHCP IP using “TunnelSourceType”.

This works. However, the issue now is that I am not able to access the HOME XA from our corporate network to manage, or for the home XA to reach our corporate radius server (NAC CONTROL).

I tried to redistribute DIRECT routes on ISIS from both XAs so they can route to each other but it seems my CLIPS that are used for TunnelSourceAddresses are not being re-distributed.

Here is my config for the XA at Office (Which is connected to corporate fabric):

NOTE: Omitted the standard, obvious ISIS config to keep this short.

#Responder XA which receives IPSEC Tunnels from remote sites/home.
spbm 1 ip enable

interface Vlan 160
ip address 10.1.160.227 255.255.255.0 2
exit

interface loopback 1
ip address 1 10.1.1.226/255.255.255.255
exit

router isis
sys-name "OFFICE-XA"
ip-tunnel-source-address 10.1.1.226
ipsec tunnel-source-address 10.1.160.227
is-type l1

logical-intf isis 1 dest-ip 10.1.1.227 mtu 1500 name "TOHOME"
isis
isis hello-auth type hmac-sha-256
isis spbm 1
isis enable
auth-key ******
ipsec esp aes256gcm16-sha256
ipsec responder-only
ipsec
exit

As for the XA at home or at the remote site, which is behind NAT:

ip vrf underlay vrfid 1

spbm 1 ip enable

#Home User connect their network to port 1/4 in this example

vlan create 4048 type port-mstprstp 0
vlan members 4048 1/4 portmember

interface Vlan 4048
vrf underlay

mgmt vlan 4048
mgmt dhcp-client vlan

interface loopback 1
ip address 1 10.1.1.227/255.255.255.255 vrf underlay name "TEST1"
exit

router isis
ip-tunnel-source-address 10.1.1.227 vrf underlay
is-type l1

logical-intf isis 2 dest-ip 10.1.1.226 mtu 1500 name "TO-OFFICE"
isis
isis hello-auth type hmac-sha-256
isis spbm 1
isis enable
auth-key ******
ipsec esp aes256gcm16-sha256

#X.Y.Z.Y is the Internet IP that gets NATed to 10.1.160.227
ipsec remote-nat-ip X.Y.Z.Y
ipsec tunnel-source-address type dhcp vrf underlay

There could be a better way to design this, and I am not sure what the best way is to get this working as above, behind NAT, with IPSEC and DHCP, and still be able to manage the home XA.

Any ideas, please let me know. Willing to re-configure to a better architecture if need be.

Thanks,
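
As an added example (not from the post, and not Extreme's own tooling): a Python cross-check of the two configurations above, embedded as constructed strings, that verifies what a reviewer wants to agree end to end on a Fabric Extend IPsec tunnel: each side's dest-ip must be the peer's ip-tunnel-source-address, hello authentication must be hmac-sha-256 on both ends, the ESP proposal must match, and each logical-intf must carry the bare `ipsec` line that enables IPsec (present on the office side, absent from the home side as pasted, so the checker flags it). The field names and regexes are this example's own assumptions about the pasted text, not a VOSS parser.

```python
import re

# Constructed strings: the tunnel-relevant lines of the two configs in the post.
OFFICE = """\
ip-tunnel-source-address 10.1.1.226
ipsec tunnel-source-address 10.1.160.227
logical-intf isis 1 dest-ip 10.1.1.227 mtu 1500 name "TOHOME"
isis hello-auth type hmac-sha-256
ipsec esp aes256gcm16-sha256
ipsec responder-only
ipsec
"""
HOME = """\
ip-tunnel-source-address 10.1.1.227 vrf underlay
logical-intf isis 2 dest-ip 10.1.1.226 mtu 1500 name "TO-OFFICE"
isis hello-auth type hmac-sha-256
ipsec esp aes256gcm16-sha256
ipsec remote-nat-ip X.Y.Z.Y
ipsec tunnel-source-address type dhcp vrf underlay
"""

def parse(cfg):
    """Extract the fields that must agree between the two tunnel ends."""
    first = lambda pat: m.group(1) if (m := re.search(pat, cfg, re.M)) else None
    return {
        "tunnel_src": first(r"^ip-tunnel-source-address (\S+)"),
        "dest_ip": first(r"^logical-intf isis \d+ dest-ip (\S+)"),
        "hello_auth": first(r"^isis hello-auth type (\S+)"),
        "esp": first(r"^ipsec esp (\S+)"),
        "ipsec_on": re.search(r"^ipsec$", cfg, re.M) is not None,  # bare enable line
    }

def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Return findings for the tunnel between two ends; [] means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    for name, mine, peer in ((name_a, a, b), (name_b, b, a)):
        if mine["dest_ip"] != peer["tunnel_src"]:
            out.append(f"{name}: dest-ip {mine['dest_ip']} is not the peer's tunnel source {peer['tunnel_src']}")
        if mine["hello_auth"] != "hmac-sha-256":
            out.append(f"{name}: IS-IS hello auth is {mine['hello_auth']}, expected hmac-sha-256")
        if not mine["ipsec_on"]:
            out.append(f"{name}: IPsec not enabled (no bare 'ipsec' line under logical-intf)")
    if a["esp"] != b["esp"]:
        out.append(f"ESP proposal mismatch: {a['esp']} vs {b['esp']}")
    return out

if __name__ == "__main__":
    print("\n".join(check_pair("OFFICE", OFFICE, "HOME", HOME)) or "consistent")
```

Run against the pasted configs it reports only the missing `ipsec` line on the home side; append that line and it reports nothing.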

1 ACCEPTED SOLUTION

Chad5
New Contributor III

Yeah, I do tend to play with bleeding edge stuff, as I try to make things work for us, and provide feedback in tickets when needed.

DHCP was one of those things that was very necessary to deploy the XAs as most Internet access is usually DHCP and we would ship this device to a branch office configured to plug and play, so DHCP is important. DHCP still has some issues, but I understand it may take time to get it to work perfectly.

Thanks for the info. Yes, I figured this out a couple of days ago as I worked more on the 8.2 VSP releases.

I also had to redistribute ISIS direct on both ends to add the routes needed.

I was curious why a VRF was added for this setup, and why DHCP was added in mgmt with the logical link then using a mgmt IP, instead of adding DHCP to a (non-mgmt) VLAN and making the logical link use that.

Thanks,

2 REPLIES

Ludovico_Steven
Extreme Employee

So, you are playing with brand-new features from release VOSS 8.3.1.

I think the answer to your problem is simply to configure a “mgmt” clip which will then be reachable in the fabric overlay (not underlay). Use:

mgmt clip [vrf <vrf name>]
ip address x.x.x.x/32
enable
exit

This would be a different CLIP from the ones you already configured.
