Configuring Management Interfaces

Configuring Out-of-Band Management Access

Configuring Inband Management Access

Configuring Out-of-Band Management Access

To configure out-of-band (OOB) management access for controllers, leaf switches, or spine switches, these steps must be performed:

• Configure the OOB management IP address and gateway on the management interface

• Allow access from the necessary external subnets

• Allow the necessary protocols on the management ports

Before You Begin

The APIC out-of-band management connection link must be 1 Gbps.

Procedure

Step 1

Command or Action: configure

Purpose: Enters configuration mode.

Example:

apic1# configure

Step 2

Command or Action: {controller apic-number-or-range | switch node-id[-node-id-or-range]}

Purpose: Specifies the controller or switch to be configured. You can enter a range of controllers or switches using dashes or commas.

Example:

apic1(config)# controller 1-3

Cisco APIC NX-OS Style Command-Line Interface Configuration Guide

Step 3

Command or Action: interface mgmt0

Purpose: The mgmt0 interface provides out-of-band management, which enables you to manage the device by its IPv4 address.

Example:

apic1(config-controller)# interface mgmt0

Step 4

Command or Action: ip address addr/mask gateway addr

Purpose: Configures the IP address and gateway for OOB management. If you specified more than one controller or switch, the command becomes ip address-range and IP addresses are assigned sequentially beginning with the address specified in this command.

Note: The APIC management interface does not support an IPv6 address and cannot connect to an external IPv6 server through this interface.

Example:

apic1(config-controller-if)# ip address-range 172.23.48.16/21 gateway 172.23.48.1

Step 5

Command or Action: exit

Example:

apic1(config-controller-if)# exit

Step 6

Command or Action: exit

Example:

apic1(config-controller)# exit

Step 7

Command or Action: tenant mgmt

Purpose: System Management policies are configured under a special tenant called mgmt.

Example:

apic1(config)# tenant mgmt

Step 8

Command or Action: external-l3 epg default oob-mgmt

Purpose: Enters the configuration mode of the out-of-band management EPG.

Example:

apic1(config-tenant)# external-l3 epg default oob-mgmt

Step 9

Command or Action: match ip addr/mask

Purpose: Provides access control for out-of-band management interface to external management subnets.

Example:

apic1(config-tenant-l3ext-epg)# match ip 192.0.20.0/24

Step 10

Command or Action: exit

Example:

apic1(config-tenant-l3ext-epg)# exit

Step 11

Command or Action: access-list oob-default

Purpose: Configures the access list filter for the OOB default policy.

Example:

apic1(config-tenant)# access-list oob-default

Step 12

Command or Action: match tcp dest 443

Purpose: Allows access on the management interface for HTTPS traffic (TCP/443).

Example:

apic1(config-tenant-acl)# match tcp dest 443

Step 13

Command or Action: match tcp dest 22

Purpose: Allows access on the management interface for SSH traffic (TCP/22).

Example:

apic1(config-tenant-acl)# match tcp dest 22

Examples

This example shows how to configure out-of-band management access for three APIC controllers. In this example, the three controllers are assigned sequential IP addresses, with controller 1 at 172.23.48.16/21, controller 2 at 172.23.48.17/21, and controller 3 at 172.23.48.18/21.

apic1# configure
apic1(config)# controller 1-3
apic1(config-controller)# interface mgmt0
apic1(config-controller-if)# ip address-range 172.23.48.16/21 gateway 172.23.48.1
apic1(config-controller-if)# exit
apic1(config-controller)# exit
apic1(config)# tenant mgmt
apic1(config-tenant)# external-l3 epg default oob-mgmt
apic1(config-tenant-l3ext-epg)# match ip 192.0.20.0/24
apic1(config-tenant-l3ext-epg)# exit
apic1(config-tenant)# access-list oob-default
apic1(config-tenant-acl)# match tcp dest 443
apic1(config-tenant-acl)# match tcp dest 22

This example shows how to configure out-of-band management access for a leaf or spine switch.

apic1# configure
apic1(config)# switch 101
apic1(config-switch)# interface mgmt0
apic1(config-switch-if)# ip address 172.23.48.101/21 gateway 172.23.48.1

Configuring Inband Management Access

Configuring Inband Management Access to a Switch from an Outside Network

To configure inband (IB) management access for leaf switches or spine switches, these steps must be performed:

• Configure the inband management IP address and gateway on the inband management interface

• Create or specify a VLAN domain for external inband connectivity

• Add the external management station interface to the VLAN domain

• Allow the necessary protocols on the management ports

Procedure

Step 1

Command or Action: configure

Purpose: Enters configuration mode.

Example:

apic1# configure

Step 2

Command or Action: switch switch-id-or-range

Purpose: Specifies the switch to be configured. You can enter a range of switches using dashes or commas.

Example:

apic1(config)# switch 101

Step 3

Command or Action: interface inband-mgmt0

Purpose: The inband-mgmt0 interface provides inband management.

Example:

apic1(config-switch)# interface inband-mgmt0

Step 4

Command or Action: ip address addr/mask gateway addr

Purpose: Configures the IP address and gateway for inband management. If you specified more than one switch, the command becomes ip address-range and IP addresses are assigned sequentially beginning with the address specified in this command.

Example:

apic1(config-switch-if)# ip address 10.13.1.1/24 gateway 10.13.1.254

Step 5

Command or Action: exit

Example:

apic1(config-switch-if)# exit

Step 6

Command or Action: exit

Example:

apic1(config-switch)# exit

Examples

This example shows how to configure inband management for a switch from a management station on an external network.

apic1# configure
apic1(config)# switch 101
apic1(config-switch)# interface inband-mgmt0
apic1(config-switch-if)# ip address 10.13.1.1/24 gateway 10.13.1.254
apic1(config-switch-if)# exit
apic1(config-switch)# exit

What to Do Next

• Configure inband (IB) management connectivity to the management station.

• Allow the necessary protocols (HTTPS and SSH) on the inbound management port.

Configuring Inband Management Access to a Controller from an Outside Network

To configure inband (IB) management access for controllers, these steps must be performed:

• Configure the inband management IP address and gateway on the inband management interface

• Create a VLAN domain for external inband connectivity

• Allow the VLAN on the port connected to the controller

Procedure

Step 1

Command or Action: configure

Purpose: Enters configuration mode.

Example:

apic1# configure

Step 2

Command or Action: controller controller-id-or-range

Purpose: Specifies the controller to be configured. You can enter a range of controllers using dashes or commas.

Example:

apic1(config)# controller 1-3

Step 3

Command or Action: interface inband-mgmt0

Purpose: The inband-mgmt0 interface provides inband management.

Example:

apic1(config-controller)# interface inband-mgmt0

Step 4

Command or Action: ip address addr/mask gateway addr

Purpose: Configures the IP address and gateway for inband management. If you specified more than one controller or switch, the command becomes ip address-range and IP addresses are assigned sequentially beginning with the address specified in this command.

Example:

apic1(config-controller-if)# ip address-range 10.13.1.1/24 gateway 10.13.1.254

Step 5

Command or Action: vlan vlan-id

Purpose: Assigns a controller VLAN which is enabled on the port connected to the controller. For multiple controllers, all controllers must use the same VLAN.

Example:

apic1(config-controller-if)# vlan 10

Step 6

Command or Action: exit

Example:

apic1(config-controller-if)# exit

Step 7

Command or Action: exit

Example:

apic1(config-controller)# exit

Step 8

Command or Action: vlan-domain domain-name

Purpose: Creates and enters the configuration mode for the VLAN domain.

Example:

apic1(config)# vlan-domain apic-inband

Step 9

Command or Action: vlan vlan-id

Purpose: Assigns the controller VLAN to the VLAN domain.

Example:

apic1(config-vlan)# vlan 10

Step 10

Command or Action: exit

Purpose: Returns to global configuration mode.

Example:

apic1(config-vlan)# exit

Step 11

Command or Action: leaf node-id

Purpose: Specifies the leaf switch to which the controller is connected.

Example:

apic1(config)# leaf 102

Step 12

Command or Action: interface slot/port

Purpose: Specifies the port to which the controller is connected.

Example:

apic1(config-leaf)# interface eth 1/1

Step 13

Command or Action: vlan-domain member apic-inband

Purpose: Configures controller connectivity to inband management.

Example:

apic1(config-leaf-if)# vlan-domain member apic-inband

Step 14

Command or Action: exit

Example:

apic1(config-leaf-if)# exit

Step 15

Command or Action: exit

Example:

apic1(config-leaf)# exit

Examples

This example shows how to configure inband management for a controller from a management station on an external network. APIC controller 1 is connected to port Ethernet 1/1 on Leaf 101, and VLAN 10 is used for the controller's inband connectivity.

apic1# configure
apic1(config)# controller 1-3
apic1(config-controller)# interface inband-mgmt0
apic1(config-controller-if)# ip address-range 10.13.1.1/24 gateway 10.13.1.254
apic1(config-controller-if)# vlan 10
apic1(config-controller-if)# exit
apic1(config-controller)# exit

# CREATE A VLAN DOMAIN FOR THE APIC INBAND VLAN
apic1(config)# vlan-domain apic-inband
apic1(config-vlan)# vlan 10
apic1(config-vlan)# exit

# ALLOW THE VLAN ON THE PORT CONNECTED TO THE CONTROLLER
apic1(config)# leaf 101
apic1(config-leaf)# interface eth 1/1
apic1(config-leaf-if)# vlan-domain member apic-inband
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit

What to Do Next

• Configure inband (IB) management connectivity to the management station.

• Allow the necessary protocols (HTTPS and SSH) on the inbound management port.

Configuring Inband Management Connectivity to the Management Station

To configure inband (IB) management connectivity to the management station, these steps must be performed:

• Create or specify a VLAN domain for external inband connectivity

• Add the external management station interface to the VLAN domain

Procedure

Step 1

Command or Action: configure

Purpose: Enters configuration mode.

Example:

apic1# configure

Step 2

Command or Action: vlan-domain domain-name

Purpose: Creates and enters the configuration mode for the VLAN domain.

Example:

apic1(config)# vlan-domain external-inband

Step 3

Command or Action: vlan vlan-id

Purpose: Assigns a VLAN to the domain.

Example:

apic1(config-vlan)# vlan 11

Step 4

Command or Action: exit

Purpose: Returns to global configuration mode.

Example:

apic1(config-vlan)# exit

Step 5

Command or Action: leaf node-id

Purpose: Specifies the leaf switch to which the management station is connected.

Example:

apic1(config)# leaf 102

Step 6

Command or Action: interface slot/port

Purpose: Specifies the port to which the management station is connected.

Example:

apic1(config-leaf)# interface eth 1/2

Step 7

Command or Action: vlan-domain member external-inband

Purpose: Configures external layer2 connectivity to inband management.

Example:

apic1(config-leaf-if)# vlan-domain member external-inband

Step 8

Command or Action: switchport trunk allowed vlan vlan-id inband-mgmt gateway-ip/mask

Purpose: Configures external layer2 connectivity to inband management. The specified IP address is the gateway address used by the external management station and the gateway functionality is provided by the ACI fabric.

Example:

apic1(config-leaf-if)# switchport trunk allowed vlan 11 inband-mgmt 179.10.1.254/24

Step 9

Command or Action: exit

Example:

apic1(config-leaf-if)# exit

Step 10

Command or Action: exit

Example:

apic1(config-leaf)# exit

Examples

This example shows how to configure inband management connectivity to the management station.

# CREATE A VLAN DOMAIN FOR EXTERNAL CONNECTIVITY TO INBAND MANAGEMENT
apic1# configure
apic1(config)# vlan-domain external-inband
apic1(config-vlan)# vlan 11
apic1(config-vlan)# exit

# CONFIGURE LAYER 2 CONNECTIVITY FROM THE MANAGEMENT STATION INTERFACE TO INBAND MANAGEMENT
apic1(config)# leaf 102
apic1(config-leaf)# interface eth 1/2
apic1(config-leaf-if)# vlan-domain member external-inband
apic1(config-leaf-if)# switchport trunk allowed vlan 11 inband-mgmt 179.10.1.254/24
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit

What to Do Next

• Allow the necessary protocols (HTTPS and SSH) on the inbound management port.

Configuring Inband Management Contract to Open HTTPS/SSH Ports

Procedure

Step 1

Command or Action: configure

Purpose: Enters configuration mode.

Example:

apic1# configure

Step 2

Command or Action: tenant mgmt

Purpose: System Management policies are configured under a special tenant called mgmt.

Example:

apic1(config)# tenant mgmt

Step 3

Command or Action: access-list inband-default

Purpose: Configures the access list filter for the inband default policy.

Example:

apic1(config-tenant)# access-list inband-default

Step 4

Command or Action: match tcp dest 443

Purpose: Allows access on the management interface for HTTPS traffic (TCP/443).

Example:

apic1(config-tenant-acl)# match tcp dest 443

Step 5

Command or Action: match tcp dest 22

Purpose: Allows access on the management interface for SSH traffic (TCP/22).

Example:

apic1(config-tenant-acl)# match tcp dest 22

Examples

This example shows how to allow HTTPS and SSH access to the inband management port.

apic1# configure
apic1(config)# tenant mgmt
apic1(config-tenant)# access-list inband-default

apic1(config-tenant-acl)# match tcp dest 443
apic1(config-tenant-acl)# match tcp dest 22
apic1(config-tenant-acl)# exit
apic1(config-tenant)# exit
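The match ip subnets under the oob-mgmt EPG and the oob-default and inband-default access lists decide who can reach the management ports, so a saved transcript of these commands can be audited for entries wider than intended. The following Python audit is an added example, not part of the Cisco guide; the function name, the /16 threshold and the sample transcript are assumptions made for illustration.

```python
import ipaddress
import re

ALLOWED_PORTS = {22, 443}  # SSH and HTTPS, the two protocols the guide opens
MIN_PREFIX = 16            # assumption: source subnets wider than /16 are flagged
EPG = "oob-mgmt epg"       # context marker; has a space, so no ACL name can equal it


def audit_mgmt_policy(transcript):
    """Return findings for tenant mgmt source subnets and access lists."""
    subnets, acls, ctx = [], {}, None
    for raw in transcript.splitlines():
        # Drop the 'apic1(config-...)#' prompt; comments and blanks match nothing.
        cmd = re.sub(r"^\S+#\s*", "", raw.strip())
        if cmd == "external-l3 epg default oob-mgmt":
            ctx = EPG
        elif m := re.fullmatch(r"access-list (\S+)", cmd):
            ctx = m.group(1)
            acls.setdefault(ctx, set())
        elif cmd == "exit":
            ctx = None
        elif ctx == EPG and (m := re.fullmatch(r"match ip (\S+)", cmd)):
            subnets.append(ipaddress.ip_network(m.group(1), strict=False))
        elif ctx in acls and (m := re.fullmatch(r"match tcp dest (\d+)", cmd)):
            acls[ctx].add(int(m.group(1)))
    findings = []
    if "oob-default" in acls and not subnets:
        findings.append("oob-mgmt: no 'match ip' source subnet configured")
    for net in subnets:
        if net.prefixlen < MIN_PREFIX:
            findings.append(f"oob-mgmt: source subnet {net} is wider than /{MIN_PREFIX}")
    for name, ports in sorted(acls.items()):
        for port in sorted(ports - ALLOWED_PORTS):
            findings.append(f"{name}: unexpected TCP port {port} is open")
    return findings


# Constructed sample: the guide's commands with two deliberately weak entries.
SAMPLE = """\
apic1(config)# tenant mgmt
apic1(config-tenant)# external-l3 epg default oob-mgmt
apic1(config-tenant-l3ext-epg)# match ip 0.0.0.0/0
apic1(config-tenant-l3ext-epg)# exit
apic1(config-tenant)# access-list oob-default
apic1(config-tenant-acl)# match tcp dest 443
apic1(config-tenant-acl)# match tcp dest 23
"""

if __name__ == "__main__":
    print("\n".join(audit_mgmt_policy(SAMPLE)))
```
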
