Thursday, 11 June 2020

Out of Band (OOB) Management Configuration in Cisco IOS-XR (SSH, SNMP, NTP, AAA, Syslog)



Objective: to separate management traffic from data/customer traffic on your Cisco IOS-XR routers.
Preferably, the data and management networks are two separate network domains.

Pre-requisite:
A UTP cable from the management port of each RSP (both RSPs, so that management survives an RSP switchover) is connected to a network switch that reaches the OOB management gateway.

Management IP Configuration

1. Configure the vrf for management
vrf management
 description VRF for Out-of-Band
 address-family ipv4 unicast

2. Set the physical IP address on each RSP management port. There are 2 ports per RSP in total; this example uses port 0.

RSP0:
interface MgmtEth0/RSP0/CPU0/0
 description OOB RSP0
 vrf management
 ipv4 address 10.10.10.100 255.255.255.0
 no shutdown


RSP1:
interface MgmtEth0/RSP1/CPU0/0
 description OOB RSP1
 vrf management
 ipv4 address 10.10.10.101 255.255.255.0
 no shutdown

3. Configure the virtual IP address for dual-RP management (it is always owned by the active RSP, so the management address does not change on switchover)
ipv4 virtual address vrf management 10.10.10.102/24
ipv4 virtual address use-as-src-addr

4. Configure a static default route in the vrf towards the management gateway
Gateway = 10.10.10.1
router static vrf management address-family ipv4 unicast 0.0.0.0/0 10.10.10.1


**SSH Configuration**
Authorized IP to SSH in: 10.20.20.20

Management Plane Protection (MPP): the out-of-band vrf is declared under out-of-band, and SSH is only accepted on the management ports from the authorized peer.
control-plane
 management-plane
  out-of-band
   vrf management
   interface MgmtEth0/RSP0/CPU0/0
    allow SSH peer
     address ipv4 10.20.20.20
   interface MgmtEth0/RSP1/CPU0/0
    allow SSH peer
     address ipv4 10.20.20.20

ACL (IOS-XR ACL entries need both a source and a destination; the final deny with log records rejected login attempts):
line default
 access-class ingress SSH-ACL

ipv4 access-list SSH-ACL
 10 permit ipv4 host 10.20.20.20 any
 20 deny ipv4 any any log


**SNMP Configuration**
SNMP Polling Server = 10.20.20.20
SNMP Trap Server = 10.30.30.30
SNMP Community = MyP0llingP455
Trap Community = trapcommunity123

Control Plane:
control-plane
 management-plane
  out-of-band
   vrf management
   interface MgmtEth0/RSP0/CPU0/0
    allow SNMP peer
     address ipv4 10.20.20.20
   interface MgmtEth0/RSP1/CPU0/0
    allow SNMP peer
     address ipv4 10.20.20.20

SNMP Polling (read-only community, restricted by ACL to the polling server):
ipv4 access-list SNMP-ACL
 10 permit ipv4 host 10.20.20.20 any

snmp-server community MyP0llingP455 RO SystemOwner IPv4 SNMP-ACL

SNMP Traps (the trap host is configured under the management vrf so traps leave via the OOB network):
snmp-server vrf management
 host 10.30.30.30 traps trapcommunity123

**Syslog Configuration**
Remote Syslog Server IP = 10.50.50.50

logging 10.50.50.50 vrf management severity notifications

**NTP Configuration**
NTP Server IP = 10.40.40.40

ntp
 server vrf management 10.40.40.40

Optional (NTP Security): the peer group allows only the configured server to synchronize this router; the serve, serve-only and query-only groups deny everyone, so the router neither acts as an NTP server nor answers NTP control queries.
ntp
 access-group vrf management ipv4 peer ALLOW-NTP-SERVERS
 access-group vrf management ipv4 serve BLOCK-NTP
 access-group vrf management ipv4 serve-only BLOCK-NTP
 access-group vrf management ipv4 query-only BLOCK-NTP

ipv4 access-list ALLOW-NTP-SERVERS
 10 permit ipv4 host 10.40.40.40 any

ipv4 access-list BLOCK-NTP
 10 deny ipv4 any any

**AAA Configuration**
Tacacs Server1 IP = 10.55.55.56
Tacacs Server2 IP = 10.55.55.57

Configure:
aaa group server tacacs+ TACACS
aaa group server tacacs+ TACACS vrf management
aaa group server tacacs+ TACACS server-private 10.55.55.56
aaa group server tacacs+ TACACS server-private 10.55.55.57

Each server-private entry also needs the shared key agreed with the TACACS+ server; the router stores it reversibly obfuscated (key 7), as in the output below. This only defines the server group; the aaa authentication and authorization method lists that bind logins to it are not covered in this tutorial.

Output:
aaa group server tacacs+ TACACS
 vrf management
 server-private 10.55.55.56 port 49
  key 7 071B204F711918160405041E006A
 !
 server-private 10.55.55.57 port 49
  key 7 09584F0A26151601181B0B382F64

**FTP Configuration** (optional, for FTP transfers through the management vrf)
ftp client vrf management username ftpuser1
ftp client vrf management password clear ftppassword1


Note: NetFlow export should not go through the management ports; its traffic volume can cause high CPU utilization. OOB management can also be done using a loopback interface, but that is not covered in this tutorial.
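As an added example (not from the original post and not Cisco code), here is a small Python audit script that parses a pasted IOS-XR running-config and checks the properties the sections above set up: management ports in the OOB vrf, every MPP allow restricted to explicit peers, an ingress access-class on line default, every referenced ACL defined, a read-only SNMP community bound to an ACL, and syslog and TACACS+ reached through the vrf. The vrf name "management", the two sample configs and the ACL names it looks for are assumptions taken from this tutorial.

```python
# Audit an IOS-XR out-of-band management config for the properties this
# tutorial sets up. Added example, not Cisco code; assumes the OOB VRF is
# named "management" as above. Both sample configs below are constructed.
import re

MGMT_VRF = "management"  # assumption: OOB VRF name used by the tutorial

# Constructed running-config fragment built from the tutorial's values (RSP0 only).
GOOD_CONFIG = """\
interface MgmtEth0/RSP0/CPU0/0
 vrf management
 ipv4 address 10.10.10.100 255.255.255.0
control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RSP0/CPU0/0
    allow SSH peer
     address ipv4 10.20.20.20
    allow SNMP peer
     address ipv4 10.20.20.20
line default
 access-class ingress SSH-ACL
ipv4 access-list SSH-ACL
 10 permit ipv4 host 10.20.20.20 any
 20 deny ipv4 any any log
ipv4 access-list SNMP-ACL
 10 permit ipv4 host 10.20.20.20 any
snmp-server community MyP0llingP455 RO SystemOwner IPv4 SNMP-ACL
logging 10.50.50.50 vrf management severity notifications
ntp
 server vrf management 10.40.40.40
aaa group server tacacs+ TACACS
 vrf management
 server-private 10.55.55.56 port 49
"""

# Constructed weak variant: MPP allow with no peer, RW community without ACL, syslog outside the VRF.
WEAK_CONFIG = (
    GOOD_CONFIG
    .replace("    allow SSH peer\n     address ipv4 10.20.20.20\n", "    allow SSH peer\n")
    .replace("MyP0llingP455 RO SystemOwner IPv4 SNMP-ACL", "MyP0llingP455 RW SystemOwner")
    .replace("logging 10.50.50.50 vrf management", "logging 10.50.50.50")
)

def parse_config(text):
    """Turn indentation-structured CLI text into a tree of (line, children)."""
    stack = [(-1, [])]  # (indent, children list of the currently open block)
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        while indent <= stack[-1][0]:  # leave deeper or same-level blocks
            stack.pop()
        node = (raw.strip(), [])
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return stack[0][1]

def walk(nodes, path=()):
    """Yield (ancestor lines, line, children) for every node, depth first."""
    for line, kids in nodes:
        yield path, line, kids
        yield from walk(kids, path + (line,))

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    tree, out = parse_config(text), []
    acls = {l.split()[-1] for l, _ in tree if l.startswith("ipv4 access-list ")}
    for path, line, kids in walk(tree):
        child = [k for k, _ in kids]
        # 1. Management ports belong in the OOB VRF, not the global table.
        if not path and line.startswith("interface MgmtEth") and f"vrf {MGMT_VRF}" not in child:
            out.append(f"{line}: not in vrf {MGMT_VRF}")
        # 2. MPP: 'allow <proto>' without a peer address admits any source.
        if "out-of-band" in path and line.startswith("allow "):
            iface = next(p for p in path if p.startswith("interface "))
            if not any(l.startswith("address ") for _, l, _ in walk(kids)):
                out.append(f"{iface}: '{line}' has no peer address (open to any source)")
        # 3. ACLs named by access-class, the community string or ntp access-group must exist.
        m = re.search(r"(?:access-class ingress|IPv4|access-group vrf \S+ ipv4 \S+) (\S+)$", line)
        if m and m.group(1) not in acls:
            out.append(f"{line}: references undefined ACL {m.group(1)}")
        # 4. SNMP community: read-only and bound to an IPv4 ACL.
        if line.startswith("snmp-server community ") and ("RW" in line.split() or "IPv4" not in line.split()):
            out.append(f"{line}: community must be RO and bound to an IPv4 ACL")
        # 5. Syslog and TACACS+ must be reached through the OOB VRF.
        if re.match(r"logging \d", line) and f"vrf {MGMT_VRF}" not in line:
            out.append(f"{line}: syslog server not in vrf {MGMT_VRF}")
        if line.startswith("aaa group server tacacs+") and f"vrf {MGMT_VRF}" not in child:
            out.append(f"{line}: group not bound to vrf {MGMT_VRF}")
    # 6. The vty/console line template needs an ingress access-class.
    vty = next((kids for l, kids in tree if l == "line default"), [])
    if not any(l.startswith("access-class ingress") for l, _ in vty):
        out.append("line default: no ingress access-class")
    return out

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, "->", audit(cfg) or "no findings")
```

Paste the output of show running-config into a file and call audit() on its contents; each finding names the offending line, so the script doubles as a pre-change review of a proposed config before it is committed.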
