Objective: To separate management traffic from data/customer traffic in your Cisco XR routers.
Preferably, Data and Management are into 2 separate network domains.
Pre-requisite:
UTP cables (for each RSP management port in case for switchover) are connected to a network switch to access the OOB management gateway
* * Management IP Configuration* *
1. Configure the vrf for management
vrf management
description VRF for Out-of-Band
address-family ipv4 unicast
2. Set the physical IP address on each RSP management port. There are total of 2 ports per RSP. For this example, we will use port 0
RSP0:
interface MgmtEth0/RSP0/CPU0/0
description OOB RSP0
vrf management
ipv4 address 10.10.10.100 255.255.255.0
no shutdown
RSP1:
interface MgmtEth0/RSP1/CPU0/0
description OOB RSP1
vrf management
ipv4 address 10.10.10.101 255.255.255.0
Pre-requisite:
UTP cables (for each RSP management port in case for switchover) are connected to a network switch to access the OOB management gateway
* * Management IP Configuration* *
1. Configure the vrf for management
vrf management
description VRF for Out-of-Band
address-family ipv4 unicast
2. Set the physical IP address on each RSP management port. There are total of 2 ports per RSP. For this example, we will use port 0
RSP0:
interface MgmtEth0/RSP0/CPU0/0
description OOB RSP0
vrf management
ipv4 address 10.10.10.100 255.255.255.0
no shutdown
RSP1:
interface MgmtEth0/RSP1/CPU0/0
description OOB RSP1
vrf management
ipv4 address 10.10.10.101 255.255.255.0
no shutdown
3. Configure virtual IP for dual RP management
ipv4 virtual address vrf management 10.10.10.102/24
ipv4 virtual address use-as-src-addr
4. Configure vrf static default route to the management gateway
Gateway = 10.10.10.1
router static vrf management address-family ipv4 unicast 0.0.0.0/0 10.10.10.1
**SSH Configuration**
Authorized IP to SSH in: 10.20.20.20
control-plane
management-plane
out-of-band
interface MgmtEth0/RSP0/CPU0/0
allow SSH peer
address ipv4 10.20.20.20
interface MgmtEth0/RSP1/CPU0/0
allow SSH peer
address ipv4 10.20.20.20
ACL:
line default
access-class ingress SSH-ACL
ipv4 access-list SSH-ACL
10 permit ipv4 host 10.20.20.20
20 deny ipv4 any any log
**SNMP Configuration**
SNMP Polling Server = 10.20.20.20
SNMP Trap Server = 10.30.30.30
SNMP Community = MyP0llingP455
SNMP Trap Server = 10.30.30.30
SNMP Community = MyP0llingP455
Trap Community = trapcommunity123
Control Plane:
control-plane
management-plane
out-of-band
interface MgmtEth0/RSP0/CPU0/0
allow SNMP peer
address ipv4 10.20.20.20
interface MgmtEth0/RSP1/CPU0/0
allow SNMP peer
address ipv4 10.20.20.20
SNMP Polling:
ipv4 access-list SNMP-ACL
10 permit ipv4 host 10.20.20.20 any
snmp-server vrf management
snmp-server community MyP0llingP455 RO SystemOwner IPv4 SNMP-ACL
SNMP Traps:
snmp-server host 10.30.30.30 traps trapcommunity123
**Syslog Configuration**
Remote Syslog Server IP = 10.50.50.50
logging 10.50.50.50 vrf management severity notifications
**NTP Configuration**
NTP Server IP = 10.40.40.40
ntp
server vrf management 10.40.40.40
Optional (NTP Security):
ntp
ntp
access-group vrf management ipv4 peer ALLOW-NTP-SERVERS
access-group vrf management ipv4 serve BLOCK-NTP
access-group vrf management ipv4 serve-only BLOCK-NTP
access-group vrf management ipv4 query-only BLOCK-NTP
ipv4 access-list ALLOW-NTP-SERVERS
10 permit ipv4 host 10.40.40.40 any
ipv4 access-list BLOCK-NTP
10 deny ipv4 any any
**AAA Configuration**
Tacacs Server1 IP = 10.55.55.56
Tacacs Server2 IP = 10.55.55.57
configure:
aaa group server tacacs+ TACACS
aaa group server tacacs+ TACACS vrf management
aaa group server tacacs+ TACACS vrf management
aaa group server tacacs+ TACACS server-private 10.55.55.56
aaa group server tacacs+ TACACS server-private 10.55.55.57
Output:
aaa group server tacacs+ TACACS
vrf management
server-private 10.55.55.56 port 49
key 7 071B204F711918160405041E006A
!
server-private 10.55.55.57 port 49
key 7 09584F0A26151601181B0B382F64
**FTP Configuration** (Optional for FTP transfers)
ftp client vrf management username ftpuser1
ftp client vrf management password clear ftppassword1
Note: Netflow traffic should not go through the management ports because of the traffic volume and may cause high CPU utilization. Also take note, that can OOB configuration can also be done using loopback interface, but will not be covered in this tutorial.
No comments:
Post a Comment