Following on from recent posts where I have covered our use of the Cisco Catalyst 4500-X platform for the eduroam networking infrastructure upgrade project, I thought it would be good to cover the Ethernet management interface in more detail. Why, I hear you ask? Well, whilst the topic in itself probably seems very trivial (and a bit dull frankly), configuring this and getting it to actually work proved trickier than I initially expected!
Having spent some time researching the topic online after hitting a few snags, I wasn’t able to find one single resource that answered all my questions.
Therefore my hope is that this post may prove a useful time-saver to those who find themselves with a Cisco switch or router with an ethernet management interface they wish to use for management and monitoring systems.
Why should you use the management interface at all?
This is a valid question. In some scenarios you may decide you don’t wish to. Certainly with the majority of our Cisco switching estate, we choose not to either. In cases where we *must* have Out-Of-Band (OOB) access to a device in the event of a major outage (thankfully we don’t see many of those), we often instead favour the use of the console port connected with terminal servers which we can connect to over an alternative IP network. For other cases, we often use one of the standard base T ports VLAN’d off onto a separate Lights Out Management (LOM) network.
However using this dedicated management interface can be of benefit for many reasons depending on the scenario you’re working with. Here are few of the main ones that influenced our decision in the case of the 4500-X platform:
- It isolates management traffic away from the global routing table in a dedicated VRF;
- It avoids having to use ‘front-facing’ interfaces;
- It avoids the expense of having to procure extra base T transceivers if you’re working with an all SFP/SFP+ platform.
I’m sure there are other benefits too of course, though being that the 4500-X is an all SFP platform with no other built-in base T ports, this seemed like a very sensible way to go.
Overview of management configuration – things to note
So, when I initially found myself sat at a terminal attempting an initial configuration of one of these switches, I quickly realised that our standard configuration template wasn’t going to cut the mustard. I found some caveats with how you might normally expect to configure features, even the basic things.
Here’s a summary of what I found. I’ll expand on these later on in this post:
- The management port out-of-the box is assigned to a management VRF (called ‘mgmtVrf’ or some variation depending on the platform and software version you’re working with) and cannot be re-assigned to either another VRF, or the global routing table (so you can’t cheat);
- We restrict VTY lines on our devices using an ACL to limit access to defined management IP hosts/networks. I found that without an additional parameter in the access-class configuration statement I got ‘connection refused’ errors when attempting to connect to the VTY line;
- Rather counter-intuitively, using the ‘vrf <vrfname>’ variant of the ip domain-name command needed for Secure Shell (SSH) configuration did not work when generating crypto keys;
- Authentication Authorisation & Accounting (AAA) configurations using the ‘default’ server group would not work;
- A custom AAA server group had to be defined for TACACS+/RADIUS servers. Within this I had to use some specific commands to get this to work including specifying the source interface for associated requests;
- Some common global configuration mode commands could be used as normal, but others required the mgmtVrf VRF to be configured as an additional parameter;
See? I told you it was tricky!
SSH/VTY configuration
As described earlier, the sensible thing to do is to restrict access to your devices to only use SSH and only be allowed to do so from certain authorised hosts/networks.
In light of this, here’s what our basic configuration looks like (I’ve changed some IPs to dummy ones for security reasons):
aaa new-model username networks secret <password> ip domain-name lom.oucs.ox.ac.uk ip access-list standard SSH-ACCESS permit 192.168.3.222 permit 192.168.1.67 permit 192.168.102.0 0.0.0.31 permit 192.168.21.0 0.0.0.255 permit 192.168.22.0 0.0.0.255 permit 172.16.0.0 0.0.15.255 permit 192.168.2.0 0.0.0.255 ip ssh time-out 60 ip ssh source-interface <source-interface> ip ssh version 2 line vty 0 4 access-class SSH-ACCESS in exec-timeout 5 0 logging synchronous transport input ssh line vty 5 15 exec-timeout 0 0 logging synchronous transport input none
Then of course, we would generate the RSA key:
crypto key generate rsa general-keys modulus 2048
OK, this part of the configuration has probably changed the least in light of using the management port.
I’d like to highlight that using the following command as a substitute for the one above did not work:
ip domain-name vrf mgmtVrf lom.oucs.ox.ac.uk
Great! This is really counter-intuitive isn’t it? Using the VRF-specific variant of the command instead of the standard command will mean you won’t be able to generate the RSA key. However, you do need this command in addition to allow DNS lookups assuming you want to do this via the management interface too in conjunction with VRF-specific name server commands.
The only remaining changes necessary to allow this part of the configuration to work was the addition of two commands within the line vty configuration:
line vty 0 4 access-class SSH-ACCESS in vrf-also exec-timeout 5 0 logging synchronous login authentication TAC_PLUS transport input ssh line vty 5 16 exec-timeout 0 0 logging synchronous transport input none
With these changes in place, you should be able to generate the RSA key as normal and find that SSH access via the VTYs works as expected. These are only very subtle differences granted, but I suspect you may find yourself scratching your head for a while without them – I certainly did!
The configuration of the specific custom AAA server group (named TAC_PLUS in my examples) is detailed in the next section. If in your own scenario you simply rely on the local database for authentication, then you shouldn’t need the ‘login authentication’ command.
AAA configuration
You can probably ignore this section if you aren’t using AAA – ie. if you don’t use a TACACS+ or RADIUS server to manage access to your network devices. In all likelihood, I would imagine you would be using one or the other in most cases.
Our default AAA configuration is pretty standard really. In the case of normal operation, any users wishing to log into a network switch for example, are required to authenticate via our team-internal TACACS+ service, which in-turn decides what level of access a user is allowed (full or read-only) and what commands they are allowed to enter. This service also keeps accounting records – i.e. what a user did whilst they were logged in to a switch.
In the rare case where the TACACS+ server may be unavailable, users can authenticate via the local user database on the switch. This should only ever be the case if the TACACS+ method is unavailable.
These rules should also be applied regardless of where a user logs in from – i.e. whether they log in remotely over a VTY line or if they are attached directly to the console port of the switch.
So with all this in mind, our normal AAA configuration template looks like this:
aaa authentication login default group tacacs+ local aaa authentication enable default enable group tacacs+ aaa authorization console aaa authorization exec default group tacacs+ local if-authenticated aaa authorization commands 15 default group tacacs+ local if-authenticated aaa accounting commands 1 default stop-only group tacacs+ aaa accounting commands 15 default stop-only group tacacs+ tacacs-server host <tacacs-server-IP> key <key-string> tacacs-server directed-request ip tacacs source-interface <source-interface>
This configuration didn’t work at all when using the management interface. Instead, you have to first define your own server group like this:
aaa group server tacacs+ TAC_PLUS server-private <tacacs-server-IP> key <key-string> ip vrf forwarding mgmtVrf ip tacacs source-interface <management-interface>
In fairness, Cisco have been warning us for quite some time that they would be deprecating the old ‘tacacs-server’ and ‘radius-server’ commands. Old habits often die hard though!
Also note the use of the ‘server-private’ command and the definition of the mgmtVrf VRF within the group. Both are important!
In light of our new custom AAA server group configuration, the AAA method commands also have to be amended to match. These now should look something like this (exact commands may vary depending on your own AAA policies used locally of course):
aaa authentication login default group TAC_PLUS local aaa authentication enable default group TAC_PLUS enable aaa authorization console aaa authorization exec default group TAC_PLUS local if-authenticated aaa authorization commands 15 default group TAC_PLUS local if-authenticated aaa accounting commands 1 default stop-only group TAC_PLUS aaa accounting commands 15 default stop-only group TAC_PLUS
Other global configuration mode commands
There are of course other management services to consider, assuming of course, you want all management-related traffic to utilise the management port.
Commands for these other services are entered in global configuration mode. Using the dedicated management port, some of these commands have to be amended to include additional parameters whereas others do not. I would suggest that using the context-help (our helpful friend the ‘?’) in IOS/IOS-XE will help here in addition to the configuration guide for your platform.
Here’s how I configured the 4500-X platform to send queries to our DNS servers, send logs to our syslog server, participate in SNMP and synchronise its clock to our NTP servers via the management port. I’ve highlighted in bold the commands that have to be amended:
ip domain-name vrf mgmtVrf lom.oucs.ox.ac.uk ip name-server vrf mgmtVrf <dns-server-1-IP> ip name-server vrf mgmtVrf <dns-server-2-IP> ip name-server vrf mgmtVrf <dns-server-3-IP> logging trap debugging logging facility local6 logging host <syslog-server-IP> vrf mgmtVrf logging host <syslog-server-IP> vrf mgmtVrf snmp-server community <community-string> RO <restricted-ACL-name/number> snmp-server trap-source <management-interface> snmp-server source-interface informs <management-interface> snmp-server contact Networks snmp-server host <snmp-poller-IP> vrf mgmtVrf <community-string/username> tty vtp config vlan-membership snmp snmp-server host <snmp-poller-IP> vrf mgmtVrf <community-string/username tty vtp config vlan-membership snmp ntp source <management-interface> ntp server vrf mgmtVrf <ntp-server-1-IP> ntp server vrf mgmtVrf <ntp-server-2-IP> ntp server vrf mgmtVrf <ntp-server-3-IP> ntp server vrf mgmtVrf <ntp-server-4-IP>
Please note I do not intend the above to be exhaustive. These are provided purely as examples and of course, you may have other services to configure that I haven’t mentioned here.
Conclusion
Once you get your head around the configuration specifics surrounding the management port, it actually provides a neat way of connecting your new device with your network management infrastructure without wasting front-facing interfaces. It also provides an out-of-the-box method for isolating your management traffic away from normal data traffic.
If I had one criticism, it would be that the configuration for this in the Cisco world could be easier and more consistent. But we can’t have it all our own way all of the time!
Thanks for reading!
Thanks for your post.
Can we limit only the vrf mgmtVrf can login ?
and Make other vrf user login fail (even he has the correct username and password) ?
Hi Michael,
Thanks for your query.
There doesn’t seem to be specific variant of the access-class command under the VTY lines that will achieve what you want here. I only see a ‘vrf-also’ option which allows login over VRF & global table interfaces I believe (looking at the 4500-X running 3.7.3E). You might be able to achieve something similar using an extended access-list for SSH access, setting a destination IP within each ACE to an IP interface on the local switch that exists in the Mgmt VRF and then referencing this instead with your access-class command under the VTY lines. It’s a long shot really and I hasten to say that I haven’t tried it myself.
Many thanks
John
Hi John,
Where you have this:
`ip ssh source-interface `
What would you use if the management interface was to be set to any of the vty lines?
Matt.
Hi Matt,
Thanks for the query.
The ‘ip ssh source-interface’ command in fact allows you to specify on which interface your device responds to SSH on. I.e. you could choose to set a specific VLAN or physical interface (or even the specific Ethernet management interface on your device) depending on your requirements. This is independent and unrelated to the VTY lines of the device.
If you instead wish to manipulate which VTY lines you allow SSH connections to, then you simply need to apply the relevant configuration under each (or all) VTY lines. For example, I used the following to only allow connections to the first five VTY lines of a 4500X using the Ethernet management interface:
line vty 0 4
access-class SSH-ACCESS in vrf-also
exec-timeout 5 0
logging synchronous
login authentication TAC_PLUS
transport input ssh
line vty 5 16
exec-timeout 0 0
logging synchronous
transport input none
I hope this is helpful to you.
Many thanks
John
[…] by not finding any solutions. A wider google search lead me to this great University of Oxford blog post by John Swain, who had a very similar experience as I […]
Thanks for this post, I had the same exact experience, you configs helped me get up and running. I have a couple new 4500-X’s and ASR-1001X’s, both platforms use the similar management interfaces in a management VRF.
You’re welcome Terry, I’m glad it was of some use.