New Cisco Routers and switches come with a dedicated Ethernet port which unique purpose are to provide management acces s to the device via SSH or Telnet. This interface was isolated in its own VRF called "MGMT-VRF". Placing the management Ethernet interface in its own VRF have the following effects on the management Ethernet interface:
Many features must be configured or used inside the VRF, so the CLI could be different for certain Management Ethernet funct Ions on other routers.
Prevents transit traffic from traversing the device. Because all of the SPA interfaces and the Management Ethernet interface is automatically in different vrfs, no transit tr Affic can enter the Management Ethernet interface and leave a SPA interface, or vice versa.
Improved security of the interface. Because the mgmt-intf VRF has it own routing table as a result of being in its own VRF, routes can-only is added to the R Outing Table of the Management Ethernet interface if explicitly entered by a user.
The Management Ethernet interface VRF supports both IPV4 and IPV6 address families.
That means the static default route should isn't interfere with Routing in the Global Routing Table or any other VRF Configu Red, that management traffic are isolated in its own VRF. The configuration for the Management Interface cannot is modified in terms of VRF, you can only assign a IP address to it and a Static Default Route to allow connectivity.
The purpose is to connect this interface to a isolated IP network that can guarantee ' always on ' access to the device onl Y for management purposes.
However, it's not a must-to-use this interface for management. You can still configure your device-to-accept SSH and Telnet sessions on the Global Routing Table or any other VRF (in Oth Er words, coming from any other interface).
For Cisco Catalyst Switch 3850, the Gigabit Ethernet Management interface are automatically part of its own VRF. This VRF, which are named "mgmt-intf," is automatically configured and are dedicated to the Management Ethernet interface; No other interfaces can join the this VRF. Therefore, this VRF does not participate in the MPLSXXXVRF or any other network-wide VRF. The mgmt-intf VRF supports loopback interface.
Basic Configuration on MGMT-VRF
Here is basic related Management Interface Configuraiton:
VRF definition MGMT-VRF! address-family IPv4 exit-address-family! address-family IPv6 exit-address-family
Interface gigabitethernet0/0 VRF forwarding MGMT-VRF IP address 10.9.2.15 255.255.255.0 negotiation auto!
Static Route
IP route vrf MGMT-VRF 0.0.0.0 0.0.0.0 10.9.2.26
Line VTY Access
Common Configuration for VTY Lines
Access-list 101 Permit IP 10.9.2.0 0.255.255.255 any logline vty 0 4 access-class 101 in Exec-timeout 4 logging SYNCHR Onous Login Authentication Vtyauth transport input SSH line vty 5 access-class 101 in Exec-timeout 4 logging SYNCHR Onous Login Authentication Vtyauth Transport Input ssh!
Unfortunately, Ping to 10.9.2.15 is working fine and not ssh. SW refused configuration
Solutions:
Line vty 0 4 access-class 101 in Vrf-also exec-timeout 4 logging Synchronous login Authentication Vtyauth Transport INP UT sshline vty 5 access-class 101 in Vrf-also exec-timeout 4 logging Synchronous login authentication Vtyauth TRANSP ORT input ssh!
NTP
NTP server VRF MGMT-VRF 10.9.1.242ntp server VRF mgmt-vrf 10.9.6.5
Ethernet Management Interface VRF