This object allows you to configure a group of management IP interfaces for the default address context.

Key Management Interface functionality:

  • One non-VLAN and up to 15 VLAN management interfaces can be configured on each physical management port, for a total of 16.
  • Users can choose arbitrary VLAN tag values from 2-4094.
  • Users can use non-VLAN management interfaces when VLAN management interfaces are configured.
  • The VLAN interfaces on management ports follow the same redundancy model as the existing untagged management port interfaces.

  • The management interface can have only one IPv4 address and/or one IPv6 address. 

  • Unlike a packet port, the management port supports both non-VLAN and VLAN interfaces on the same management port.

  • Each management port should be configured with the same set of VLANs in order to provide port redundancy. 
  • Management interfaces in the same VLAN should be in the same subnet.

Note: A management IP interface must contain at least one IP address to be considered valid.
 

CLI Changes

Command Syntax

% set system mgmtIpInterfaceGroup <mgmtIpIntfceGrp_name> mgmtIpInterface <IP_Intfce_name>
	ceName <ceName>
	ipAddressV4 <IPv4_address>
	ipAddressV6 <IPv6_address>
	portName <mgt0 | mgt1 | mgt2 | mgt3>
	prefixV4 <prefix>
	prefixV6 <prefix>
	state <disabled | enabled>
	vlanTag <2-4094>

Note: For management interface groups (and interfaces), the default address context is implied, and therefore the address context is not specified.

% show system mgmtIpInterfaceGroup <mgmtIpIntfceGrp_name> mgmtIpInterface <IP_Intfce_name>
 
% delete system mgmtIpInterfaceGroup <mgmtIpIntfceGrp_name> 
	mgmtIpInterface <mgmt_interface_#> 
	ipAddressV4 
	ipAddressV6 
	prefixV4 
	prefixV6
	vlanTag

The above delete command allows the deletion of an IPv4 address and prefix on the management interface only if:

  • the state is set to 'disabled', and
  • an IPv6 address exists.

Command Parameters

Table 1: Management IP Interface Group Parameters

| Parameter | Length/Range | Description |
|---|---|---|
| mgmtIpInterfaceGroup | 1-23 | IP Interface Group name. |
| mgmtIpInterface | 1-23 | Management IP interface name. |
| ceName | 1-255 | Name of the computing element that hosts the port used by the management IP interface. Note: ceName identifies each node (active or standby). System name identifies the HA pair. The product is deployed in 1:1 redundancy (active or standby). |
| ipAddressV4 | 0-32 | IPv4 address of the interface. Length is in the range of 0 to 32. The 32-bit IP address in dotted decimal form (for example 128.127.50.224). |
| ipAddressV6 | 0-128 | IPv6 address of the interface. Length is in the range of 0 to 128. Eight 16-bit hexadecimal values separated by colons (for example 1280:1276:3350:2224:2222:3333:8888:1245). Note: Duplicate Address Detection procedures are performed on interfaces configured with IPv6 addresses. If a duplicate address is found in the network, a warning message is output to Linux logs at /var/log/syslog and /var/log/messages. Example message: "Nov 12 08:52:35 SBC-1 kernel: [854194.740638] mgt1: IPv6 duplicate address fc00::100:0:0:100:1 detected" |
| portName | N/A | Port used by the management IP interface (either two or four mgmt ports are available, depending on whether the product is configured for HA): mgt0, mgt1, mgt2, mgt3. |
| prefixV4 | 0-32 | IPv4 subnet prefix of the management interface. |
| prefixV6 | 0-128 | IPv6 subnet prefix of the management interface. |
| state | N/A | Administrative state of the management network interface. disabled – (default) The management IP interface is inactive and does not respond to a ping. enabled – The management IP interface is active and responds to a ping (Ethernet cable must be connected). |
| vlanTag | 2-4094, arbitrary | <VLAN tag> (default = 0) – Use this parameter to assign an arbitrary VLAN tag value to a management interface to facilitate isolating/separating management activities. For example, when PSX queries are being performed in one management VLAN interface, the EMA can be accessed on another management VLAN interface on the same management Ethernet port, while yet another VLAN interface can be used for Lawful Intercept (LI). NOTE: Use a default value of "0" for a non-VLAN management interface. |

Command Example

To display management IP interfaces:

% show system mgmtIpInterfaceGroup
	mgmtIpInterfaceGroup mgmtGroup {
		mgmtIpInterface mgmtIntf1 {
			ceName merc;
			portName mgt0;
			ipAddressV4 10.34.26.151;
			prefixV4 3;
			ipAddressV6 ::FFFF:10.34.26.151;
			prefixV6 64;
			state enabled;
		}
		mgmtIpInterface mgmtIntf2 {
			ceName merc;
			portName mgt1;
			ipAddressV4 0.0.0.0;
			prefixV4 24;
			ipAddressV6 ::FFFF:0.0.0.0;
			prefixV6 64;
			state enabled;
		}
	}
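
The rules listed under Key Management Interface functionality can be checked mechanically against this display format. The following is an added example, not vendor code: it assumes the display prints a `vlanTag <n>;` line for VLAN interfaces, and the interface names and addresses in `SAMPLE` are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the page's display format (vlanTag lines are assumed).
SAMPLE = """
mgmtIpInterfaceGroup mgmtGroup {
  mgmtIpInterface mgmtIntf1 { ceName merc; portName mgt0; ipAddressV4 10.34.26.151; prefixV4 24; state enabled; }
  mgmtIpInterface emaVlan0 { ceName merc; portName mgt0; ipAddressV4 10.34.30.10; prefixV4 24; vlanTag 100; state enabled; }
  mgmtIpInterface emaVlan1 { ceName merc; portName mgt1; ipAddressV4 10.34.31.10; prefixV4 24; vlanTag 100; state enabled; }
  mgmtIpInterface liVlan { ceName merc; portName mgt1; vlanTag 4095; state disabled; }
}
"""

def parse(text):
    """Return {interface name: {key: value}} for each mgmtIpInterface block."""
    blocks = re.findall(r"mgmtIpInterface\s+(\S+)\s*\{([^{}]*)\}", text)
    return {n: dict(re.findall(r"(\w+)\s+([^;\s]+)\s*;", b)) for n, b in blocks}

def validate(ifaces):
    """Apply the Key Management Interface rules; return sorted findings."""
    findings, per_port, per_vlan = [], defaultdict(list), defaultdict(set)
    for name, cfg in ifaces.items():
        tag = int(cfg.get("vlanTag", 0))  # 0 means a non-VLAN interface
        if tag and not 2 <= tag <= 4094:
            findings.append(f"{name}: vlanTag {tag} outside 2-4094")
        v4 = cfg.get("ipAddressV4", "0.0.0.0")
        if v4 == "0.0.0.0" and "ipAddressV6" not in cfg:
            findings.append(f"{name}: no IP address configured")
        per_port[(cfg.get("ceName"), cfg.get("portName"))].append(tag)
        if tag and v4 != "0.0.0.0":
            net = ipaddress.ip_interface(f"{v4}/{cfg.get('prefixV4', '32')}")
            per_vlan[tag].add(str(net.network))
    for (ce, port), tags in per_port.items():
        untagged = tags.count(0)
        if untagged > 1 or len(tags) - untagged > 15:
            findings.append(f"{ce}/{port}: exceeds 1 non-VLAN + 15 VLAN interfaces")
    for tag, nets in per_vlan.items():
        if len(nets) > 1:  # same VLAN should mean same subnet
            findings.append(f"VLAN {tag}: spans subnets {sorted(nets)}")
    # Every management port should carry the same VLAN set for redundancy.
    vlan_sets = {frozenset(t for t in tags if t) for tags in per_port.values()}
    if len(vlan_sets) > 1:
        findings.append("ports: VLAN sets differ between management ports")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(validate(parse(SAMPLE))))
```
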

To create management interfaces on two subnets in an HA setup:

Step 1: Add mgmtIntf2 and mgmtIntf4 to the newly created mgmtGroup1:

% set system mgmtIpInterfaceGroup mgmtGroup mgmtIpInterface mgmtIntf2 state disabled  
% commit  
% delete system mgmtIpInterfaceGroup mgmtGroup mgmtIpInterface mgmtIntf2  
% commit  
% set system mgmtIpInterfaceGroup mgmtGroup1  
% commit  
% set system mgmtIpInterfaceGroup mgmtGroup1 mgmtIpInterface 
	mgmtIntf2 ceName hayabusa portName mgt1 ipAddressV4 
	10.54.67.47 prefixV4 24 ipAddressV6 ::FFFF:10.54.67.47 
	prefixV6 64  
% commit  
% set system mgmtIpInterfaceGroup mgmtGroup1 mgmtIpInterface 
	mgmtIntf2 state enabled  
% commit  
% set system mgmtIpInterfaceGroup mgmtGroup mgmtIpInterface mgmtIntf4 state disabled  
% commit  
% delete system mgmtIpInterfaceGroup mgmtGroup 
	mgmtIpInterface mgmtIntf4  
% commit  
% set system mgmtIpInterfaceGroup mgmtGroup1 mgmtIpInterface 
	mgmtIntf4 ceName augusta portName mgt1 ipAddressV4 
	10.54.67.48 prefixV4 24 ipAddressV6 ::FFFF:10.54.67.48 
	prefixV6 64  
% commit  
% set system mgmtIpInterfaceGroup mgmtGroup1 mgmtIpInterface 
	mgmtIntf4 state enabled  
% commit 
% show system mgmtIpInterfaceGroup
mgmtIpInterfaceGroup mgmtGroup {
	mgmtIpInterface mgmtIntf1 {
		ceName hayabusa;
		portName mgt0;
		ipAddressV4 10.54.66.50;
		prefixV4 24;
		ipAddressV6 ::FFFF:10.54.66.50;
		prefixV6 64;
		state enabled;
	}
	mgmtIpInterface mgmtIntf3 {
		ceName augusta;
		portName mgt0;
		ipAddressV4 10.54.66.59;
		prefixV4 24;
		ipAddressV6 ::FFFF:10.54.66.59;
		prefixV6 64;
		state enabled;
	}
}
mgmtIpInterfaceGroup mgmtGroup1 {
	mgmtIpInterface mgmtIntf2 {
		ceName hayabusa;
		portName mgt1;
		ipAddressV4 10.54.67.47;
		prefixV4 24;
		ipAddressV6 ::FFFF:10.54.67.47;
		prefixV6 64;
		state enabled;
	}
	mgmtIpInterface mgmtIntf4 {
		ceName augusta;
		portName mgt1;
		ipAddressV4 10.54.67.48;
		prefixV4 24;
		ipAddressV6 ::FFFF:10.54.67.48;
		prefixV6 64;
		state enabled;
	}
}

Step 2: Add static routes referencing the management interface:

% set system mgmtStaticRoute 0.0.0.0 0 10.54.66.1 mgmtGroup mgmtIntf1 preference 10  
% set system mgmtStaticRoute 0.0.0.0 0 10.54.66.1 mgmtGroup mgmtIntf3 preference 10  
% set system mgmtStaticRoute 0.0.0.0 0 10.54.67.1 mgmtGroup1 mgmtIntf2 preference 10  
% set system mgmtStaticRoute 0.0.0.0 0 10.54.67.1 mgmtGroup1 mgmtIntf4 preference 10 
% show table system mgmtStaticRoute
DESTINATION                      IP INTERFACE  IP INTERFACE
IP ADDRESS   PREFIX  NEXT HOP    GROUP NAME    NAME          PREFERENCE
-----------------------------------------------------------------------
0.0.0.0      0       10.54.66.1  mgmtGroup     mgmtIntf1     10
0.0.0.0      0       10.54.66.1  mgmtGroup     mgmtIntf3     10
0.0.0.0      0       10.54.67.1  mgmtGroup1    mgmtIntf2     10
0.0.0.0      0       10.54.67.1  mgmtGroup1    mgmtIntf4     10

Step 3: Add ACL rules on mgmtGroup1: 

% show table addressContext default ipAccessControlList rule
NAME  PRECEDENCE  PROTOCOL  IP INTERFACE GROUP  IP INTERFACE  MGMT IP INTERFACE GROUP  MGMT IP INTERFACE  SOURCE IP ADDRESS  SOURCE ADDRESS PREFIX LENGTH  DESTINATION IP ADDRESS  DESTINATION ADDRESS PREFIX LENGTH  SOURCE PORT  DESTINATION PORT  ACTION  FILL RATE  BUCKE SIZE
mgmt2_22 200 tcp - - mgmtGroup1 mgmtIntf2 0.0.0.0 0 0.0.0.0 0 any 22 accept 100 10 
mgmt2_80 201 tcp - - mgmtGroup1 mgmtIntf2 0.0.0.0 0 0.0.0.0 0 any 80 accept 100 10 
mgmt4_22 300 tcp - - mgmtGroup1 mgmtIntf4 0.0.0.0 0 0.0.0.0 0 any 22 accept 100 10 
mgmt4_80 301 tcp - - mgmtGroup1 mgmtIntf4 0.0.0.0 0 0.0.0.0 0 any 80 accept 100 10 
mgmt2_123 103 udp - - mgmtGroup1 mgmtIntf2 0.0.0.0 0 0.0.0.0 0 123 any accept 4 4 
mgmt2_161 202 udp - - mgmtGroup1 mgmtIntf2 0.0.0.0 0 0.0.0.0 0 any 161 accept 50 10 
mgmt2_162 104 udp - - mgmtGroup1 mgmtIntf2 0.0.0.0 0 0.0.0.0 0 162 any accept 10 10 
mgmt2_443 208 tcp - - mgmtGroup1 mgmtIntf2 0.0.0.0 0 0.0.0.0 0 any 443 accept 100 10 
mgmt4_123 303 udp - - mgmtGroup1 mgmtIntf4 0.0.0.0 0 0.0.0.0 0 123 any accept 4 4 
mgmt4_161 302 udp - - mgmtGroup1 mgmtIntf4 0.0.0.0 0 0.0.0.0 0 any 161 accept 50 10 
mgmt4_162 304 udp - - mgmtGroup1 mgmtIntf4 0.0.0.0 0 0.0.0.0 0 162 any accept 10 10 
mgmt4_443 308 tcp - - mgmtGroup1 mgmtIntf4 0.0.0.0 0 0.0.0.0 0 any 443 accept 100 10 
mgmt2_1812 105 udp - - mgmtGroup1 mgmtIntf2 0.0.0.0 0 0.0.0.0 0 1812 any accept 4 4 
mgmt2_1813 110 udp - - mgmtGroup1 mgmtIntf2 0.0.0.0 0 0.0.0.0 0 1813 any accept 1200 250 
mgmt2_2022 206 tcp - - mgmtGroup1 mgmtIntf2 0.0.0.0 0 0.0.0.0 0 any 2022 accept 10 10 
mgmt2_2024 209 tcp - - mgmtGroup1 mgmtIntf2 0.0.0.0 0 0.0.0.0 0 any 2024 accept 2500 250 
mgmt4_1812 305 udp - - mgmtGroup1 mgmtIntf4 0.0.0.0 0 0.0.0.0 0 1812 any accept 4 4
mgmt4_1813 310 udp - - mgmtGroup1 mgmtIntf4 0.0.0.0 0 0.0.0.0 0 1813 any accept 1200 250 
mgmt4_2022 306 tcp - - mgmtGroup1 mgmtIntf4 0.0.0.0 0 0.0.0.0 0 any 2022 accept 10 10 
mgmt4_2024 309 tcp - - mgmtGroup1 mgmtIntf4 0.0.0.0 0 0.0.0.0 0 any 2024 accept 2500 250
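
Every rule in this table accepts traffic from source 0.0.0.0/0, and the rule sets for mgmtIntf2 (hayabusa) and mgmtIntf4 (augusta) mirror each other. The following added example, which is not vendor code, audits such a table for both properties; the field names in `FIELDS` are chosen here for illustration, and the `mgmt4_8080` row is constructed to show a drift finding.

```python
from collections import defaultdict

# Hypothetical field names for the 16 columns of the rule table, in order.
FIELDS = ("name precedence protocol ip_group ip_intf mgmt_group mgmt_intf "
          "src_ip src_len dst_ip dst_len src_port dst_port action fill_rate "
          "bucket_size").split()

# Rows copied from the page's table, plus one constructed row (mgmt4_8080).
ROWS = """\
mgmt2_22 200 tcp - - mgmtGroup1 mgmtIntf2 0.0.0.0 0 0.0.0.0 0 any 22 accept 100 10
mgmt2_161 202 udp - - mgmtGroup1 mgmtIntf2 0.0.0.0 0 0.0.0.0 0 any 161 accept 50 10
mgmt2_123 103 udp - - mgmtGroup1 mgmtIntf2 0.0.0.0 0 0.0.0.0 0 123 any accept 4 4
mgmt4_22 300 tcp - - mgmtGroup1 mgmtIntf4 0.0.0.0 0 0.0.0.0 0 any 22 accept 100 10
mgmt4_123 303 udp - - mgmtGroup1 mgmtIntf4 0.0.0.0 0 0.0.0.0 0 123 any accept 4 4
mgmt4_8080 311 tcp - - mgmtGroup1 mgmtIntf4 10.54.67.0 24 0.0.0.0 0 any 8080 accept 10 10
"""

def parse_rules(text):
    """Turn data rows into dicts; header and separator lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[1].isdigit():
            rules.append(dict(zip(FIELDS, parts)))
    return rules

def any_source_listeners(rules):
    """Names of accept rules that admit any source address to a fixed local port."""
    return [r["name"] for r in rules
            if r["action"] == "accept" and r["src_len"] == "0"
            and r["dst_port"] != "any"]

def peer_drift(rules, intf_a, intf_b):
    """Rule tuples present on one HA peer's interface but not on the other."""
    seen = defaultdict(set)
    for r in rules:
        seen[r["mgmt_intf"]].add((r["protocol"], r["src_ip"], r["src_len"],
                                  r["src_port"], r["dst_port"], r["action"]))
    return sorted(seen[intf_a] ^ seen[intf_b])

if __name__ == "__main__":
    parsed = parse_rules(ROWS)
    print("any-source listeners:", any_source_listeners(parsed))
    print("peer drift:", peer_drift(parsed, "mgmtIntf2", "mgmtIntf4"))
```

Rules reported by `any_source_listeners` are candidates for a narrower source prefix, such as the operations subnet or the management VLAN that the vlanTag parameter is meant to isolate.
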

Step 4: Create two logical management IP interfaces, one for each subnet:

% set system logicalMgmtIpInterface AGMGM ipAddress 10.54.67.50
% commit
% set system logicalMgmtIpInterface AGMGM mgmtIpInterfaceGroupName mgmtGroup1 state enabled
% commit
% set system logicalMgmtIpInterface HAMGM ipAddress 10.54.66.65
% commit
% set system logicalMgmtIpInterface HAMGM mgmtIpInterfaceGroupName mgmtGroup state enabled
% commit
% show system logicalMgmtIpInterface
logicalMgmtIpInterface AGMGM {
	mgmtIpInterfaceGroupName mgmtGroup1;
	ipAddress 10.54.67.50;
	state enabled;
}
logicalMgmtIpInterface HAMGM {
	mgmtIpInterfaceGroupName mgmtGroup;
	ipAddress 10.54.66.65;
	state enabled;
}

Note: If one management port goes down, the other logical management IP interface on the other subnet must be used. A two-subnet configuration is a more robust network design.