Software Configuration Guide for the Cisco ISR 4400 Series
Using the Management Interfaces

Table of Contents

Using the Management Interfaces

Gigabit Ethernet Management Interface

Gigabit Ethernet Management Interface Overview

Default Gigabit Ethernet Configuration

Gigabit Ethernet Port Numbering

Gigabit Ethernet Management Interface VRF

Common Gigabit Ethernet Management Tasks

Viewing the VRF Configuration

Viewing Detailed Information for the Gigabit Ethernet Management VRF

Setting a Default Route in the Management Ethernet Interface VRF

Setting the Gigabit Ethernet Management IP Address

Telnetting over the Gigabit Ethernet Management Interface

Pinging over the Gigabit Ethernet Management Interface

Copying Using TFTP or FTP

Setting up Clock via NTP Server

Logging

SNMP-Related Services

Assigning a Domain Name

Assigning DNS

Configuring a RADIUS or TACACS+ Server Group

Attaching an ACL to VTY Lines

IP Address Handling in ROMMON and the Management Ethernet Port

Enabling SNMP

Web User Interface Management Interface

Legacy Web User Interface Overview

Graphics-Based Web User Interface Overview

Overview of Persistent Web User Interface Transport Maps

Enabling Web User Interface Access

Configuring Web User Interface Access

Prerequisites

Accessing the Web User Interface

Web User Interface Authentication

Domain Name System and the Web User Interface

Clocks and the Web User Interface

Using Auto Refresh

Configuration Examples

Using the Management Interfaces

Last Updated: April 9, 2014

 

The following management interfaces are provided for external users and applications: the Gigabit Ethernet management interface and the web user interface.

Gigabit Ethernet Management Interface

Gigabit Ethernet Management Interface Overview

The router provides an Ethernet management port, named GigabitEthernet0.

The Ethernet management port allows you to perform management tasks on the router. It is an interface that should not, and often cannot, forward network traffic, but it can be used to access the router via Telnet and SSH to perform management tasks. The interface is most useful before a router has begun routing, or in troubleshooting scenarios when other forwarding interfaces are inactive.

The following are some key aspects of the Ethernet management interface:

  • The router has one management ethernet interface named GigabitEthernet0.
  • IPv4 and IPv6 are the only routed protocols supported for the interface.
  • The interface provides a way to access the router even if forwarding interfaces are not functional or the system process is down.
  • The management ethernet interface is part of its own virtual routing and forwarding (VRF). This is discussed in more detail in the “Gigabit Ethernet Management Interface VRF” section.

Default Gigabit Ethernet Configuration

By default, a forwarding VRF is configured for the interface with a special group named “Mgmt-intf.” You cannot change this configuration. Configuring a forwarding VRF for the interface with special group named “Mgmt-intf” allows you to isolate the traffic on the management interface away from the forwarding plane. Otherwise, the interface can be configured like other Gigabit Ethernet interfaces for most functions.

For example, the default configuration is:
Router(config)# interface GigabitEthernet0
Router(config-if)# vrf forwarding Mgmt-intf

Gigabit Ethernet Port Numbering

The Gigabit Ethernet management port is always GigabitEthernet0. The port can be accessed in global configuration mode.

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface gigabitethernet0
Router(config-if)#

Gigabit Ethernet Management Interface VRF

The Gigabit Ethernet management interface is automatically part of its own VRF. This VRF, which is named “Mgmt-intf,” is automatically configured on the router and is dedicated to the management ethernet interface; no other interfaces can join this VRF, and no other interfaces may be placed in the management VRF. The management ethernet interface VRF does not participate in the MPLS VPN VRF or any other network-wide VRF.

Placing the Gigabit Ethernet management interface in its own VRF has the following effects on the management ethernet interface:

  • Requires configuring multiple features inside the VRF. Because the Cisco IOS CLI for certain management ethernet functions differs from that on other routers, you are required to configure or use many features inside the VRF.
  • Prevents transit traffic from traversing the router. Because all module interfaces and the management ethernet interface are automatically in different VRFs, no transit traffic can enter the management ethernet interface and leave a module interface, or vice versa.
  • Improves security of the interface. Because the Mgmt-intf VRF has its own routing table as a result of being in its own VRF, routes can only be added to the routing table of the management ethernet interface if you explicitly enter them.

The management ethernet interface VRF supports both IPv4 and IPv6 address families.


Note You can configure only the Gigabit Ethernet management interface (and a loopback interface) as a part of the Mgmt-intf VRF. You cannot configure other interfaces in this VRF.


Viewing the VRF Configuration

The VRF configuration for the Gigabit Ethernet management interface is viewable using the show running-config vrf command.

This example shows the default VRF configuration:

Router# show running-config vrf
 
Building configuration...
 
Current configuration : 351 bytes
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
(some output removed for brevity)

Viewing Detailed Information for the Gigabit Ethernet Management VRF

To see detailed information about the Gigabit Ethernet management VRF, enter the show vrf detail Mgmt-intf command.

Router# show vrf detail Mgmt-intf
 
VRF Mgmt-intf (VRF Id = 4085); default RD <not set>; default VPNID <not set>
Interfaces:
Gi0
Address family ipv4 (Table ID = 4085 (0xFF5)):
No Export VPN route-target communities
No Import VPN route-target communities
No import route-map
No export route-map
VRF label distribution protocol: not configured
VRF label allocation mode: per-prefix
Address family ipv6 (Table ID = 503316481 (0x1E000001)):
No Export VPN route-target communities
No Import VPN route-target communities
No import route-map
No export route-map
VRF label distribution protocol: not configured
VRF label allocation mode: per-prefix

Setting a Default Route in the Management Ethernet Interface VRF

You can set a default route in the Gigabit Ethernet management Interface VRF by entering the following commands:

Router(config)# ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 next-hop-IP-address

 

To set a default route in the management ethernet interface VRF with an IPv6 address, enter the following command:

Router(config)# ipv6 route vrf Mgmt-intf ::/0 next-hop-IPv6-address

Setting the Gigabit Ethernet Management IP Address

You can set the IP address of the Gigabit Ethernet management port like the IP address on any other interface.

To configure an IPv4 address on the management ethernet interface, enter the following commands:

Router(config)# interface GigabitEthernet 0
Router(config-if)# ip address A.B.C.D A.B.C.D
 

To configure an IPv6 address on the management ethernet interface, enter the following commands:

Router(config)# interface GigabitEthernet 0

Router(config-if)# ipv6 address X:X:X:X::X

Telnetting over the Gigabit Ethernet Management Interface

You can telnet to a router through the Gigabit Ethernet management interface VRF using the telnet command and the router’s IP address.

To telnet to the IPv4 address of the router, enter the following command:

Router# telnet 172.17.1.1 /vrf Mgmt-intf
 

To telnet to the IPv6 address of the router, enter the following command:

Router# telnet 2001:db8::abcd /vrf Mgmt-intf

Pinging over the Gigabit Ethernet Management Interface

You can ping other interfaces using the management ethernet interface through the VRF.

To ping the interface with the IPv4 address, enter the following command:

Router# ping vrf Mgmt-intf 172.17.1.1
 

To ping the interface with the IPv6 address, enter the following command:

Router# ping vrf Mgmt-intf 2001:db8::abcd

Copying Using TFTP or FTP

To copy a file using TFTP through the management ethernet interface, the ip tftp source-interface GigabitEthernet 0 command must be entered before entering the copy tftp command, because the copy tftp command has no option for specifying a VRF name.

Similarly, to copy a file using FTP through the management ethernet interface, the ip ftp source-interface GigabitEthernet 0 command must be entered before entering the copy ftp command, because the copy ftp command has no option for specifying a VRF name.

Example: TFTP

Router(config)# ip tftp source-interface gigabitEthernet 0

Example: FTP

Router(config)# ip ftp source-interface gigabitEthernet 0
 
Building configuration...
- Omitted lines -
!
!
ip ftp source-interface GigabitEthernet0
ip tftp source-interface GigabitEthernet0
!

Setting up Clock via NTP Server

To allow the software clock to be synchronized by a Network Time Protocol (NTP) time server over the Gigabit Ethernet management interface, enter the ntp server vrf Mgmt-intf command and specify the IP address of the device providing the update.

To set up NTP server over the management ethernet interface with an IPv4 address, enter the following command:

Router(config)# ntp server vrf Mgmt-intf 172.17.1.1
 

To set up the NTP server over the management ethernet interface with an IPv6 address, enter the following command:

Router(config)# ntp server vrf Mgmt-intf 2001:db8::abcd

Logging

To specify the Gigabit Ethernet management interface as the source IP or IPv6 address for logging, enter the logging host ip-address vrf Mgmt-intf command.

Example

Router(config)# logging host 172.17.1.1 vrf Mgmt-intf

SNMP-Related Services

To specify the Gigabit Ethernet management interface as the source of all SNMP trap messages, enter the snmp-server source-interface traps gigabitEthernet 0 command.

Example

Router(config)# snmp-server source-interface traps gigabitEthernet 0

Assigning a Domain Name

The IP domain name assignment for the Gigabit Ethernet management interface is done through the VRF.

To define the default domain name for the Gigabit Ethernet management VRF interface, enter the ip domain-name vrf Mgmt-intf domain command.

Example

Router(config)# ip domain-name vrf Mgmt-intf cisco.com

Assigning DNS

To specify a name server for the management ethernet interface VRF, enter the ip name-server vrf Mgmt-intf IPv4-or-IPv6-address command.

Example

Router(config)# ip name-server vrf Mgmt-intf A.B.C.D
or
Router(config)# ip name-server vrf Mgmt-intf X:X:X:X::X

Configuring a RADIUS or TACACS+ Server Group

To make the management VRF part of a RADIUS AAA server group, enter the ip vrf forwarding Mgmt-intf command when configuring the AAA server group.

The same concept is true for configuring a TACACS+ server group. To group the Management VRF as part of a TACACS+ server group, enter the ip vrf forwarding Mgmt-intf command when configuring the TACACS+ server group.

Example: Radius Server Group Configuration

Router(config)# aaa group server radius hello
Router(config-sg-radius)# ip vrf forwarding Mgmt-intf

Example: Tacacs+ Server Group

Router(config)# aaa group server tacacs+ hello
Router(config-sg-tacacs+)# ip vrf forwarding Mgmt-intf

Attaching an ACL to VTY Lines

To apply an access control list (ACL) to the vty lines so that it also governs connections arriving through the Mgmt-intf VRF, use the vrf-also keyword when attaching the ACL to the vty lines.

Example

Router(config)# line vty 0 4
Router(config-line)# access-class 90 in vrf-also

or

Router(config-line)# ipv6 access-class my-vty-acl in vrf-also

IP Address Handling in ROMMON and the Management Ethernet Port

IP addresses can be configured in ROMMON using the IP_ADDRESS= and IP_SUBNET_MASK= commands. You can also configure the IP address using the ip address command in interface configuration mode.

Before the system is booted and the Cisco IOS process is running on the router, the IP address set in ROMMON acts as the IP address of the management ethernet interface.

After the Cisco IOS process starts and is in control of the management ethernet interface, the IP address specified when configuring the GigabitEthernet0 interface in the Cisco IOS CLI becomes the IP address of the management ethernet interface.

The ROMMON-defined IP address is used only until the Cisco IOS process is active. For this reason, the IP addresses specified in ROMMON and in the Cisco IOS XE commands should be identical in order for the Gigabit Ethernet management interface to function properly.

Enabling SNMP

For further information about enabling SNMP, see the “SNMP-Related Services” section and Configuring SNMP Support.

Web User Interface Management Interface

You can access your router using a web user interface. The web user interface allows you to monitor router performance using an easy-to-read graphical interface. Most aspects of your router can be monitored using the web user interface.

The web user interface allows you to perform the following functions:

  • View information in an easy-to-read graphical format.
  • Monitor most software processes, including processes related to the Cisco IOS and non-Cisco IOS subpackages within the Cisco IOS XE consolidated package.
  • Monitor most hardware components, including all RPs, NIMs, and SM-Xs installed on your router.
  • Access legacy web user interface in addition to the enhanced web user interface.
  • Gather show command output.

This section consists of the following topics:

  • Legacy Web User Interface Overview
  • Graphics-Based Web User Interface Overview
  • Overview of Persistent Web User Interface Transport Maps
  • Configuring Web User Interface Access
  • Accessing the Web User Interface
  • Web User Interface Authentication
  • Domain Name System and the Web User Interface
  • Clocks and the Web User Interface
  • Using Auto Refresh
  • Configuration Examples

Legacy Web User Interface Overview

Previous Cisco routers have a legacy web user interface that can be used to monitor the router. This legacy web user interface presents information in a straightforward manner without using any graphics. On the router, this interface is part of the larger web user interface and can be accessed by clicking the IOS Web UI option in the left-hand menu.

On your router, the legacy web user interface can be used only to configure and monitor the Cisco IOS subpackages. In some scenarios, most notably when an ip http command has been successfully entered to enable the HTTP or HTTPS server while a properly configured web user interface transport map has not yet been applied on the router, the legacy web user interface will be accessible while the graphics-based web user interface will be inaccessible.

An example showing the IOS web user interface home page is shown in Figure 3-1.

Figure 3-1 Legacy Web User Interface Home Page

Graphics-Based Web User Interface Overview

The graphics-based web user interface on your router displays router information in the form of graphic-based tables, graphs, or charts, depending on the type of information. You can access any monitoring-related information stored in both the Cisco IOS and non-Cisco IOS subpackages and obtain a complete view of your router using the web user interface. See Figure 3-2 for an example of the graphics-based web user interface home page.

Figure 3-2 Graphics-Based Web User Interface Home Page

Overview of Persistent Web User Interface Transport Maps

You must configure a persistent web user interface transport map to enable the graphics-based web user interface on your router. When successfully configured and applied to your router, the persistent web user interface transport map defines how the router handles incoming requests from the web user interface. In the persistent web user interface transport map, you can define whether the graphics-based web user interface can be accessed through HTTP, HTTPS, or both protocols. You can apply only one persistent web user interface map to your router.

You must configure the legacy web user interface prior to enabling the graphics-based web user interface on your router. You can use the ip http command set to configure the legacy web user interface. The ip http command settings define which ports are used by HTTP or HTTPS for both the legacy and graphics-based web user interfaces.

For information on configuring the entire graphics-based web user interface, including the configuration of persistent web user interface transport maps on your router, see the “Configuring Web User Interface Access” section.

Configuring Web User Interface Access

To enable the entire web user interface, perform the following steps:

Prerequisites

  • You must configure the legacy web user interface prior to enabling the graphics-based web user interface on your router. Access to the web user interface on your router is disabled by default.
  • You must specify the default route in the Gigabit Ethernet management VRF interface before configuring the web user interface on your router. The web user interface is disabled when the Gigabit Ethernet management interface is not configured or is not functioning. See the “Setting a Default Route in the Management Ethernet Interface VRF” section for information on configuring a default route in the Gigabit Ethernet management interface on your router.


Step 1 (Optional) Enter the show clock command in the privileged EXEC mode of your router to ensure the clock setting on your router is accurate.

Router# show clock

*19:40:20.598 UTC Fri Jan 21 2013

 

If the router time is not properly set, use the clock set and clock timezone commands for setting the system clock.


Note The “Clocks and the Web User Interface” section provides additional information on how clock settings on both the router and the web browser can impact the web user interface.


Step 2 Enter the configure terminal command to enter the global configuration mode.

Step 3 Enter the following commands to enable the legacy web user interface:

  • ip http server —Enables HTTP on port 80, which is the default HTTP port.
  • ip http port port-number —Enables HTTP on the nondefault user-specified port. Default port number is 80.
  • ip http secure-server —Enables HTTPS on port 443, the default HTTPS port.
  • ip http secure-port port-number —Enables HTTPS on the nondefault user-specified port.

The legacy web user interface is now accessible. You must complete the configuration tasks in Step 4 through Step 7 to access the graphics-based web user interface.

Step 4 Create and name a persistent web user interface transport map by entering the transport-map type persistent webui transport-map-name command.

Step 5 Enable HTTP, HTTPS, or both by entering the following commands in transport map configuration mode:

  • server —Enables HTTP.
  • secure-server —Enables HTTPS.

Port numbers cannot be set within the transport map. The port numbers defined in Step 3 are also used with these settings in the persistent web user interface transport map.

Step 6 (Optional) Enter the show transport-map name transport-map-name privileged EXEC command to verify that your transport map is properly configured.

Step 7 Enable the transport map by entering the transport type persistent webui input transport-map-name command in global configuration mode.
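Step 3 and Step 5 split the web user interface configuration across two places: the ip http commands decide which protocols and ports the HTTP server uses, and the transport map decides which of those protocols the graphics-based interface accepts. The script below is an added example, not Cisco code: it parses a constructed show transport-map name output (laid out as in the Configuration Examples) together with a constructed running-config, checks that the applied map matches and that every protocol the map enables is actually turned on with ip http, builds the address-field URLs from Step 2 of “Accessing the Web User Interface”, and flags plaintext HTTP (ip http server) because the Step 3 login credentials would then cross the network unencrypted. The map name https-webui and port 530 are taken from the chapter; the rest is assumed.

```python
"""Check web user interface transport-map and ip http settings for consistency.
Added example; the show output and config below are constructed, not captured."""
import re
from typing import Dict, List

# Constructed 'show transport-map name https-webui' output (layout as in Example 3-1).
SAMPLE_SHOW_TRANSPORT_MAP = """\
Transport Map:
  Name: https-webui
  Type: Persistent Webui Transport

Webui:
  Server: disabled
  Secure Server: enabled
"""

# Constructed running-config fragment: HTTPS only, on the non-default port 530.
SAMPLE_RUNNING_CONFIG = """\
ip http secure-server
ip http secure-port 530
transport-map type persistent webui https-webui
 secure-server
transport type persistent webui input https-webui
"""


def parse_transport_map(show_output: str) -> Dict[str, object]:
    """Extract name, type and the server / secure-server flags from show output."""
    tmap: Dict[str, object] = {"name": None, "type": None,
                               "server": False, "secure_server": False}
    for line in show_output.splitlines():
        m = re.match(r"\s*(Secure Server|Server|Name|Type):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in ("Name", "Type"):
            tmap[key.lower()] = value
        else:  # 'Server' -> server, 'Secure Server' -> secure_server
            tmap[key.lower().replace(" ", "_")] = (value.lower() == "enabled")
    return tmap


def http_settings(config: str) -> Dict[str, object]:
    """Collect the Step 3 ip http settings and the Step 7 applied transport map."""
    s: Dict[str, object] = {"http": False, "https": False,
                            "http_port": 80, "https_port": 443, "applied_map": None}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            s["http"] = True
        elif line == "ip http secure-server":
            s["https"] = True
        elif m := re.match(r"ip http port (\d+)$", line):
            s["http_port"] = int(m.group(1))
        elif m := re.match(r"ip http secure-port (\d+)$", line):
            s["https_port"] = int(m.group(1))
        elif m := re.match(r"transport type persistent webui input (\S+)$", line):
            s["applied_map"] = m.group(1)
    return s


def graphics_ui_urls(host: str, settings: Dict[str, object],
                     tmap: Dict[str, object]) -> List[str]:
    """Address-field entries (Step 2 format) for protocols enabled in both places.
    Default ports are omitted, as in the chapter's examples."""
    urls: List[str] = []
    if settings["http"] and tmap["server"]:
        port = settings["http_port"]
        urls.append(f"http://{host}" + ("" if port == 80 else f":{port}"))
    if settings["https"] and tmap["secure_server"]:
        port = settings["https_port"]
        urls.append(f"https://{host}" + ("" if port == 443 else f":{port}"))
    return urls


def check_web_ui(show_output: str, config: str) -> List[str]:
    """Return findings; an empty list means the map and ip http settings agree."""
    tmap = parse_transport_map(show_output)
    settings = http_settings(config)
    findings: List[str] = []
    if tmap["type"] != "Persistent Webui Transport":
        findings.append(f"WARN: unexpected transport map type {tmap['type']!r}")
    if settings["applied_map"] != tmap["name"]:
        findings.append(f"WARN: applied map {settings['applied_map']!r} is not "
                        f"the inspected map {tmap['name']!r}")
    if not (tmap["server"] or tmap["secure_server"]):
        findings.append("WARN: transport map enables neither server nor secure-server")
    if tmap["server"] and not settings["http"]:
        findings.append("WARN: map enables HTTP but 'ip http server' (Step 3) is absent")
    if tmap["secure_server"] and not settings["https"]:
        findings.append("WARN: map enables HTTPS but 'ip http secure-server' (Step 3) is absent")
    if settings["http"]:
        findings.append("WARN: 'ip http server' exposes the web UI login over plaintext "
                        "HTTP; prefer 'ip http secure-server' only")
    return findings
```

On the sample the checks pass and the only graphics-based URL is https://172.16.5.1:530, matching the “HTTPS Using NonDefault Port Example”. Feeding it a map with Server: enabled but no ip http server line, or a config that adds ip http server, produces the corresponding warning.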


 

Accessing the Web User Interface

To access the web user interface, perform the following steps:


Step 1 Open your web browser. The web user interface supports the following web browsers:

  • Microsoft Internet Explorer 6 or later
  • Mozilla Firefox 2.0 or later

Step 2 Enter the address of the router in the address field of the web browser. The format for the router address in the address field is http://<routername or management-ethernet-ip-address>:[http-port] or https://<routername or management-ethernet-ip-address>:[https-port]. The addresses that are acceptable depend upon your web browser user interface configurations and whether your router is participating in DNS.

The following examples are acceptable address field web browser entries:

HTTP Using Default Port Example

http://172.16.5.1

HTTPS Using Default Port Example

https://172.16.5.1

HTTP Using NonDefault Port Example

http://172.16.5.1:94

HTTPS Using NonDefault Port Example

https://172.16.5.1:530/

HTTP Using Default Port Participating in DNS Example

http://router1

HTTPS Using Default Port Participating in DNS Example

https://router1

HTTP Using NonDefault Port Participating in DNS Example

http://router1:94

HTTPS Using NonDefault Port Participating in DNS Example

https://router1:530/

Step 3 When prompted, enter your username and password. The username and password combination required to enter the web user interface is the same combination required to access the router.

Step 4 The graphics-based web user interface, as shown in Figure 3-2, should appear in your web browser.

For additional information on the commands and the options available with each command, see the Cisco IOS Configuration Fundamentals Command Reference.


 

Web User Interface Authentication

When accessing the web user interface for your router, you must enter the same username and password as the ones configured on your router for authentication purposes. The web browser prompts all users for a username and password combination, and the web browser verifies this information with the router before allowing access to the web user interface.

Only users with a privilege level of 15 can access the web user interface. Authentication of web user interface traffic is governed by the authentication configuration for all other traffic.

To configure authentication on your router, see Configuring Authentication.

Domain Name System and the Web User Interface

The Domain Name System (DNS) is a distributed database in which you can map hostnames to IP addresses through the DNS protocol from a DNS server.

If the router is configured to participate in the Domain Name System, users can access the web user interface by entering http://<dns-hostname> as the web browser address.

For information on configuring DNS, see “Configuring DNS” in IP Addressing: DNS Configuration Guide, Cisco IOS XE Release 3S.

Clocks and the Web User Interface

Certain web browsers can reject the request to view the web user interface if the time seen by the web browser differs from the time seen on the router by an hour or more. We recommend checking the router time using the show clock command before configuring the router. You can set the router’s system time using the clock set and clock timezone commands.

Similarly, the web browser’s clock source, which is usually the personal computer, must display accurate time to properly access the web user interface.

The following message appears when the web browser and the router clocks are more than an hour apart:

  Your access is being denied for one of the following reasons:
    • Your previous session has timed-out.
    • You have been logged out from elsewhere.
    • You have not yet logged in.
    • The resource requires a higher privilege level login.

If the web user interface is inaccessible even after fixing one or more of the possible causes listed above, check your router’s clock setting and your PC clock setting to ensure that both clocks display the correct day and time, and then retry accessing the web user interface.


Note Clock-related issues may occur when one clock changes to daylight saving time while the other remains unchanged.


Using Auto Refresh

The web user interface does not refresh content automatically by default. To set an auto-refresh interval, follow these steps:


Step 1 Check the Refresh every check box on your graphical web user interface home page. A check mark appears in the check box; see Figure 3-3.

Figure 3-3 Auto-Refresh Check Box on your graphic-based web user interface

Step 2 Set the frequency of the auto-refresh interval using the drop-down menu.

Step 3 Click the Start button to the right of the drop-down menu. Immediately after you click the Start button, it becomes the Stop button and a countdown timer appears to the right of the Stop button, as shown in Figure 3-4.

Figure 3-4 Stop Button with Auto Refresh Counter


 

Configuration Examples

Example 3-1 In the following example, the web user interface using the default HTTP port is enabled:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip http server
Router(config)# transport-map type persistent webui http-webui
Router(config-tmap)# server
Router(config-tmap)# exit
Router(config)# exit
Router# show transport-map name http-webui
Transport Map:
  Name: http-webui
  Type: Persistent Webui Transport

Webui:
  Server: enabled
  Secure Server: disabled

Router# configure terminal
Router(config)# transport type persistent webui input http-webui
*Sep. 21 02:43:55.798: %UICFGEXP-6-SERVER_NOTIFIED_START: R0/0: psd: Server wui has been notified to start

Example 3-2 In the following example, the web user interface using the default HTTPS port is enabled:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip http secure-server
Router(config)# transport-map type persistent webui https-webui
Router(config-tmap)# secure-server
Router(config-tmap)# exit
Router(config)# transport type persistent webui input https-webui
*Sep. 21 02:38:43.597: %UICFGEXP-6-SERVER_NOTIFIED_START: R0/0: psd: Server wui has been notified to start

Example 3-3 In the following example, the web user interface using the default HTTP and HTTPS ports is enabled:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip http server
Router(config)# ip http secure-server
Router(config)# transport-map type persistent webui http-https-webui
Router(config-tmap)# server
Router(config-tmap)# secure-server
Router(config-tmap)# exit
Router(config)# transport type persistent webui input http-https-webui
*Sep 21 02:47:22.981: %UICFGEXP-6-SERVER_NOTIFIED_START: R0/0: psd: Server wui has been notified to start