Configuring Out-of-Band Management Access
To configure out-of-band (OOB) management access for controllers, leaf switches, or spine switches, these steps must be performed:
- Configure the OOB management IP address and gateway on the management interface
- Allow access from the necessary external subnets
- Allow the necessary protocols on the management ports
Before you begin
The APIC out-of-band management connection link must be 1 Gbps.
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | configure | Enters configuration mode.
Step 2 | {controller apic-number-or-range \| switch node-id[-node-id-or-range]} | Specifies the controller or switch to be configured. You can enter a range of controllers or switches using dashes or commas.
Step 3 | interface mgmt0 | The mgmt0 interface provides out-of-band management, which enables you to manage the device by its IPv4 address.
Step 4 | ip address addr/mask gateway addr | Configures the IP address and gateway for OOB management. If you specified more than one controller or switch, the command becomes ip address-range and IP addresses are assigned sequentially beginning with the address specified in this command.
Step 5 | exit |
Step 6 | exit |
Step 7 | tenant mgmt | System Management policies are configured under a special tenant called mgmt.
Step 8 | external-l3 epg default oob-mgmt | Enters the configuration mode of the out-of-band management EPG.
Step 9 | match ip addr/mask |
Step 10 | exit |
Step 11 | access-list oob-default | Configures the access list filter for the OOB default policy.
Step 12 | match tcp dest 443 | Allows access on the management interface for HTTPS traffic (TCP/443).
Step 13 | match tcp dest 22 | Allows access on the management interface for SSH traffic (TCP/22).
Examples
This example shows how to configure out-of-band management access for three APIC controllers. In this example, the three controllers are assigned sequential IP addresses, with controller 1 at 172.23.48.16/21, controller 2 at 172.23.48.17/21, and controller 3 at 172.23.48.18/21.
apic1# configure
apic1(config)# controller 1-3
apic1(config-controller)# interface mgmt0
apic1(config-controller-if)# ip address-range 172.23.48.16/21 gateway 172.23.48.1
apic1(config-controller-if)# exit
apic1(config-controller)# exit
apic1(config)# tenant mgmt
apic1(config-tenant)# external-l3 epg default oob-mgmt
apic1(config-tenant-l3ext-epg)# match ip 192.0.20.0/24
apic1(config-tenant-l3ext-epg)# exit
apic1(config-tenant)# access-list oob-default
apic1(config-tenant-acl)# match tcp dest 443
apic1(config-tenant-acl)# match tcp dest 22
This example shows how to configure out-of-band management access for a leaf or spine switch.
apic1# configure
apic1(config)# switch 101
apic1(config-switch)# interface mgmt0
apic1(config-switch-if)# ip address 172.23.48.101/21 gateway 172.23.48.1
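The following Python sketch is an added example, not part of the original procedure or any Cisco tooling. It works out the sequential assignment that `ip address-range` produces, rejects a plan whose addresses leave the subnet or collide with the gateway, and renders the command sequence from the steps above. The function names are hypothetical, and mapping addresses to nodes in ascending ID order for comma-separated lists is an assumption.

```python
import ipaddress

def parse_ids(spec):
    """Expand a node spec such as '1-3' or '101,103-104' (dashes or commas)."""
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids

def plan_oob(kind, spec, first_addr, gateway):
    """Map each node to its OOB address, assigned sequentially from first_addr."""
    iface = ipaddress.ip_interface(first_addr)
    net, gw = iface.network, ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is outside {net}")
    plan = {}
    for offset, node in enumerate(parse_ids(spec)):  # assumed: node-ID order
        addr = iface.ip + offset
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{kind} {node}: {addr} is not a usable host in {net}")
        if addr == gw:
            raise ValueError(f"{kind} {node}: {addr} collides with the gateway")
        plan[node] = f"{addr}/{net.prefixlen}"
    return plan

def render_cli(kind, spec, first_addr, gateway, allow_subnet, tcp_ports=(443, 22)):
    """Return (plan, commands) using only the commands shown in the procedure."""
    plan = plan_oob(kind, spec, first_addr, gateway)
    ip_cmd = "ip address-range" if len(plan) > 1 else "ip address"
    ipaddress.ip_network(allow_subnet)  # rejects a malformed subnet or set host bits
    cmds = ["configure", f"{kind} {spec}", "interface mgmt0",
            f"{ip_cmd} {first_addr} gateway {gateway}", "exit", "exit",
            "tenant mgmt", "external-l3 epg default oob-mgmt",
            f"match ip {allow_subnet}", "exit", "access-list oob-default"]
    cmds += [f"match tcp dest {port}" for port in tcp_ports]
    return plan, cmds

if __name__ == "__main__":
    # Values taken from the three-controller example above.
    plan, cmds = render_cli("controller", "1-3", "172.23.48.16/21",
                            "172.23.48.1", "192.0.20.0/24")
    for node, addr in plan.items():
        print(f"controller {node}: {addr}")
    print("\n".join(cmds))
```

Reviewing the rendered plan before entering the commands catches a range that would run past the end of the subnet or assign the gateway's address to a node.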