Configuring Management Interfaces

Configuring Out-of-Band Management Access

To configure out-of-band (OOB) management access for controllers, leaf switches, or spine switches, these steps must be performed:

  • Configure the OOB management IP address and gateway on the management interface

  • Allow access from the necessary external subnets

  • Allow the necessary protocols on the management ports

Before you begin

The APIC out-of-band management connection link must be 1 Gbps.

Procedure

  Command or Action Purpose
Step 1

configure

Example:

apic1# configure

Enters configuration mode.

Step 2

{controller apic-number-or-range | switch node-id[-node-id-or-range]}

Example:

apic1(config)# controller 1-3

Specifies the controller or switch to be configured. You can enter a range of controllers or switches using dashes or commas.

Step 3

interface mgmt0

Example:

apic1(config-controller)# interface mgmt0

The mgmt0 interface provides out-of-band management, which enables you to manage the device by its IPv4 address.

Step 4

ip address addr/mask gateway addr

Example:

apic1(config-controller-if)# ip address-range 172.23.48.16/21 gateway 172.23.48.1

Configures the IP address and gateway for OOB management. If you specified more than one controller or switch, the command becomes ip address-range and IP addresses are assigned sequentially beginning with the address specified in this command.

Note 

The APIC management interface does not support an IPv6 address and cannot connect to an external IPv6 server through this interface.

Step 5

exit

Example:

apic1(config-controller-if)# exit

Step 6

exit

Example:

apic1(config-controller)# exit

Step 7

tenant mgmt

Example:

apic1(config)# tenant mgmt

System Management policies are configured under a special tenant called mgmt.

Step 8

external-l3 epg default oob-mgmt

Example:

apic1(config-tenant)# external-l3 epg default oob-mgmt

Enters the configuration mode of the out-of-band management EPG.

Step 9

match ip addr/mask

Example:

apic1(config-tenant-l3ext-epg)# match ip 192.0.20.0/24

Restricts access to the out-of-band management interface to the specified external management subnet. Repeat the command for each subnet that management stations connect from.

Step 10

exit

Example:

apic1(config-tenant-l3ext-epg)# exit

Step 11

access-list oob-default

Example:

apic1(config-tenant)# access-list oob-default

Configures the access list filter for the OOB default policy.

Step 12

match tcp dest 443

Example:

apic1(config-tenant-acl)# match tcp dest 443

Allows access on the management interface for HTTPS traffic (TCP/443).

Step 13

match tcp dest 22

Example:

apic1(config-tenant-acl)# match tcp dest 22

Allows access on the management interface for SSH traffic (TCP/22).

Examples

This example shows how to configure out-of-band management access for three APIC controllers. In this example, the three controllers are assigned sequential IP addresses, with controller 1 at 172.23.48.16/21, controller 2 at 172.23.48.17/21, and controller 3 at 172.23.48.18/21.


apic1# configure
apic1(config)# controller 1-3
apic1(config-controller)# interface mgmt0
apic1(config-controller-if)# ip address-range 172.23.48.16/21 gateway 172.23.48.1
apic1(config-controller-if)# exit
apic1(config-controller)# exit
apic1(config)# tenant mgmt
apic1(config-tenant)# external-l3 epg default oob-mgmt
apic1(config-tenant-l3ext-epg)# match ip 192.0.20.0/24
apic1(config-tenant-l3ext-epg)# exit
apic1(config-tenant)# access-list oob-default
apic1(config-tenant-acl)# match tcp dest 443
apic1(config-tenant-acl)# match tcp dest 22

This example shows how to configure out-of-band management access for a leaf or spine switch.


apic1# configure
apic1(config)# switch 101
apic1(config-switch)# interface mgmt0
apic1(config-switch-if)# ip address 172.23.48.101/21 gateway 172.23.48.1
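The two procedures above both rely on the sequential assignment that ip address-range performs when a range of controllers or switches is specified. The following is an added example, not part of the Cisco guide: a small Python model of that assignment that expands a node range in the dash-or-comma form the controller and switch commands accept, hands out addresses in order from the specified starting address, and rejects any address that leaves the subnet or collides with the gateway, network or broadcast address. The function names and those two checks are assumptions of this example; the guide itself only states that addresses are assigned sequentially from the specified address.

```python
import ipaddress
import re


def parse_node_range(spec):
    """Expand a node spec in the form the 'controller' and 'switch'
    commands accept ('1-3', '101,103-104') into a sorted list of
    distinct node ids."""
    nodes = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad node range element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range: {part!r}")
        nodes.update(range(lo, hi + 1))
    return sorted(nodes)


def allocate_mgmt_addresses(node_spec, first_addr_with_mask, gateway):
    """Model 'ip address-range A/M gateway G' for the nodes in node_spec:
    the i-th node in ascending order receives A + i. The subnet-boundary
    and reserved-address checks are this example's own additions, so a
    conflict surfaces before the range is entered on the APIC."""
    first = ipaddress.ip_interface(first_addr_with_mask)
    net = first.network
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    reserved = {net.network_address, net.broadcast_address, gw}
    assigned = {}
    for offset, node in enumerate(parse_node_range(node_spec)):
        addr = first.ip + offset
        if addr not in net:
            raise ValueError(f"node {node}: {addr} falls outside {net}")
        if addr in reserved:
            raise ValueError(f"node {node}: {addr} is reserved in {net}")
        assigned[node] = f"{addr}/{net.prefixlen}"
    return assigned


if __name__ == "__main__":
    # The guide's OOB example: controllers 1-3 starting at 172.23.48.16/21
    plan = allocate_mgmt_addresses("1-3", "172.23.48.16/21", "172.23.48.1")
    for node, addr in plan.items():
        print(f"controller {node}: {addr}")
```

Running the block reproduces the addresses the OOB example lists (controller 1 at 172.23.48.16/21 through controller 3 at 172.23.48.18/21); a starting address near the top of the /21 makes the broadcast-address check fire for the last node.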

Configuring Inband Management Access

Configuring Inband Management Access to a Switch from an Outside Network

To configure inband (IB) management access for leaf switches or spine switches, these steps must be performed:

  • Configure the inband management IP address and gateway on the inband management interface

  • Create or specify a VLAN domain for external inband connectivity

  • Add the external management station interface to the VLAN domain

  • Allow the necessary protocols on the management ports

Procedure

  Command or Action Purpose
Step 1

configure

Example:

apic1# configure

Enters configuration mode.

Step 2

switch switch-id-or-range

Example:

apic1(config)# switch 101

Specifies the switch to be configured. You can enter a range of switches using dashes or commas.

Step 3

interface inband-mgmt0

Example:

apic1(config-switch)# interface inband-mgmt0

The inband-mgmt0 interface provides inband management.

Step 4

ip address addr/mask gateway addr

Example:

apic1(config-switch-if)# ip address 10.13.1.1/24 gateway 10.13.1.254

Configures the IP address and gateway for inband management. If you specified more than one switch, the command becomes ip address-range and IP addresses are assigned sequentially beginning with the address specified in this command.

Step 5

exit

Example:

apic1(config-switch-if)# exit

Step 6

exit

Example:

apic1(config-switch)# exit

Examples

This example shows how to configure inband management for a switch from a management station on an external network.


apic1# configure
apic1(config)# switch 101
apic1(config-switch)# interface inband-mgmt0
apic1(config-switch-if)# ip address 10.13.1.1/24 gateway 10.13.1.254
apic1(config-switch-if)# exit
apic1(config-switch)# exit

What to do next

  • Configure inband (IB) management connectivity to the management station.

  • Allow the necessary protocols (HTTPS and SSH) on the inband management port.

Configuring Inband Management Access to a Controller from an Outside Network

To configure inband (IB) management access for controllers, these steps must be performed:

  • Configure the inband management IP address and gateway on the inband management interface

  • Create a VLAN domain for external inband connectivity

  • Allow the VLAN on the port connected to the controller

Procedure

  Command or Action Purpose
Step 1

configure

Example:

apic1# configure

Enters configuration mode.

Step 2

controller controller-id-or-range

Example:

apic1(config)# controller 1-3

Specifies the controller to be configured. You can enter a range of controllers using dashes or commas.

Step 3

interface inband-mgmt0

Example:

apic1(config-controller)# interface inband-mgmt0

The inband-mgmt0 interface provides inband management.

Step 4

ip address addr/mask gateway addr

Example:

apic1(config-controller-if)# ip address-range 10.13.1.1/24 gateway 10.13.1.254

Configures the IP address and gateway for inband management. If you specified more than one controller or switch, the command becomes ip address-range and IP addresses are assigned sequentially beginning with the address specified in this command.

Step 5

vlan vlan-id

Example:

apic1(config-controller-if)# vlan 10

Assigns a controller VLAN which is enabled on the port connected to the controller. For multiple controllers, all controllers must use the same VLAN.

Step 6

exit

Example:

apic1(config-controller-if)# exit

Step 7

exit

Example:

apic1(config-controller)# exit
Step 8

vlan-domain domain-name

Example:

apic1(config)# vlan-domain apic-inband

Creates and enters the configuration mode for the VLAN domain.

Step 9

vlan vlan-id

Example:

apic1(config-vlan)# vlan 10

Assigns the controller VLAN to the VLAN domain.

Step 10

exit

Example:

apic1(config-vlan)# exit

Returns to global configuration mode.

Step 11

leaf node-id

Example:

apic1(config)# leaf 102

Specifies the leaf switch to which the controller is connected.

Step 12

interface slot/port

Example:

apic1(config-leaf)# interface eth 1/1

Specifies the port to which the controller is connected.

Step 13

vlan-domain member apic-inband

Example:

apic1(config-leaf-if)# vlan-domain member apic-inband

Configures controller connectivity to inband management.

Step 14

exit

Example:

apic1(config-leaf-if)# exit

Step 15

exit

Example:

apic1(config-leaf)# exit

Examples

This example shows how to configure inband management for a controller from a management station on an external network. APIC controller 1 is connected to port Ethernet 1/1 on Leaf 101, and VLAN 10 is used for the controller's inband connectivity.


apic1# configure
apic1(config)# controller 1-3
apic1(config-controller)# interface inband-mgmt0
apic1(config-controller-if)# ip address-range 10.13.1.1/24 gateway 10.13.1.254
apic1(config-controller-if)# vlan 10
apic1(config-controller-if)# exit
apic1(config-controller)# exit

# CREATE A VLAN DOMAIN FOR THE APIC INBAND VLAN
apic1(config)# vlan-domain apic-inband
apic1(config-vlan)# vlan 10
apic1(config-vlan)# exit

# ALLOW THE VLAN ON THE PORT CONNECTED TO THE CONTROLLER
apic1(config)# leaf 101
apic1(config-leaf)# interface eth 1/1
apic1(config-leaf-if)# vlan-domain member apic-inband
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit

What to do next

  • Configure inband (IB) management connectivity to the management station.

  • Allow the necessary protocols (HTTPS and SSH) on the inband management port.

Configuring Inband Management Connectivity to the Management Station

To configure inband (IB) management connectivity to the management station, these steps must be performed:

  • Create or specify a VLAN domain for external inband connectivity

  • Add the external management station interface to the VLAN domain

Procedure

  Command or Action Purpose
Step 1

configure

Example:

apic1# configure

Enters configuration mode.

Step 2

vlan-domain domain-name

Example:

apic1(config)# vlan-domain external-inband

Creates and enters the configuration mode for the VLAN domain.

Step 3

vlan vlan-id

Example:

apic1(config-vlan)# vlan 11

Assigns a VLAN to the domain.

Step 4

exit

Example:

apic1(config-vlan)# exit

Returns to global configuration mode.

Step 5

leaf node-id

Example:

apic1(config)# leaf 102

Specifies the leaf switch to which the management station is connected.

Step 6

interface slot/port

Example:

apic1(config-leaf)# interface eth 1/2

Specifies the port to which the management station is connected.

Step 7

vlan-domain member external-inband

Example:

apic1(config-leaf-if)# vlan-domain member external-inband

Configures external Layer 2 connectivity to inband management.

Step 8

switchport trunk allowed vlan vlan-id inband-mgmt gateway-ip/mask

Example:

apic1(config-leaf-if)# switchport trunk allowed vlan 11 inband-mgmt 179.10.1.254/24

Configures external Layer 2 connectivity to inband management. The specified IP address is the gateway address used by the external management station; the gateway function is provided by the ACI fabric.

Step 9

exit

Example:

apic1(config-leaf-if)# exit

Step 10

exit

Example:

apic1(config-leaf)# exit

Examples

This example shows how to configure inband management connectivity to the management station.


# CREATE A VLAN DOMAIN FOR EXTERNAL CONNECTIVITY TO INBAND MANAGEMENT
apic1# configure
apic1(config)# vlan-domain external-inband
apic1(config-vlan)# vlan 11
apic1(config-vlan)# exit

# CONFIGURE LAYER 2 CONNECTIVITY FROM THE MANAGEMENT STATION INTERFACE TO INBAND MANAGEMENT
apic1(config)# leaf 102
apic1(config-leaf)# interface eth 1/2
apic1(config-leaf-if)# vlan-domain member external-inband
apic1(config-leaf-if)# switchport trunk allowed vlan 11 inband-mgmt 179.10.1.254/24
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit
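The controller procedure requires that all controllers use the same inband VLAN and that the VLAN is carried by a vlan-domain bound to the leaf port the controller connects to; the management-station procedure requires that the VLAN allowed on the station's trunk port belongs to a member vlan-domain of that port. The following is an added example, not part of the Cisco guide: a Python checker that reads an APIC CLI transcript like the two above (the controller inband example and the management-station example, here joined into one constructed transcript with the controller on leaf 101 and the station on leaf 102) and reports violations of those constraints. The prompt in parentheses tells the parser which mode each command was entered in, so it does not need to track exit. The function names, the fact model and the finding messages are this example's own assumptions.

```python
import re

# Prompt shape used by the guide's transcripts: 'apic1(config-leaf-if)# command'
PROMPT_RE = re.compile(r"^[^\s(]+\((?P<mode>[^)]*)\)#\s*(?P<cmd>.*)$")

# Constructed transcript: the guide's controller-inband and management-station
# examples joined end to end (controller on leaf 101, station on leaf 102).
SAMPLE_TRANSCRIPT = """\
apic1# configure
apic1(config)# controller 1-3
apic1(config-controller)# interface inband-mgmt0
apic1(config-controller-if)# ip address-range 10.13.1.1/24 gateway 10.13.1.254
apic1(config-controller-if)# vlan 10
apic1(config-controller-if)# exit
apic1(config-controller)# exit
apic1(config)# vlan-domain apic-inband
apic1(config-vlan)# vlan 10
apic1(config-vlan)# exit
apic1(config)# leaf 101
apic1(config-leaf)# interface eth 1/1
apic1(config-leaf-if)# vlan-domain member apic-inband
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit
apic1(config)# vlan-domain external-inband
apic1(config-vlan)# vlan 11
apic1(config-vlan)# exit
apic1(config)# leaf 102
apic1(config-leaf)# interface eth 1/2
apic1(config-leaf-if)# vlan-domain member external-inband
apic1(config-leaf-if)# switchport trunk allowed vlan 11 inband-mgmt 179.10.1.254/24
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit
"""


def expand_range(spec):
    """'1-3' -> [1, 2, 3]; '2' -> [2]. Dash form only, enough for this checker."""
    lo, _, hi = spec.partition("-")
    return list(range(int(lo), int(hi or lo) + 1))


def parse_transcript(text):
    """Collect the facts the checks need; the prompt supplies the mode."""
    facts = {
        "controller_vlan": {},  # controller id -> VLAN from 'vlan N' under inband-mgmt0
        "domain_vlans": {},     # vlan-domain name -> set of VLAN ids
        "port_domains": {},     # (leaf, port) -> set of member vlan-domain names
        "port_trunk": {},       # (leaf, port) -> (allowed VLAN, inband-mgmt gateway)
    }
    controllers, domain, leaf, port = [], None, None, None
    for line in text.splitlines():
        m = PROMPT_RE.match(line.strip())
        if not m or not m.group("cmd").strip():
            continue  # 'apic1#' lines, comments and blanks carry no mode
        mode, cmd = m.group("mode"), m.group("cmd").split()
        if mode == "config":
            if cmd[0] == "controller":
                controllers = expand_range(cmd[1])
            elif cmd[0] == "vlan-domain":
                domain = cmd[1]
                facts["domain_vlans"].setdefault(domain, set())
            elif cmd[0] == "leaf":
                leaf = int(cmd[1])
        elif mode == "config-controller-if" and cmd[0] == "vlan":
            for c in controllers:
                facts["controller_vlan"][c] = int(cmd[1])
        elif mode == "config-vlan" and cmd[0] == "vlan":
            facts["domain_vlans"].setdefault(domain, set()).add(int(cmd[1]))
        elif mode == "config-leaf" and cmd[0] == "interface":
            port = " ".join(cmd[1:])
        elif mode == "config-leaf-if":
            if cmd[:2] == ["vlan-domain", "member"]:
                facts["port_domains"].setdefault((leaf, port), set()).add(cmd[2])
            elif cmd[:4] == ["switchport", "trunk", "allowed", "vlan"]:
                facts["port_trunk"][(leaf, port)] = (int(cmd[4]), cmd[6])
    return facts


def check_inband(facts):
    """Return findings; an empty list means the transcript is self-consistent."""
    findings = []
    vlans = set(facts["controller_vlan"].values())
    if len(vlans) > 1:
        findings.append(f"controllers disagree on the inband VLAN: {sorted(vlans)}")
    bound = set().union(*facts["port_domains"].values())
    for c, v in sorted(facts["controller_vlan"].items()):
        domains = {d for d, vs in facts["domain_vlans"].items() if v in vs}
        if not domains:
            findings.append(f"controller {c}: VLAN {v} belongs to no vlan-domain")
        elif not domains & bound:
            findings.append(f"controller {c}: VLAN {v} domain is not a member on any leaf port")
    for (leaf, port), (vlan, gw) in facts["port_trunk"].items():
        members = facts["port_domains"].get((leaf, port), set())
        if not any(vlan in facts["domain_vlans"].get(d, set()) for d in members):
            findings.append(f"leaf {leaf} {port}: trunk VLAN {vlan} (gateway {gw}) is in no member vlan-domain")
    return findings


if __name__ == "__main__":
    print(check_inband(parse_transcript(SAMPLE_TRANSCRIPT)) or "consistent")
```

Changing the vlan-domain's VLAN to 12 while the controllers keep VLAN 10 produces one finding per controller; changing the trunk's allowed VLAN on leaf 102 produces a finding for that port.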

What to do next

  • Allow the necessary protocols (HTTPS and SSH) on the inband management port.

Configuring Inband Management Contract to Open HTTPS/SSH Ports

Procedure

  Command or Action Purpose
Step 1

configure

Example:

apic1# configure

Enters configuration mode.

Step 2

tenant mgmt

Example:

apic1(config)# tenant mgmt

System Management policies are configured under a special tenant called mgmt.

Step 3

access-list inband-default

Example:

apic1(config-tenant)# access-list inband-default

Configures the access list filter for the inband default policy.

Step 4

match tcp dest 443

Example:

apic1(config-tenant-acl)# match tcp dest 443

Allows access on the management interface for HTTPS traffic (TCP/443).

Step 5

match tcp dest 22

Example:

apic1(config-tenant-acl)# match tcp dest 22

Allows access on the management interface for SSH traffic (TCP/22).

Examples

This example shows how to allow HTTPS and SSH access to the inband management port.


apic1# configure
apic1(config)# tenant mgmt
apic1(config-tenant)# access-list inband-default
apic1(config-tenant-acl)# match tcp dest 443
apic1(config-tenant-acl)# match tcp dest 22
apic1(config-tenant-acl)# exit
apic1(config-tenant)# exit
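The oob-default access list (with the subnets matched on the oob-mgmt external EPG) and the inband-default access list above together define who may reach the management interfaces and on which TCP ports. The following is an added example, not part of the Cisco guide: a Python model that builds one policy per access list from a tenant mgmt transcript (a constructed copy of the guide's OOB and inband examples), answers whether a given source address and destination port would be admitted, and flags settings a reviewer would question, such as a very broad match ip subnet or a port beyond HTTPS and SSH. The pairing of the oob-mgmt EPG subnets with oob-default, the treatment of an OOB list with no match ip as admitting nobody, the /16 lint threshold and all function names are assumptions of this example, not ACI behaviour the guide states.

```python
import ipaddress
import re

# Prompt shape used by the guide's transcripts: 'apic1(config-tenant-acl)# command'
PROMPT_RE = re.compile(r"^[^\s(]+\((?P<mode>[^)]*)\)#\s*(?P<cmd>.*)$")

# Constructed transcript: the guide's oob-default and inband-default examples
# under 'tenant mgmt', joined end to end.
SAMPLE_TRANSCRIPT = """\
apic1# configure
apic1(config)# tenant mgmt
apic1(config-tenant)# external-l3 epg default oob-mgmt
apic1(config-tenant-l3ext-epg)# match ip 192.0.20.0/24
apic1(config-tenant-l3ext-epg)# exit
apic1(config-tenant)# access-list oob-default
apic1(config-tenant-acl)# match tcp dest 443
apic1(config-tenant-acl)# match tcp dest 22
apic1(config-tenant-acl)# exit
apic1(config-tenant)# access-list inband-default
apic1(config-tenant-acl)# match tcp dest 443
apic1(config-tenant-acl)# match tcp dest 22
apic1(config-tenant-acl)# exit
apic1(config-tenant)# exit
"""


class MgmtAccessPolicy:
    """Source subnets admitted by 'match ip' on the external EPG plus TCP
    destination ports admitted by 'match tcp dest' on the access list.
    subnets=None models a list with no subnet filter (inband-default)."""

    def __init__(self, name, subnets=None, tcp_ports=()):
        self.name = name
        self.subnet_filtered = subnets is not None
        self.subnets = [ipaddress.ip_network(s) for s in (subnets or [])]
        self.tcp_ports = set(tcp_ports)

    def permits(self, src_ip, dst_port):
        """Would a TCP connection from src_ip to dst_port be admitted?"""
        src = ipaddress.ip_address(src_ip)
        if self.subnet_filtered and not any(src in n for n in self.subnets):
            return False
        return dst_port in self.tcp_ports

    def lint(self, min_prefixlen=16):
        """Flag settings a reviewer would question. min_prefixlen is an
        assumed review threshold of this example, not an ACI limit."""
        findings = []
        if self.subnet_filtered and not self.subnets:
            findings.append("no 'match ip' subnet: no station can reach management")
        for n in self.subnets:
            if n.prefixlen < min_prefixlen:
                findings.append(f"subnet {n} is broader than /{min_prefixlen}")
        for p in sorted(self.tcp_ports - {22, 443}):
            findings.append(f"TCP port {p} opened beyond HTTPS/SSH")
        return findings


def policies_from_transcript(text):
    """Build one MgmtAccessPolicy per access-list in the transcript.
    Assumption: the oob-mgmt EPG subnets filter oob-default (the pairing
    the OOB procedure sets up) and inband-default has no subnet filter."""
    epg_subnets, acl_ports = {}, {}
    epg = acl = None
    for line in text.splitlines():
        m = PROMPT_RE.match(line.strip())
        if not m or not m.group("cmd").strip():
            continue
        mode, cmd = m.group("mode"), m.group("cmd").split()
        if mode == "config-tenant" and cmd[:2] == ["external-l3", "epg"]:
            epg = cmd[3]  # 'external-l3 epg default oob-mgmt' -> 'oob-mgmt'
            epg_subnets.setdefault(epg, [])
        elif mode == "config-tenant" and cmd[0] == "access-list":
            acl = cmd[1]
            acl_ports.setdefault(acl, set())
        elif mode == "config-tenant-l3ext-epg" and cmd[:2] == ["match", "ip"]:
            epg_subnets[epg].append(cmd[2])
        elif mode == "config-tenant-acl" and cmd[:3] == ["match", "tcp", "dest"]:
            acl_ports[acl].add(int(cmd[3]))
    return {
        name: MgmtAccessPolicy(
            name, epg_subnets.get("oob-mgmt", []) if name == "oob-default" else None, ports)
        for name, ports in acl_ports.items()
    }


if __name__ == "__main__":
    for name, policy in policies_from_transcript(SAMPLE_TRANSCRIPT).items():
        print(name, "443 from 192.0.20.7:", policy.permits("192.0.20.7", 443),
              "lint:", policy.lint() or "clean")
```

With the guide's configuration, a station in 192.0.20.0/24 reaches OOB management on 443 and 22 and nothing else, a station outside that subnet reaches it on no port, and the inband list admits any source on 443 and 22; the lint only speaks up when a policy is widened beyond what the guide configures.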