[c-nsp] VRF-aware management

Church, Chuck cchurch at multimax.com
Wed Jan 17 13:37:15 EST 2007

>-----Original Message-----
>From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com] 
>Sent: Wednesday, January 17, 2007 1:13 PM
>To: Church, Chuck; nsp
>Subject: RE: [c-nsp] VRF-aware management

>Well, just putting the source-interface into the vrf and referencing
>this in the application at hand only works for tftp, for snmp, syslog
>and tacacs you have to configure the vrf in the application itself, i.e.
>
>logging x.x.x.x vrf mgmt
>snmp-server host x.x.x.x vrf mgmt community
>aaa group server tacacs+ MGMT
> vrf mgmt
>ntp server vrf mgmt x.x.x.x

We're currently using 12.2(18)SX6 on our Sup720s.  From what the CLI is
telling me, specifying a VRF isn't allowed for syslog.  It is for the
traps like you mentioned.  The aaa group command doesn't support vrf.
The ntp server command did though.  So specifying which interface syslog
or TACACS packets should leave won't guarantee they use that interface,
and hence use the VRF routing table that's associated with that
interface?  Would SNMP responses to 'gets' act the same way? 


>I don't think we have vrf-awareness for ssh/scp client.. Unless the CLI
>has a /vrf keyword or similar (i.e. like telnet), I fear you're out of
>luck.

We only intend on using SSH as a server, for remote management of this
Sup720.  Not looking for client support.  We are looking for client
functionality of SCP though.

>I guess doing the opposite (i.e. putting all customers into a vrf and
>just keeping the global table for management and control plane) is not a
>feasible option? :-} Or is this not an MPLS network and you're doing OOB
>management by putting some OOB mgmt interface into the vrf?

>	oli

It's an option, but we've tried to standardize our configurations on
this kind of device across the board.  Putting all the customer stuff
(involving ACLs, PBR, NAT, etc) into a VRF would be a huge undertaking,
and probably confuse our support staff in a really bad way.  You're
correct, this is not an MPLS network.  We'd like to put the mgmt
interface in a VRF to get around some duplicate addressing issues, which
aren't easy to fix on either the customer or the NMS side.

Thanks,

Chuck
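Added illustration, not from the thread: an IOS configuration fragment showing the per-application VRF binding Oliver describes, with the source-interface statements kept alongside for the applications that honour them. The VRF name, interfaces, addresses and the key placeholder are constructed, and the exact syntax (notably the logging and aaa group variants Chuck reports as absent on 12.2(18)SX6) depends on the IOS release.

```cisco
! Management VRF: each management-plane application is bound to it
! explicitly; a source-interface statement alone does not select the
! VRF routing table for syslog, SNMP or TACACS+ (constructed example).
ip vrf mgmt
 description OOB management (constructed example)
!
interface Loopback100
 ip vrf forwarding mgmt
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet1/1
 description OOB management port (constructed example)
 ip vrf forwarding mgmt
 ip address 10.255.1.1 255.255.255.0
!
ip route vrf mgmt 0.0.0.0 0.0.0.0 10.255.1.254
!
! Syslog: VRF keyword on the destination (release dependent)
logging source-interface Loopback100 vrf mgmt
logging host 10.255.2.10 vrf mgmt
!
! SNMP traps/informs: VRF keyword on the host entry
snmp-server trap-source Loopback100
snmp-server host 10.255.2.11 vrf mgmt version 2c TRAPCOMMUNITY
!
! NTP: VRF keyword on the server entry
ntp source Loopback100
ntp server vrf mgmt 10.255.2.12
!
! TACACS+: private server entries inside the group, bound to the VRF
aaa new-model
aaa group server tacacs+ MGMT
 server-private 10.255.2.13 key TACACS-KEY-PLACEHOLDER
 ip vrf forwarding mgmt
 ip tacacs source-interface Loopback100
aaa authentication login default group MGMT local
!
! TFTP: the source interface alone is enough here, as the thread notes
ip tftp source-interface Loopback100
!
! SSH/SCP server reachable from the VRF; vrf-also makes the
! access-class apply to sessions arriving via the VRF as well
ip ssh version 2
ip scp server enable
ip access-list standard MGMT-HOSTS
 permit 10.255.2.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
```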
