VOSS82 Segmented MGMT Stack

VOSS 8.2 introduces a segmented management interface that consists of three unambiguous IP interfaces - management OOB, management CLIP, and management VLAN. This addresses issues with asymmetric routing of management traffic that could occur prior to 8.2. Management traffic will now always use the same interface it was received on, eliminating communication failures. The management router VRF is obsolete.


VOSS 8.2 Segmented Mgmt Stack explained

Ludovico Stevens
Technical Marketing Engineering
February 2021
VOSS Management before 8.2

VOSS IP mgmt prior to 8.2 (still applies to VSP8600)

[Diagram: CPU (control plane / data plane) above three routing contexts: Mgmt Router vrf-512 with the OOB port (IP-oob); VRF vrf-X and GRT vrf-0, each with a Circuitless IP (IP-3), a Brouter port IP (IP-1 on 1/2 or 1/1) and a VLAN IP (IP-2 on VLAN 40/30/20/10)]

• Switch mgmt via
  • Out-of-band: OOB Ethernet port
  • Inband: Any IP address configured on default GRT (vrf-0)
• CPU selects OOB vs. Inband exclusively based on MgmtRouter and GRT routes
  • If OOB and GRT are IP routed together, can result in non-functional asymmetric routing
• Mgmt traffic initiated by switch over inband, selection of source IP ambiguous:
  • GRT IP interface corresponding to next-hop IP for destination non-ISIS route
  • GRT ISIS Source IP for ISIS route
• Need to configure fixed source IP to use/advertise for some protocols: RADIUS, SNMP, Syslog, LLDP, SONMP, etc.
• NOTE: No OOB port on XA1400, VSP4850, VSP4450
  • VSP4850 support up to VOSS7.1.x only

©EXTREME NETWORKS, INC. ALL RIGHTS RESERVED.
VOSS IP mgmt prior to 8.2 (still applies to VSP8600)

[Diagram: the same pre-8.2 topology, annotated with the config context that creates each IP interface]

OOB port (Mgmt Router vrf-512):

    interface mgmtEthernet mgmt
     ip address <ip>/<mask>
    exit
    router vrf MgmtRouter
     ip route <net> <mask> <nexthop> weight <val>
    exit

Circuitless IP (VRF vrf-X or GRT vrf-0):

    interface loopback <id>
     ip address <ip>/<mask>
    exit

Brouter port:

    interface gigabitEthernet <port>
     brouter vlan <vid> subnet <ip>/<mask>
    exit

VLAN IP:

    interface vlan <vid>
     ip address <ip>/<mask>
    exit
VOSS IP mgmt prior to 8.2 – DVR Leaf

[Diagram: CPU above Mgmt Router vrf-512 (OOB port, IP-oob), VRF vrf-X with DVR-4 VLAN 40 and DVR-3 VLAN 30, and GRT vrf-0 with a Circuitless IP, DVR-2 VLAN 20 and DVR-1 VLAN 10]

• A DVR Leaf does not actually have a full IP stack for the DVR interfaces
  • The GRT DVR interfaces cannot be used for mgmt
• Instead, a Circuitless IP was created in GRT, but using a new command as the traditional “interface loopback <n>” config context is not available on a DVR Leaf node

DVR Leaf only:

    router isis
     inband-mgmt-ip <ip>
    exit
Pre-8.2 mgmt asymmetrical routing problems

[Diagram: OOB segment and Mgmt segment separated by a Firewall, both reachable via an External IP router]

• A mgmt initiated packet (e.g. SNMP Request, or SSH TCP Syn) destined for a VSP inband GRT IP address
• Prior to 8.2, VSP might send response (SNMP Response, or SSH TCP SynAck) via OOB port, if the OOB has a valid IP route
• Communication will fail, for SNMP, SSH, Telnet; but ICMP ping works, so very confusing!
• Recommendation pre-8.2: keep OOB network separate; do not configure a default route in MgmtRouter VRF


VOSS Management from 8.2 onwards

VOSS IP mgmt 8.2 with Segmented Mgmt Interface

[Diagram: CPU with the Segmented Mgmt Interface (mgmt oob IP, mgmt clip IP, mgmt vlan IP) above the Mgmt Router vrf-512 (OOB port), VRF vrf-X and GRT vrf-0 contexts with their Circuitless IP, Brouter and VLAN IPs]

• Switch mgmt via 3 unambiguous IP interfaces:
  • mgmt oob
  • mgmt clip
  • mgmt vlan
• mgmt clip can be assigned to any VRF/GRT
• mgmt vlan can be assigned to any VLAN
• When switch responds to mgmt request, response will now always use same mgmt interface request arrived on
  • No more problems with asymmetrical mgmt routing
• No need to configure source IP for mgmt protocols
  • For which mgmt IP LLDP and SONMP should advertise, any of the 3 mgmt interfaces can be selected
• MgmtRouter vrf-512 becomes obsolete
  • CLI show commands & SNMP MIB are maintained and will now show Segmented Mgmt IPs for it
• NOTE: No OOB port on XA1400, VSP4450
VOSS IP mgmt 8.2 with Segmented Mgmt Interface

mgmt oob:

    mgmt oob
     ip address <ip>/<mask>
     enable
     ip route <net>/<mask> next-hop <nhop> [weight <val>]
     [force-topology-ip]
    exit

mgmt clip:

    mgmt clip [vrf <name>]
     ip address <ip>/32
     enable
     [force-topology-ip]
    exit

mgmt vlan:

    mgmt vlan <vid>
     ip address <ip>/<mask>
     enable
     ip route <net>/<mask> next-hop <nhop> [weight <val>]
     [force-topology-ip]
    exit

• IPv6 also supported (except on XA1400)
• force-topology-ip
  • Determines which mgmt IP used in LLDP advertisements
  • Will advertise both IPv4 and IPv6 if both configured
• Gotchas!
  • if switch booted without a config (ZTF defaults) mgmt vlan will already be created for vlan 4048
  • mgmt IPs must be “enabled”
  • configuring a mgmt IP does not automatically turn off mgmt dhcp-client; remember to turn that off:
    - no mgmt dhcp-client


Segmented Mgmt Interface - quick-config-mgmt

• quick-config-mgmt
  • Integrated interactive script to configure segmented mgmt IP interfaces
  • Useful if starting afresh with 8.2 or later

    VSP8000-1:1#% quick-config-mgmt
    Welcome to the management interface setup utility.
    You will be requested for information to initially configure the switch.
    When finished the information will be applied and stored as a part of the configuration.
    Once the basic parameters are configured, additional configuration can
    proceed using other management interfaces. Press q to abort at any time.
    Management interface types:
    1 - Out of band management port
    3 - In-band port-based VLAN
    Please enter management interface type or "q" to quit. [1]:

• IPv4 only is supported
• Can set up only one interface at a time
• Management CLIP is not supported


Segmented Mgmt Interface – DHCP Client

DHCP client on mgmt oob:

    mgmt oob
     enable
    exit
    mgmt dhcp-client oob

DHCP client on mgmt vlan:

    mgmt vlan <vid>
     enable
    exit
    mgmt dhcp-client vlan

New Zero-Touch Defaults (8.2):

    mgmt oob
     enable
    exit
    mgmt vlan 4048
     enable
    exit
    dhcp-client cycle

• New segmented mgmt interface comes with new DHCP Client
  • Only for mgmt vlan and mgmt oob
  • Create and enable the mgmt interface type then enable dhcp-client on it
• In practice this will only be used when the VSP boots up in the new 8.2 and 8.3 zero-touch factory defaults, which introduce the concepts of the onboarding Private-VLAN (4048) and ETREE I-SID (15999999) and where all VSP ports are enabled and members of PVLAN 4048
  • This new zero-touch “default” mode applies when the VSP is booted without any config file
  • NOTE: this does not apply to the old “boot config flag factorydefaults” which produces the original default config where all ports are disabled and members of VLAN 1
• dhcp-client cycle mode will alternatively try and obtain a DHCP IP on either the oob or vlan interfaces
VOSS IP mgmt 8.2 – no more asymmetrical routing

[Diagram: OOB segment and Mgmt segment separated by a Firewall, both reachable via an External IP router]

• Segmented mgmt interfaces use Linux VR contexts
• If a mgmt request is received on mgmt clip, the switch response will always use the same mgmt interface
• For switch initiated messages (RADIUS Requests, SNMP Traps, Syslog, etc.) per mgmt interface routes are inspected and valid route metrics applied
  • Default metric weights: clip = 100, vlan = 200, oob = 300
  • Static routes can be configured for mgmt vlan & mgmt oob (and different weight configured)
  • For mgmt clip, the IP routes of the associated VRF/GRT apply (always with weighting 100)
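To make the selection rules on this slide concrete, here is a small Python model added for this write-up (not VOSS code and not from the original deck): one route table per mgmt interface, longest-prefix match within each table, lowest weight winning for switch-initiated traffic, and replies pinned to the ingress interface. The routes in demo() are constructed sample values, and legacy_reply_interface() is a simplified stand-in for the pre-8.2 behaviour described on the earlier slide.

```python
import ipaddress
from dataclasses import dataclass, field

# Default route weights stated on the slide: mgmt clip = 100, mgmt vlan = 200, mgmt oob = 300.
DEFAULT_WEIGHT = {"clip": 100, "vlan": 200, "oob": 300}

@dataclass
class MgmtRoute:
    prefix: ipaddress.IPv4Network
    next_hop: str
    weight: int

@dataclass
class SegmentedMgmt:
    """Toy model (not VOSS code): one route table per segmented mgmt interface."""
    routes: dict = field(default_factory=lambda: {"clip": [], "vlan": [], "oob": []})

    def add_route(self, iface, prefix, next_hop, weight=None):
        # mgmt vlan / mgmt oob take static routes with an optional weight; mgmt clip
        # inherits the routes of its VRF/GRT and is always weighted 100.
        if iface == "clip" and weight is not None:
            raise ValueError("mgmt clip routes come from the VRF/GRT and always weigh 100")
        w = DEFAULT_WEIGHT[iface] if weight is None else weight
        self.routes[iface].append(MgmtRoute(ipaddress.ip_network(prefix), next_hop, w))

    def lookup(self, iface, dst):
        """Longest-prefix match inside a single mgmt interface's own table."""
        dst = ipaddress.ip_address(dst)
        hits = [r for r in self.routes[iface] if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def reply_interface(self, ingress_iface):
        # 8.2 rule: the response leaves on the interface the request arrived on, so
        # reply traffic can never be asymmetric regardless of the other tables.
        return ingress_iface

    def legacy_reply_interface(self, requester):
        # Simplified pre-8.2 behaviour: OOB vs. inband chosen from the MgmtRouter/GRT
        # routes alone, so any valid OOB route can pull the reply onto the OOB port.
        if self.lookup("oob", requester) is not None:
            return "oob"
        return "inband" if self.lookup("clip", requester) or self.lookup("vlan", requester) else None

    def initiated_interface(self, dst):
        """Switch-initiated traffic (RADIUS, SNMP trap, syslog): lowest weight wins."""
        best = None
        for iface in self.routes:
            r = self.lookup(iface, dst)
            if r is not None and (best is None or r.weight < best[1].weight):
                best = (iface, r)
        return best[0] if best else None

def demo():
    # Constructed sample (not from the slides): defaults on oob and vlan, a GRT route
    # behind mgmt clip, and a more specific oob route weighted 150 for one server subnet.
    m = SegmentedMgmt()
    m.add_route("oob", "0.0.0.0/0", "10.0.0.1")            # mgmt oob default, weight 300
    m.add_route("vlan", "0.0.0.0/0", "10.1.1.1")           # mgmt vlan default, weight 200
    m.add_route("clip", "192.168.0.0/16", "10.2.2.2")      # VRF/GRT route, weight 100
    m.add_route("oob", "10.9.9.0/24", "10.0.0.1", weight=150)  # prefer oob for this subnet
    return m
```

With these routes a trap to 192.168.5.5 leaves via mgmt clip, one to 8.8.8.8 via mgmt vlan (200 beats 300), and one to 10.9.9.9 via mgmt oob (150 beats 200); the pre-8.2 model shows the OOB default route hijacking an inband reply.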
Segmented Mgmt Interface: L3 BEB / L3 Router

[Diagram: Segmented Mgmt Interface (mgmt oob IP, mgmt clip IP, mgmt vlan IP) above the VRF vrf-X and GRT vrf-0 contexts, each with Circuitless IP, Brouter and VLAN IPs]

• If the VSP is a L3 BEB (or a non-Fabric IP router), inband management must use mgmt clip
  • The mgmt vlan interface “should” not be used
• The mgmt clip interface can be associated with the GRT (as before) but can now also be easily associated with any VRF
  • If IP Shortcuts or L3VSN is enabled on the GRT/VRF, the mgmt clip will automatically be redistributed even if redistribution of directs is not enabled
• Note that management via a GRT Circuitless IP was already best practice pre-8.2 for L3 BEBs
• The mgmt oob interface can also be used
Segmented Mgmt Interface: L2 BEB / L2 Switch

[Diagram: Segmented Mgmt Interface (mgmt oob IP, mgmt clip IP, mgmt vlan IP) above GRT vrf-0 holding only VLANs 10, 20, 30 and 40 with no IP addresses]

• If the VSP is a L2 BEB (or non-Fabric L2 switch), inband management must use mgmt vlan
• The mgmt clip cannot be used
  • There are no IP addresses configured on the GRT
  • There are no VRFs
• The mgmt vlan interface can be associated with any platform VLAN already created on the switch
• The mgmt oob interface can also be used
Segmented Mgmt Interface: DVR Leaf, GRT mgmt

[Diagram: Segmented Mgmt Interface (mgmt oob IP, mgmt clip IP, mgmt vlan IP) above GRT vrf-0 with DVR-1 VLAN 10, DVR-2 VLAN 20, DVR-3 VLAN 30 and DVR-4 VLAN 40 (L3 I-SID)]

• A DVR Leaf is a special case as it is a L3 BEB in the data plane but a L2 BEB from a configuration management perspective
• If mgmt will be done over the GRT then mgmt clip can be used
  • This will be equivalent to the pre-8.2 inband-mgmt-ip
• However, on a DVR Leaf, the mgmt clip can only be associated with GRT
  • As a DVR Leaf does not have any locally configured VRFs
• The mgmt oob interface can also be used


Segmented Mgmt Interface: DVR Leaf, VRF mgmt

[Diagram: Segmented Mgmt Interface (mgmt oob IP, mgmt clip IP, mgmt vlan IP) above GRT vrf-0 with DVR-1 VLAN 10, DVR-2 VLAN 20, DVR-3 VLAN 30 and a non-DVR VLAN 40 (L3 I-SID) carrying the mgmt vlan]

• A DVR Leaf is a special case as it is a L3 BEB in the data plane but a L2 BEB from a configuration management perspective
• If mgmt will be done over a VRF then mgmt vlan should be used
  • Once mgmt vlan created, creation of a platform VLAN using the same vid will be allowed
  • An I-SID will need to be configured on the platform VLAN
  • The DVR Controllers should have an IP VRRP interface for this same I-SID associated with the VRF used for management
    - Do not configure DVR on this VLAN!
  • Local DVR interfaces on the same mgmt VRF will not be IP routed directly to the mgmt vlan but will be able to reach it via the DVR Controller
• The same approach using mgmt vlan could also be used for GRT management
• The mgmt oob interface can also be used


Segmented Mgmt Interface: L3 BEB special cases

[Diagram: Segmented Mgmt Interface (mgmt oob IP, mgmt clip IP, mgmt vlan IP) above the VRF vrf-X and GRT vrf-0 contexts, each with Circuitless IP, Brouter and VLAN IPs]

• In some cases, it might be necessary to configure mgmt vlan even on a L3 BEB:
  • XA1400 or VSP running Fabric Extend over a dedicated VRF and it is desired to reach the switch on that VRF from the Internet (e.g., Cloud-IQ) or from WAN underlay
  • VSP7400 or VSP4900 with FIGW VM and it is desired to SSH/FTP the VM from the VSP host switch
• In both the above cases a mgmt clip also exists for normal inband mgmt
• If a mgmt vlan is created on a VLAN which already has an IP address in the GRT/VRF, then the mgmt vlan IP must be made the same as that IP address
• All three mgmt interfaces can be used in this example
Segmented Mgmt Interface: L3 BEB mistake to avoid!

[Diagram: Segmented Mgmt Interface (mgmt oob IP, mgmt clip IP, mgmt vlan IP) above the VRF vrf-X and GRT vrf-0 contexts, each with Circuitless IP, Brouter and VLAN IPs]

• For a L3 VSP (BEB or non-Fabric), management via a GRT Circuitless IP was already best practice pre-8.2 for L3 BEBs
• However, some customers may not have followed that best practice, and used a GRT VLAN IP for managing all of their L3 BEBs and L2 BEBs alike
  • This did work pre-8.2
• However, this approach will NOT work properly on a L3 BEB with the new Segmented Mgmt interface
  • The mgmt vlan IP can only be reached if traffic destined to it enters the VSP switch on the same VLAN
  • If the traffic destined to it enters the switch on a different IP interface of the same GRT/VRF, then it will not get IP routed to the mgmt vlan IP destination


Segmented Mgmt Interface: L3 BEB mistake to avoid!

[Diagram: OOB segment and Mgmt segment separated by a Firewall, both reachable via an External IP router]

• In this example, the VSP mgmt vlan IP cannot be reached because the mgmt packet entered the switch on a different IP interface
• This is true even if a routing VLAN IP is already also configured on the underlying platform VLAN and IP routing is possible between both IP interfaces
• This is a mistake. As the VSP is clearly a L3 router, mgmt clip must be used
Migration to 8.2

Migration of L3 BEB / L3 Router

Before the upgrade:

    interface loopback <id>
     migrate-to-mgmt
    exit

• “migrate-to-mgmt” command is available since VOSS 7.1.3, 8.0.1 and 8.1.0
• save config and upgrade

After the upgrade to 8.2:

• NOTE, after the upgrade the GRT CLIP will have gone
• If an ISIS Source IP was in use, re-create a new GRT CLIP (using a different IP address) and assign that as the new ISIS Source IP
  • As of 8.2 an ISIS Source IP is not mandatory but is still recommended if using IP Shortcuts and will be required again by DVR-One-IP


Migration of L2 BEB / L2 Switch

Before the upgrade:

    interface vlan <vid>
     migrate-to-mgmt
    exit

• “migrate-to-mgmt” command is available since VOSS 7.1.3, 8.0.1 and 8.1.0
• save config and upgrade

After the upgrade to 8.2:

• NOTE, after the upgrade the GRT VLAN IP will have gone
• If the VSP has more than 1 IP address on more than 1 VLAN before the upgrade, then think twice; the VSP is probably a L3 BEB and should be managed via a CLIP instead!
Migration of DVR Leaf

Before the upgrade:

• simply upgrade

After the upgrade to 8.2:

• The DVR inband-mgmt-ip CLIP automatically becomes the new segmented mgmt clip
• The ISIS inband-mgmt-ip command becomes obsolete in 8.2


Upgrade paths to VOSS 8.2+

Table columns: Switch to be migrated | Pre-migration (7.1.3+) steps | Upgrade to 8.2+ | Post-migration steps

• OOB managed Switches
  • Pre-migration: (Optionally add management CLIP and management VLAN IP)
  • Upgrade: Access through OOB
  • Post-migration: Commit software
• DVR Leafs
  • Pre-migration: none
  • Upgrade: Access through inband-mgmt-ip address
  • Post-migration: Commit software
• SPB Switches that are inband IP-SC managed
  • Pre-migration: Execute ‘migrate-to-mgmt’ under existing IP CLIP interface context for SPB IP-SC IP interface (optionally add ‘mgmt OOB’ and ‘mgmt VLAN’ IP)
  • Upgrade: Access through selected mgmt CLIP address and change isis ip-source-address to different non-mgmt IP address
  • Post-migration: Commit software
• L3 Switches that are CLIP managed
  • Pre-migration: Select one CLIP address and execute ‘migrate-to-mgmt’ on CLIP or define NEW ‘mgmt CLIP’ interface (optionally add ‘mgmt OOB’ and ‘mgmt VLAN’ IP)
  • Upgrade: Access through selected mgmt CLIP address
  • Post-migration: Commit software
• L3 Switches that are inband VLAN IP managed
  • Pre-migration: Configure a CLIP mgmt interface and execute ‘migrate-to-mgmt’ under it (optionally add ‘mgmt OOB’)
  • Upgrade: Access through selected mgmt CLIP address
  • Post-migration: Commit software
• L2 Switches that are inband VLAN IP managed
  • Pre-migration: Select existing bridged mgmt VLAN host IP and execute ‘migrate-to-mgmt’ under existing IP interface context or define NEW ‘mgmt VLAN’ IP interface (optionally add ‘mgmt OOB’)
  • Upgrade: Access through VLAN host IP
  • Post-migration: Commit software
• XA Platform
  • Pre-migration: On selected bridged VLAN or CLIP execute ‘migrate-to-mgmt’ under existing IP interface context OR configure new mgmt VLAN or CLIP interfaces in VOSS 8.1.1 or later releases (excl. 8.1.50)
  • Upgrade: Access through selected CLIP or VLAN host IP
  • Post-migration: Commit software


VOSS 8.2+ upgrade – what if?

Table columns: Switch to be migrated | Pre-migration (7.1.3+) | Upgrade to 8.2+ | Post-migration

• OOB managed Switches
  • Pre-migration: If desired: add management CLIP and management VLAN IP
• DVR Leafs
  • Upgrade: Access through inband-mgmt-ip address
• SPB Switches that are inband IP-SC managed
  • Pre-migration: No migrate-to-mgmt executed
  • Upgrade: switch only reachable through OOB (if available) but not reachable anymore through IP-SC clip and will reboot back to 7.1.3+ release if no commit software executed
• L3 Switches that are CLIP managed
  • Pre-migration: No migrate-to-mgmt executed
  • Upgrade: switch only reachable through OOB (if available) but not reachable anymore through clip and will reboot back to 7.1.3+ release if no commit software executed
• L2/L3 Switches that are inband VLAN IP managed
  • Pre-migration: No migrate-to-mgmt executed
  • Upgrade: switch only reachable through OOB (if available) but not reachable anymore through VLAN IP or clip and will reboot back to 7.1.3+ release if no commit software executed
• XA Platform
  • Pre-migration: No migrate-to-mgmt executed
  • Upgrade: not reachable anymore and will reboot back to 7.1.3+ release if no commit software executed


Ping/Traceroute changes with 8.2

[Diagram: Segmented Mgmt Interface (mgmt oob IP, mgmt clip IP, mgmt vlan IP) above the Mgmt Router, VRF vrf-X and GRT vrf-0 contexts, each labelled with the ping/traceroute context that reaches it]

Segmented mgmt context:

    ping <IP> mgmt
    traceroute <IP> mgmt

VRF context:

    ping <IP> vrf <name>
    traceroute <IP> vrf <name>

GRT context:

    ping <IP> [grt]
    traceroute <IP> [grt]

Setting the default context:

    VSP:1(config)#% show sys default-ping-context
    Default ping context grt
    VSP:1(config)#% sys default-ping-context ?
    grt   ping/traceroute context is grt
    mgmt  ping/traceroute context is mgmt
    vrf   ping/traceroute context is vrf
    VSP:1(config)#%

• When pinging from VSP, must remember to specify the “mgmt” context!
• If no context, GRT is assumed
• Default context can be set
