Original document with latest updates:
https://wiki.cnap.hv.se/en/practice/ccnp/labs/mgmt-port
¶ VRF and Mgmt-Port Lab
Understand the OOB-network below that uses SSH, and Ethernet-Console, in a VRF
BTW: Link to this page is: https://wiki.cnap.hv.se/CCNP-2_ENARSI (right-click and "Open in new window")
¶ Things to know
OOB: Assume that you have messed up really bad and everithing in you production network (a.k.a. skill) is down. Not a single IP address answers to ping. Then you need a separate network that does not depend on the production network; that is called a Out-Of-Band (OOB) Network.
Cisco Mgmt Port: To build a OOB-network most enterprice Cisco devices a separate port, just like the Console-Port, that is called the Mgmt-Port. This port is a Ethernet-port, not a serial-port, that is a completely different communication scheme. The separation from all other Cisco IOS configuration, i.e. your skill, is accomplished by putting it in a separate VRF
OOB Switch: to make the OOB-network resilient it is usually a single, separate, switch that connect all the Mgmt-ports of your devices to the Management PC (you)
¶ This is the ENCOR skill topology 2025 ( Maybe 
)
¶ Cabling
- Select a dedicated, separate, Layer-2 switch and call it OOB-switch
- Connect one ethernet-cable from each cisco device that has a Mgmt-port, to the OOB-switch
- Connect an ethernet-cable from the OOB-switch to your Management (Mgmt) PC
¶ Subnetting
- Select a subnet that is easy to remember, like 11.11.11.0/24
- In the future give Cisco device number 1 th IP-address 11.11.11.1/24, device nr2 IP-address 11.11.11.2
- Give the Mgmt-PC the IP-address 11.11.11.99/24 (assuming that you have less then 99 cisco-devices in your POD
- There is no default-gateway in the OOB-network (Figure out why!)
¶ Physical Topology
¶ Layer 2 Topology
Connect ETHERNET-cables to all Ethernet-Management ports of devices
¶ Configuration
- Use a serial connection and a light blue cable connected to the "Console" port if the cisco device
(This cable will later be removed, never to be used again) - Use "show running" to find out the name of Mgmnt-port, and what VRF it is in
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
- Configure Mgmt-port IP-address, and no shutdown
- Verify Link-LED lights on cisco device and OOB-switch
- Configure IP-Address on Mgmnt PC
- Ping from the Mgmt-PC to the cisco-device
- Sometimes it also works to ping from the cisco-device to Mgmt-PC:
ping vrf Mgmt-vrf 11.11.11.99 - Configure SSH
ip domain-name cnap.hv.se
crypto key generate rsa modulus 1024
ip ssh version 2
username cisco priv 15 secret Network!337
- Open a PUTTY SSH-window on the Mgmt-PC and connect to the cisco-device. Keep it open, don't close.
- In putty-SSH (not Putty-console) configure log messages to also go to your vty
line vty 0 15
monitor
You will get 15, out of 16, error messages but we do not care! As long as the 16'th monitor command works
11. Repeat for all other cisco-devices, until you have 6 windows of Putty, all connected to different cisco devices.
¶ Windows tricks
Use :window-key 🪟: + arrow-key to move windows, left, right or maximize
Use :Alt-key: + TAB-key to switch focus to next window
Use :Alt-key: + Shift + TAB-key to switch focus to previous window
¶ The End
Hope that you enjoyed this lab, and seen the benefits of having all CLI-windows on a single PC. Now it is really easy to compare routing-tables between devices (as well as copy-paste ) !
¶ Robert's Notes that can be handy...
random copy paste
REMEMBER Flagga-R NCPA.CPL för att komma till kontrollpanelenNätverk snabbast
----------------------
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
MLS-5(config)#do show vrf
Name Default RD Protocols Interfaces
Mgmt-vrf <not set> ipv4,ipv6 Gi0/0
MLS-5(config)#
MLS-5#show ip int bri gigabitEthernet 0/0
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 11.11.11.5 YES manual up up
MLS-5#
IBLAND ÄR DET LITE TRÖÖÖÖGT
C:\Users\cisco>ping 11.11.11.5
Pinging 11.11.11.5 with 32 bytes of data:
Reply from 11.11.11.99: Destination host unreachable.
Request timed out.
Reply from 11.11.11.5: bytes=32 time=1ms TTL=255
Reply from 11.11.11.5: bytes=32 time<1ms TTL=255
=========================================
MLS-5#show ip route
Gateway of last resort is not set
==============================================
MLS-5#show ip route vrf ?
WORD VPN Routing/Forwarding instance name
MLS-5#show ip route vrf Mgmt-vrf
Extended Host Mode is enabled
Routing Table: Mgmt-vrf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is not set
11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 11.11.11.0/24 is directly connected, GigabitEthernet0/0
L 11.11.11.5/32 is directly connected, GigabitEthernet0/0
MLS-5#
--------------
MLS-5(config)#line vty 0 15
MLS-5(config-line)#moni
MLS-5(config-line)#monitor
VTY must be active
VTY must be active
VTY must be active
VTY must be active
VTY must be active
VTY must be active
VTY must be active
VTY must be active
VTY must be active
VTY must be active
VTY must be active
VTY must be active
VTY must be active
VTY must be active
VTY must be active
MLS-5(config-line)#^Z
MLS-5#
*Jan 6 07:00:26.670: %SYS-5-CONFIG_I: Configured from console by console
MLS-5#
*Jan 6 07:00:26.670: %SYS-5-CONFIG_I: Configured from console by console
MLS-5#ping 11.11.11.99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.99, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
MLS-5#ping vrf M
MLS-5#ping vrf Mgmt-vrf 11.11.11.99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.99, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
MLS-5#
=================== ROUTER =============================
router1(config)#do show running | begin inter
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface Serial0/1/0
no ip address
shutdown
!
interface Serial0/1/1
no ip address
shutdown
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
-----------------
router1(config)#
router1(config)#interf gi 0
router1(config-if)#ip address 11.11.11.1 255.255.255.0
router1(config-if)#no shut
router1(config-if)#^Z
router1#
*Sep 2 09:31:45.430: %SYS-5-CONFIG_I: Configured from console by consoleping vrf M
router1#ping vrf
*Sep 2 09:31:54.040: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to upMgmt-intf
router1#ping vrf Mgmt-intf 11.11.11.99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.99, timeout is 2 seconds:
...!!
Success rate is 40 percent (2/5), round-trip min/avg/max = 1/1/2 ms
router1#