Cisco 3850 Mgmt VRF Configuration - NETSEC


Monday, November 20, 2017

Cisco 3850 Mgmt VRF Configuration

Ethernet Management Interface VRF

New Cisco routers and switches come with a dedicated Ethernet port whose sole purpose is to provide management access to the device via SSH or Telnet. This interface is isolated in its own VRF called "Mgmt-vrf". Placing the management Ethernet interface in its own VRF has the following effects on the Management Ethernet interface:
  1. Many features must be configured or used inside the VRF, so the CLI for certain Management Ethernet functions may differ from that on other routers.
  2. It prevents transit traffic from traversing the device. Because all of the SPA interfaces and the Management Ethernet interface are automatically in different VRFs, no transit traffic can enter the Management Ethernet interface and leave a SPA interface, or vice versa.
  3. It improves the security of the interface. Because the Mgmt-intf VRF has its own routing table as a result of being in its own VRF, routes can only be added to the routing table of the Management Ethernet interface if explicitly entered by a user.
  4. The Management Ethernet interface VRF supports both IPv4 and IPv6 address families.


This means the static default route does not interfere with routing in the global routing table or in any other configured VRF: management traffic stays isolated in its own VRF. The VRF membership of the Management Interface cannot be modified; you can only assign an IP address to it and a static default route to allow connectivity.

The purpose is to connect that interface to an isolated IP network that can guarantee "always on" access to the device only for management purposes.

However, it is not a must to use that interface for management. You can still configure your device to accept SSH and Telnet sessions on the Global Routing Table or any other VRF (in other words, coming from any other interface).


For the Cisco Catalyst 3850 switch, the Gigabit Ethernet Management interface is automatically part of its own VRF. This VRF, which is named "Mgmt-intf" in Cisco's documentation (it appears as "Mgmt-vrf" on the 3850 CLI below), is automatically configured and is dedicated to the Management Ethernet interface; no other interfaces can join this VRF. Therefore, this VRF does not participate in the MPLS VPN VRF or any other network-wide VRF. The Mgmt-intf VRF supports loopback interfaces.

Basic Configuration on Mgmt-vrf
Here is the basic Management Interface configuration:
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family

interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.9.2.15 255.255.255.0
 negotiation auto
!

Static Route

ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.9.2.26


Line VTY Access

Common configuration for VTY Lines

! wildcard 0.0.0.255 matches only the 10.9.2.0/24 management subnet;
! 0.255.255.255 would be stored by IOS as 10.0.0.0 0.255.255.255 and permit every 10.x.x.x source
access-list 101 permit ip 10.9.2.0 0.0.0.255 any log


line vty 0 4
 access-class 101 in 
 exec-timeout 4 30
 logging synchronous
 login authentication VTYAUTH
 transport input ssh
line vty 5 15
 access-class 101 in 
 exec-timeout 4 30
 logging synchronous
 login authentication VTYAUTH
 transport input ssh
!



Unfortunately, ping to 10.9.2.15 works fine but SSH does not: the switch refuses the connection.

SW-1#show vrf brief 
  Name                             Default RD            Protocols   Interfaces
  Mgmt-vrf                         <not set>             ipv4,ipv6   Gi0/0
SW-1#show ip rout
SW-1#show ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

SW-1#show ip route vrf Mgmt-vrf

Routing Table: Mgmt-vrf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 10.9.2.26 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.9.2.26
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.9.2.0/24 is directly connected, GigabitEthernet0/0
L        10.9.2.15/32 is directly connected, GigabitEthernet0/0
SW-1#show ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.
SW-1#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeYIx6ncI+YtYVVwrDPZxKc7wbzosd/4c3oGS6i3Sq
HJIStPO6Hn29l7FJERkkdZOVCHlfzbrFT0vy0RlC3BU6RncIEVXtFWDhicbmg9cVXevJSumRSSqzeROJ
ddU+1p5knstQlk2NENPMapacuYio2lf1uVC5AfJcamEESlQXXxPpZGuRSDIeKYb23M9PgsScUiTJRVmH
+4/v2ebZOZuE/MMUHR1cA012z5ZESCZqjtxOAo0l+XxAjb2M2IoXvnKiSqGh1P1XwQZoQXXz/2jcf67B
aXO+onaI7PutYjCUzVHyTmNtzUMxM1teQVpzXcfpSoXuL8pacnLjVZfql1hz                    
SW-1#



Solution: apply the access-class with the vrf-also keyword. Without it, the VTY lines only accept connections that arrive via the global routing table and reject those arriving through the Mgmt-vrf interface, which is exactly why ping succeeds while SSH is refused:

line vty 0 4
 access-class 101 in vrf-also
 exec-timeout 4 30
 logging synchronous
 login authentication VTYAUTH
 transport input ssh
line vty 5 15
 access-class 101 in vrf-also
 exec-timeout 4 30
 logging synchronous
 login authentication VTYAUTH
 transport input ssh
!


NTP 
ntp server vrf Mgmt-vrf 10.9.1.242
ntp server vrf Mgmt-vrf 10.9.6.5
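The VTY, ACL, static-route and NTP pitfalls above can be caught before a change window with a configuration audit. The Python script below is an added example (not Cisco tooling and not this post's own configuration): it parses a constructed running-config that mirrors the snippets on this page, flags access-class lines that lack vrf-also, flags ACL entries whose wildcard discards host bits (IOS stores 10.9.2.0 0.255.255.255 as 10.0.0.0 0.255.255.255, so every 10.x.x.x source is permitted), checks that each VRF that owns an interface has a default route, and flags ntp server lines whose address sits in a VRF subnet but that are not bound with vrf. The 10.9.2.200 NTP address and all function names are constructed or hypothetical.

```python
"""Audit an IOS running-config for Mgmt-vrf pitfalls (added example; hypothetical helpers)."""
import ipaddress
import re

# Constructed sample mirroring the page's snippets; 10.9.2.200 is a made-up NTP server.
SAMPLE_CONFIG = """\
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.9.2.15 255.255.255.0
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.9.2.26
access-list 101 permit ip 10.9.2.0 0.255.255.255 any log
line vty 0 4
 access-class 101 in
 transport input ssh
line vty 5 15
 access-class 101 in vrf-also
 transport input ssh
ntp server 10.9.2.200
ntp server vrf Mgmt-vrf 10.9.6.5
"""


def wildcard_matches(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def effective_network(network, wildcard):
    """Address IOS actually stores: host bits under a 1 wildcard bit are discarded."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(network)) & care))


def parse_blocks(config):
    """Group config into (header, [indented child lines]) using IOS indentation."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line, []))
    return blocks


def audit(config):
    """Return a list of human-readable findings; an empty list means clean."""
    vrf_subnets, acls, default_routes, vtys, ntp = {}, {}, set(), [], []
    for header, children in parse_blocks(config):
        if header.startswith("interface "):
            vrf, nets = None, []
            for c in children:
                if m := re.match(r"vrf forwarding (\S+)$", c):
                    vrf = m.group(1)
                if m := re.match(r"ip address (\S+) (\S+)$", c):
                    nets.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
            if vrf:
                vrf_subnets.setdefault(vrf, []).extend(nets)
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+)", header):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := re.match(r"ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", header):
            default_routes.add(m.group(1))
        elif header.startswith("line vty"):
            vtys.append((header, next((c for c in children if c.startswith("access-class ")), None)))
        elif m := re.match(r"ntp server (?:vrf (\S+) )?(\S+)", header):
            ntp.append((m.group(2), m.group(1)))

    findings = []
    for vrf in vrf_subnets:                      # replies to off-subnet managers need a VRF route
        if vrf not in default_routes:
            findings.append(f"{vrf}: no default route in the VRF table")
    checked = set()
    for header, ac in vtys:
        if ac is None:
            continue
        if vrf_subnets and "vrf-also" not in ac:  # the page's ping-works-but-SSH-fails symptom
            findings.append(f"{header}: access-class without vrf-also rejects sessions from VRF interfaces")
        acl_id = ac.split()[1]
        if acl_id in checked:
            continue
        checked.add(acl_id)
        for network, wildcard in acls.get(acl_id, []):
            try:
                eff = effective_network(network, wildcard)
            except ValueError:                    # 'any' / 'host' keyword forms are skipped
                continue
            if eff != network:
                findings.append(f"access-list {acl_id}: {network} {wildcard} is stored as {eff} {wildcard}")
    for server, vrf in ntp:                       # services reached through the VRF must say so
        if vrf is None and any(ipaddress.IPv4Address(server) in n
                               for nets in vrf_subnets.values() for n in nets):
            findings.append(f"ntp server {server}: inside a VRF subnet but not bound with 'vrf'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a saved show running-config and a clean result is an empty list; on the sample it reports the vty 0 4 access-class, the over-wide ACL entry and the unbound NTP server, while vty 5 15 and the VRF default route pass.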





Other configuration can be found in my standard templates.