
Nexus management SVI

Iulian Vaideanu
Level 4

It says in the Nexus 3000 Layer 2 Switching Config Guide that the "management" keyword under a SVI's config "configures the SVI to be used for in-band management".  What exactly does that mean?  Or, in other words, what can't you do if you don't config "management"?  I have a couple of N3064s configured with the default "no management" and I can use the SVI just fine to Telnet / SSH to the device or copy files to it by (T)FTP...

8 Replies

Mark Malone
VIP Alumni

Hi, in-band mgmt. is when you're not using the dedicated mgmt. port that comes with your device for mgmt. traffic; rather, you will use an inline interface like an SVI. If you're segregating your mgmt. traffic for true OOB traffic from your prod traffic, you should use your mgmt. port itself, as an inline mgmt. port will be of no use when, say, the network goes into a storm.

Usually you would set the mgmt. port in a VRF and set all mgmt. traffic like ssh/ntp/syslog etc. to be a source of that port, and then your mgmt. port would connect to a dedicated mgmt. switch for out-of-band access during issues. That's real out of band, as it's completely segregated from prod traffic.

I know what in-band management is - my question is:  what's the difference between configuring a SVI with "management" and configuring it with "no management"?  I'm using SVIs (in the default vrf) to manage my two N3064s and they both have:

# sh run int vlan424 all | i management
  no management

Yes, so when you apply management it becomes a usable in-band mgmt. port; if it's not there it will not use the SVI as one for mgmt. traffic.

http://tekcert.com/blog/2015/03/05/how-setup-inband-management-interface-cisco-nexus-switch

"it will not use the SVI as one for mgmt. traffic" - then, what is "management traffic"?  As I said in the first post, I can Telnet / SSH to the device just fine, copy files to it, anything I've needed so far...  all these with the only SVI configured as "no management".

If you remove it from that interface it just won't use that as the source of mgmt. traffic it will use another interface, loopback maybe, another interface with mgmt. set, etc.

What have you set your mgmt. traffic to be a source of?

If nothing, the device will decide for itself where it takes it from.

EDIT: you're talking about coming inbound when you say you can still ssh etc.; this is outbound, how the switch sends traffic out for specific protocols.

"it just won't use that as the source of mgmt. traffic it will use another interface"

Checked it - that is not correct, or I understood it in a wrong way.

For a test I typed "no management" on all of the SVIs on a Nexus 3172 - and I can continue to make successful outbound ssh/telnet connections from the Nexus to other devices in the network.

So for me it's still not clear what this command does.

The Cisco config guide says:

interface-vlan vlan-id management

Creates a VLAN interface (SVI) and configures the SVI to be used for in-band management.

But as mentioned above - with "no management" on the interface, its IP address can still be used for connecting to the device.

rsumidacisco
Level 1

I'm trying to understand this command on the Nexus as well.  On Brocade switches they use a similar command which restricts the management plane to that vlan interface.  If you don't use the management command then any vlan interface can be used for the management plane.  e.g. telnet, ssh, snmp, tacacs, etc.

I'm assuming the Nexus behaves the same way but I have yet to find Cisco documentation stating that.  My coworker is setting this up in the lab to test, so I should have an answer in a week or so.
