Solved

swpXX on mgmt vrf?

  • 27 June 2018
  • 2 replies
  • 272 views

Userlevel 2
I have switches managed remotely with their eth0's being in the mgmt vrf. If I were to connect another vendor's managed switch to a switchport, and put that switchport into mgmt vrf, would that be bad or okay?

Best answer by Eric Pulvino 27 June 2018, 18:25

It is certainly possible to configure that and have it work but from a design standpoint that would be VERY uncommon so it probably makes sense to revisit what is trying to be done and if this is the best way to do it.

Most of the time the MGMT vrf is reserved only for the Eth0 mgmt interface of the switch. VRF is a L3 concept because it provides separate isolated routing tables. The mgmt vrf provides the segmentation of putting Eth0 in a different routing table so that the default route that arrives via DHCP on Eth0 does not corrupt any routing that is occurring on the dataplane.

In principle you'd think it might make sense to have a dataplane switchport with access to the same VRF/routing table since they might be on the same VLAN but in practice usually the switchport is tied to a L2 Vlan. So it's the difference between a L3 Eth0 port and a L2 switchport.

The L3 concept for segmentation is a VRF, the L2 concept for segmentation is a VLAN. For this reason it's not necessary to extend the VRF to the L2 port as long as the mgmt vlan is provisioned there to support the switch from the other vendor.
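The arrangement the answer recommends (eth0 alone in the mgmt VRF, the other vendor's switch reached over a mgmt VLAN on a plain L2 switchport) as an added /etc/network/interfaces example; it assumes Cumulus Linux with ifupdown2, which the thread does not state outright, and swp1 and VLAN 100 are placeholder values, not configuration from the original post.

```text
# Management VRF: a separate routing table holding only eth0.
# The DHCP default route learned on eth0 lands here, not in the
# dataplane's default routing table.
auto mgmt
iface mgmt
    address 127.0.0.1/8
    address ::1/128
    vrf-table auto

auto eth0
iface eth0 inet dhcp
    vrf mgmt

# The switchport toward the other vendor's switch stays L2.
# It is NOT placed in the mgmt VRF; segmentation at this layer
# is the mgmt VLAN (100 here, a placeholder) on the bridge.
auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge-ports swp1
    bridge-vids 100

auto swp1
iface swp1
    bridge-access 100

# Checks after "ifreload -a":
#   ip vrf show              -> lists "mgmt" with its table id
#   ip route show vrf mgmt   -> the eth0 default route, isolated
#   ip route show            -> no DHCP default route leaked from eth0
#   bridge vlan show         -> swp1 untagged (PVID) in VLAN 100
```

The last four commands are the ones a practitioner would use to confirm that the default route from eth0 is confined to the mgmt table and that swp1 carries only the mgmt VLAN.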

2 replies

Userlevel 2
This situation is definitely a one-off, and I was just exploring options. Thank you for the reply!
