CSS11500 management port routing problem

haver
Level 1

I've got a CSS11503 running WebNS 7.10 and need to upgrade to 7.20. Ethernet management port is part of my management VLAN. I can ping the other equipment on the management VLAN and the default gateway.

Now, my FTP server (with the 7.20 image) is located on a different VLAN/subnet. The CSS's default gateway can reach the FTP server without problems (actually, they are routed on the C6509/MSFC2). However, the CSS can't reach anything outside its own subnet.

WebNS 7.20 has an option to add extra routes for the management port only, but 7.10 does not.

Do I really have to move the FTP server to the same subnet as the CSS in order to upgrade? However, I wonder what the 'gateway address' for the ethernet management port on the CSS is then used for. Apparently, the CSS with 7.10 can't make use of it.

Any pointers?

6 Replies

lstrike
Level 1

Haver,

There are several things you need to consider.

1. The management port default gateway command is used to load a boot file on a CSS from a different subnet.

2. The gateway address command has an effect only in an Offline DM boot operation and not in the running-config.

The following url displays this URL: http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_710/cmdrefgd/cmdbootc.htm#xtocid1

3. If you want to do it from the command line it is better to use the following process.

http://www.cisco.com/en/US/partner/products/hw/contnetw/ps792/products_administration_guide_chapter09186a0080158356.html

By using the FTP command and using the copy ftp command to copy the image from your FTP server in version 7.1.

Gilles Dufour
Cisco Employee

One solution is to NAT the FTP address on the default gateway attached to the management port so the FTP device looks to be part of the same subnet.

7.20 will fix this problem - but you first need to upgrade :-)

Gilles.

And so I did. The FTP server was temporarily put on the management VLAN and CSS version was bumped to 7.20.

But, I still can't seem to reach hosts outside the VLAN the management port is part of. According to the manual, one should use the 'ip management route' command to add extra routes. However, that command doesn't seem to exist:

ows-css-sw0# sh ver
Version: sg0720003 (7.20 Build 3)
Flash (Locked): 7.10 Build 102
Flash (Operational): 7.20 Build 3
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set

ows-css-sw0# sh boot
!************************ BOOT CONFIG ************************
ip address 172.25.204.86
subnet mask 255.255.255.224
gateway address 172.25.204.65
primary boot-file sg0720003
primary boot-type boot-via-disk

ows-css-sw0# conf t
ows-css-sw0(config)# ip management route 172.25.202.0 /24 172.25.204.65
^
%% Invalid input detected at '^' marker.
ows-css-sw0(config)#


Am I doing something wrong here?

This feature is only available in 6.10 currently which is for the first generation CSS.

This feature does not exist yet for the 11500.

Gilles.

dcayer
Level 1

One work-around for this problem is to use NAT. But this requires a device on your management VLAN which is capable of doing NAT. With NAT, you can fool your CSS into thinking that the FTP server is local to its ethernet management port's subnet. We use this solution and on our CSS, the TACACS, NTP, SYSLOG, FTP, SNMP & TFTP servers all appear to be the same IP device which is local to the CSS's ethernet management port.

Of course, in-band management is also an option, but we try to avoid this option whenever we can due to its security implications (i.e.: we want to minimize the possibility of our management VLAN being visible from the Internet!!!).

Hope this helps!

Thanks for the suggestion. However, I don't really like unnecessary hacks on my network. CSS should support using other subnets via the management port and so it does in ver >= 7.20.