Note: This feature is not supported on vNIOS Grid members for Riverbed.
The MGMT (Management) port is a 10/100/1000Base-T Ethernet connector on the front panel of the TE-810, TE-820, TE-1410, TE-1420, TE-2210, TE-2220, and IB-4010 appliances. It allows you to isolate the following types of traffic from other types of traffic on the LAN and HA ports:
...
- Although you manage all Grid members through the Grid Master, if you enable the MGMT port on common Grid members, they can send syslog events, SNMP traps, and e-mail notifications, and receive SSH connections on that port.
Infoblox does not support MGMT port usage for some appliance configurations (indicated by the symbol in
Table 8.6) because it cannot provide redundancy through the use of a VIP. A Grid Master that is an HA pair needs the redundancy that a VIP interface on the HA port provides for Grid communications. Similarly, DNS servers in an HA pair need that redundancy to answer DNS queries. Because the MGMT port does not support a VIP and thus cannot provide redundancy, Grid Masters (and potential Grid Masters) do not support Grid communications on the MGMT port.
In addition, NIOS appliances in an HA pair support DNS services on the active node only (indicated by the symbol in Table 8.6). Only the active node can respond to queries that it receives. If a DNS client sends a query to the MGMT port of the node that happens to be the passive node, the query can eventually time out and fail.
The MGMT port is not enabled by default. By default, a NIOS appliance uses the LAN port (and HA port when deployed in an HA pair). You must log in using a superuser account to enable and configure the MGMT port. You can configure both IPv4 address and IPv6 address for the MGMT port of a Grid member. You can enable the MGMT port through the Infoblox GUI, as explained in the following sections.
470NIOS Administrator Guide (Rev. A)NIOS 8.1
Using the MGMT PortAnchor Appliance Management Appliance Management Anchor bookmark926 bookmark926
Appliance ManagementAnchor bookmark927 bookmark927
You can restrict administrative access to a NIOS appliance by connecting the MGMT port to a subnet containing only management systems. This approach ensures that only appliances on that subnet can access the Infoblox GUI and receive appliance management communications such as syslog events, SNMP traps, and e-mail notifications from the appliance.
If you are the only administrator, you can connect your management system directly to the MGMT port. If there are several administrators, you can define a small subnet—such as 10.1.1.0/29, which provides six host IP addresses (10.1.1.1–10.1.1.6) plus the network address 10.1.1.0 and the broadcast address 10.1.1.7—and connect to the NIOS appliance through a dedicated switch (which is not connected to the rest of the network). Figure 8.7 shows how an independent appliance separates appliance management traffic from network protocol services. Note that the LAN port is on a different subnet from the MGMT port.
Figure 8.7 Appliance Management from One or More Management SystemsAnchor bookmark928 bookmark928
The NIOS appliance serves DNS and DHCP to the public network through the LAN port.A single management system connects directly to the MGMT port of the NIOS appliance through an Ethernet cable.Several management systems connect to the MGMT port of the NIOS appliance through a dedicated switch.Public Network
1.1.1.0/24
DNS and DHCP ServicesLAN
1.1.1.5MGMT
10.1.1.1
Ethernet CablePrivate Network
10.1.1.0/30
Appliance ManagementNIOS
appliance-1DNS and DHCP ClientsLAN
1.1.1.6MGMT
10.1.1.1Infoblox
Appliance -2Note:
Because the two private networks are used solely for appliance management and are completely isolated from the rest of the network—and therefore from each other—their address space can overlap without causing any routing issuesEthernet
CablePrivate Network
10.1.1.0/29
Appliance ManagementDedicated
Switch
Management Systems 10.1.1.2 - 10.1.1.5
Similarly, you can restrict management access to a Grid Master to only those appliances connected to the MGMT ports of the active and passive nodes of the Grid Master.
To enable the MGMT port on an independent appliance or Grid Master for appliance management and then cable the MGMT port directly to your management system or to a network forwarding appliance such as a switch or router:
- From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box, and then click the Edit icon.
- In the Network -> Basic tab of the Grid Member Properties editor, add the MGMT port to the Additional Ports and Addresses table as follows:
NIOS 8.1NIOS Administrator Guide (Rev. A)471
Managing Appliance Operations
- Click the Add icon and select MGMT (IPv4) to configure an IPv4 address or select MGMT (IPv6) to configure an IPv6 address for the MGMT port. You can configure both IPv4 and IPv6 addresses for the MGMT port.
...
This ensures that all database synchronization and Grid maintenance operations are inaccessible from other network elements while the common Grid members provide network protocol services on their LAN ports.
Figure 8.8 shows how Grid members communicate to the master over a dedicated subnet.
472NIOS Administrator Guide (Rev. A)NIOS 8.1
Using the MGMT Port
| Anchor | ||||
|---|---|---|---|---|
|
The private network (10.1.1.0/24) is reserved for
HA Grid Master Master Candidate
The Grid Master and Master Candidate
Grid communications
between the Grid Master and all Grid members, and for appliance management between the management system and the Grid Master.
HA
HA
VIP 10.1.1.5
HA
HA VIP
10.1.1.10
connect to the private network using a VIP on their HA ports.
Private Network 10.1.1.0/24
for Grid Communications and appliance Management
Management System 10.1.1.30
MGMT 10.1.1.15
Single Member
LAN
MGMT 10.1.1.20
Passive Node
MGMT 10.1.1.21
Active Node HA Member
HA HA
VIP
The common Grid members connect to the private network through their MGMT ports*.
They connect to the public network through their LAN and HA ports (using a VIP).
The common Grid members use the public network (1.1.1.0/24) for DNS and DHCP services.
1.1.1.6
Public Network 1.1.1.0/24
DNS and DHCP Services
1.1.1.7
DNS and DHCP Clients
...
Note: You must enable the MGMT port before modifying its port settings. See Using the MGMT Port .
- In the Network -> Basic tab of the Grid Member Properties editor, add the MGMT port to the Additional Ports and Addresses table as follows:
- Click the Add icon and select MGMT (IPv4) to configure an IPv4 address or select MGMT (IPv6) to configure an IPv6 address for the MGMT port. You can configure both IPv4 address and IPv6 address for the MGMT port.
NIOS 8.1NIOS Administrator Guide (Rev. A)473
Managing Appliance Operations
Grid Manager adds a row for the MGMT port. For an HA pair, it adds two rows, one for each node.
...
You can configure
| Anchor | ||||
|---|---|---|---|---|
|
While providing DNS services on the MGMT port, you can still use that port simultaneously for appliance management. Figure 8.9 shows a management system communicating with a single independent appliance through its MGMT port while the appliance also provides DNS services on that port to a private network. Additionally, the appliance provides DNS services to an external network through its LAN port.
474NIOS Administrator Guide (Rev. A)NIOS 8.1
Using the MGMT Port
| Anchor | ||||
|---|---|---|---|---|
|
External
NetworkLAN
PortExternal DNS Client
External DNS Clients
External DNS services go through the LAN port.
Single
Independent ApplianceMGMT
PortInternal
NetworkAppliance management and internal DNS services go through the MGMT port.
Management System
Internal DNS Clients
Like a single independent appliance, a single Grid member can also support concurrent DNS traffic on its MGMT and LAN ports. However, because you manage all Grid members through the Grid Master, a Grid member only uses an enabled MGMT port to send SNMP traps, syslog events, and email notifications, and to receive SSH connections.
In addition, the active node of an HA pair can provide DNS services through its MGMT port. To use this feature, you must enable DNS services on the MGMT ports of both nodes in the HA pair and specify the MGMT port IP addresses of both nodes on the DNS client as well, in case there is a failover and the passive node becomes active. Note that only the active node can respond to queries that it receives. If a DNS client sends a query to the MGMT port of the node that happens to be the passive node, the query can eventually time out and fail.
To enable DNS services on the MGMT port of an appliance:
...
Note: You must enable the MGMT port before modifying its port settings. See Using the MGMT Port .
- In the Network -> Basic tab of the Grid Member Properties editor, add the MGMT port to the Additional Ports and Addresses table as follows:
- Click the Add icon and select MGMT (IPv4) to configure an IPv4 address or select MGMT (IPv6) to configure an IPv6 address for the MGMT port. You can configure both IPv4 and IPv6 address for the MGMT port.
...
- Enter the following in the row of the MGMT port for a single Grid Master or independent appliance, and in the rows of the two nodes for an HA Grid Master or independent HA pair:
- Interface: Displays the name of the interface. You cannot modify this.
- Address: Type the IP address for the MGMT port, which must be in a different subnet from that of the LAN and HA ports.
- Subnet Mask (IPv4) or Prefix Length (IPv6): For IPv4 address, specify an appropriate subnet mask for the number of management systems that you want to access the appliance through the MGMT port. For IPv6 address, specify the prefix length.
NIOS 8.1NIOS Administrator Guide (Rev. A)475
Managing Appliance Operations
- Gateway: Type the default gateway for the MGMT port. If you need to define any static routes for traffic originating from the MGMT port—such as SNMP traps, syslog events, and email notifications—destined for remote subnets beyond the immediate subnet, specify the IP address of this gateway in the route.
- Port Settings: Choose the connection speed that you want the port to use. You can also choose the duplex setting. Choose Full for concurrent bidirectional data transmission or Half for data transmission in one direction at a time. Select Automatic to instruct the NIOS appliance to negotiate the optimum port connection type (full or half duplex) and speed with the connecting switch automatically. This is the default setting. You cannot configure port settings for vNIOS appliances.
- DSCP Value: Displays the Grid DSCP value. To modify, click Override and enter the DSCP value. You can enter a value from 0 to 63. For information about DSCP, see Implementing Quality of Service Using DSCP on page 455.
...
- Save the configuration and click Restart if it appears at the top of the screen. To see that the appliance now also serves DNS on the MGMT port:
- From the Data Management tab, select the DNS tab -> -> Members tab -> Grid_member check box.
- Expand the Toolbar and click View -> View DNS Configuration.
- Check that the IP address of the MGMT port appears in the address match list in the listen-on substatement.
476NIOS Administrator Guide (Rev. A)NIOS 8.1
About Lights Out Management