
Using the MGMT Port

The MGMT (Management) port is a 10/100/1000Base-T Ethernet connector on the front panel of an Infoblox-250-A, -550-A, -1050-A, -1550-A, -1552-A, -2000-A, and -4010 appliance. It allows you to isolate the following types of traffic from other types of traffic on the LAN and HA ports:

For information about what types of traffic qualify as appliance management and Master Grid communications, see /wiki/spaces/mgmadminguide/pages/911183794.


Note: The MGMT port currently does not support NTP, NAT, or TFTP.


Some appliance deployment scenarios support more than one concurrent use of the MGMT port. The following table depicts MGMT port uses for various appliance configurations.

Table 8.4 Supported MGMT Port Uses for Various Appliance Configurations

Appliance Configuration | Appliance Management | Master Grid Communications
Multi-Grid Master
Multi-Grid Master Candidate
HA Master Grid Member
Single Master Grid Member

Although you manage all Master Grid members through the Multi-Grid Master, if you enable the MGMT port on common Master Grid members, they can send syslog events, SNMP traps, and e-mail notifications, and receive SSH connections on that port.
Infoblox does not support MGMT port usage for some appliance configurations (indicated by the symbol in Table 8.4) because it cannot provide redundancy through the use of a VIP. A Multi-Grid Master that is an HA pair needs the redundancy that a VIP interface on the HA port provides for Master Grid communications. Because the MGMT port does not support a VIP and thus cannot provide redundancy, Multi-Grid Masters (and potential Multi-Grid Masters) do not support Master Grid communications on the MGMT port.
The MGMT port is not enabled by default. By default, the appliance uses the LAN port (and HA port when deployed in an HA pair). You must log in using a superuser account to enable and configure the MGMT port. You can enable the MGMT port through the Infoblox GUI, as explained in the following sections.

Appliance Management

You can restrict administrative access to the appliance by connecting the MGMT port to a subnet containing only management systems. This approach ensures that only appliances on that subnet can access the Infoblox GUI and receive appliance management communications such as syslog events, SNMP traps, and e-mail notifications from the appliance.
If you are the only administrator, you can connect your management system directly to the MGMT port. If there are several administrators, you can define a small subnet—such as 10.1.1.0/29, which provides six host IP addresses (10.1.1.1–10.1.1.6) plus the network address 10.1.1.0 and the broadcast address 10.1.1.7—and connect to the appliance through a dedicated switch (which is not connected to the rest of the network). Figure 8.6 shows how an appliance separates appliance management traffic from network protocol services. Note that the LAN port is on a different subnet from the MGMT port.

Figure 8.6 Appliance Management from One or More Management Systems


Similarly, you can restrict management access to the Multi-Grid Master to only those members connected to the MGMT ports of the active and passive nodes of the Multi-Grid Master.
To enable the MGMT port on the Multi-Grid Master for appliance management and then cable the MGMT port directly to your management system or to a network forwarding appliance such as a switch or router:

  1. From the Master Grid tab, select the Members tab -> master_grid_member checkbox, and then click the Edit icon.
  2. In the Network -> Basic tab of the Master Grid Member Properties editor, add the MGMT port to the Additional Ports and Addresses table as follows:
  3. Click the Add icon and select MGMT (IPv4) to configure an IPv4 address or select MGMT (IPv6) to configure an IPv6 address for the MGMT port. You can configure both IPv4 and IPv6 addresses for the MGMT port.
    Multi-Grid Manager adds a row for the MGMT port. For an HA pair, it adds two rows, one for each node.
  4. Enter the following in the row of the MGMT port for a single Multi-Grid Master, and in the rows of the two nodes for an HA Multi-Grid Master:
    • Interface: Displays the name of the interface. You cannot modify this.
    • Address: Type the IP address for the MGMT port, which must be in a different subnet from that of the LAN and HA ports.
    • Subnet Mask (IPv4) or Prefix Length (IPv6): For an IPv4 address, specify an appropriate subnet mask for the number of management systems that you want to access the appliance through the MGMT port. For an IPv6 address, specify the prefix length.
    • Gateway: Type the default gateway for the MGMT port. If you need to define any static routes for traffic originating from the MGMT port—such as SNMP traps, syslog events, and email notifications—destined for remote subnets beyond the immediate subnet, specify the IP address of this gateway in the route.
    • Port Settings: Choose the connection speed that you want the port to use. You can also choose the duplex setting. Choose Full for concurrent bidirectional data transmission or Half for data transmission in one direction at a time. Select Automatic to instruct the appliance to negotiate the optimum port connection type (full or half duplex) and speed with the connecting switch automatically. This is the default setting. You cannot configure port settings for vNIOS appliances.
  5. In the Network -> Advanced tab, make sure that the Enable VPN on MGMT Port checkbox is not selected.
  6. Save the configuration.
  7. Log out of Multi-Grid Manager.
  8. Cable the MGMT port to your management system or to a switch or router to which your management system can also connect.
  9. If your management system is in a subnet from which it cannot reach the MGMT port, move it to a subnet from which it can.
    The Infoblox Multi-Grid Manager GUI is now accessible through the MGMT port on the appliance from your management system.
  10. Open an Internet browser window and enter the IP address of the MGMT port as follows: https://<IP address of MGMT port>.
  11. Log in to Multi-Grid Manager.
  12. Check the Detailed Status panel of the Master Grid member to make sure the status icons are green.
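
Before entering the Address, Subnet Mask, and Gateway values above, the plan can be checked offline. The following Python sketch is an added example, not Infoblox code: it sizes the IPv4 prefix for a given number of management systems and verifies that the MGMT subnet is separate from the LAN and HA subnets. The function names and the LAN address used in the usage note are constructed for illustration, and the check assumes the dedicated-subnet layout described above, where the management systems and the gateway sit on the MGMT subnet.

```python
import ipaddress

def smallest_ipv4_prefix(mgmt_systems, appliance_ports=1):
    """Longest IPv4 prefix with enough usable hosts for the MGMT port(s)
    (two for an HA pair) plus the management systems."""
    needed = mgmt_systems + appliance_ports + 2  # + network and broadcast
    host_bits = max(2, (needed - 1).bit_length())
    return 32 - host_bits

def check_mgmt_plan(mgmt, other_ports, stations, gateway=None):
    """Return a list of problems with a planned MGMT port configuration.

    mgmt        -- MGMT port address with prefix, e.g. "10.1.1.1/29"
    other_ports -- {"LAN": "...", "HA": "..."} addresses with prefix
    stations    -- addresses of the management systems
    gateway     -- optional default gateway for the MGMT port
    """
    problems = []
    port = ipaddress.ip_interface(mgmt)
    net = port.network
    # The MGMT port must be in a different subnet from the LAN and HA ports.
    for name, value in other_ports.items():
        other = ipaddress.ip_interface(value).network
        if other.version == net.version and net.overlaps(other):
            problems.append(f"MGMT subnet {net} overlaps {name} subnet {other}")
    # IPv4 network and broadcast addresses cannot be assigned to a host.
    reserved = set()
    if net.version == 4 and net.prefixlen < 31:
        reserved = {net.network_address, net.broadcast_address}
    if port.ip in reserved:
        problems.append(f"MGMT address {port.ip} is the network or broadcast address")
    seen = {port.ip}
    for s in stations:
        addr = ipaddress.ip_address(s)
        if addr not in net:
            problems.append(f"management system {addr} is outside {net}")
        elif addr in reserved or addr in seen:
            problems.append(f"management system {addr} is reserved or duplicated")
        seen.add(addr)
    if gateway is not None and ipaddress.ip_address(gateway) not in net:
        problems.append(f"gateway {gateway} is not on the MGMT subnet {net}")
    return problems
```

For example, `check_mgmt_plan("10.1.1.1/29", {"LAN": "192.168.1.5/24"}, ["10.1.1.2", "10.1.1.3"])` returns an empty list, while a LAN address of `10.1.1.5/24` is reported as overlapping the MGMT subnet.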

Master Grid Communications

You can isolate all communications in the Master Grid to a dedicated subnet as follows:

  • For Master Grid communications from the Multi-Grid Master, which can be an HA pair or a single appliance, the master uses either the VIP interface on the HA port of its active node (HA master) or its LAN port (single master). Neither a single nor HA Multi-Grid Master can use its MGMT port for Master Grid communications. (This restriction applies equally to master candidates.)
  • Master Grid members connect to the Multi-Grid Master through their MGMT ports.

This ensures that all database synchronization and Master Grid maintenance operations are inaccessible from other network elements while the Master Grid members provide network protocol services on their LAN ports.
Figure 8.7 shows how members communicate with the Multi-Grid Master over a dedicated subnet.

Figure 8.7 Grid Communications

Enabling Master Grid Communications over the MGMT Port for Existing Members

To enable the MGMT port for Master Grid communications on an existing single or HA Master Grid member:

  1. Log in to the Multi-Grid Master with a superuser account.
  2. From the Master Grid tab, select the Members tab -> master_grid_member checkbox, and then click the Edit icon.

    Note: You must enable the MGMT port before modifying its port settings. See 19282742.

  3. In the Network -> Basic tab of the Master Grid member Properties editor, add the MGMT port to the Additional Ports and Addresses table as follows:
  4. Click the Add icon and select MGMT (IPv4) to configure an IPv4 address or select MGMT (IPv6) to configure an IPv6 address for the MGMT port. You can configure both IPv4 and IPv6 addresses for the MGMT port.
    Multi-Grid Manager adds a row for the MGMT port. For an HA pair, it adds two rows, one for each node.
  5. Enter the following in the row of the MGMT port for a single Multi-Grid Master or member, and in the rows of the two nodes for an HA Multi-Grid Master:
    • Interface: Displays the name of the interface. You cannot modify this.
    • Address: Type the IP address for the MGMT port, which must be in a different subnet from that of the LAN and HA ports.
    • Subnet Mask (IPv4) or Prefix Length (IPv6): For an IPv4 address, specify an appropriate subnet mask for the number of management systems that you want to access the appliance through the MGMT port. For an IPv6 address, specify the prefix length.
    • Gateway: Type the default gateway for the MGMT port. If you need to define any static routes for traffic originating from the MGMT port—such as SNMP traps, syslog events, and email notifications—destined for remote subnets beyond the immediate subnet, specify the IP address of this gateway in the route.
    • Port Settings: Choose the connection speed that you want the port to use. You can also choose the duplex setting. Choose Full for concurrent bidirectional data transmission or Half for data transmission in one direction at a time. Select Automatic to instruct the appliance to negotiate the optimum port connection type (full or half duplex) and speed with the connecting switch automatically. This is the default setting. You cannot configure port settings for vNIOS appliances.
  6. In the Network -> Advanced tab, select the Enable VPN on MGMT Port checkbox.
  7. In the Security tab, do the following:
    • Restrict Remote Console and Support Access to MGMT Port: Select this checkbox to restrict SSH (Secure Shell) v2 access to the MGMT port only. This restricts Infoblox Technical Support and remote console connections—both of which use SSH v2—to just the MGMT port. For an HA pair, you can make an SSH v2 connection to the MGMT port on both the active and passive nodes.
      Clear the checkbox to allow SSH v2 access to both the MGMT and LAN ports. For an HA pair, you can make an SSH v2 connection to the MGMT and LAN ports on both the active and passive nodes.
  8. Save the configuration.
    The master communicates the new port settings to the member, which immediately begins using them. The member stops using its LAN port for Master Grid communications and begins using the MGMT port.
  9. To confirm that the member still has Master Grid connectivity, check that the status icons for that member are green.
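
After saving, the effect of the Restrict Remote Console and Support Access to MGMT Port checkbox can be verified from a management system rather than assumed. The following Python sketch is an added example, not Infoblox code: it checks whether each LAN and MGMT address answers with an SSH banner and compares the result with the checkbox state. The function names are constructed for illustration, and it assumes that remote console access is enabled and that SSH listens on the standard TCP port 22.

```python
import socket

def ssh_reachable(host, port=22, timeout=3.0):
    """True if host:port accepts a TCP connection and sends an SSH banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(64).startswith(b"SSH-")
    except OSError:  # refused, unreachable, or timed out
        return False

def audit_ssh_exposure(lan_addrs, mgmt_addrs, restricted=True, probe=ssh_reachable):
    """Compare SSH reachability on each port address with the checkbox state.

    lan_addrs  -- LAN addresses (both nodes for an HA pair)
    mgmt_addrs -- MGMT addresses (both nodes for an HA pair)
    restricted -- True if the restriction checkbox is selected
    probe      -- callable(addr) -> bool, replaceable for offline testing
    """
    findings = []
    # SSH is expected on the MGMT port in either checkbox state.
    for addr in mgmt_addrs:
        if not probe(addr):
            findings.append(f"MGMT {addr}: SSH unreachable, expected open")
    for addr in lan_addrs:
        reachable = probe(addr)
        if restricted and reachable:
            findings.append(f"LAN {addr}: SSH reachable although restricted to MGMT")
        elif not restricted and not reachable:
            findings.append(f"LAN {addr}: SSH unreachable, expected open")
    return findings
```

Run the check from a host that has a route to both the LAN and MGMT subnets; from a host that cannot reach the LAN subnet at all, an unreachable LAN address says nothing about the checkbox.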