Management VRF is a subset of VRF (virtual routing tables and forwarding) and provides a separation between the out-of-band management network and the in-band data plane network. For all VRFs, the main routing table is the default table for all of the data plane switch ports. With management VRF, a second table, mgmt, is used for routing through the Ethernet ports of the switch. The mgmt name is special cased to identify the management VRF from a data plane VRF. FIB rules are installed for DNS servers because this is the typical deployment case.
Cumulus Linux only supports eth0 as the management interface, or eth1, depending on the switch platform. The Ethernet ports are software-only parts that are not hardware accelerated by switchd. VLAN subinterfaces, bonds, bridges, and the front panel switch ports are not supported as management interfaces.
When management VRF is enabled, logins to the switch are set into the management VRF context. IPv4 and IPv6 networking applications (for example, Ansible, Chef, and apt-get) run by an administrator communicate out the management network by default. This default context does not impact services run through systemd and the systemctl command, and does not impact commands examining the state of the switch, such as the ip command to list links, neighbors, or routes.
The management VRF configurations in this chapter contain a localhost loopback IP address (127.0.0.1/8). Adding the loopback address to the L3 domain of the management VRF prevents issues with applications that expect the loopback IP address to exist in the VRF, such as NTP.
Enabling Management VRF
To enable management VRF on eth0, complete the following steps:
Bringing the Management VRF Up after Downing It with ifdown
If you take down the management VRF using ifdown, to bring it back up you need to do one of two things:
ifup --with-depends <vrf>
ifreload -a disconnects the session for any interface configured as auto.
Running Services within the Management VRF
You can run a variety of services within the management VRF instead of the default VRF. In most cases, you must stop and disable the instance running in the default VRF before you can start the service in the management VRF. This is because the instance running in the default VRF owns the port across all VRFs. The services that must be disabled in the default VRF are:
When you run a service inside the management VRF, that service runs only on eth0; it no longer runs on any switch port. However, you can keep the service running in the default VRF with a wildcard for agentAddress. This enables the service to run on all interfaces no matter which VRF, so you don't have to run a different process for each VRF.
Some applications can work across all VRFs. The kernel provides a sysctl that allows a single instance to accept connections over all VRFs. For TCP, connected sockets are bound to the VRF on which the first packet is received. This sysctl is enabled for Cumulus Linux.
To enable a service to run in the management VRF, do the following. These steps use the NTP service, but you can use any of the services listed above, except for dhcrelay (discussed here) and hsflowd (discussed below).
- Configure the management VRF as described in the Enabling Management VRF section above.
- If NTP is running, stop the service:
- Disable NTP from starting automatically in the default VRF:
- Start NTP in the management VRF.
- Enable ntp@mgmt so that it starts when the switch boots:
After you enable ntp@mgmt, you can verify that NTP peers are active:
Enabling Polling with snmpd in a Management VRF
When you enable snmpd to run in the management VRF, snmpd listens only on eth0; you can no longer listen on a switch port.
SNMP configuration in NCLU is not VRF aware, so the snmpd daemon is always started in the default VRF. Because interfaces in a particular VRF (routing table) are not aware of interfaces in a different VRF, the snmpd daemon only responds to polling requests and sends traps on the interfaces of the VRF on which it is running. If you configure a management VRF, you need to start the snmpd daemon manually in the management VRF and stop all other
If you are using sFlow to monitor traffic in the management VRF, you need to complete the following steps to enable sFlow.
- Add the hsflowd process to the systemd configuration file in /etc/vrf. Edit the /etc/vrf/systemd.conf file with a text editor.
- Stop the hsflowd daemon if it is running:
- Disable hsflowd to ensure it does not start in the default VRF if the system is rebooted:
- Start hsflowd in the management VRF:
- Enable hsflowd@mgmt so it starts when the switch boots:
- Verify that the hsflowd service is running in the management VRF:
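The stop, disable, start and enable sequence used for NTP and for hsflowd above, written as an added shell example that is not part of the original documentation. It assumes /etc/vrf/systemd.conf lists one service name per line; the function names and the VRF_CONF and DRY_RUN variables are hypothetical, and the commands are only printed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the Cumulus Linux documentation).
VRF_CONF=${VRF_CONF:-/etc/vrf/systemd.conf}  # services that may run in a VRF
DRY_RUN=${DRY_RUN:-1}                        # 1 = only print the commands

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# True when the service is listed on a line of its own in systemd.conf
# (assumed format: one service name per line, "#" for comments).
vrf_capable() {
    grep -qxF -- "$1" "$VRF_CONF" 2>/dev/null
}

# Stop and disable the default-VRF instance, then start and enable the
# SERVICE@mgmt instance, in the order the procedure gives.
move_to_mgmt_vrf() {
    svc=$1
    if ! vrf_capable "$svc"; then
        echo "$svc is not listed in $VRF_CONF; add it first" >&2
        return 1
    fi
    run systemctl stop "$svc.service" &&
    run systemctl disable "$svc.service" &&
    run systemctl start "$svc@mgmt.service" &&
    run systemctl enable "$svc@mgmt.service" &&
    run systemctl is-active "$svc@mgmt.service"
}

# Stand-alone use (as root): DRY_RUN=0 ./script ntp
if [ $# -gt 0 ]; then move_to_mgmt_vrf "$1"; fi
```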
Using ping or traceroute
By default, when you issue a traceroute, the packet is sent to the dataplane network (the main routing table). To use traceroute on the management network, use the -I flag for ping and
Running Services as a Non-root User
Sometimes you may want to run services in the management VRF as a non-root user. To do so, you need to create a custom service based on the original service file.
Copy the original service file to its new name and store the file in
If there is a User directive, comment it out. If it exists, you can find it under [Service].
Modify the ExecStart line to /usr/bin/vrf exec mgmt /sbin/runuser -u USER -- COMMAND. For example, to have the cumulus user run the foo command:
Save and exit the file.
Reload the service so the changes take effect:
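The unit-file edits from the steps above, as an added shell example that is not part of the original documentation. The function names and the sample "foo" unit are constructed for illustration; the filter reads the copied unit on stdin and writes the modified unit to stdout.

```shell
#!/bin/sh
# Added example (not from the Cumulus Linux documentation).
# Comments out User= under [Service] and wraps ExecStart in
# "vrf exec mgmt" + "runuser -u USER", as the steps above describe.
make_mgmt_unit() {
    user=$1
    # Accept only a plain, non-root account name so the value cannot
    # smuggle extra options or arguments into ExecStart.
    case $user in
        ''|root|-*|*[!a-z0-9_-]*) echo "bad user: $user" >&2; return 1 ;;
    esac
    awk -v user="$user" '
        /^\[/ { in_service = ($0 == "[Service]") }
        in_service && /^User=/ { print "#" $0; next }
        in_service && /^ExecStart=/ {
            cmd = substr($0, 11)              # text after "ExecStart="
            prefix = ""
            # Keep a leading "-" (ignore exit status) in front of the new command.
            if (substr(cmd, 1, 1) == "-") { prefix = "-"; cmd = substr(cmd, 2) }
            print "ExecStart=" prefix "/usr/bin/vrf exec mgmt /sbin/runuser -u " user " -- " cmd
            next
        }
        { print }
    '
}

# Constructed sample unit for the hypothetical foo service.
sample_unit() {
    cat <<'EOF'
[Unit]
Description=foo daemon
[Service]
User=cumulus
ExecStart=/usr/bin/foo --listen
[Install]
WantedBy=multi-user.target
EOF
}

sample_unit | make_mgmt_unit cumulus
```

Directives outside [Service] and every other line pass through unchanged, so the result can be compared against the original file with diff before it is installed.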
OSPF and BGP
In general, no changes are required for either BGP or OSPF. FRRouting is VRF-aware and automatically sends packets based on the switch port routing table. This includes BGP peering via loopback interfaces. BGP does routing lookups in the default table. However, depending on how your routes are redistributed, you might want to perform the following modification.
Redistributing Routes in Management VRF
Management VRF uses the mgmt table, including local routes. It does not affect how the routes are redistributed when using routing protocols such as OSPF and BGP.
To redistribute the routes in your network, use the redistribute connected command under BGP or OSPF. This enables the directly-connected network out of eth0 to be advertised to its neighbor.
This also creates a route on the neighbor device to the management network through the data plane, which might not be desired.
Cumulus Networks recommends you always use route maps to control the advertised networks redistributed by the redistribute connected command. For example, you can specify a route map to redistribute routes in this way (for both BGP and OSPF):
These commands produce the following configuration snippet in the
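One way to check a switch against the route-map recommendation above, as an added shell example that is not part of the original documentation. The function names, the AS number and the route-map names in the sample are constructed; the audit reads an FRRouting configuration on stdin.

```shell
#!/bin/sh
# Added example (not from the Cumulus Linux documentation).
# Reports every "redistribute connected" statement that has no route map,
# or that names a route map the configuration never defines.
audit_redistribute() {
    awk '
        $1 == "route-map" { defined[$2] = 1 }   # route-map NAME permit|deny SEQ
        $1 == "router"    { ctx = $0 }          # remember the enclosing router block
        $1 == "redistribute" && $2 == "connected" {
            name = ""
            for (i = 3; i < NF; i++)
                if ($i == "route-map") name = $(i + 1)
            n++; where[n] = ctx; rmap[n] = name
        }
        END {
            for (k = 1; k <= n; k++) {
                if (rmap[k] == "")
                    print "UNFILTERED: " where[k]
                else if (!(rmap[k] in defined))
                    print "UNDEFINED " rmap[k] ": " where[k]
            }
        }
    '
}

# Constructed configuration: AS number and route-map names are made up.
sample_frr_conf() {
    cat <<'EOF'
router bgp 65001
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 address-family ipv6 unicast
  redistribute connected route-map MISSING
 exit-address-family
router ospf
 redistribute connected route-map REDIST-CONN
route-map REDIST-CONN deny 100
 match interface eth0
route-map REDIST-CONN permit 1000
EOF
}

sample_frr_conf | audit_redistribute
```

An empty result means every redistribute connected statement carries a defined route map; the audit does not evaluate what that route map permits.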
Using SSH within a Management VRF Context
If you SSH to the switch through a switch port, SSH works as expected. If you need to SSH from the device out of a switch port, use vrf exec default ssh <ip_address_of_swp_port>. For example:
Viewing the Routing Tables
When you look at the routing table with ip route show, you are looking at the switch port (main) table. You can also see the dataplane routing table with net show route vrf main.
To look at information about eth0 (the management routing table), use net show route vrf mgmt.
Viewing a Single Route
If you use ip route get to return information about a single route, the command resolves over the mgmt table by default. To obtain information about the route in the switching silicon, use:
To get the route for any VRF, run the following command:
Using the mgmt Interface Class
In ifupdown2, interface classes are used to create a user-defined grouping for interfaces. The special class mgmt is available to separate the management interfaces of the switch from the data interfaces. This allows you to manage the data interfaces by default using ifupdown2 commands. Performing operations on the mgmt interfaces requires specifying the --allow=mgmt option, which prevents inadvertent outages on the management interfaces. Cumulus Linux by default brings up all interfaces in both the auto (default) class and the mgmt interface class when the switch boots.
The management VRF interface class is not supported if you are configuring Cumulus Linux using NCLU.
You configure the management interface in the /etc/network/interfaces file. In the example below, the management interface, eth0, and the management VRF stanzas are added to the mgmt interface class:
When you run ifupdown2 commands against the interfaces in the mgmt class, include --allow=mgmt with the commands. For example, to see which interfaces are in the mgmt interface class, run:
To reload the configurations for interfaces in the mgmt class, run:
You can still bring the management interface up and down using ifup eth0 and
Management VRF and DNS
Cumulus Linux supports both DHCP and static DNS entries over management VRF through IP FIB rules. These rules are added to direct lookups to the DNS addresses out of the management VRF.
For DNS to use the management VRF, the static DNS entries must reference the management VRF in the /etc/resolv.conf file. For example:
Nameservers configured through DHCP are updated automatically. Statically configured nameservers (configured in the /etc/resolv.conf file) only get updated when you run
Because DNS lookups are forced out of the management interface using FIB rules, this might affect data plane ports if overlapping addresses are used. For example, when the DNS server IP address is learned over the management VRF, a FIB rule is created for that IP address. When DHCP relay is configured for the same IP address, a DHCP discover packet received on the front panel port is forwarded out of the management interface (eth0) even though a route is present out the front-panel port.
Incompatibility with cl-ns-mgmt
Management VRF has replaced the management namespace functionality in Cumulus Linux. The management namespace feature (used with the cl-ns-mgmt utility) has been deprecated, and the cl-ns-mgmt command has been removed.