Graham1
Contributor

Management interface

I have recently made the switch from a standalone 6700 firewall to an HA cluster of two 6700s.
As part of this process we are also starting to use the MGMT interface for ... management!!

Previously our management was set to our LAN interface eth1-04 (10GbE).

To complicate matters we are migrating to a new network during renovation construction.
The management network is 10.x.50.0/24, which we get to via a bond10 L3 interface (eth1-02 & eth1-03) that connects to the L3 of our core switch stack.
The problem I am facing is that the management interfaces of both cluster nodes are also on the 10.x.50.0 network.
The management interface for each node is set to Private. Sync is set to a separate interface dedicated for that purpose.

This is causing an inconsistent routing issue: some traffic is being dropped by the MGMT interface, while other traffic is going through the bond10 interface.

ip route
..
10.x.50.0/24 dev Mgmt proto kernel scope link src 10.x.50.31
..

Wondering what others could be doing?
Is my only option to disable this management port and use my LAN port instead, like before, and isolate it with rules?
I am aware the licensing may need to be re-worked since I am using that IP for the license.


Accepted Solutions
emmap
Employee

The Mgmt interface is 'just another interface' on the box, so you can't have it in the same subnet as another interface on there. It's also all part of the same routing table as everything else by default. If you want to separate routing you can look at MDPS or VSX, but there's no harm in using one of the prod interfaces to manage the box; it's quite common and 100% supported.

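The point emmap makes above (one routing table, and a connected subnet must not be shared between interfaces) is easy to check mechanically before a cutover. The following is an added example written for this page, not Check Point code and not something from the thread: it parses `ip route` output, flags routes that compete for the same destinations on different interfaces, and shows which interface a longest-prefix lookup would actually pick. The routing table it ships with is constructed; 10.1.50.0/24 stands in for the poster's redacted 10.x.50.0/24, and the bond10 transit subnet, the static route via bond10, the eth1-04 and Sync lines are all assumptions, not output from the poster's gateway.

```python
import ipaddress
import re
import sys

# Constructed sample of `ip route` output modelled on the thread's situation
# (NOT output from the poster's gateway). 10.1.50.0/24 stands in for the redacted
# 10.x.50.0/24. The bond10 transit subnet 10.1.1.0/30, the static route to the
# management network via bond10, and the eth1-04 and Sync lines are assumptions.
SAMPLE_IP_ROUTE = """\
default via 10.1.1.1 dev bond10
10.1.1.0/30 dev bond10 proto kernel scope link src 10.1.1.2
10.1.20.0/24 dev eth1-04 proto kernel scope link src 10.1.20.1
10.1.50.0/24 dev Mgmt proto kernel scope link src 10.1.50.31
10.1.50.0/24 via 10.1.1.1 dev bond10
192.168.99.0/30 dev Sync proto kernel scope link src 192.168.99.1
"""

ROUTE_RE = re.compile(r"^(?P<prefix>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)(?P<rest>.*)$")


def parse_routes(text):
    """Parse `ip route` lines into dicts; 'default' becomes 0.0.0.0/0.
    Lines that do not match the pattern (e.g. blackhole routes) are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix = "0.0.0.0/0" if m.group("prefix") == "default" else m.group("prefix")
        rest = m.group("rest")
        src = re.search(r"\bsrc (\S+)", rest)
        routes.append({
            "net": ipaddress.ip_network(prefix, strict=False),
            "dev": m.group("dev"),
            "via": m.group("via"),
            "connected": "scope link" in rest,   # directly attached subnet
            "src": src.group(1) if src else None,
        })
    return routes


def find_conflicts(routes):
    """Pairs of routes that compete for the same destinations on different interfaces:
    an identical prefix reachable via two interfaces (the connected Mgmt /24 against a
    route via bond10, as in the thread), or two connected subnets that overlap at all.
    Returns (net_a, dev_a, net_b, dev_b) per conflicting pair, in table order."""
    conflicts = []
    for i, a in enumerate(routes):
        for b in routes[i + 1:]:
            if a["dev"] == b["dev"]:
                continue
            same_prefix = a["net"] == b["net"]
            both_attached = a["connected"] and b["connected"] and a["net"].overlaps(b["net"])
            if same_prefix or both_attached:
                conflicts.append((str(a["net"]), a["dev"], str(b["net"]), b["dev"]))
    return conflicts


def egress_for(routes, dst):
    """Interface a longest-prefix lookup selects for dst. With two equal-length matches
    of the same metric the entry listed first wins, so replies to the management network
    leave via whichever interface's route was installed first, not via the one the
    request arrived on: that asymmetry is what the thread describes."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best["dev"] if best else None


def report(text):
    """Human-readable summary of the conflicts found; returns the report lines."""
    routes = parse_routes(text)
    lines = []
    for net_a, dev_a, net_b, dev_b in find_conflicts(routes):
        lines.append(f"CONFLICT: {net_a} on {dev_a} competes with {net_b} on {dev_b}")
        net = ipaddress.ip_network(net_a)
        probe = net[1] if net.num_addresses > 2 else net[0]   # a representative host
        lines.append(f"  lookup for {probe} would leave via {egress_for(routes, str(probe))}")
    if not lines:
        lines.append("OK: no prefix is reachable via two interfaces")
    return lines


if __name__ == "__main__":
    # Pipe real output in from expert mode: `ip route | python3 check_routes.py`;
    # with no input on stdin the constructed sample above is analysed instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IP_ROUTE
    print("\n".join(report(data)))
```

Run it against the real table on both cluster members; a clean run on each node is the condition under which the Mgmt port can stay in use. If it reports a conflict, the fix is the one emmap gives: give Mgmt a subnet of its own (or disable it and manage over a production interface), because the kernel offers no per-interface routing without MDPS or VSX.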
3 Replies
Graham1
Contributor

Thanks for the clarification.  Looks like I am heading in "prod interface" direction.

the_rock
Legend

That makes sense, I know lots of people doing it that way.

Andy
