If you use the OOB management interface, you configure an "ip management-route". For the IP VLAN interfaces you use the normal routing table, adding routes with the "ip route" command.
But if you make an SSH connection or an ICMP ping to the OOB management IP address, the switch answers via whichever interface is closest to your source, looking into both routing tables. This means it can happen that you ping the switch on the OOB IP and the switch answers with a VLAN interface as source. That causes asymmetric routing, which will cause problems if IP ACLs are used to regulate management access or if a firewall is in the traffic path.
Egress Interface Selection (EIS)
EIS allows you to isolate the management and front-end port domains by preventing switch-initiated traffic routing between the two domains. This feature provides additional security by preventing flooding attacks on front-end ports. The following protocols support EIS: DNS, FTP, NTP, RADIUS, sFlow, SNMP, SSH, Syslog, TACACS, Telnet, and TFTP. This feature does not support sFlow on stacked units.
When you enable this feature, all management routes (connected, static, and default) are copied to the management EIS routing table. Use the management route command to add new management routes to the default and EIS routing tables. Use the show ip management-eis-route command to view the EIS routes.
Important Points to Remember
· Deleting a management route removes the route from both the EIS routing table and the default routing table.
· If the management port is down or route lookup fails in the management EIS routing table, the outgoing interface is selected based on route lookup from the default routing table.
· If a route in the EIS table conflicts with a front-end port route, the front-end port route has precedence.
· Due to protocol, ARP packets received through the management port create two ARP entries (one for the lookup in the EIS table and one for the default routing table).
management egress-interface-selection
!
application dns
application ftp
application http
application icmp
application ntp
application radius
application sflow-collector
application snmp
application ssh
application syslog
application tacacs
application telnet
application tftp
!
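The selection rules from "Important Points to Remember" can be modelled to see why a syslog or SSH reply leaves the OOB port once EIS is enabled, even though the front-end table holds a more specific route. This is an added illustration, not code or behaviour taken from the vendor; the interface names, addresses and the modelling of a "conflict" as a same-prefix front-end route are assumptions.

```python
import ipaddress

MGMT_IFACE = "ma0/0"   # placeholder name for the OOB management port

# Constructed example tables (not from the page). Route = (prefix, next hop,
# egress interface); "vlan10" stands for a front-end VLAN interface.
DEFAULT_TABLE = [
    ("0.0.0.0/0", "192.0.2.1", MGMT_IFACE),       # management default route
    ("192.0.2.0/24", None, MGMT_IFACE),           # connected management subnet
    ("172.16.0.0/16", "192.0.2.2", MGMT_IFACE),   # static management route
    ("10.0.0.0/8", "198.51.100.1", "vlan10"),     # front-end static route
    ("172.16.0.0/16", "198.51.100.1", "vlan10"),  # front-end route conflicting with the one above
    ("198.51.100.0/24", None, "vlan10"),          # connected front-end subnet
]
# Enabling EIS copies every management route (connected, static, default)
# into the EIS table; front-end routes stay only in the default table.
EIS_TABLE = [r for r in DEFAULT_TABLE if r[2] == MGMT_IFACE]


def lookup(table, dst):
    """Longest-prefix match over a route table; returns the route or None."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, next_hop, iface), net.prefixlen
    return best


def select_egress(dst, mgmt_port_up=True):
    """Pick the egress interface for switch-initiated traffic under EIS."""
    if mgmt_port_up:
        hit = lookup(EIS_TABLE, dst)
        if hit is not None:
            # Assumption: a "conflict" is a front-end route in the default
            # table with the same prefix; the front-end route has precedence.
            for prefix, _, iface in DEFAULT_TABLE:
                if prefix == hit[0] and iface != MGMT_IFACE:
                    return iface
            return hit[2]
    # Management port down or no EIS match: fall back to the default table.
    hit = lookup(DEFAULT_TABLE, dst)
    return hit[2] if hit else None


def delete_management_route(prefix):
    """Deleting a management route removes it from both tables."""
    for table in (DEFAULT_TABLE, EIS_TABLE):
        table[:] = [r for r in table if not (r[0] == prefix and r[2] == MGMT_IFACE)]
```

With EIS active, a syslog server at 10.1.1.5 is reached through ma0/0 via the copied default route; with the management port down the same destination falls back to the front-end route and leaves via vlan10, which is exactly the asymmetric path a firewall or management ACL would then see.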