Alternate Management Interface on MS Devices
Overview
In traditional Meraki network deployments, management traffic such as Syslog messages, responses to SNMP polling and communication with RADIUS servers, is sourced from the LAN IP - the address of the device's default management VLAN. Because this VLAN is also used by the MS device to communicate with the Meraki Dashboard, it has connectivity to the Internet.
Security policies in certain deployments may mandate isolation of management traffic from the public networks. The Alternate Management Interface feature provides for this option by enabling an MS series switch to source its management traffic from an IP address other than that of the default management VLAN.
Requirements, guidelines and limitations
- Hardware and software requirements: Alternate Management Interface is support on the following MS switch platforms and firmware versions
MS Switch Family MS Switch Model MS Firmware Support (first supported on) MS2xx MS210 MS14.5 MS225 MS14.5 MS250 MS14.5 MS3xx MS350 MS14.5 MS355 MS14.5 MS390 MS15 MS4xx MS410 MS14.5 MS425 MS14.5 MS450 MS14.5 - The Alternate Management Interface (AMI) functionality is enabled at a per-network level and, therefore, all switches within the Dashboard Network will use the same VLAN for the AMI. The AMI IP address can be configured per switch.
- The AMI VLAN should not be the same as the Management VLAN configured on any of the switches (the LAN IP VLAN on the switch details page) or for the network (via Switching > Switch settings > VLAN configuration).
- Layer 3 routing must be enabled on a switch for its AMI to be activated. Please refer to the section on Configuring the switches with the routes toward the management servers for further details.
Configuring the Alternate Management Interface from Dashboard
Configuring the MS switches in a Meraki Dashboard network to use AMI involves three key steps.
- Enabling AMI for the network and associating management services with it.
- Configuring the Alternate Management Interface IP addresses on the switches.
- Configuring the switches with the routes toward the management servers.
Enabling AMI for the network and associating management services with it.
To enable the Alternate Management Interface, navigate to Network-wide > General. The configuration options can be found under the section 'Alternate Management Interface' if the network-type is Switch and under 'Switch Alternate Management Interface' where the network-type is Combined.
When enabled, this configuration section allows us to specify the alternate management VLAN, and choose a combination of services, from amongst RADIUS, SNMP and Syslog, to which the Alternate Management Interface configuration would be applicable.
Configuring the Alternate Management Interface IP addresses on the switches.
Once the Alternate Management Interface has been enabled, the AMI VLAN number is populated as the ALT MGMT VLAN on all the switches in the network which support the Alternate Management Interface functionality.
The Alternate Management Interface IP is assigned statically and can be configured for each switch from its Switch details page.
The subnet of the AMI (the subnet mask for the AMI IP address) is derived from Layer-3 interface for the AMI VLAN, if one has been configured on the switch. In the absence of a Layer-3 interface for the AMI VLAN, each switch will consider its AMI to be /32 network address.
Configuring the switches with the routes toward the management servers.
The switch relies on its routing table entries to determine the IP address of the next-hop device for exporting traffic for protocols mapped to AMI. The required routes can be configured statically or though the use of a dynamic routing protocol from the Switch > Routing & DHCP section on the Dashboard. Please refer to the MS Layer 3 Switching and Routing document for details on routing configurations and their dependencies, in MS switches
In the absence of Layer-3 routing on the switch, the AMI IP address will not be accepted by the switch. In this scenario, while the AMI IP can be configured, it will not show up on in the UI, as we see in the image below.
.While the AMI VLAN is correctly reflected in the ALT MGMT VLAN section, the ALT MGMT LAN IP does not display the configured IP address.
The state of the Layer-3 routing on the switch can be checked from the L3 routing tab on the switch details page.
Configuring the Alternate Management Interface using API
GET Alternate Management Interface configuration
The GET /networks/{networkId}/switch/alternateManagementInterface request is used to obtain the current Alternate Management Interface configuration of a Dashboard Network and on the switches in it. Some examples of response to these requests are as follows.
Example response from Network Templates
Successful HTTP response code: 200
{
"enabled": true,
"vlanId": 100,
"protocol": [
"snmp",
"radius",
"syslog"
]
}
Example response from Networks when AMI is enabled
Successful HTTP response code: 200
{
"enabled": true,
"vlanId": 100,
"protocols": ["radius","snmp","syslog"],
"switches": [
{
"serial": "Q2AB-CDEF-GHIJ",
"alternateManagementIp": "192.168.128.100"
},
{
"serial": "Q2AB-CDEF-KLMN",
"alternateManagementIp": "192.168.128.200"
},
.....
]
}
Example response from Networks when AMI is disabled
Successful HTTP response code: 200
{
"enabled": false,
}
Apply Alternate Management Interface configuration
Use the PUT /networks/{networkId}/switch/alternateManagementInterface request to configure AMI on a network. The following table provides some example configurations and their corresponding responses.
| Request | Response |
| Configure Network-wide Switch AMI settings | |
PUT /networks/L_12345/switch/alternateManagementInterface
{
"enabled": true,
"vlanId": 100,
"protocols": ["syslog"]
}
|
Successful HTTP response code: 200
{
"enabled": true,
"vlanId": 100,
"protocols": ["syslog"],
"switches": []
|
| Configure AMI IP addresses on switches | |
PUT /networks/L_12345/switch/alternateManagementInterface
{
"switches": [
{
"serial": "Q2AB-CDEF-GHIJ",
"alternateManagementIp": "192.168.128.100"
},
{
"serial": "Q2AB-CDEF-KLMN",
"alternateManagementIp": "192.168.128.200"
}
]
}
|
Successful HTTP response code: 200
{
"enabled": true,
"vlanId": 100,
"protocols": ["syslog"],
"switches": [
{
"serial": "Q2AB-CDEF-GHIJ",
"alternateManagementIp": "192.168.128.100",
},
{
"serial": "Q2AB-CDEF-KLMN",
"alternateManagementIp": "192.168.128.200"
}
]
}
|
| Configure Network-wide settings and AMI IP on switch | |
PUT /networks/L_12345/switch/alternateManagementInterface
{
"enabled": true,
"vlanId": 100,
"protocols": ["syslog"],
"switches": [
{
"serial": "Q2AB-CDEF-GHIJ",
"alternateManagementIp": "192.168.128.100"
}
]
}
|
Successful HTTP response code: 200
{
"enabled": true,
"vlanId": 100,
"protocols": ["syslog"],
"switches": [
{
"serial": "Q2AB-CDEF-GHIJ",
"alternateManagementIp": "192.168.128.100"
}
]
}
|
| Disable Switch AMI on the network | |
PUT /networks/L_12345/switch/alternateManagementInterface
{
"enabled": false
}
|
Successful HTTP response code: 200
{
"enabled": false
}
|
Flow of traffic with Alternate Management Interface
Traffic for the services selected under the Alternate Management Interface configuration is routed in accordance with the information in the routing table of the switch. The Alternate Management VLAN's IP is used as the source IP address of the data packets being sent. Sourcing this traffic from the IP address of the Alternate Management VLAN allows us to avoid any overlap and ensure that the return traffic from servers can be separated from the public network.
