updated

sushantjrao · sushantjrao · commit 08a04b01c166 · 2025-02-26T19:06:25.000+05:30
diff --git a/articles/operator-nexus/TOC.yml b/articles/operator-nexus/TOC.yml
@@ -210,21 +210,23 @@
           href: howto-set-up-break-glass-access.md
         - name: How to use-break-glass-access
           href: howto-use-break-glass-access.md
+        - name: How to set up break-glass access using In-Band management
+          href: howto-set-up-break-glass-access-using-in-band-management.md
         - name: How to enable-Micro-BFD on CE and PE devices
           href: howto-enable-micro-bfd.md
-        - name: How to replace a terminal server
-          href: howto-replace-a-terminal-server.md
+        - name: How to replace terminal server
+          href: howto-replace-terminal-server.md
         - name: How to upgrade os of terminal server
           href: howto-upgrade-os-of-terminal-server.md
         - name: How to restrict serial port access and set timeout on terminal-server
           href: howto-restrict-serial-port-access-and-set-timeout-on-terminal-server.md
-        - name: How to append a custom suffix to interface descriptions
-          href: howto-append-a-custom-suffix-to-interface-descriptions.md
-        - name: How to reboot a Network Device in Azure Operator Nexus Network Fabric
-          href: howto-reboot-a-network-device.md
+        - name: How to append custom suffix to interface descriptions
+          href: howto-append-custom-suffix-to-interface-descriptions.md
+        - name: How to reboot Network Device in Azure Operator Nexus Network Fabric
+          href: howto-reboot-network-device.md
         - name: How to Configure NNF with Bring Your Own (BYO) Storage
           href: howto-configure-bring-your-own-storage-network-fabric.md
-        - name: How to upgrade os of terminal server
+        - name: How to upgrade OS of terminal server
           href: howto-upgrade-os-of-terminal-server.md
         - name: How to restrict serial port access and set timeout on terminal-server
           href: howto-restrict-serial-port-access-and-set-timeout-on-terminal-server.md           
diff --git a/articles/operator-nexus/concepts-access-control-lists.md b/articles/operator-nexus/concepts-access-control-lists.md
@@ -53,6 +53,21 @@ The action property of an ACL statement can have one of the following types:
 - **Drop**: Discards packets that match specified conditions.
 - **Count**: Counts the number of packets that match specified conditions.
 
+## Control plane traffic policy (CP-TP)
+
+Additionally to add an additional layer of control plane protection for enhancing network security, users can also configure and modify control plane traffic policies on supported devices via APIs. 
+
+•	A Traffic Policy (TP) solution for securing the fabric device Control Plane (packets destined to or originating from the fabric device) of the supported devices in AON.
+
+•	The device control plane (which includes Policing/Rate Limiting) can be implemented as Traffic Policies based on source/destination IP, source/destination ports, and protocols.
+•	API supports create, update, and delete the TP entries/rules/Policing/Rate Limiting.
+
+To implement the functionality for Control Plane ACL - Traffic Policy: 
+
+•	For existing deployments, users must create a CPTP ACL resource, associate it with the Network Fabric (NF), and perform a patch operation.
+
+•	For new deployments, users should create the CPTP ACL resource either during fabric creation or after the fabric has been provisioned, followed by patching it to the NF resource. Since the CPTP ACL resource is not created by default, users must manually create it before attaching it to the NF.
+
 ## Next steps:
 
 [Creating Access Control List (ACL) management for NNI and layer 3 isolation domain external networks](howto-create-access-control-list-for-network-to-network-interconnects.md)
diff --git a/articles/operator-nexus/concepts-observability.md b/articles/operator-nexus/concepts-observability.md
@@ -105,6 +105,10 @@ You can use the sample Azure Resource Manager workbook templates for [Operator N
 
 You can use the sample Azure Resource Manager alarm templates for [Operator Nexus alerting rules](https://github.com/microsoft/AzureMonitorCommunity/tree/master/Azure%20Services/Azure%20Operator%20Nexus#alert-rules). You should specify thresholds and conditions for the alerts. You can then deploy these alert templates on your on-premises environment.
 
+#### Hardware capacity alerts
+
+The hardware capacity threshold for devices is set at 60%, and the TrafficPolicy limit thresholds are set at 35%. All alerts will be published via syslog.
+
 ## Log Analytic Workspace
 
 A [Log Analytics Workspace (LAW)](/azure/azure-monitor/logs/log-analytics-workspace-overview) is a unique environment to log data from Azure Monitor and other Azure services. Each workspace has its own data repository and configuration but may combine data from multiple services. Each workspace consists of multiple data tables.
diff --git a/articles/operator-nexus/howto-append-custom-suffix-to-interface-descriptions.md b/articles/operator-nexus/howto-append-custom-suffix-to-interface-descriptions.md
@@ -1,6 +1,6 @@
 ---
-title: How to append a custom suffix to interface descriptions in Azure Operator Nexus Network Fabric
-description: Learn how to append and remove a custom suffix from interface descriptions in Azure Operator Nexus Network Fabric for enhanced operational annotations.
+title: How to append custom suffix to interface descriptions in Azure Operator Nexus Network Fabric
+description: Learn how to append and remove custom suffix from interface descriptions in Azure Operator Nexus Network Fabric for enhanced operational annotations.
 author: sushantjrao
 ms.author: sushrao
 ms.service: azure-operator-nexus
@@ -9,7 +9,7 @@ ms.date: 02/24/2025
 ms.custom: template-how-to
 ---
 
-# Append a custom suffix to interface descriptions in Azure Operator Nexus Network Fabric
+# Append custom suffix to interface descriptions in Azure Operator Nexus Network Fabric
 
 This guide explains how to append a user-defined suffix (`additionalDescription`) to interface descriptions in Azure Operator Nexus Network Fabric. This feature provides enhanced flexibility for operational annotations, allowing users to customize interface descriptions for specific maintenance or operational requirements.
 
diff --git a/articles/operator-nexus/howto-reboot-network-device.md b/articles/operator-nexus/howto-reboot-network-device.md
@@ -1,5 +1,5 @@
 ---
-title: How to Reboot a Network Device in Azure Operator Nexus Network Fabric
+title: How to reboot network device in Azure Operator Nexus Network Fabric
 description: Learn how to reboot a network device in Azure Operator Nexus Network Fabric using graceful and ungraceful reboot methods.
 author: sushantjrao
 ms.author: sushrao
diff --git a/articles/operator-nexus/howto-replace-terminal-server.md b/articles/operator-nexus/howto-replace-terminal-server.md
diff --git a/articles/operator-nexus/howto-set-up-break-glass-access-using-in-band-management.md b/articles/operator-nexus/howto-set-up-break-glass-access-using-in-band-management.md
@@ -0,0 +1,192 @@
+---
+title: How to set up Break-Glass access using In-Band management in Azure Operator Nexus Network Fabric
+description: Learn how to How to set up Break-Glass access using In-Band management 
+author: sushantjrao
+ms.author: sushrao
+ms.service: azure-operator-nexus
+ms.topic: how-to
+ms.date: 02/24/2025
+ms.custom: template-how-to
+---
+
+# Break-Glass access using In-Band management
+
+In the Nexus Network Fabric (NNF), there is an out-of-band management network where most fabric devices are connected to management switches via management ports (Ma1). The only exceptions are the Terminal Server and Aggregation Management Switches.
+To address the potential single point of failure posed by the management switch, Microsoft team has provided the Redundant In-band Management Break Glass Access feature. 
+
+> [!Note]
+> Currently, pivot to gNMI to use loopback6 is not supported.
+
+## Redundant In-Band management break glass access
+The Redundant In-band management break glass access feature provides a backup mechanism for the operations team to access Arista devices in the event of a primary management path failure. This feature allows operators to SSH into Arista devices using the loopback IP over the control plane VLAN / In-band management VRF, ensuring continuity of device management.
+
+### Primary and backup paths
+
+•	**Primary path:** The default method for accessing Arista devices is via the MA1 interface, which is used for management operations under normal conditions.
+
+•	**Backup path:** In cases where the primary path is unavailable, the break glass access allows operators to SSH to the device using the loopback IP over the control plane VLAN / In-band management VRF.
+
+The in-band management path is applicable only to devices configured and participating in BGP, excluding management switches and Network Packet Brokers (NPB). NPB does not support routing, and it is recommended against creating complex workarounds to enable such capability. The in-band management path relies on BGP because it provides dynamic routing, redundancy, resilience, policy-based routing, and scalability, all of which are essential for ensuring that management traffic can be reliably routed through the network.
+
+To support in-band management, a new loopback interface (lo6) is created on network devices. The addresses of these loopback interfaces will be advertised to the Provider Edge (PE) via the INFRA-MGMT VRF from the Customer Edge (CE). Customer IP addresses will be advertised to the Top of Rack (ToR) switches from the CEs via the default VRF.
+
+## Set up Break-Glass access using In-Band management
+
+### Assign IPv4 and IPv6 addresses to loopback interfaces
+
+On Customer Edge (CE) devices and Top of Rack (ToR) switches, assign IPv4 and IPv6 addresses to loopback interfaces.
+
+Example configuration for CE:
+
+```json
+	interface Loopback6
+ description "Inband Management"
+ vrf INFRA-MGMT
+ ip address 10.x.x.64/32
+ ipv6 address fda0:d59c:df09:2::x/128
+```
+
+Example configuration for ToR:
+
+```json
+interface Loopback6
+ description "Inband Management"
+ ip address 10.x.x.66/32
+ ipv6 address fda0:d59c:df09:2::x/128
+ ```
+
+ ### Update prefix-lists
+
+Add loopback addresses to prefix-lists and create IPv6 prefix if not already created.
+
+Example:
+
+```json
+ip prefix-list loopback
+ seq 10 permit 10.XX.X.34/32
+ seq 20 permit 10.XX.X.115/32
+ seq 30 permit 10.XX.X.117/32
+ seq 40 permit 10.XX.X.64/27 le 32
+ipv6 prefix-list loopback_v6
+ seq 10 permit fda0:d59c:df09:2::/64 eq 128
+```
+
+
+### Assign IPv6 addresses to CE-ToR interfaces
+
+Configure Ethernet interfaces on CE and ToR devices.
+
+Example for CE:
+
+```json
+interface Ethernet5/1
+ description "AR-CE1(fab5-AR-CE1):Et9/1 to CR1-TOR1(fab5-CP1-TOR1)-Port23"
+ mtu 9214
+ no switchport
+ ip address 10.x.x.1/31
+ ipv6 address fda0:d59c:df09:c::x/127
+```
+
+Example for ToR:
+
+```json
+interface Ethernet23/1
+ description "CR1-TOR1(fab5-CP1-TOR1):Et23/1 to AR-CE1(fab5-AR-CE1)-Port05"
+ mtu 9214
+ no switchport
+ ip address 10.x.x.0/31
+ ipv6 address fda0:d59c:df09:c::x/127
+```
+
+### Configure CE_TOR_UNDERLAY peer group
+
+Enable auto-local-addr for the peer group.
+
+Example:
+
+```json
+neighbor CE_TOR_UNDERLAY auto-local-addr
+```
+
+### Configure IPv6 address family in BGP
+
+Activate the CE_TOR_UNDERLAY peer group under the IPv6 address family.
+
+Example:
+
+```json
+address-family ipv6
+ neighbor CE_TOR_UNDERLAY activate
+```
+
+### Update adv_loopback RCF
+
+Include IPv6 prefix list in the adv_loopback function.
+
+Example:
+
+```json
+router general
+ control-functions
+ code unit adv_loopback
+ function adv_loopback() {
+  @SEQ_10 {if prefix match prefix_list_v4 loopback {
+   return true;
+  }}
+  @SEQ_20 {if prefix match prefix_list_v6 loopback_v6 {
+   return true;
+  }}
+ }
+ ```
+
+### Redistribute under Global BGP
+
+Redistribute connected and static routes using the adv_loopback route-map.
+
+Example:
+
+```json
+router bgp 65000
+ redistribute connected route-map adv_loopback
+8.	Create SOO Community:
+Example:
+ip extcommunity-list aon-soo permit soo 100:100
+9.	Create Route-Maps for Leaking Routes:
+Create policies for leaking routes between default and INFRA-MGMT VRFs and assign SOO.
+Example:
+route-map leak_default_infra permit 10
+ match ip address prefix-list loopback
+ match source-protocol bgp
+ set extcommunity extcommunity-list aon-soo
+```
+
+### Redistribute BGP leaked routes
+
+Redistribute BGP leaked routes in default and INFRA_MGMT VRFs.
+
+Example:
+
+```json
+router general
+ vrf default
+ leak routes source-vrf INFRA-MGMT subscribe-policy leak_infra_default
+ vrf INFRA-MGMT
+ leak routes source-vrf default subscribe-policy leak_default_infra
+ ```
+
+### Define Trusted Source IP prefixes
+
+Define and use trusted source IP prefixes for both IPv4 and IPv6 to enhance security and management.
+
+Example:
+
+```json
+ip prefix-list trusted_sources
+ seq 10 permit 10.x.x.0/16
+ seq 20 permit 192.x.x.0/16
+ipv6 prefix-list trusted_sources_v6
+ seq 10 permit fda0:d59c:df09::/48
+```
+
+> [!Note]
+> For Greenfield deployments, provide a list of trusted IP prefixes or use default resources created by the system. <br> For Brownfield deployments, ensure configurations are in place during upgrades and use PATCH operations to update the network fabric.
