topic Re: Management VLAN routing problem on 5304 in Switches, Hubs, and Modems

Management VLAN routing problem on 5304

Igoris_1 — Fri, 26 Sep 2008 10:35:05 GMT

assigned VID9 as management, expected it to disappear from routing table, but it is still there and static route that was added to reach VID9 over firewall is not in the table.
See thread http://forums12.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1222340288104+28353475&threadId=1259359 saying that:
"Management Vlan Subnet won't be inserted in the Routing Table and it will be accessible only from the Same Vlan"
It's not true, management VLAN is still 'connected' and VID9 is unreachable through firewall.
Status and Counters - VLAN Information

Maximum VLANs to support : 40
Primary VLAN : DEFAULT_VLAN
Management VLAN : valdymas

VLAN ID Name | Status Voice
------- -------------------- + ---------- -----
1 DEFAULT_VLAN | Port-based No
5 LAN3 | Port-based No
6 10.2.2.X | Port-based No
7 DMZ | Port-based No
8 fire-fire | Port-based No
9 valdymas | Port-based No

IP Route Entries

Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
10.27.71.0/24 valdymas 9 connected 0 0

Re: Management VLAN routing problem on 5304

cenk sasmaztin — Sat, 27 Sep 2008 12:40:18 GMT

hi Igoris

please send me sh run print

Re: Management VLAN routing problem on 5304

Igoris_1 — Mon, 29 Sep 2008 04:54:51 GMT

see attached config, I removed some non relevant lines.

Re: Management VLAN routing problem on 5304

cenk sasmaztin — Mon, 29 Sep 2008 09:57:39 GMT

you can write managemet vlan comman on switch for declare.

sw(config)# management-vlan 9

cenk

Re: Management VLAN routing problem on 5304

Igoris_1 — Mon, 29 Sep 2008 10:02:09 GMT

it is already done, I probably accidentally deleted this from posted config.

Re: Management VLAN routing problem on 5304

cenk sasmaztin — Mon, 29 Sep 2008 10:15:05 GMT

hi Igoris

please send me true sh run print

and sh ip route print

cenk

Re: Management VLAN routing problem on 5304

Igoris_1 — Mon, 29 Sep 2008 10:29:21 GMT

see attached both outputs in one file.

Re: Management VLAN routing problem on 5304

cenk sasmaztin — Mon, 29 Sep 2008 10:39:55 GMT

??????????

ip route 10.27.71.0 255.255.255.0 10.27.58.244

Re: Management VLAN routing problem on 5304

Igoris_1 — Mon, 29 Sep 2008 10:43:57 GMT

10.27.58.244 is the firewall, but this static route is not in the table, as 10.27.71.0/24 is still 'connected' regardless it's management VLAN

Re: Management VLAN routing problem on 5304

cenk sasmaztin — Mon, 29 Sep 2008 10:47:25 GMT

which device have 10.27.58.244 ip

managemet vlan isolated routing between vlans
but
you write ip route command for 10.27.71.0 network
delete this routing command for management vlan security

Re: Management VLAN routing problem on 5304

Igoris_1 — Mon, 29 Sep 2008 10:55:38 GMT

"which device have 10.27.58.244 ip"
it's cisco firewall.
Before 5304 was manageable over any of it's interfaces, by defining VID9 as management I wanted to restrict it to only one and also keep it accessible from other networks, that's why static route to reach it over external router/firewall.

Re: Management VLAN routing problem on 5304

cenk sasmaztin — Mon, 29 Sep 2008 11:30:35 GMT

vlan 9 L3 interface on your switch if you write managemet vlan command on switch for vlan 9 unable routing other L3 interface (namely vlan's)

but if you write static routing command vlan 9 (L3 interface) between other L3 interface (router or firewall) able routing vlan 9

if you can want protech managemet
if you can want remote control your network switch

you can use
managemet vlan
ip authorize manager
ssh
ssl
acl for managemet vlan network

Re: Management VLAN routing problem on 5304

cenk sasmaztin — Mon, 29 Sep 2008 11:37:36 GMT

Issuing the management-vlan command will have several effects:
ô First, it disables the ability for a switch to receive management traffic on any
IP address other than the one assigned to the management VLAN.
When you attempt to connect to the switch by specifying any other IP address
other than the one assigned to the Secure Management VLAN, you will
receive a typical error message for the application you are using (Telnet,
SSH, or web browser) indicating a connection could not be established. It
will appear not unlike a situation where a typical network disruption appears
to be the problem.
For example, for Telnet you will receive a message similar to the following:
â Connecting To 10.1.2.1...Could not open connection to the host, on
port 23: Connect failedâ .
ProCurve Device Management Security
Rev. 7.31 2 â 187
ô Second, it disables any communication from outside the Secure Management
VLAN network.
Hidden ACLs are placed on the Secure Management VLAN, preventing any
and all network traffic from getting into Secure Management VLAN. So, for
example, you will not be able to ping the IP address of the Secure
Management VLAN from an IP address associated with any other VLAN.
In the case of a ping command, you will receive a â Request timed-outâ error
message.
ô Third, it will allow management stations within the Secure Management
VLAN to source IP packets from that VLAN. For example, a management
station will be able to ping destinations in other user VLANs.
Operating notes for a Secure Management VLAN
ô You can only use a static, port-based VLAN for the Secure Management
VLAN.
ô The Secure Management VLAN does not support IGMP.
ô If there are more than 25 VLANs configured on the switch, reboot the switch
after configuring the Secure Management VLAN.
ô If you implement a Secure Management VLAN in a switch mesh
environment, all meshed ports will be members of the Secure Management
VLAN.
ô Only one Secure Management VLAN can be defined on a switch. If one
Secure Management VLAN ID is saved in the startup-config file and you
configure a different VLAN ID in the running-config file without saving the
running-config to the startup-config, then the switch uses the running-config
version until you reboot the switch, at which time the Secure Management
VLAN will revert to the one in the startup-config.
ô During a management session with the switch, if you define the Secure
Management VLAN that excludes the port through to which you are
connected on the switch, you will continue to have access only until you
terminate the session by logging out or rebooting the switch.
ô Enabling Spanning Tree Protocol where there are multiple links using
separate VLANs, including the Secure Management VLAN, between a pair
of switches, Spanning Tree will force the blocking of one or more links. This
may include the link carrying the Secure Management VLAN, which will
cause loss of management access to some devices.

Re: Management VLAN routing problem on 5304

Igoris_1 — Mon, 29 Sep 2008 12:21:05 GMT

"Second, it disables any communication from outside the Secure Management
VLAN network. "
Is it true even using external router? Let's say I have several SNMP servers, located in different networks, so the only server able to reach switch is the one from management VLAN ip range? And what about desktops, located in management VLAN, isolated from outside?

Re: Management VLAN routing problem on 5304

Igoris_1 — Fri, 03 Oct 2008 06:22:08 GMT

so, no solution for my problem. I will try to explain better what I'm trying to achieve:
1.restrict management access to only one VLAN, instead of many VLAN IP interfaces on my core 5304 switches. This is done by management VLAN statement.
2.Keep management VLAN accessible from other VLANs over external router/firewall, that means management VLAN 9 should be accessible from let's say VLAN 5 over static route to external router/firewall. At the moment static route can't be inserted into routing table, as same network is already there as 'connected', regardless it is defined as 'management'.

Re: Management VLAN routing problem on 5304

RicN — Fri, 03 Oct 2008 06:37:24 GMT

I do not think you accomplish both those things when using the management-vlan command, since that actually forbids any connections from outside this perticular VLAN.

A solution would be to define some random VLAN with a IP address, but NOT as a "hard" management-vlan, and define your own accesslists which only allows telnet/ssh/snmp traffic from your desired VLANs, and the set up the correct routing on the switch and on your firewall.