HPE Community
Aruba & ProVision-based
1752513 Members
4846 Online
108788 Solutions
New Discussion

Management VLAN - HP STACK

 
KleineMichel
Occasional Visitor

‎05-14-2018 03:39 AM

‎05-14-2018 03:39 AM

Management VLAN - HP STACK

Hello,

I’ve build a HP Stack (1x Aruba 2920 48 port + 3x Aruba 2920 24 port) with several VLANS. Everything works fine except one thing. I want to create a Vlan who can access all other VLANS.

I created VLAN70 to be the management vlan. I setup some access lists, but it doesn’t seems to work as I assumed it would.

When I give myself a IP-address in vlan70 I’m only able to manage other VLANS when they are physically connected to the same switch I am.

Does anyone has an idea how to get this done?

Thanks in Advance.

Michel

 

Config:

stacking
   member 1 type "J9727A" mac-address d06726-8ea500
   member 2 type "J9729A" mac-address 98f2b3-fa1280
   member 3 type "J9727A" mac-address d06726-8ee080
   member 4 type "J9727A" mac-address d06726-8ffcc0
   exit
hostname "Stack-Test"
aruba-central disable
no rest-interface
telnet-server listen data
web-management listen data
ip access-list extended "vlan20-acl"
     1 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 3389
     2 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 3389
     3 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 445
     9 permit ip 172.16.20.0 0.0.0.255 172.16.10.215 0.0.0.255
     10 deny ip 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255
     11 deny ip 172.16.20.0 0.0.0.255 172.16.30.0 0.0.0.255
     12 deny ip 172.16.20.0 0.0.0.255 172.16.50.0 0.0.0.255
     13 deny ip 172.16.20.0 0.0.0.255 172.16.60.0 0.0.0.255
     14 deny ip 172.16.20.0 0.0.0.255 172.16.40.0 0.0.0.255
     20 permit ip 172.16.20.0 0.0.0.255 10.0.0.10 0.0.0.255
     40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
ip access-list extended "vlan40-acl"
     1 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 3389
     2 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 3389
     3 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 445
     9 permit ip 172.16.40.0 0.0.0.255 172.16.70.0 0.0.0.255
     10 deny ip 172.16.40.0 0.0.0.255 172.16.10.0 0.0.0.255
     11 deny ip 172.16.40.0 0.0.0.255 172.16.20.0 0.0.0.255
     12 deny ip 172.16.40.0 0.0.0.255 172.16.30.0 0.0.0.255
     13 deny ip 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255
     14 deny ip 172.16.40.0 0.0.0.255 172.16.60.0 0.0.0.255
     40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
ip access-list extended "vlan50-acl"
     20 permit ip 172.16.50.0 0.0.0.255 10.0.0.1 0.0.0.255
   exit
ip access-list extended "vlan70-acl"
     10 permit ip 172.16.70.0 0.0.0.255 172.16.10.0 0.0.0.255
     20 permit ip 172.16.70.0 0.0.0.255 172.16.40.0 0.0.0.255
     40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
ip authorized-managers 172.16.70.215 255.255.255.255 access manager
ip authorized-managers 10.0.0.10 255.255.255.255 access manager
ip authorized-managers 172.16.10.215 255.255.255.255 access manager
ip default-gateway 10.0.0.10
ip ssh listen data
ip route 0.0.0.0 0.0.0.0 10.1.0.1
ip routing
interface 2/17
   speed-duplex auto-100
   exit
interface 3/14
   speed-duplex auto-100
   exit
snmp-server community "public" unrestricted
snmp-server listen data
oobm
   disable
   no ip address
   member 1
      ip address dhcp-bootp
      exit
   member 2
      ip address dhcp-bootp
      exit
   member 3
      ip address dhcp-bootp
      exit
   member 4
      ip address dhcp-bootp
      exit
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1/1-1/24,2/1-2/48,3/1-3/24,4/1-4/24
   ip address 172.16.1.254 255.255.255.0
   exit
vlan 2
   name "ROUTER"
   untagged 2/48
   ip address 10.1.0.254 255.255.255.0
   exit
vlan 3
   name "SERVER"
   untagged 2/45-2/47
   ip access-group "vlan3-acl" vlan-in
   ip address 10.0.0.254 255.255.255.0
   exit
vlan 10
   name "DATA"
   untagged 1/1-1/8,2/1-2/18,3/1-3/8,4/1-4/8
   tagged 2/46
   ip address 172.16.10.254 255.255.255.0
   ip helper-address 10.0.0.10
   exit
vlan 15
   name "WIFI"
   untagged 1/21-1/22,3/21-3/22,4/21-4/22
   tagged 2/39-2/40,2/46
   ip address 172.16.15.254 255.255.255.0
   ip helper-address 10.0.0.10
   exit
vlan 20
   name "TELEFONIE"
   untagged 1/9-1/14,2/19-2/24,3/9-3/14,4/9-4/14
   tagged 2/46
   ip access-group "vlan20-acl" vlan-in
   ip address 172.16.20.254 255.255.255.0
   ip helper-address 10.0.0.10
   exit
vlan 30
   name "AUDIO"
   untagged 1/23-1/24,3/23-3/24,4/23-4/24
   tagged 2/46
   ip address 172.16.30.254 255.255.255.0
   ip helper-address 10.0.0.10
   exit
vlan 40
   name "TOEGANG"
   untagged 1/15-1/20,2/25-2/38,3/15-3/20,4/15-4/20
   tagged 1/21-1/22,2/39-2/40,2/46,3/21-3/22,4/21-4/22
   ip access-group "vlan40-acl" vlan-in
   ip address 172.16.40.254 255.255.255.0
   ip helper-address 10.0.0.10
   exit
vlan 50
   name "WIFI GASTEN"
   untagged 2/39-2/40
   tagged 1/21-1/22,2/46,3/21-3/22,4/21-4/22
   ip access-group "vlan20-acl" vlan-in
   ip address 172.16.50.254 255.255.255.0
   ip helper-address 10.0.0.10
   exit
vlan 60
   name "DIVERSEN"
   untagged 2/41-2/42
   tagged 2/46
   ip address 172.16.60.254 255.255.255.0
   ip helper-address 10.0.0.10
   exit
vlan 70
   name "MANAGEMENT"
   untagged 2/43-2/44
   ip access-group "vlan70-acl" vlan-in
   ip address 172.16.70.254 255.255.255.0
   ip helper-address 10.0.0.10
   exit
no tftp server
tftp server listen data
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator

 

0 Kudos
3 REPLIES 3
Vince-Whirlwind
Honored Contributor

‎05-14-2018 08:13 PM

‎05-14-2018 08:13 PM

Re: Management VLAN - HP STACK

Firstly, do a "show stacking" to make sure your stack is OK.

Then, please explain what you mean by "manage other VLANs" - what connectivity it failing, and what are the full IP addressing details of the relevant hosts.

0 Kudos
KleineMichel
Occasional Visitor

‎05-15-2018 12:41 AM

‎05-15-2018 12:41 AM

Re: Management VLAN - HP STACK

Thank you for your replcy!

Stack-Test# sh stacking

Stack ID         : 010098f2-b3fa1280

MAC Address      : d06726-8ea523
Stack Topology   : Ring
Stack Status     : Active
Split Policy     : One-Fragment-Up
Uptime           : 69d 12h 14m
Software Version : WB.16.02.0012

 Mbr
 ID  Mac Address   Model                                  Pri Status
 --- ------------- -------------------------------------- --- ---------------
  1  d06726-8ea500 HP J9727A 2920-24G-PoE+ Switch         128 Standby
  2  98f2b3-fa1280 HP J9729A 2920-48G-POE+ Switch         128 Member
  3  d06726-8ee080 HP J9727A 2920-24G-PoE+ Switch         128 Commander
  4  d06726-8ffcc0 HP J9727A 2920-24G-PoE+ Switch         128 Member

For example:

VLAN 20  =  VOIP
VLAN 40 = Access (Doors etc..)

I want to be able to access all of the IP-Addresses in these VLANs. But somehow I ‘am only able to access the clients (IP-Addresses) who are connected to the same physical switch I ‘am. (I can ping the gateway of every VLAN) But the weird thing is. I can access all IP-Addresses in the same vlan I ‘am.

I just want to be able to access all networks devices in the network (Different vlans)  from one specified Network (VLAN 70 172.16.70.x).

I hope this makes it clearer.

 Regards, Michel

0 Kudos
Vince-Whirlwind
Honored Contributor

‎05-16-2018 09:36 PM

‎05-16-2018 09:36 PM

Re: Management VLAN - HP STACK

What are the IP addressing details (including default gateway and subnet mask) of the two devices that cannot communicate?

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.