Remote access to management (HP1910, 2920)

 
selfstranger
Occasional Visitor

Hi folks!

 

I'm working on implementing management VLAN in the internal network. All network gear is planned to be managed only by ip addresses from this VLAN ("31"). The basic diagram is shown below:

[image: basic network diagram]

The point is: there should not be any direct access to switch management from VLAN 1. It must be possible only from VLAN 31.

I've created VLAN 31 (VLAN 1 is present by default), made some basic ip configuration for it and configured static routes as shown above. I've got the following trouble:

[screenshot]
I can ping any of the switches by their VLAN 31 IP addresses, but I can't access them by the enabled management services (SSH, HTTP, etc.). At the same time, the vice versa situation is possible:

[screenshot]
How could I make these switches manageable remotely from VLAN 1 by the IP addresses of VLAN 31?

3 REPLIES
selfstranger
Occasional Visitor

Re: Remote access to management (HP1910, 2920)

Hmm.. a couple of days left, but still no answer.

If anything is unclear from my "drawings" or some point needs more clarification please let me know.

Apachez-
Trusted Contributor

Re: Remote access to management (HP1910, 2920)

When you set up a mgmt VLAN, make sure to follow these regular recommendations:

 

1) Don't use VLAN 1 for anything.

 

2) Trunk (tag) uplinks, and make sure you define which VLANs are allowed.

 

3) On each device make sure you set up ACLs which you assign to all mgmt functions such as NTP, SNMP, SSH, Telnet, HTTP, HTTPS.

 

4) If possible use VRFs, that is, one for MGMT and one for the other networks.

 

A common mistake when mgmt VLANs are set up is that ACLs are missing, so any other interface or VLAN with an IP address set on the device can get to the mgmt parts. Another common mistake is when mgmt VLANs are routed into the other VLANs in your dist or core network (due to lack of VRF or proper ACLs) - this way your mgmt segmentation exists only on paper, not in reality.
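The recommendations in the reply above, worked into one configuration for a Comware-based switch such as the 1910. This is an added example and not configuration posted in the thread or shipped by HP; the addressing (management VLAN 31 = 10.31.0.0/24, switch address 10.31.0.2), the uplink port, the user VLANs 100 and 200, the ACL number 2001 and the SNMP community name are all assumptions, and the `#` lines are notes rather than switch commands. The 2920 (ProVision/ArubaOS-Switch) reaches the same result with different syntax, and the VRF step is left out because it only applies on platforms that support VPN instances.

```text
# 1) Nothing lives in VLAN 1: remove its IP interface entirely
system-view
 undo interface Vlan-interface 1

# Management VLAN and its only IP address
 vlan 31
  description MGMT
  quit
 interface Vlan-interface 31
  ip address 10.31.0.2 255.255.255.0
  quit

# 2) Tagged uplink with an explicit allowed-VLAN list; VLAN 1 is not carried
 interface GigabitEthernet 1/0/24
  port link-type trunk
  port trunk permit vlan 31 100 200
  undo port trunk permit vlan 1
  quit

# 3) Basic ACL: only the management subnet may reach management services.
#    Everything else, including any other VLAN interface on this device, is denied.
 acl number 2001
  rule 0 permit source 10.31.0.0 0.0.0.255
  rule 5 deny
  quit

# Bind the same ACL to every management service, not just SSH
 ssh server acl 2001
 ip http acl 2001
 ip https acl 2001
 snmp-agent community read MgmtRO acl 2001
 ntp-service access peer 2001
 user-interface vty 0 4
  acl 2001 inbound
  quit
```

Apply the ACL bindings last, from a session that already comes from a VLAN 31 address, otherwise the session you are configuring from is the first one the ACL cuts off. Verifying afterwards means two checks, not one: SSH/HTTP from a VLAN 31 host succeeds, and the same attempt from a VLAN 1 or user-VLAN host is refused even though the VLAN 31 address is still reachable by ping, since the ACL is on the services and not on the routing.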

Vince-Whirlwind
Honored Contributor

Re: Remote access to management (HP1910, 2920)

You need to remove the VLAN1 IP address from your 1910 switch.