Aruba & ProVision-based
TheH0ff
Occasional Advisor

Move switch management from one VLAN to another

Hi

I have an HP 2510-24 that I'm trying to move from one VLAN with an IP to another VLAN with another IP. Both these subnets are connected to the same firewall but no traffic is allowed to pass between them. Setting the new IP to the new VLAN (VLAN 170 below) is no problem and not changing the default gateway either.  After the change I can connect to the switch from VLAN170.

Now my admin PC is located elsewhere over a VPN and I can initially ping the new IP (192.168.170.13) and connect with telnet but after a few seconds the ping and telnet dies, connection on the local VLAN170 is still possible. When I check the upstream switch from the one I'm trying to change IP on I see that the MAC address for the switch is found on both the old VLAN (VLAN 1) and the new one. It's like the switch is still answering MAC-requests on the old VLAN even when that IP has been removed.

Do I have to restart the switch or something for the change to have full effect?

Below is my config before I've removed the old IP (194.111.203.10) and its default gateway.

Running configuration:

; J9019B Configuration Editor; Created on release #Q.11.17

console inactivity-timer 30
interface 25
   speed-duplex 10-full
   exit
ip default-gateway 194.111.203.1
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-26
   ip address 194.111.203.10 255.255.255.0
   exit
vlan 171
   name "ServerNet"
   tagged 26
   exit
vlan 172
   name "ClientNet"
   tagged 26
   exit
vlan 170
   name "AdminNet"
   ip address 192.168.170.13 255.255.255.0
   tagged 26
   exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
spanning-tree
spanning-tree force-version RSTP-operation
password manager
password operator

Chrisd131313
Trusted Contributor

Re: Move switch management from one VLAN to another

Hi TheH0ff,

Where does the routing take place between the VPN connection and VLAN170? Also, what VLAN config do you have set up on your upstream switch and on the firewall? I am assuming both these switches are between the VPN connection and the switch in question?

-----------------------------------------------------

Don't forget to mark a post resolved if your question was answered.
paulgear
Esteemed Contributor

Re: Move switch management from one VLAN to another

I think Chris is on the right track - how are you routing to VLAN 170? If you haven't got routing switched on, I'm surprised it's responding at all on VLAN 170, given that the default route is your external address.
Regards,
Paul
TheH0ff
Occasional Advisor

Re: Move switch management from one VLAN to another

First things first: thank you for the quick follow-ups.

I've included a network drawing of the site showing how the routing is done, switching is all done using VLANs distributed through all switches. What I'm trying to do is to migrate the switches from a transparent network (194.111.203.0/24) with only a router and some access-lists for protection to the Internet and set everything up on a NATed network behind a firewall. My VPN is a site to site VPN terminating at the firewall.

The switch 192.168.170.11 is a fresh installation and that switch has no problem being accessed on the new network either locally from the VLAN or over the VPN.

/Fredrik

paulgear
Esteemed Contributor

Re: Move switch management from one VLAN to another

Hi Fredrik,

There's still one important missing piece: from which address are you trying to reach 192.168.170.13?

  1. If it is from within your new network, then there's likely a local LAN issue like an IP address conflict.
  2. If it is from the Internet behind "Firewall", it's probably because you've got asymmetric routing and your switch is trying to send to the Internet via 194.111.203.1.  Make sure your switch (or 194.111.203.1) has a route to your VPN address pool via "Firewall"'s address on 192.168.170.0/24.
  3. If it is from the Internet behind 194.111.203.1, make sure it has a route to 192.168.170.0/24 via "Firewall".

Do you have another system on 192.168.170.0/24 from which you can ssh to 192.168.170.13?  If so, I would recommend logging into the switch through that system, removing the default route and the external IP address from the switch, then adding "Firewall" as your default route on the switch.  Then you should be able to get to it via your VPN.

Regards,
Paul
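The point Paul makes in item 2 (the switch's default gateway still living on the subnet you are about to remove) is easy to check mechanically before touching the box. The script below is an added example and not code from the thread: it parses the `ip default-gateway` and per-VLAN `ip address` lines of a ProVision running-config and reports which VLAN's subnet contains the gateway, or `None` when the gateway has become unreachable. The sample config is the OP's "before" config trimmed to the relevant lines; the firewall address 192.168.170.1 used in the usage note is an assumed placeholder, since the thread never states it.

```python
import ipaddress
import re

# Constructed sample: the OP's "before" running-config, trimmed to the
# lines this check cares about.
SAMPLE_CONFIG = """\
ip default-gateway 194.111.203.1
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-26
   ip address 194.111.203.10 255.255.255.0
   exit
vlan 170
   name "AdminNet"
   ip address 192.168.170.13 255.255.255.0
   tagged 26
   exit
"""


def parse_provision(config: str):
    """Return (default_gateway, {vlan_id: IPv4Interface}) from ProVision text."""
    gateway, vlans, current = None, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip default-gateway (\S+)$", line)
        if m:
            gateway = ipaddress.ip_address(m.group(1))
            continue
        m = re.match(r"vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and current is not None:
            # ProVision writes "address netmask"; ipaddress accepts "addr/mask".
            vlans[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif line == "exit":
            current = None
    return gateway, vlans


def gateway_vlan(config: str):
    """VLAN id whose subnet contains the default gateway, or None when the
    gateway is off-subnet (the asymmetric-routing trap from the thread)."""
    gateway, vlans = parse_provision(config)
    if gateway is None:
        return None
    for vid, iface in vlans.items():
        if gateway in iface.network:
            return vid
    return None
```

Running `gateway_vlan` on the sample returns 1; on the same text with the VLAN 1 `ip address` line deleted but the gateway left alone it returns `None`, and only after `ip default-gateway` is changed to the (assumed) firewall address 192.168.170.1 does it return 170.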
TheH0ff
Occasional Advisor

Re: Move switch management from one VLAN to another

My thought exactly paulgear, I remove the IP for the old public IP and set the default gateway to be the IP of the firewall. Config is now exactly the same as it is on my newly installed switches. VLAN1 being handled by the switch but has no IP, only IP is on VLAN170.

After about a minute I lose connectivity with the switch on the new IP over the VPN, switch should at this point only know about VLAN170 on a L3 level, right?

On an upstream switch I get this when I look up the MAC of the switch. Should be only VLAN170 since the switch should only answer IP requests on VLAN170.

ELI-HEL-SW001# sh mac-address 002561-dca200

Status and Counters - Address Table - 002561-dca200

  Port  VLAN
  ----- ----
  25    1
  25    170

At this point the switch with the changed IP is only reachable from a computer on VLAN170. If I log in to the switch and ping the firewall interface on VLAN170 the switch becomes reachable over the VPN again but dies a minute later.

It's like it still tries to send answers on the old VLAN1 despite having lost the IP on that VLAN. I wish I could do a reboot just for checks but the switch is in almost constant use.

/Fredrik