
Re: Management VLAN routing problem on 5304

 
Igoris_1
Frequent Advisor

Re: Management VLAN routing problem on 5304

"Which device has the 10.27.58.244 IP?"
It's a Cisco firewall.
Before, the 5304 was manageable over any of its interfaces. By defining VID 9 as the management VLAN I wanted to restrict it to only one and also keep it accessible from other networks; that's why the static route to reach it over the external router/firewall.
cenk sasmaztin
Honored Contributor

Re: Management VLAN routing problem on 5304

If you configure the management-vlan command for VLAN 9 on your switch, the VLAN 9 L3 interface is unable to route to the other L3 interfaces (namely the other VLANs).

But if you write a static routing command between VLAN 9 (L3 interface) and another L3 interface (router or firewall), it is able to route VLAN 9.

If you want to protect management,
and if you want remote control of your network switches,

you can use:
management VLAN
ip authorized-managers
SSH
SSL
an ACL for the management VLAN network

cenk

cenk sasmaztin
Honored Contributor

Re: Management VLAN routing problem on 5304

From the ProCurve Device Management Security training material (Rev. 7.31, p. 2-187):

Issuing the management-vlan command will have several effects:
• First, it disables the ability for a switch to receive management traffic on any IP address other than the one assigned to the management VLAN. When you attempt to connect to the switch by specifying any IP address other than the one assigned to the Secure Management VLAN, you will receive a typical error message for the application you are using (Telnet, SSH, or web browser) indicating a connection could not be established. It will appear not unlike a situation where a typical network disruption appears to be the problem. For example, for Telnet you will receive a message similar to the following: "Connecting To 10.1.2.1...Could not open connection to the host, on port 23: Connect failed".
• Second, it disables any communication from outside the Secure Management VLAN network. Hidden ACLs are placed on the Secure Management VLAN, preventing any and all network traffic from getting into the Secure Management VLAN. So, for example, you will not be able to ping the IP address of the Secure Management VLAN from an IP address associated with any other VLAN. In the case of a ping command, you will receive a "Request timed out" error message.
• Third, it will allow management stations within the Secure Management VLAN to source IP packets from that VLAN. For example, a management station will be able to ping destinations in other user VLANs.

Operating notes for a Secure Management VLAN
• You can only use a static, port-based VLAN for the Secure Management VLAN.
• The Secure Management VLAN does not support IGMP.
• If there are more than 25 VLANs configured on the switch, reboot the switch after configuring the Secure Management VLAN.
• If you implement a Secure Management VLAN in a switch mesh environment, all meshed ports will be members of the Secure Management VLAN.
• Only one Secure Management VLAN can be defined on a switch. If one Secure Management VLAN ID is saved in the startup-config file and you configure a different VLAN ID in the running-config file without saving the running-config to the startup-config, then the switch uses the running-config version until you reboot the switch, at which time the Secure Management VLAN will revert to the one in the startup-config.
• During a management session with the switch, if you define a Secure Management VLAN that excludes the port through which you are connected to the switch, you will continue to have access only until you terminate the session by logging out or rebooting the switch.
• Where Spanning Tree Protocol is enabled and there are multiple links using separate VLANs, including the Secure Management VLAN, between a pair of switches, Spanning Tree will force the blocking of one or more links. This may include the link carrying the Secure Management VLAN, which will cause loss of management access to some devices.
cenk

Igoris_1
Frequent Advisor

Re: Management VLAN routing problem on 5304

"Second, it disables any communication from outside the Secure Management VLAN network."
Is that true even when using an external router? Let's say I have several SNMP servers located in different networks; is the only server able to reach the switch then the one in the management VLAN IP range? And what about desktops located in the management VLAN, are they isolated from the outside?
Igoris_1
Frequent Advisor

Re: Management VLAN routing problem on 5304

So, no solution for my problem. I will try to explain better what I'm trying to achieve:
1. Restrict management access to only one VLAN, instead of the many VLAN IP interfaces on my core 5304 switches. This is done by the management-vlan statement.
2. Keep the management VLAN accessible from other VLANs over the external router/firewall; that means management VLAN 9 should be accessible from, let's say, VLAN 5 over a static route to the external router/firewall. At the moment the static route can't be inserted into the routing table, as the same network is already there as 'connected', regardless of it being defined as 'management'.
RicN
Valued Contributor

Re: Management VLAN routing problem on 5304

I do not think you can accomplish both of those things when using the management-vlan command, since it actually forbids any connections from outside this particular VLAN.

A solution would be to define some random VLAN with an IP address, but NOT as a "hard" management-vlan, and define your own access lists which only allow telnet/ssh/snmp traffic from your desired VLANs, and then set up the correct routing on the switch and on your firewall.
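One way to lay out the configuration RicN describes, combined with the ip authorized-managers plus ACL approach cenk listed earlier, as an added example that is not from the thread, from the posters, or from HP's documentation. It assumes a 5304xl running software with extended ACL support, VLAN 9 as 10.27.9.0/24 with the switch at 10.27.9.1, VLAN 5 as 10.27.5.0/24 with the switch at 10.27.5.1, and an NMS at 10.27.5.10; all addresses and the ACL name are made up. The ACL syntax is written as the 5300xl Access Security Guide presents it, but should be checked against the guide for your software revision before use.

```text
; Added example, not from the thread or from HP documentation.
; Assumed: ProCurve 5304xl with extended ACL support, VLAN 9 = 10.27.9.0/24
; (switch 10.27.9.1), VLAN 5 = 10.27.5.0/24 (switch 10.27.5.1), NMS at
; 10.27.5.10. Addresses and the ACL name are made up. Verify ACL syntax
; against the Access Security Guide for your software revision.

; 1. Routed management VLAN, deliberately WITHOUT "management-vlan 9", so
;    the switch keeps routing between VLAN 9 and the other VLANs and the
;    10.27.9.0/24 network simply stays a connected route.
vlan 9
   name "MGMT"
   ip address 10.27.9.1 255.255.255.0
   exit
vlan 5
   name "USERS"
   ip address 10.27.5.1 255.255.255.0
   exit

; 2. WHO may manage: only the management subnet and the NMS in VLAN 5.
;    Authorized IP Managers applies to Telnet/SSH/web/SNMP no matter which
;    of the switch's IP addresses the session is aimed at.
ip authorized-managers 10.27.9.0 255.255.255.0 access manager
ip authorized-managers 10.27.5.10 255.255.255.255 access manager

; 3. WHICH ADDRESS may be used: drop management protocols aimed at the VLAN 5
;    interface address as they arrive on VLAN 5. Routed traffic, including
;    the NMS talking to 10.27.9.1, is untouched. Repeat an equivalent ACL on
;    every other routed VLAN that must not be a management entry point. The
;    final permit is required because an applied ACL otherwise denies
;    everything it does not list.
ip access-list extended "no-mgmt-on-vlan5"
   deny tcp any host 10.27.5.1 eq 22
   deny tcp any host 10.27.5.1 eq 23
   deny tcp any host 10.27.5.1 eq 80
   deny tcp any host 10.27.5.1 eq 443
   deny udp any host 10.27.5.1 eq 161
   permit ip any any
   exit
vlan 5
   ip access-group "no-mgmt-on-vlan5" in
   exit

; 4. Protocol hardening from cenk's list: SSH instead of Telnet.
no telnet-server
ip ssh
```

With this in place the NMS at 10.27.5.10 reaches the switch at 10.27.9.1 (routed by the 5304 itself, so the firewall only needs a route for 10.27.9.0/24 if management stations sit behind it), the VLAN 5 address 10.27.5.1 refuses SSH, Telnet, HTTP(S) and SNMP, and other VLAN 5 hosts are rejected by Authorized IP Managers even when they target 10.27.9.1. Note that the static route asked about in the thread is not needed in this layout: because management-vlan is not used, 10.27.9.0/24 remains an ordinary connected network on the switch.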