
Using a separate vlan for management (not "Secure Management VLAN")

Ugo Bellavance (ATQ)
Frequent Advisor


Hi,

We're currently using 4 ProCurve 2900 and 2 2610 switches, and everything has been fine up to now. However, we'd like to put all our management interfaces (switches, iLO, etc.) in VLAN 1 (which has no equipment on it right now) instead of their current VLAN, which is our LAN VLAN (bad practice). For now, we don't have a dedicated management station, so we must be able to access the web and SSH interfaces of the switches through a firewall (CheckPoint NGX R65).

I've added the IP addresses and changed the default gateway, and now the switches can ping each other and we can ping the switches from the sysadmins' workstations. However, we cannot access the switches via web management or SSH, but from the firewall, we can.

The secure management VLAN is disabled (when I enable it, I cannot ping the switch at all).
The firewall is configured to allow all traffic from the sysadmins' workstations to the management VLAN. In the firewall log, we can see "Unexpected post SYN packet - RST or SYN expected tcp_flags: ACK", and if I disable "drop out of state TCP packets", everything works fine.

Does anyone have an idea of what could be happening? Can the SSH daemon be buggy? Here is the output of "sh ve":

Image stamp: /sw/code/build/mbm(t3a)
May 6 2009 06:39:29
T.13.63
867
Boot Image: Primary


Thanks,
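The firewall log line quoted in the post is the signature of stateful TCP inspection: a segment with ACK set arrives for a flow the firewall holds no SYN-initiated entry for, so the "drop out of state TCP packets" check refuses it. The toy state table below is an added illustration of that behaviour, not CheckPoint, HP or the poster's code; the addresses, port numbers, class and function names are constructed for the example, and the log text is only modelled on the quoted message. It contrasts a full three-way handshake that the firewall sees with a mid-connection ACK for which no state exists, with the out-of-state check on and off.

```python
from dataclasses import dataclass

# TCP flag bits (RFC 793 order)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Constructed sample addresses: a sysadmin workstation and a switch management IP
WS, SW = "10.10.1.50", "10.10.9.2"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flag_names(flags: int) -> str:
    """Render flag bits the way a firewall log would ("SYN-ACK", "ACK", ...)."""
    names = [n for n, bit in (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("ACK", ACK)) if flags & bit]
    return "-".join(names) or "NONE"


class StatefulFirewall:
    """Toy TCP state table: a packet passes only if it fits a tracked connection
    (or opens one). Hypothetical class, not a real product's implementation."""

    def __init__(self, drop_out_of_state: bool = True):
        self.drop_out_of_state = drop_out_of_state
        self.table: dict = {}   # flow key -> connection state
        self.log: list = []

    @staticmethod
    def _key(p: Packet):
        # Normalise both directions of a flow to a single key
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def inspect(self, p: Packet) -> str:
        key = self._key(p)
        state = self.table.get(key)

        if p.flags & RST:
            # A reset tears down any state; RST is one of the two packets
            # the firewall accepts without prior state ("RST or SYN expected")
            self.table.pop(key, None)
            return "ACCEPT"

        if p.flags & SYN and not p.flags & ACK:
            # New connection attempt: start tracking it
            self.table[key] = "SYN_SENT"
            return "ACCEPT"

        if state is None:
            # Non-SYN packet for a flow whose SYN this firewall never saw
            # (state expired, or the SYN took a path that bypassed the firewall)
            self.log.append(
                f"drop {p.src}:{p.sport} -> {p.dst}:{p.dport}: "
                f"Unexpected post SYN packet - RST or SYN expected tcp_flags: {flag_names(p.flags)}"
            )
            return "DROP" if self.drop_out_of_state else "ACCEPT"

        if p.flags & SYN and p.flags & ACK:
            if state == "SYN_SENT":
                self.table[key] = "SYN_RECEIVED"
                return "ACCEPT"
            self.log.append(f"drop unexpected SYN-ACK in state {state}")
            return "DROP" if self.drop_out_of_state else "ACCEPT"

        # Plain ACK, data, or FIN on a tracked flow
        if state == "SYN_RECEIVED":
            self.table[key] = "ESTABLISHED"
        if p.flags & FIN:
            self.table[key] = "CLOSING"
        return "ACCEPT"


def handshake_decisions(fw: StatefulFirewall) -> list:
    """Workstation opens SSH to the switch; the firewall sees every segment."""
    pkts = [
        Packet(WS, 51000, SW, 22, SYN),
        Packet(SW, 22, WS, 51000, SYN | ACK),
        Packet(WS, 51000, SW, 22, ACK),
        Packet(WS, 51000, SW, 22, ACK),   # first data segment after the handshake
    ]
    return [fw.inspect(p) for p in pkts]


def missing_syn_decision(drop_out_of_state: bool):
    """Mid-connection ACK reaching a firewall that has no entry for the flow.
    Returns (decision, log lines)."""
    fw = StatefulFirewall(drop_out_of_state)
    decision = fw.inspect(Packet(WS, 51001, SW, 22, ACK))
    return decision, fw.log


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(handshake_decisions(fw), fw.table)      # all ACCEPT, flow ESTABLISHED
    print(missing_syn_decision(True))             # DROP plus the out-of-state log line
    print(missing_syn_decision(False)[0])         # ACCEPT once the check is disabled
```

Turning the check off, as the post describes, makes the symptom vanish because the firewall then forwards the stray ACK without state, but it also means those flows are no longer stateful-filtered. Before relaxing it, the things worth verifying are whether both directions of the management traffic really traverse the firewall (an asymmetric return path means it never sees the SYN) and whether the TCP session timeout is shorter than the idle gaps of a management session.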
Ugo Bellavance (ATQ)
Frequent Advisor

Re: Using a separate vlan for management (not "Secure Management VLAN")

That is weird: as I was preparing for some debug operations specified by CheckPoint's staff, it started working correctly. Sorry for the noise.