Re: Management on non-vlan1 Interface

Mechanicalthink
Advisor

Management on non-vlan1 Interface

Hello,

Sorry to post this stupid question but I'm having a complete brainfart.

I can't seem to move switch management over to another Vlan. At the moment all the switches are managed on Vlan1, which is the untagged vlan and PVID on all the trunk interfaces. SSH and Web interface respond on this interface.

I'm trying to move management to another Vlan. Let's say 99. The vlan is created and it is tagged on all the uplink ports. It has IP and I can ping this IP from management station so routing seems to be ok also. But I can't connect to it over SSH or Web interface. Obviously missing something simple here.

I'm trying to get rid of Vlan1 in this network as it's not best practice anyway, but first I need to move all the switch management IPs to a new Vlan / Subnet.

On Comware 5 there was a management-vlan command but it's not available on Comware 7.

jguse
HPE Pro

Re: Management on non-vlan1 Interface

Hello,

If you can ping it but can't access it over SSH, it sounds like you have applied an ACL or firewall in between that prevents this. Can you please share the full config with sensitive information removed?

Generally, a "Management VLAN" command is not necessary to secure your management access - you should simply create a basic ACL that allows only the source IP subnet that is your management subnet through and drops anything else, and then apply that ACL to the virtual interfaces (like the user-interface vty 0 63 for SSH) to prevent access from anywhere except the "management" VLAN.

Hope that helps.

Best regards,
Justin

Working @ HPE
Mechanicalthink
Advisor

Re: Management on non-vlan1 Interface

So here's a cut-down config. I removed all the unnecessary information.

Currently the management ip is 10.10.0.150. I have created vlan 99 and added the ip 10.10.90.150.

Management is done from a server with the ip 10.10.0.10. The management station is connected through another switch which has all the needed vlans tagged on its uplink port. This switch connects to GigabitEthernet1/0/1. The routing/firewall device is connected to Ten-GigabitEthernet1/0/49. Routing itself seems to be ok between the vlans as I can ping the ip 10.10.90.150 from 10.10.0.10. Also I have already moved a bunch of devices' management interfaces to this vlan (99) and everything including ping, ssh, snmp and https works. I left the switches last; there's plenty of IPs that need changing.

ACLs on the router/firewall should be ok as everything else works. There's also ACL 2000 on the switch that limits management access. For troubleshooting I have disabled this but it makes no difference.

#
version 7.1.070, Release 3208P08
#
sysname 5130EI-48G-15
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
igmp-snooping
#
sflow agent ip 10.10.0.150
sflow collector 1 ip 10.10.0.10 description NSM
sflow collector 2 ip 10.10.0.12 description Scrutinizer
#
mirroring-group 1 local
#
lldp global enable
#
password-recovery enable
#
vlan 1
description Default VLAN
#
vlan 10
description Servers
#
vlan 20
description Workstations
#
vlan 99
description Management
#
stp global enable
#
interface NULL0
#
interface Vlan-interface1
ip address 10.10.0.150 255.255.255.0
#
interface Vlan-interface99
ip address 10.10.90.150 255.255.255.0
#
interface GigabitEthernet1/0/1
description GigabitEthernet1/0/1 Interface
port link-type trunk
port trunk permit vlan all
jumboframe enable 9216
sflow flow collector 2
sflow sampling-rate 2000
sflow counter collector 2
sflow counter interval 120
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/47
description GigabitEthernet1/0/47 Interface (Network Tap1)
jumboframe enable 9216
#
interface GigabitEthernet1/0/48
description GigabitEthernet1/0/48 Interface (Network Tap2)
jumboframe enable 9216
#
interface Ten-GigabitEthernet1/0/49
description Ten-GigabitEthernet1/0/49 (XGE1/0/49) (Uplink1)
port link-type trunk
port trunk permit vlan all
jumboframe enable 9216
mirroring-group 1 monitor-port
#
interface Ten-GigabitEthernet1/0/50
description Ten-GigabitEthernet1/0/50 (XGE1/0/50) (Uplink2)
port link-type trunk
port trunk permit vlan all
jumboframe enable 9216
#
interface Ten-GigabitEthernet1/0/51
description Ten-GigabitEthernet1/0/51 (XGE1/0/51) (Uplink3)
port link-type trunk
port trunk permit vlan all
jumboframe enable 9216
#
interface Ten-GigabitEthernet1/0/52
description Ten-GigabitEthernet1/0/52 (XGE1/0/52) (Uplink4)
port link-type trunk
port trunk permit vlan all
jumboframe enable 9216
#
scheduler logfile size 16
#
line class aux
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ip route-static 0.0.0.0 0 10.10.0.1
#
info-center loghost 10.10.0.10
#
snmp-agent
snmp-agent local-engineid 800063A2805C8A38B1763B00000001
snmp-agent community write *** acl 2000
snmp-agent community read *** acl 2000
snmp-agent log authfail
snmp-agent sys-info contact ***
snmp-agent sys-info location ***
snmp-agent sys-info version v2c v3
snmp-agent target-host trap address udp-domain 10.10.0.10 params securityname *** v2c
snmp-agent target-host trap address udp-domain 10.10.0.10 params securityname *** v2c
snmp-agent trap enable arp
snmp-agent trap enable radius
snmp-agent trap enable stp
snmp-agent trap log
#
ssh server enable
sftp server enable
ssh server authentication-retries 5
ssh user admin service-type all authentication-type password
ssh server acl 2000
#
ntp-service enable
ntp-service source Vlan-interface1
ntp-service unicast-server 10.10.0.5
#
acl basic 2000
description Allow management traffic
rule 0 permit source 10.10.0.10
rule 0 comment Allow traffic from NMS
#
radius scheme system
user-name-format without-domain
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
user-group system
#
local-user *** class manage
password hash ***
service-type http https ssh terminal
authorization-attribute user-role network-admin
#
ip http acl 2000
ip http enable
ip https acl 2000
ip https enable
#
return
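The config above binds ACL 2000 to the SSH, HTTP, HTTPS and SNMP services but not to the VTY lines, which is where Justin suggests applying it. The following Python audit is an added example, not from the thread or from HPE: it parses a Comware config into its `#`-delimited blocks, checks that every management service names a basic ACL that actually permits the management station, and flags VTY lines without an inbound ACL. The embedded sample is a trimmed copy of the posted config; the VTY binding syntax `acl <number> inbound` and contiguous ACL wildcards are assumptions.

```python
import ipaddress
import re

# Sample input: a trimmed copy of the config posted in this thread.
SAMPLE_CONFIG = """\
line vty 0 63
#
ssh server acl 2000
#
acl basic 2000
 rule 0 permit source 10.10.0.10
#
ip http acl 2000
ip https acl 2000
"""
SERVICES = {"ssh": r"^ssh server acl (\d+)", "http": r"^ip http acl (\d+)",
            "https": r"^ip https acl (\d+)"}  # service -> regex capturing its bound ACL

def parse_blocks(text):
    # Split a Comware config into its '#'-delimited blocks of stripped lines.
    blocks = [[]]
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "#":
            blocks.append([])
        elif line:
            blocks[-1].append(line)
    return [b for b in blocks if b]

def acl_permits(blocks, acl, host):
    # True if basic ACL `acl` has a permit rule whose source covers `host`.
    for rule in [r for b in blocks if b[0] == f"acl basic {acl}" for r in b[1:]]:
        m = re.match(r"rule \d+ permit(?: source (\S+)(?: (\S+))?)?$", rule)
        if m:  # bare 'permit' = any source; omitted wildcard = single host
            wild = int(ipaddress.ip_address(m.group(2) or "0.0.0.0"))  # contiguous wildcard assumed
            prefix = 0 if m.group(1) is None else 32 - wild.bit_length()
            if ipaddress.ip_address(host) in ipaddress.ip_network((m.group(1) or "0.0.0.0", prefix), strict=False):
                return True
    return False

def audit(text, mgmt_host):
    # List management-plane services that are not restricted to `mgmt_host` by a bound ACL.
    blocks = parse_blocks(text)
    findings = []
    for svc, pat in SERVICES.items():
        acls = re.findall(pat, text, re.M)
        if not acls:
            findings.append(f"{svc}: no ACL bound")
        elif not all(acl_permits(blocks, a, mgmt_host) for a in acls):
            findings.append(f"{svc}: bound ACL does not permit {mgmt_host}")
    for b in blocks:  # VTY lines take their own 'acl <number> inbound' (assumed syntax)
        if b[0].startswith("line vty") and not any(re.match(r"acl \S+ inbound", ln) for ln in b):
            findings.append(f"{b[0]}: no inbound ACL")
    return findings
```

Running `audit(SAMPLE_CONFIG, "10.10.0.10")` reports only the missing VTY ACL; auditing for a host outside the ACL additionally flags every bound service.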