
Cross VLAN Access to 2600/2800 Web Interface Fails

 
Dale Magnant
Occasional Advisor

Hello,

 

I have a question regarding cross-VLAN access to the web interface on 2600 and 2800 series switches:

 

On these switches I have multiple VLANs configured.  Routing between VLANs is handled by a Sonicwall NSA series.  In general this works great.  The one thing that I have not been able to accomplish is accessing the HP switch web interface across VLANs.  If I assign a specific VLAN an IP address I can access the web interface at the IP address from a PC located on that VLAN.  As long as the browser is pointing to an IP that is of the same subnet as the PC there is no problem.  But if, for example, I assign the “Server” VLAN an IP address and try to access the web interface at that IP address from a PC sitting on the “Office” VLAN, no go. 

 

In the above scenario, I can ping the switch across VLANs ok.  Port 80 traffic is in fact permitted.  I can access any other device I wish across VLANs.  The same switch issue exists with cross VLAN telnet.

 

In short, the only way I can access the switch web interface, is to assign the switch an IP address on a given VLAN, and hit that IP from a PC on the same VLAN.  Anything else fails.

 

I would be grateful to hear of anyone else’s comments / experience in this area.

 

Thank You,

5 REPLIES
JWag44
Occasional Advisor

Re: Cross VLAN Access to 2600/2800 Web Interface Fails

When you "assign the switch an IP address on a given VLAN", are you also giving it a default gateway?

Arimo
Respected Contributor

Re: Cross VLAN Access to 2600/2800 Web Interface Fails

Hi

 

I assume your VLANs are on different subnets as well. Do you have something in the network that is routing between the subnets?


HTH,

Arimo
HPE Networking Engineer
Dale Magnant
Occasional Advisor

Re: Cross VLAN Access to 2600/2800 Web Interface Fails

Arimo,

 

Thank you for your response -

 

Yes, the Sonicwall NSA is handling routing between VLANs - each VLAN is in fact a different subnet.  Accessing any other type of device across VLANs works fine - within the constraints I've configured on the Sonicwall.

 

Dale Magnant
Occasional Advisor

Re: Cross VLAN Access to 2600/2800 Web Interface Fails

JWag -

 

Thank you for your reply -

 

Yes, I have assigned a default gateway.  In my case I have eight VLANs configured.  As you probably know, you can assign the switch an IP address on as many of the VLANs as desired.  In my case, I have manually assigned the switch an IP address on two of the VLANs, plus the original DEFAULT_VLAN.  You can, however, only assign the switch a single Gateway Address.  One of my VLANs is a network management VLAN (VLAN 20), so I've assigned the switch an IP address on that VLAN and configured its default gateway for this VLAN.  I've also given the switch an IP address on a more general use VLAN (VLAN 10).  From a workstation on VLAN 10, I cannot access the switch at its VLAN 20 IP address - even though I can access other types of devices on that VLAN.  I can ping the device across VLANs however.  (I can of course access the switch at its VLAN 10 IP address.)

 

I took a quick look at an attempt to access the switch's web interface across VLANs using Wireshark (with which I'm no expert).  At the outset of the conversation, the SYN-ACK was received back from the switch but Wireshark indicated a TCP header checksum error.  I'm not sure if that was a red herring or something to be concerned about.

Dale Magnant
Occasional Advisor

Re: Cross VLAN Access to 2600/2800 Web Interface Fails

I've done some more playing around with this and still no luck.  Am using 2600 series switches. 

 

What it seems to boil down to is this:

 

We choose, for example, two VLANs, VLAN 10 and VLAN 20, and assign the switch a management IP address on each VLAN.  If I place a PC on the 10 VLAN I can access the switch web interface at its VLAN 10 IP address.  If I place a PC on the 20 VLAN, I can access the switch web interface at its VLAN 20 IP address.  But if I try to access the switch web interface from the VLAN 10 PC using the switch's VLAN 20 IP address - no go.  And the same with vice-versa.  What's strange is that I can access anything else across VLANs with no issues.  For example, I can RDP from the VLAN 10 PC to the VLAN 20 PC, and vice versa.  But try to hit the switch web interface from any address other than the one associated with the VLAN on which one is sitting, and it will fail.

 

Right now I have the default gateway on each switch set to that of VLAN 10.  I've also set VLAN 10 as the primary VLAN - not that it seems to make any difference.  From my reading of the HP documentation, what I'm attempting should be possible, even on those switches like the 2600 series that only allow one gateway address.  (see link below)

 

http://www.hp.com/rnd/pdfs/switch_25xx_vlan_default_gateway_faq.pdf

 

I would welcome any suggestions.

 

Thank You
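
A path-symmetry check for the topology described in this thread, added here as an example and not posted by any participant: it compares the route the request takes with the route the reply takes, since a stateful firewall that sees only one direction of a TCP handshake will typically refuse the rest of the connection. All addresses are constructed, and the model assumes the switch's management stack answers a host on a directly connected subnet without using its gateway, which the thread does not confirm for the 2600.

```python
import ipaddress as ip

DIRECT = "direct"  # destination is on a connected subnet, no router involved

def route_table(connected, gateway):
    """Connected subnets plus one default route (the switch allows only one)."""
    table = [(ip.ip_network(n), DIRECT) for n in connected]
    table.append((ip.ip_network("0.0.0.0/0"), gateway))
    return table

def next_hop(table, dst):
    """Longest-prefix match, as an IP stack does when choosing where to send."""
    dst = ip.ip_address(dst)
    _, hop = max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen)
    return hop

def check_flow(client_table, client_ip, server_table, server_ip):
    """Report whether the request and the reply both cross the routing firewall."""
    fwd = next_hop(client_table, server_ip) != DIRECT
    ret = next_hop(server_table, client_ip) != DIRECT
    return {"request_via_firewall": fwd,
            "reply_via_firewall": ret,
            "symmetric": fwd == ret}

# Constructed addressing: VLAN 10 = 10.0.10.0/24, VLAN 20 = 10.0.20.0/24,
# firewall at .1 in each subnet, switch management IP at .2 in each subnet.
PC_V10 = route_table(["10.0.10.0/24"], "10.0.10.1")
SWITCH = route_table(["10.0.10.0/24", "10.0.20.0/24"], "10.0.10.1")
SERVER_V20 = route_table(["10.0.20.0/24"], "10.0.20.1")  # single-homed host

def report():
    pc = "10.0.10.50"
    return {
        "pc10->switch@vlan20": check_flow(PC_V10, pc, SWITCH, "10.0.20.2"),
        "pc10->switch@vlan10": check_flow(PC_V10, pc, SWITCH, "10.0.10.2"),
        "pc10->server@vlan20": check_flow(PC_V10, pc, SERVER_V20, "10.0.20.60"),
    }

if __name__ == "__main__":
    for flow, result in report().items():
        print(flow, result)
```

Under these assumptions only the flow to the switch's VLAN 20 address is asymmetric; a capture on the firewall's VLAN 20 interface showing the SYN but no SYN-ACK would confirm or rule this out.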