HPE Community
Switches, Hubs, and Modems
1752299 Members
4863 Online
108786 Solutions
New Discussion юеВ

Re: Unexpected results when applying management-vlan command

 
SOLVED
Go to solution
swaize
Frequent Advisor

тАО01-27-2011 04:59 AM

тАО01-27-2011 04:59 AM

Unexpected results when applying management-vlan command

All our switches and monitoring servers (PCM etc) have an address on our management VLAN (192.168.255.0/24). Management VLAN id is 100

Default VLAN for network devices (PCs, servers etc) is 10.1.0.0/16

Basically I want to only be able to manage our switches form workstations or servers also on the management VLAN.

Believed this command would do the trick:
management-vlan 100

However, once this is configured, my switches suddenly stop responding to polls on our SNMP monitoring system (also on the man' VLAN), and yet I can still SSH to manage them from 10.1.0.0/16 addresses as well as 192.168.255.0/24.

This is completely the opposite effect I would expect.

Can anyone shed some light on this?

Thanks, Pat.
0 Kudos
7 REPLIES 7
Michael_Breuer
Esteemed Contributor

тАО01-27-2011 09:13 AM

тАО01-27-2011 09:13 AM

Re: Unexpected results when applying management-vlan command

Hello Pat,

the management VLAN is very restricting. Have a look at the following document:

http://www.hp.com/rnd/pdfs/Hardening_ProCurve_Switches_White_Paper.pdf

Cheers,

Michael
Ingentive Networks GmbH
0 Kudos
Mohammed Faiz
Honored Contributor

тАО01-28-2011 01:48 AM

тАО01-28-2011 01:48 AM

Re: Unexpected results when applying management-vlan command

Hi,

That does sound strange.
A few questions:
Does your SNMP monitoring system have multiple interfaces?
Do you the same behaviour across all your switches? Are they the same model running the same firmware or does it vary?
Can you post up the config of one of the switches?
0 Kudos
Yan Henrichon
Frequent Advisor

тАО01-28-2011 06:31 AM

тАО01-28-2011 06:31 AM

Re: Unexpected results when applying management-vlan command

I'm having the same behavior here.

All my switches (routing switches and edges as well) are untagged in the management VLAN. As soon as I turn on the Management-Vlan on the routing switches, I can't ping edges anymore.

Any thought?

Yan
0 Kudos
Pieter 't Hart
Honored Contributor

тАО01-28-2011 07:33 AM

тАО01-28-2011 07:33 AM

Re: Unexpected results when applying management-vlan command

To Yan
>>>As soon as I turn on the Management-Vlan on the routing switches, I can't ping edges anymore<<<

from where to where do you "ping"?
from the routing switch or from a management station?

the switch does not "route" from-or-to the management vlan.
And the switch may not use it's management-vlan ip-adress to ping to the edges, but its primary-vlan address wich is not routed to the management vlan :-(
0 Kudos
Yan Henrichon
Frequent Advisor

тАО01-28-2011 08:16 AM

тАО01-28-2011 08:16 AM

Re: Unexpected results when applying management-vlan command

Pieter,

I ping from the routing core on witch I just turned on management-vlan (M-VLAN). I know that it's not possible to route to or route from this VLAN. The DEFAULT_VLAN (Primary VLAN) doesn't have a IP address.

So does this mean that the management station will not be able to "see" the switches event if it is untagged in the M-VLAN? How can we ensure that the station in M-VLAN will be able to communicate with the swiches?
0 Kudos
swaize
Frequent Advisor

тАО01-31-2011 03:10 AM - last edited on тАО09-12-2011 03:34 AM by

тАО01-31-2011 03:10 AM - last edited on тАО09-12-2011 03:34 AM by

Re: Unexpected results when applying management-vlan command

>>> Michael
I read that document already, and the behaviour I am seeing is not what is written in there.

>>> Mohammed
1. SNMP monitoring server (Castelrock SNMPc) only has one interface.
2. Yes am seeing same behaviour on all switches I enabled the command on. (2650 & 5412).
3. Config attached for 2650

>>> Yan
Believe I saw same as you when I enabled the command on the 5412, although I quickly reversed the change once I saw all my switchers turn red.

>>> All
I have even put my work station on same switch as our monitoring server, all of which with IP's (and ports untagged) on Man VLAN; and still the switch would not respond to SNMP from the monitoring station.

However it will respond to pings and allow SSH sessions from servers on either Management VLAN or our default 10.1.0.0/16 subnet.

0 Kudos
Mohammed Faiz
Honored Contributor

тАО02-02-2011 03:51 AM

тАО02-02-2011 03:51 AM

Solution

Re: Unexpected results when applying management-vlan command

Ok, after a quick bit of testing here's what I found.
I'm not sure what the issue is with your SNMPc server (we're also running SNMPc but the server's not on the same subnet as our management vlan so I don't have much scope for testing that).
If you enable the "management-vlan" setting on one switch alone you'll still be able to ssh/ping it from other vlans if the routing for the management vlan is done elsewhere. i.e. as the ping request has been routed by the management-vlan default gateway the locked-down switch see's the ping request coming from the management network (source-ip isn't checked).

I tested by enabling routing on a 2610 and adding two IPs to it (say VLAN 1, the mgmt vlan, and VLAN 2). Connecting a client directly to a VLAN 2 port I could ping both IPs on the switch and ssh to them.
Enabling "management-vlan 1" meant I could only ping the vlan 2 address and could not ssh to either address (the behaviour we'd expect).

Personally I don't use the management-vlan function and prefer to make use of "ip authorized managers instead".

HTH
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.