Wired Intelligent Edge

Stupid switch configuration question. I've got some 2930M switches configured with several different VLANS. I'm trying to move the management functions off of the Default VLAN1. When trying to set "Management VLAN" the In the web interface to the new Management VLAN, I check the Management CheckBox and it says it will configure it as management, but when I click save it says "Error setting management vlan. - Properties were not configured". Any idea for what properties it's refering to? The new vlan is configured and has IP addresses assigned. I can connect to the default vlan and manage the switches using the default VLAN's IP addresses, or I can connect to the new Management VLAN and manage the switches using the Management VLAN's IP addresses. I would like to set the "Management VLAN" to the new vlan and remove that functionality from the default VLAN1, as well as any of the other VLANS that might happen to have an IP assigned. Thanks

Hi

Management Vlan don't limit the acces to WebGui

Only disable for this vlan, the routing of this network... (need a dedicated network on this case)

For limit the acces to management interface, you need use CoPP

Greetings!

Moving management functionality off of VLAN 1 does not explicitly require configuring a management VLAN, though you are certainly able to do so, keeping in mind the associated functional caveats — in particular, the fact that the management VLAN does not participate in switch IP routing, so any management workstations would need to be part of the same VLAN/IP subnet as the switch.

As far as the error message you are encountering — are there any highlighted fields in the GUI that might indicate what the switch is expecting to be configured? If not, please PM me a screenshot of what you're seeing, in addition to a sanitized version of the switch running configuration and firmware version so we can investigate the issue.

Thanks for reply Mathew:

Here is a screen shot with ip, VLAN ID's and names blocked out. There is no additional info or highlighted fields, just the parameter not set message. The switch is running WC.16.04.0016. Sure, I can remove IP address from other VLANS to restrict Mgmt functions, but on at least 1 switch there is a seperate vlan that needs an IP because it provides DHCP. I want to make sure that switch can only manage from the port based mgmt vlan.

Thanks, Cla.

Attachment(s)

2930Error.pdf   831 KB 1 version

Error.txt   674 B 1 version

I think I have an idea of what may be happening here: you appear to have the OOBM port enabled, and the OOBM port and management VLAN functions are mutually exclusive — a management VLAN cannot be set with the OOBM port enabled, and vice versa. Try disabling the OOBM port first, then enabling the management VLAN (you will need to do this in the CLI via the serial console or from a workstation that is already on the management VLAN subnet, if you're currently using the OOBM port to connect to the web GUI). 

In the CLI, use the following commands:

switch(config)# oobm disable
switch(config)# management-vlan xx

I'll ping the engineering team about that error message and find out if they can get it clarified in a future maintenance release.

OK, so to verify that I understand, if I disable OOBM I will be able to enable a management VLAN.

1. That will DISABLE management functions, WEB UI and CLI on all other VLANS, even if they have IP assignments on the switch.

2. The  micro USB Console port and RJ45 Serial Console port will still function normally.

Both points are correct. Keep in mind that, to protect from unauthorized access on the console port, you'll also want to use password protection and/or an external authentication server.

For more security guidelines, don't forget to check out the ArubaOS-Switch Hardening Guide, which was just updated today.