Wireless Access

Occasional Contributor II
Posts: 12
Registered: ‎12-23-2013

Default route and Management Interface

I have an M3 series controller, and would like to utilize its ethernet management interface. I assume I will need to add a static route for the default route of the VLAN I am going to use for the management interface.

 

I already have a static route (default route) added for the controller's production IP address (differing vlan than out-of-band management). To ensure that I have management access to the device when the production network goes down, do I simply have to add a second static (default gateway) route, with a higher cost? Will adding a second default gateway (static route) impact the current production default gateway?

 

 

Thanks!

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Default route and Management Interface

nMethod,

 

The management interface is designed to be standalone and out of band.  You should not be able to route any traffic through it from any other interface.  It expects to be standalone.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 12
Registered: ‎12-23-2013

Re: Default route and Management Interface


Thanks for your reply Cjoseph,

 

During a previous change window, while taking down the interface of our production interface (which provides our production LMS IP) on our M3 Controller, even the management interface became unavailable. The management interface is configured with a subnet and IP unrelated to prod (the mgmt is out of band), and is connected to an out of band switch (access port with an OOB vlan assigned).

 

I assumed I was unable to connect to the mgmt interface because I was trying to connect to it from a PC on a separate VLAN/subnet, and while traffic presumably could reach the mgmt interface (when the main interfaces were down), it could not send anything back as it had no knowledge of a default gateway to use to send traffic off of its OOB subnet. I should have tried dropping my PC on the OOB vlan to test this out.

 

It seemed odd to me that while our prod trunks/interfaces were offline, the mgmt interface was down too, which is what led me to think that a default gateway for the OOB subnet is required so I can speak to the management from other VLANs while our main links (and their default gateway) are down.

 

Am I wrong in my thinking?

 

 

Guru Elite
Posts: 8,338
Registered: ‎09-08-2010

Re: Default route and Management Interface

Yes. Management interfaces are effectively single broadcast domains because
there is no default or static routes tied to that interface. Return traffic
doesn't know where to go.

You can play with ICMP redirects upstream but it gets messy.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 12
Registered: ‎12-23-2013

Re: Default route and Management Interface

Ah, so mgmt is isolated in the sense that any default/static/learned routes configured on the controller are used only for the standard (non-management interfaces)?

 

 

Guru Elite
Posts: 8,338
Registered: ‎09-08-2010

Re: Default route and Management Interface

Right. It's just an IP interface with a static route. If the management
client is not in the same subnet, return traffic to the client will be
dropped.

When your main LMS IP is up and you have a default route set on the
controller, your return traffic may get to the client if it is routable
through the rest of your upstream network.

This is hard to put into written form. Let me know if you need some
clarification. We just went through building out a dark management network
and discovered the same thing.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
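
Added example, not part of the thread and not ArubaOS code: a small Python model of the return-path lookup the replies above describe. The addresses, interface names, and the assumption that the production default route is withdrawn when the production interface goes down are constructed for illustration.

```python
import ipaddress

# Constructed addressing; none of these values come from the thread.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")   # out-of-band management subnet
PROD_NET = ipaddress.ip_network("10.10.0.0/24")   # production VLAN
PROD_GW = ipaddress.ip_address("10.10.0.1")       # production default gateway
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def build_routes(prod_up):
    """Active routes on the modelled controller: (network, interface, next hop)."""
    # The management port only ever contributes its connected subnet.
    routes = [(MGMT_NET, "mgmt", None)]
    if prod_up:
        # Assumption: connected and default routes via production exist
        # only while the production interface is up.
        routes.append((PROD_NET, "prod", None))
        routes.append((DEFAULT, "prod", PROD_GW))
    return routes


def return_path(client_ip, prod_up):
    """Longest-prefix match for the reply to a client that reached the mgmt IP."""
    dst = ipaddress.ip_address(client_ip)
    matches = [r for r in build_routes(prod_up) if dst in r[0]]
    if not matches:
        return "dropped: no route"
    _, iface, hop = max(matches, key=lambda r: r[0].prefixlen)
    if iface == "mgmt":
        return "mgmt (symmetric)"
    # Reply leaves through production even though the request came in on mgmt.
    return f"{iface} via {hop} (asymmetric)"


def survey(clients):
    """Return-path verdict for each client with production up and down."""
    return {(c, up): return_path(c, up) for c in clients for up in (True, False)}


if __name__ == "__main__":
    # 10.99.0.50 sits on the OOB subnet, 10.20.0.50 on another routed VLAN.
    for (client, up), verdict in survey(["10.99.0.50", "10.20.0.50"]).items():
        print(f"client={client:<11} prod_up={up!s:<5} -> {verdict}")
```

In this model the off-subnet client only gets replies while production is up, and those replies leave through the production gateway rather than the management port, so the session is not actually out of band.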
Occasional Contributor II
Posts: 12
Registered: ‎12-23-2013

Re: Default route and Management Interface


cappalli wrote:

When your main LMS IP is up and you have a default route set on the
controller, your return traffic may get to the client if it is routable
through the rest of your upstream network.

You're right - it is hard to put this into writing, but your above statement fits with what I assumed was happening during this attempted change. The necessary routing upstream is in place to allow return traffic via the prod default gateway, as the OOB vlan is not isolated (I know... I know) and one of our cores provides inter-vlan routing to it.

 

Hopefully during testing tomorrow this is the answer.

 

Thanks so much for your time.

 
