I am confused about the behaviour of the "management-vlan" command. Experimenting with an HP ProCurve 2626 and an Aruba 2930F led to identical results.
An excerpt from the running configuration, identical for both ProCurve and Aruba switches:
ProCurve Switch 2626 / Aruba 2930F# show running-config
ip address 192.168.1.14 255.255.255.240
ip address 192.168.9.6 255.255.255.248
As you can see, ethernet 1 is assigned to both VLAN 1 (untagged), and VLAN 9 (tagged).
A PC connected to ethernet 1 has the following IP configuration:
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 192.168.1.14
Pinging VLAN 1 SVI:
C:\Users\vvoica>ping -n 1 192.168.1.14
Pinging 192.168.1.14 with 32 bytes of data:
Reply from 192.168.1.14: bytes=32 time=1ms TTL=64
Ping statistics for 192.168.1.14:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
Pinging VLAN 9 SVI:
C:\Users\vvoica>ping -n 1 192.168.9.6
Pinging 192.168.9.6 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.9.6:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
After issuing "no management-vlan 9" pinging VLAN 9 SVI succeeded.
My expectation would have been to still be able to connect to the switch after issuing "management-vlan 9" but only from the ports on which VLAN 9 is tagged (in this case only from a PC connected to ethernet 1); this does not happen.
I had a thorough look at the "ArubaOS-Switch – How to Configure a Management VLAN" article by "esupport", but that only strengthened what I was already expecting from using this command.
I hope I made myself clear, any feedback will be appreciated.
@valentin wrote: My expectation would have been to still be able to connect to the switch after issuing "management-vlan 9" but only from the ports on which VLAN 9 is tagged (in this case only from a PC connected to ethernet 1); this does not happen.
Is the host from which you're trying to connect to VLAN 9 able to tag egress traffic with that VLAN ID?
Thank you both for your input.
@parnassus: No, the host is not able to tag the egress traffic. My understanding was that the traffic would be routed by the switch.
@Mathew Fern: thanks to your reply I fully understand now how the management-vlan command is working. I think, for me, the best approach will be to use an ACL to limit the management access to the switch.
When configured, the management VLAN does not participate in IP routing on the switch; the only devices that will be able to reach the management VLAN by IP address are those directly connected to a management VLAN port (or to another port on the same management VLAN on another switch in the network) with an IP address on the same subnet.
This behavior, and other restrictions, are detailed in the Management VLAN section of the ArubaOS-Switch Hardening Guide.
If you require your management connection to be part of a routed VLAN, you may wish to use either the Authorized IP Managers feature or utilize Access Control Lists to control access to the switch.
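As an added illustration of the two approaches discussed in this thread (this is not configuration from the original posts or from HPE/Aruba documentation): fragment (a) reproduces the questioner's setup with management-vlan 9, under which the 192.168.9.6 SVI only answers frames that arrive on VLAN 9 from the 192.168.9.0/29 subnet; fragment (b) keeps VLAN 9 routed and instead restricts management access with Authorized IP Managers and an inbound ACL on the VLAN. The VLAN name, ACL name and rule numbers are assumptions, and the ACL and access-group syntax is written from memory of ArubaOS-Switch and should be checked against the switch's own CLI help, which differs between releases.

```text
; (a) Questioner's setup: VLAN 9 is the management VLAN and is not routed.
; Assumed ArubaOS-Switch syntax; verify against the switch CLI help.
vlan 1
   untagged 1
   ip address 192.168.1.14 255.255.255.240
   exit
vlan 9
   name "MGMT"
   tagged 1
   ip address 192.168.9.6 255.255.255.248
   exit
management-vlan 9
; Effect: 192.168.9.6 is reachable only from a host whose frames arrive
; tagged VLAN 9 with a source address in 192.168.9.0/29. A host sending
; untagged frames on port 1 lands in VLAN 1 (here 192.168.1.1) and cannot
; reach 192.168.9.6, because the switch does not route into the
; management VLAN. 192.168.1.14 stays reachable as before.

; (b) Alternative: keep VLAN 9 routed and restrict who may manage the switch.
no management-vlan
; Authorized IP Managers: only sources in 192.168.9.0/29 may open
; management sessions. The mask is subnet-style (set bits must match).
ip authorized-managers 192.168.9.0 255.255.255.248 access manager

; Inbound ACL on VLAN 9 allowing SSH and HTTPS to the SVI only from the
; same subnet, while still permitting ordinary routed traffic.
; ACL name and sequence numbers are assumptions.
ip access-list extended "MGMT-IN"
   10 permit tcp 192.168.9.0/29 host 192.168.9.6 eq 22
   20 permit tcp 192.168.9.0/29 host 192.168.9.6 eq 443
   30 deny tcp any host 192.168.9.6 eq 22
   40 deny tcp any host 192.168.9.6 eq 443
   50 permit ip any any
   exit
vlan 9
   ip access-group "MGMT-IN" in
   exit
```

In (b), Authorized IP Managers already gates the management daemons regardless of which VLAN the session arrives on; the ACL adds defence in depth and lets you limit which protocols are accepted. Confirm on your release that an inbound ACL applied with `in` on the VLAN filters traffic addressed to the switch's own IP address, and test from a host outside 192.168.9.0/29 before relying on it.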
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.