That's correct.
You can rely on the switch for inter-VLAN routing if the endpoint uses the switch's SVI as a default gateway. (No additional routes required.)
For this your FW would need return routes for each VLAN subnet, back to your Primary VLAN address.
Or use the firewall for that same routing (there could be some zone-based caveats here, depending on your FW config).
Generally speaking, most campus/branch environments use an IP address (SVI) on the Primary VLAN for management. This configuration is much more conducive to environments where you manage the switch from another L3 network segment.
If my post was useful, please Accept Solution and Give Kudos.
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
Original Message:
Sent: May 09, 2023 01:42 PM
From: desong1011
Subject: 2540 SSH no connection
My intention was to use SVI inter-VLAN routing for three VLANs on the switch, but I also created sub-interfaces on the firewall, which I just heard is triangle routing and may cause some troubleshooting later on.
Thanks so much for going back and forth to help me out on this thread. I will correct it by testing both RoAS and SVI inter-vlan routing for my next visit, and hopefully the SSH will work.
My last question is: what's the best practice for SSH option on the layer 2 switch?
Creating a management VLAN and tagging the uplink port?
Or add an IP address to the primary vlan for SSH?
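The routing choice discussed in the two posts above (endpoints using the switch SVIs as their gateway with return routes on the firewall, versus a firewall sub-interface in every VLAN and the resulting "triangle"), modelled as a small Python path tracer. This is an added example, not code from this thread or from HPE Aruba: every device name, address and route in it is constructed, and the "firewall_sees" verdict is this example's own way of expressing the stateful-inspection caveat.

```python
"""Path-symmetry model for the SVI-versus-firewall-sub-interface question in this thread.
Added example, not Aruba/HPE code. All addresses are constructed: the switch and firewall
share VLAN 61 (10.6.1.0/29, primary) and VLAN 62 (10.6.2.0/29); 198.51.100.0/24 stands in
for the firewall's outside link and 203.0.113.0/24 for an Internet destination."""
import ipaddress


class Router:
    """Minimal L3 hop: connected interfaces plus static routes, longest-prefix match."""

    def __init__(self, name, interfaces, static=()):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.static = [(ipaddress.ip_network(n), ipaddress.ip_address(h)) for n, h in static]

    def owns(self, addr):
        return any(addr == i.ip for i in self.ifaces)

    def next_hop(self, dst):
        """Next-hop address; `dst` itself when it sits on a connected subnet; None if unrouted."""
        cands = [(i.network.prefixlen, dst) for i in self.ifaces if dst in i.network]
        cands += [(net.prefixlen, nh) for net, nh in self.static if dst in net]
        return max(cands, default=(None, None))[1]


def trace(hosts, routers, src, dst, max_hops=8):
    """Names of the routers a packet from host `src` ('ip/prefix') crosses to reach `dst`."""
    src_if, dst_ip = ipaddress.ip_interface(src), ipaddress.ip_address(dst)
    if dst_ip in src_if.network:
        return []                                   # on-link: no router involved
    hop, path = ipaddress.ip_address(hosts[src]), []
    for _ in range(max_hops):
        router = next((r for r in routers if r.owns(hop)), None)
        if router is None:
            raise RuntimeError(f"black hole: nothing owns next hop {hop}")
        path.append(router.name)
        hop = router.next_hop(dst_ip)
        if hop is None:
            raise RuntimeError(f"{router.name} has no route to {dst_ip}")
        if hop == dst_ip:
            return path
    raise RuntimeError(f"routing loop: {' -> '.join(path)}")


def audit_flow(hosts, routers, a, b, firewall="firewall"):
    """Forward/return router lists between hosts a and b; flags asymmetry and how much of the
    flow the stateful firewall sees (one direction only breaks its session tracking)."""
    fwd = trace(hosts, routers, a, ipaddress.ip_interface(b).ip)
    ret = trace(hosts, routers, b, ipaddress.ip_interface(a).ip)
    seen = (firewall in fwd) + (firewall in ret)
    return {"forward": fwd, "return": ret, "symmetric": fwd == ret[::-1],
            "firewall_sees": ("none", "one direction only", "both directions")[seen]}


SWITCH = Router("switch", ["10.6.1.2/29", "10.6.2.2/29"], [("0.0.0.0/0", "10.6.1.1")])
INTERNET = Router("internet", ["198.51.100.1/24", "203.0.113.1/24"],
                  [("10.6.0.0/16", "198.51.100.2")])
# "Triangle": the firewall also has a sub-interface in every VLAN.
FW_TRIANGLE = Router("firewall", ["10.6.1.1/29", "10.6.2.1/29", "198.51.100.2/24"],
                     [("0.0.0.0/0", "198.51.100.1")])
# SVI design: the firewall sits only on the primary VLAN and carries a return route per
# VLAN subnet pointing at the switch's primary-VLAN address.
FW_SVI = Router("firewall", ["10.6.1.1/29", "198.51.100.2/24"],
                [("0.0.0.0/0", "198.51.100.1"), ("10.6.2.0/29", "10.6.1.2")])
FW_SVI_NO_RETURN = Router("firewall", ["10.6.1.1/29", "198.51.100.2/24"],
                          [("0.0.0.0/0", "198.51.100.1")])

HOST_A, HOST_B, SERVER = "10.6.1.3/29", "10.6.2.3/29", "203.0.113.10/24"
SVI_GATEWAYS = {HOST_A: "10.6.1.2", HOST_B: "10.6.2.2", SERVER: "203.0.113.1"}


def triangle_design():
    """Hosts use the SVIs, but the firewall's sub-interface short-cuts the return path."""
    return audit_flow(SVI_GATEWAYS, [SWITCH, FW_TRIANGLE, INTERNET], HOST_B, SERVER)


def mixed_gateways():
    """Host B points at the firewall sub-interface instead: the firewall sees only half."""
    hosts = {**SVI_GATEWAYS, HOST_B: "10.6.2.1"}
    return audit_flow(hosts, [SWITCH, FW_TRIANGLE, INTERNET], HOST_A, HOST_B)


def svi_design():
    """Firewall has the return route: both directions cross the same devices."""
    return audit_flow(SVI_GATEWAYS, [SWITCH, FW_SVI, INTERNET], HOST_B, SERVER)


def svi_design_missing_return_route():
    """Without the return route the firewall's default route bounces the reply around."""
    try:
        audit_flow(SVI_GATEWAYS, [SWITCH, FW_SVI_NO_RETURN, INTERNET], HOST_B, SERVER)
    except RuntimeError as err:
        return str(err)
    return "no error"


if __name__ == "__main__":
    for scenario in (triangle_design, mixed_gateways, svi_design,
                     svi_design_missing_return_route):
        print(f"{scenario.__name__}: {scenario()}")
```

The model compares the list of devices each direction crosses, not interfaces, so in the triangle case it reports the return path skipping the switch; a zone-based firewall would additionally see the two halves on different sub-interfaces. The missing-return-route case ends in the hop limit because the firewall's default route hands the reply back to the upstream router, which sends it straight back.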
Original Message:
Sent: May 09, 2023 01:23 PM
From: Zak Chalupka
Subject: 2540 SSH no connection
That's correct. I cannot think of any reason those routes will be necessary.
But it really just depends on what SVI/L3 interfaces your endpoints (per VLAN) are using as a default gateway. Are they using the switch or the firewall? What's the design intention?
------------------------------
If my post was useful, please Accept Solution and Give Kudos.
------------------------------
Zak Chalupka
Principal Engineer - HPE Aruba
ACDX | ACMP | ACSP | ACCP
wifizak@hpe.com
------------------------------
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
Original Message:
Sent: May 09, 2023 01:07 PM
From: desong1011
Subject: 2540 SSH no connection
Thanks for noticing it. I also have another thread in the Network Management section, "2540, 2930F, 3810M SVI Inter-vlan routing vs RoaS", to get a better understanding of RoAS and SVI inter-VLAN routing.
ip route 10.6.2.0 255.255.255.248 10.6.2.1 (my VLAN 62 interface IP address, the sub-interface of the Firewall acting as the VLAN 62 default gateway)
I assume that since I have a default route (ip route 0.0.0.0 0.0.0.0 10.4.1.1) to the physical interface of the Firewall, I do not need any static routes for my other VLANs to the sub-interfaces of the Firewall?
Original Message:
Sent: May 08, 2023 06:09 PM
From: 802.zak
Subject: 2540 SSH no connection
What is the purpose for these routes in both configurations?
ip route 10.6.1.0 255.255.255.248 10.6.1.1
ip route 10.6.2.0 255.255.255.248 10.6.2.1
ip route 10.6.3.0 255.255.255.248 10.6.3.1
ip route 10.6.4.0 255.255.255.248 10.6.4.1
ip route 10.6.5.0 255.255.255.240 10.6.5.1
ip route 10.6.6.0 255.255.255.248 10.6.6.1
ip route 10.4.2.0 255.255.255.248 10.4.2.1
ip route 10.4.5.0 255.255.255.248 10.4.5.1
Original Message:
Sent: May 08, 2023 05:37 PM
From: desong1011
Subject: 2540 SSH no connection
Both of them are running #YC.16.11.0010 firmware, which I updated in January.
When they were in the main office, I was able to SSH to them.
Original Message:
Sent: May 08, 2023 05:33 PM
From: 802.zak
Subject: 2540 SSH no connection
What firmware version are these running?
Original Message:
Sent: May 08, 2023 05:09 PM
From: desong1011
Subject: 2540 SSH no connection
Yes, that was my purpose. When testing, I assigned an untagged port to VLAN 47, and I could not SSH to either the VLAN 47 IP address or any other VLAN interface IP.
Today, I just configured a 2540 switch for another branch office. This time I did not include the management VLAN, but I could not SSH to or access the web management interface using any VLAN interface IP address.
web-management ssl
web-management management-url "10.4.1.2"
ip dns domain-name "acrs.sea.lcl"
ip dns server-address priority 2 8.8.8.8
ip ssh filetransfer
ip route 0.0.0.0 0.0.0.0 10.4.1.1
ip route 10.4.2.0 255.255.255.248 10.4.2.1
ip route 10.4.5.0 255.255.255.248 10.4.5.1
ip routing
interface 47
   name "uplink"
   exit
vlan 1
   name "default"
   no untagged 1-52
   no ip address
   exit
vlan 41
   name "DATA"
   untagged 1-18,21-52
   ip address 10.4.1.2 255.255.255.224
   ip helper-address 10.4.1.1
   exit
vlan 42
   name "VIDEO"
   untagged 19-20
   tagged 47
   ip address 10.4.2.2 255.255.255.248
   ip helper-address 10.4.2.1
   exit
vlan 45
   name "VOICE"
   tagged 1-18,21-52
   ip address 10.4.5.2 255.255.255.248
   voice
   exit
primary-vlan 41
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator
Original Message:
Sent: May 08, 2023 01:53 PM
From: 802.zak
Subject: 2540 SSH no connection
Looking at your config, it looks like you set up a management VLAN (66). This means things like SSH/GUI/SNMP/etc. will only work from that VLAN.
It also looks like that VLAN only has a tag of 47 (presumably an uplink).
Are you attempting to connect to the switch from an endpoint on that VLAN?
Original Message:
Sent: May 08, 2023 01:32 PM
From: desong1011
Subject: 2540 SSH no connection
Hi Zak,
Yes, I was able to ping bidirectionally. Based on the configuration, I set up manager and operator passwords, but it should still allow me to go to EXEC mode to enter the manager or admin password.
Original Message:
Sent: May 08, 2023 12:11 PM
From: 802.zak
Subject: 2540 SSH no connection
Is the switch accessible by ping?
Do you have admin credentials configured?
Original Message:
Sent: May 05, 2023 01:58 PM
From: desong1011
Subject: 2540 SSH no connection
Hi all,
I have been working on Aruba devices for about 6 months. In my role, I am trying to redesign our network. I have a lot of questions. Happy to find the community here.
My first question would be: in one of our branch offices, I cannot SSH or use the web interface to log into the Aruba 2540 switch, even when I am directly connected to the switch port. Here is the config file:
ip dns server-address priority 1 8.8.8.8
ip dns server-address priority 2 75.75.75.75
ip route 0.0.0.0 0.0.0.0 10.0.130.1
ip route 10.6.1.0 255.255.255.248 10.6.1.1
ip route 10.6.2.0 255.255.255.248 10.6.2.1
ip route 10.6.3.0 255.255.255.248 10.6.3.1
ip route 10.6.4.0 255.255.255.248 10.6.4.1
ip route 10.6.5.0 255.255.255.240 10.6.5.1
ip route 10.6.6.0 255.255.255.248 10.6.6.1
ip routing
vlan 1
   name "Data"
   no untagged 1,9,11-12,15-16,18-19,25-26
   untagged 2-8,10,13-14,17,20-24,27-52
   no ip address
   exit
vlan 61
   name "Staff"
   untagged 9,15-16,18
   tagged 47
   ip address 10.6.1.2 255.255.255.248
   ip helper-address 10.6.1.1
   exit
vlan 62
   name "Video"
   untagged 25-26
   tagged 47
   ip address 10.6.2.2 255.255.255.248
   ip helper-address 10.6.2.1
   exit
vlan 63
   name "AP"
   untagged 19
   tagged 47
   ip address 10.6.3.2 255.255.255.248
   ip helper-address 10.6.3.1
   exit
vlan 64
   name "Printer"
   untagged 11-12
   tagged 47
   ip address 10.6.4.2 255.255.255.248
   ip helper-address 10.6.4.1
   exit
vlan 65
   name "Voice"
   tagged 1-52
   ip address 10.6.5.2 255.255.255.240
   ip helper-address 10.6.5.1
   voice
   exit
vlan 66
   name "VLAN66"
   tagged 47
   ip address 10.6.6.2 255.255.255.248
   exit
primary-vlan 61
management-vlan 66
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password operator
Thank you so much for taking time to help me.
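A small Python checker for the two points raised later in this thread, run against a config like the one above: whether a `management-vlan` leaves any untagged port from which SSH or the web UI could reach the switch, and whether static routes duplicate subnets the switch already owns as SVIs (or point at a next hop the switch is not connected to). This is an added example, not HPE Aruba tooling or the poster's code; SAMPLE_CONFIG is a trimmed copy of the config in the original post, the 3-space indentation follows the switch's own running-config layout, and the two rules applied are this example's assumptions, not documented switch behaviour.

```python
"""Static sanity checks for an ArubaOS-Switch (2540) running-config. Added example for this
thread, not HPE/Aruba tooling. SAMPLE_CONFIG is a trimmed copy of the config posted in the
thread; the two rules applied (management-VLAN reachability, redundant/unreachable static
routes) are this example's own."""
import ipaddress
import re

SAMPLE_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 10.0.130.1
ip route 10.6.1.0 255.255.255.248 10.6.1.1
ip route 10.6.2.0 255.255.255.248 10.6.2.1
ip route 10.6.6.0 255.255.255.248 10.6.6.1
ip routing
vlan 61
   name "Staff"
   untagged 9,15-16,18
   tagged 47
   ip address 10.6.1.2 255.255.255.248
   exit
vlan 62
   name "Video"
   untagged 25-26
   tagged 47
   ip address 10.6.2.2 255.255.255.248
   exit
vlan 66
   name "VLAN66"
   tagged 47
   ip address 10.6.6.2 255.255.255.248
   exit
primary-vlan 61
management-vlan 66
"""


def expand_ports(spec):
    """'9,15-16,18' -> {9, 15, 16, 18}; ArubaOS-Switch port lists are comma/range strings."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_config(text):
    """Pull out static routes, VLAN membership, SVI addresses, primary and management VLAN."""
    cfg = {"routes": [], "vlans": {}, "primary_vlan": None, "management_vlan": None}
    vid = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip route (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                                  ipaddress.ip_address(m[3])))
        elif m := re.fullmatch(r"vlan (\d+)", line):
            vid = int(m[1])
            cfg["vlans"][vid] = {"ip": None, "untagged": set(), "tagged": set()}
        elif m := re.fullmatch(r"(primary|management)-vlan (\d+)", line):
            cfg[f"{m[1]}_vlan"] = int(m[2])
        elif line == "exit":
            vid = None
        elif vid is not None:
            if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
                cfg["vlans"][vid]["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif m := re.fullmatch(r"(untagged|tagged) (\S+)", line):  # 'no untagged' skipped
                cfg["vlans"][vid][m[1]] |= expand_ports(m[2])
    return cfg


def check_management_access(cfg):
    """With management-vlan set, SSH/web/SNMP answer only on that VLAN. Report whether an
    endpoint on an ordinary (untagged) port could ever sit there."""
    mv = cfg["management_vlan"]
    if mv is None:
        return {"restricted": False, "reachable_from_untagged_port": True}
    v = cfg["vlans"].get(mv, {"ip": None, "untagged": set(), "tagged": set()})
    return {"restricted": True, "vlan": mv, "has_ip": v["ip"] is not None,
            "untagged_ports": sorted(v["untagged"]), "tagged_ports": sorted(v["tagged"]),
            "reachable_from_untagged_port": v["ip"] is not None and bool(v["untagged"])}


def check_static_routes(cfg):
    """Flag routes for subnets the switch already owns as an SVI (redundant) and routes
    whose next hop is not on any connected subnet (unreachable)."""
    connected = {vid: v["ip"].network for vid, v in cfg["vlans"].items() if v["ip"]}
    findings = []
    for net, nh in cfg["routes"]:
        owner = next((vid for vid, c in connected.items() if c == net), None)
        if owner is not None:
            findings.append({"route": str(net), "next_hop": str(nh),
                             "redundant_with_vlan": owner})
        elif not any(nh in c for c in connected.values()):
            findings.append({"route": str(net), "next_hop": str(nh),
                             "next_hop_not_connected": True})
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(check_management_access(cfg))
    for finding in check_static_routes(cfg):
        print(finding)
```

On the sample, the management VLAN has an SVI but only a tagged port (47), so no untagged endpoint can reach it; the three /29 routes match subnets the switch already has SVIs in; and the default route's next hop lies in no connected subnet, which is worth confirming against the real uplink addressing before relying on it.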