Wired Intelligent Edge
6300M - New vlan IP - Able to access the Management GUI with this IP

  • 1.  6300M - New vlan IP - Able to access the Management GUI with this IP

    Posted Apr 10, 2024 01:50 PM

    Hi Friends,

    Please advise me on the following

    1. In the show running-config output, the switch is not showing all the access lists configured.
    2. Configured a new VLAN for device registration as 172.16.2.2/24. Now this IP is shown as the neighbor IP in the connected clients. What is the reason?
    3. Management VLAN is 172.16.10.2/24. Can I change the IP to 172.16.10.1/24?
    4. The switch GUI is available on 172.16.2.2 and 172.16.10.2. What is wrong on my side?
    5. From the Mgmt VLAN I want to see other VLANs, but not from all the VLANs to the Mgmt VLAN; I want to permit only a few VLANs to see the mgmt VLAN. Is it possible?



  • 2.  RE: 6300M - New vlan IP - Able to access the Management GUI with this IP

    Posted Apr 11, 2024 08:16 AM

    It may be good to share your configuration, as management VLAN can mean different things, like a VLAN for your switch management interfaces, or a VLAN in which you place your management clients, or something completely different. In AOS-CX there also is an out-of-band management interface, which may be considered a management VLAN as well.

    The solution to your question probably lies in VRFs to isolate traffic.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: 6300M - New vlan IP - Able to access the Management GUI with this IP

    Posted Apr 16, 2024 08:01 AM

    Hi,

    I sent the configuration to you in a private message.

    Please check and reply to me.

    Thanks & Regards,

    Thirunavukkarasu




  • 4.  RE: 6300M - New vlan IP - Able to access the Management GUI with this IP
    Best Answer

    Posted Apr 16, 2024 09:13 AM

    From the config, it seems like you use vlan 5 for your management, but it's part of the default VRF, which means that you can reach that IP from anywhere. Also you enabled ssh & web management on both the mgmt-vrf (not used) and the default-vrf:

    ssh server vrf default
    ssh server vrf mgmt
    
    https-server vrf default
    https-server vrf mgmt

    This means that switch management (HTTPS/SSH) is accessible from any IP address. You can lock that down with a control plane ACL to just a few IPs/subnets.

    Further, you started with applying some acls, but those are not applied everywhere, for example not in your VLAN2 for Device Onboarding, so from there you have access to anywhere, unless an ACL on the destination VLAN blocks the traffic (and it's not the switch itself). What you want to do may be to put ACLs everywhere, but with this many VLANs it's really hard to maintain/troubleshoot and adding a dedicated stateful firewall may bring better management/control/visibility.

    The 'from the management VLAN I want to be able to reach other VLANs, but from those other VLANs I don't want access to the management VLAN' is really hard to implement with stateless ACLs; it's trivial with a stateful firewall. With VRFs you can isolate parts of your network from routing between each other, but that is also bi-directional, so it will work in both directions. A switch may not be the best tool to implement what you have in mind.



    ------------------------------
    Herman Robers
    ------------------------------

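As an added illustration of the exposure described in the answer above (not code from the thread or from HPE Aruba), the following script audits a running-config for VRFs that have SSH or HTTPS management enabled without a control-plane ACL bound. The sample config is constructed from the lines quoted in the answer, and the `apply access-list ip ... control-plane vrf ...` line is an assumption about the AOS-CX CLI used to bind such an ACL.

```python
"""Audit an AOS-CX style running-config for management-plane exposure."""
import re

# Constructed sample: mirrors the thread's config (management on both VRFs)
# plus an assumed control-plane ACL bound only to the mgmt VRF.
SAMPLE_CONFIG = """\
hostname core-6300m
vrf mgmt
access-list ip MGMT-ONLY
    10 permit tcp 172.16.10.0/255.255.255.0 any eq 22
    20 permit tcp 172.16.10.0/255.255.255.0 any eq 443
    30 deny any any any
apply access-list ip MGMT-ONLY control-plane vrf mgmt
ssh server vrf default
ssh server vrf mgmt
https-server vrf default
https-server vrf mgmt
interface vlan 5
    ip address 172.16.10.2/24
"""

# Management services enabled per VRF (syntax as quoted in the thread).
MGMT_SERVICE = re.compile(r"^(ssh server|https-server) vrf (\S+)$")
# Control-plane ACL binding (assumed CLI form, see lead-in).
CP_ACL = re.compile(r"^apply access-list ip (\S+) control-plane vrf (\S+)$")


def audit(config: str) -> dict:
    """Return, per VRF, the enabled management services and any bound
    control-plane ACL; VRFs with services but no ACL are listed as exposed."""
    services, acls = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := MGMT_SERVICE.match(line):
            services.setdefault(m.group(2), set()).add(m.group(1))
        elif m := CP_ACL.match(line):
            acls[m.group(2)] = m.group(1)
    exposed = sorted(v for v in services if v not in acls)
    return {"services": services, "control_plane_acls": acls, "exposed": exposed}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for vrf in sorted(result["services"]):
        acl = result["control_plane_acls"].get(vrf, "NONE")
        print(f"vrf {vrf}: {sorted(result['services'][vrf])} control-plane ACL: {acl}")
    print("exposed VRFs:", result["exposed"])
```

With the sample above, the default VRF (where VLAN 5 lives) is reported as exposed, which is exactly the situation the answer describes.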


  • 5.  RE: 6300M - New vlan IP - Able to access the Management GUI with this IP

    Posted Apr 17, 2024 06:38 AM

    Hi,

    Thanks for the detailed reply. 

    Now I am clear on what to do further in our configuration.

    Thanks and Regards,

    Thirunavukkarasu