Wired Intelligent Edge

Can't access to management vLAN

  • 1.  Can't access to management vLAN

    Posted Feb 15, 2023 12:19 PM

    Hi, I have a strange problem with Aruba 2930M; this problem occurs with 3 different stacks connected to each other with a trunk.

    For security reasons I want to move the switch management to a separate vlan which already exists on all stacks and is used for iLO, VMware console, Veeam, Backup NAS etc.

    Until now all stacks were managed from 2 consoles (1 workstation and 1 VM) to the IP configured on the primary vLAN.

    Now I want the switches to be managed by the two consoles using the IP that I assigned to the vLAN Management, but neither console gets access via SSH or via HTTPS; the situation is as follows:

    vlan 1
       name "DEFAULT_VLAN"
       no untagged 1/29-1/30,1/32-1/43,2/29-2/30,2/32-2/43,2/48,3/32-3/42
       untagged 1/1-1/28,1/31,1/44-1/48,1/A3-1/A4,2/1-2/28,2/31,2/45-2/47,2/A3-2/A4,3/1-3/31,3/43,3/45-3/48,3/A1-3/A4,Trk1-Trk2,Trk6
       ip address

    vlan 10
       name "Management"
       untagged 1/33,1/43,2/43
       tagged Trk1-Trk2
       ip address

    The physical workstation has IP and is connected to port 1/33 untagged for vlan 10, the VM has IP and it is in a portgroup of a VMware virtual Switch tagged for vLAN 10.

    Both manage to ping both the IP and the IP but they manage to enter SSH or HTTPS only on the IP. If at this point I send the command management-vlan 10, I lose any possibility to manage the stack.

    Yesterday I did some tests and I discovered that my laptop connected to port 1/33 is perfectly able to access via SSH and HTTPS also the IP.

    My laptop had IP and it had never been used to manage switches. I tried swapping IPs between my laptop and the physical console: my laptop stopped working and the console started working!

    For this reason I think the switches don't allow access to management's IP from IPs that have already accessed vLAN 1 IP before.

    How can I reset the condition without restarting stacks or changing console IPs?

    Thanks in advance

  • 2.  RE: Can't access to management vLAN

    Posted Feb 16, 2023 03:31 AM

    You are aware that the management VLAN is exempt from L3 switching?

    If you activate management-vlan 10 you need to either connect the management consoles directly to VLAN 10 or provide routing via other means, e.g. a firewall.

  • 3.  RE: Can't access to management vLAN

    Posted Feb 16, 2023 03:45 AM

    Hi Zac67, thanks for the answer.

    Yes I know and I think it's a feature and not a problem, that's why I intend to use it to further isolate the management network.
    In fact, if you see from the show run, port 1/33 is untagged for vLAN 10 and that's where the console is connected.
    The problem is that with the current IP ( the console is unable to connect either in SSH or in HTTPS to the IP which I assigned to the vLAN10 of the switch.
    If I change the IP at the console (e.g. then everything works.
    I think the switches don't allow access to management's IP from IPs that have already accessed vLAN 1 IP before.
    Since I can't change the IP of the other console, the virtual one ( I wanted to know if there is a command to "reset" the cache or whatever it is that prevents me from connecting.

  • 4.  RE: Can't access to management vLAN

    Posted Feb 16, 2023 01:36 PM

    Hi, could you share a sanitized running configuration of one of your three Aruba 2930M backplane stacks? Are you testing SSH (or HTTPS) access within a stack (example: workstation connected to - say - interface 1/n untagged member of Management VLAN 10 with proper IP addressing of the stack where you defined VLAN 10 as the "Management (non-routable) VLAN")?

  • 5.  RE: Can't access to management vLAN

    Posted Feb 17, 2023 09:39 AM

    Hi parnassus,

    below I send you an ipconfig of the console and the show run of a stack.
    The console is a physical workstation directly attached to port 33 of stack member 1 and as you see port 1/33 is untagged for vlan 10.

    There is no doubt that this works at the connection/network level because if I simply change the workstation's IP to, for example,, I manage to administer everything correctly.

    The problem is that with the IPs of the workstation and of the server dedicated to management (which also acts as the DNS of Network) I can't connect to the IPs of the stacks that I gave to vLAN 10.

    As strange as this is, I think it's because the switches somewhere wrote that the IPs 171 and 21 have so far been used to administer the switches using the native vLAN IPs ( in this example) and for some reason I don't allow for the change to new IP.


    Configurazione IP di Windows

    Scheda Ethernet Ethernet:

       Suffisso DNS specifico per connessione:
       Indirizzo IPv4. . . . . . . . . . . . :
       Subnet mask . . . . . . . . . . . . . :
       Gateway predefinito . . . . . . . . . :


    SW-A-CED02# sh run

    Running configuration:

    ; hpStack_WC Configuration Editor; Created on release #WC.16.07.0003
    ; Ver #14:01.4f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:02

       member 1 type "JL323A" mac-address 883a30-a15d00
       member 1 priority 250
       member 1 flexible-module A type JL083A
       member 2 type "JL323A" mac-address 883a30-a03d80
       member 2 priority 200
       member 2 flexible-module A type JL083A
       member 3 type "JL323A" mac-address 883a30-a0af40
       member 3 priority 150
       member 3 flexible-module A type JL083A
    hostname "SW-A-CED02"
    trunk 1/A1,2/A1 trk1 lacp
    trunk 1/A2,2/A2 trk2 lacp
    trunk 2/44,3/44 trk6 lacp
    timesync ntp
    ntp unicast
    ntp server
    ntp enable
    telnet-server listen data
    time daylight-time-rule western-europe
    time timezone 60
    web-management listen data
    ip default-gateway
    ip ssh listen data
    snmp-server community "public" unrestricted
    snmp-server host community "public" trap-level critical
    snmp-server listen data
    snmp-server contact "*************" location "Divisione Attrezzature - Rack02 CED"
       ip address dhcp-bootp
       member 1
          ip address dhcp-bootp
       member 2
          ip address dhcp-bootp
       member 3
          ip address dhcp-bootp
    vlan 1
       name "DEFAULT_VLAN"
       no untagged 1/29-1/30,1/32-1/43,2/29-2/30,2/32-2/43,2/48,3/32-3/42
       untagged 1/1-1/28,1/31,1/44-1/48,1/A3-1/A4,2/1-2/28,2/31,2/45-2/47,2/A3-2/A4,3/1-3/31,3/43,3/45-3/48,3/A1-3/A4,Trk1-Trk2,Trk6
       ip address
       ipv6 enable
       ipv6 address dhcp full
    vlan 10
       name "Management"
       untagged 1/33,1/43,2/43
       tagged Trk1-Trk2
       ip address
    vlan 20
       name "DMZ"
       untagged 2/33,3/33
       tagged Trk1-Trk2
       no ip address
    vlan 30
       name "Fonia"
       untagged 1/29-1/30,1/32,1/41-1/42,2/29-2/30,2/32,2/41-2/42,3/41-3/42
       tagged Trk1-Trk2
       no ip address
    vlan 40
       name "Sorveglianza"
       untagged 1/35-1/37,2/35-2/37,2/48,3/35-3/37
       tagged 3/47,Trk1-Trk2
       no ip address
    vlan 50
       name "ProdA"
       untagged 1/34,1/38-1/40,2/34,2/38-2/40,3/32,3/34,3/38-3/40
       tagged 3/47,Trk1-Trk2
       no ip address
    vlan 90
       name "Isolamento"
       no ip address
    management-vlan 10
    spanning-tree Trk1 priority 4
    spanning-tree Trk2 priority 4
    spanning-tree Trk6 priority 4
    no tftp server
    tftp server listen data
    no autorun
    no dhcp config-file-update
    no dhcp image-file-update
    password manager
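
Post 2 says that once `management-vlan 10` is active the consoles must be connected directly to VLAN 10. The check below is an added example, not part of the thread and not Aruba code: it parses the VLAN stanzas of a saved `show run` and reports how a given port belongs to the management VLAN. The sample config is a constructed excerpt and the function names are illustrative.

```python
import re

# Constructed excerpt modelled on the "show run" in the thread (IP lines omitted).
SAMPLE_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1/32-1/43
   untagged 1/1-1/28,1/31,Trk1-Trk2
vlan 10
   name "Management"
   untagged 1/33,1/43,2/43
   tagged Trk1-Trk2
management-vlan 10
"""

def expand_ports(spec):
    """Expand '1/29-1/30,1/A3-1/A4,Trk1-Trk2' into individual port names."""
    ports = []
    for item in spec.split(","):
        first, _, last = item.strip().partition("-")
        # A single port such as 3/47 is treated as the range 3/47-3/47.
        a, b = (re.match(r"^(.*?)(\d+)$", p) for p in (first, last or first))
        if not a or not b or a.group(1) != b.group(1):
            raise ValueError(f"unsupported port range: {item}")
        ports += [f"{a.group(1)}{n}" for n in range(int(a.group(2)), int(b.group(2)) + 1)]
    return ports

def parse_vlans(config):
    """Return ({vlan_id: {'untagged': set, 'tagged': set}}, management_vlan or None)."""
    vlans, current, mgmt = {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"^vlan (\d+)$", line):
            current = vlans.setdefault(int(m.group(1)), {"untagged": set(), "tagged": set()})
        elif m := re.match(r"^management-vlan (\d+)$", line):
            mgmt, current = int(m.group(1)), None
        elif current is not None and (m := re.match(r"^(untagged|tagged) (\S+)$", line)):
            current[m.group(1)].update(expand_ports(m.group(2)))  # "no untagged" is skipped
    return vlans, mgmt

def console_membership(config, port):
    """'untagged', 'tagged' or None: how `port` belongs to the management VLAN."""
    vlans, mgmt = parse_vlans(config)
    members = vlans.get(mgmt, {})
    return next((mode for mode in ("untagged", "tagged") if port in members.get(mode, ())), None)

if __name__ == "__main__":
    for port in ("1/33", "Trk1", "1/5"):
        print(port, console_membership(SAMPLE_CONFIG, port))
```

A result of `None` for a console's port means that port is not a member of the management VLAN in the parsed config.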

  • 6.  RE: Can't access to management vLAN

    Posted Feb 17, 2023 02:22 PM

    Ciao Stefano, probably I should take my time to better read this whole thread from the beginning... it's evening and I'm worn out... let me just ask you why VLAN 10 (a quite normal VLAN, as far as I see) has IP address set to when instead your Admin Console server was configured with as its default gateway?


  • 7.  RE: Can't access to management vLAN

    Posted Feb 20, 2023 10:57 AM

    Hi parnassus,

    the switches do not take care of vlan-routing but it is managed by the firewall which in vlan 10 has an interface with IP
    I wrote you the details in private, let me know if you received the answer.
    Thank you