thanks for your reply. We've figured out how to assign a static IP only to the mgmt VLAN, removing the one from VLAN 1: our error was that we were setting static routes at device level rather than at group level. The assignment at device level made the switch become unreachable when we disabled DHCP on VLAN 1, while assigning at group level did the job.
Original Message:
Sent: Oct 20, 2023 09:05 AM
From: MoJoPBS
Subject: How to configure a management VLAN
Howdy!
I had the same/similar issue. With AOS-CX you need to put an ACL for the mgmt VLAN on the default VRF. See my configuration below:
loop-protect trap loop-detected
ntp server 172.21.128.216
ntp server pool.ntp.org minpoll 4 maxpoll 4 iburst
ntp enable
!
!
!
!
!
!
ssh server vrf default
ssh server vrf mgmt
vsf member 1
type jl665a
link 1 1/1/52
vsf member 2
type jl665a
link 1 2/1/52
access-list ip MGMT
1 comment CONFIRM NUMBER TIER
2 comment 10-30 PERMITS MGMT VLAN IP
3 comment 40-60 DENYS ALL ELSE
4 comment 990-1000 ALLOWS PING/ALL ELSE
10 permit tcp 10.20.0.179/255.255.248.0 any eq ssh
11 permit tcp 10.20.0.179/255.255.248.0 any eq https
12 permit udp 10.20.0.179/255.255.248.0 any eq https
20 permit udp 10.20.0.179/255.255.248.0 any eq snmp
30 permit udp 10.20.0.179/255.255.248.0 any eq snmp-trap
40 deny tcp any any eq ssh count
41 deny udp any any eq https count
42 deny tcp any any eq https count
50 deny udp any any eq snmp count
60 deny udp any any eq snmp-trap count
990 comment ALLOW ALL
1000 permit any any any
apply access-list ip MGMT control-plane vrf default
client track ip
client device-fingerprint profile a
lldp
cdp
dhcp
http user-agent
vlan 1
vlan 2
name VOICE_VLAN
vlan 3
name MGMT_VLAN
vlan 100
name WLAN_VLAN
vlan 110
name VPN_VLAN
vlan 120
name ENS_VLAN
vlan 130
name PA_VLAN
vlan 140
name GATE3_VLAN
vlan 170
name IMG_VLAN
vlan 180
name GATE_VLAN
vlan 190
name SAS_VLAN
no spanning-tree
interface mgmt
no shutdown
ip dhcp
interface lag 1
description UPLINK LAG
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed all
lacp mode active
interface 1/1/1
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed all
loop-protect
client device-fingerprint apply-profile a
interface 1/1/2
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/3
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/4
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/5
no shutdown
no routing
vlan access 120
loop-protect
client device-fingerprint apply-profile a
interface 1/1/6
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/7
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/8
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/9
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/10
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/11
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/12
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/13
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/14
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/15
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/16
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/17
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/18
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/19
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/20
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/21
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/22
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/23
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/24
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/25
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/26
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/27
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/28
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/29
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/30
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/31
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/32
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/33
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/34
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/35
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/36
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/37
no shutdown
no routing
vlan access 100
loop-protect
client device-fingerprint apply-profile a
interface 1/1/38
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/39
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/40
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/41
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/42
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/43
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/44
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/45
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/46
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/47
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 1/1/48
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed all
loop-protect
client device-fingerprint apply-profile a
interface 1/1/49
no shutdown
lag 1
interface 1/1/50
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed all
interface 1/1/51
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed all
interface 1/1/52
no shutdown
interface 2/1/1
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/2
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/3
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/4
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/5
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/6
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/7
no shutdown
no routing
vlan access 100
loop-protect
client device-fingerprint apply-profile a
interface 2/1/8
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/9
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/10
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/11
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/12
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/13
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/14
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/15
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/16
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/17
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/18
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/19
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/20
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/21
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/22
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/23
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/24
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/25
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/26
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/27
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/28
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/29
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/30
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/31
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/32
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/33
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/34
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/35
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/36
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/37
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/38
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/39
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/40
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/41
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/42
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/43
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/44
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/45
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/46
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/47
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/48
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1-2
loop-protect
client device-fingerprint apply-profile a
interface 2/1/49
no shutdown
lag 1
interface 2/1/50
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed all
interface 2/1/51
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed all
interface 2/1/52
no shutdown
interface vlan 1
ip address 172.21.148.251/17
ip dhcp
! ip dhcp is ignored when static ip is configured
interface vlan 3
ip address 10.20.0.179/21
snmp-server vrf default
snmp-server trap-source 172.21.128.213 vrf default
snmp-server trap snmp authentication coldstart warmstart vrf default
snmp-server system-location OLII
snmp-server system-contact ISC
snmp-server community Public
ip route 0.0.0.0/0 172.21.128.100
ip dns server-address 172.21.128.50
ip dns server-address 172.21.128.51
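To check what the control-plane ACL above actually lets through before applying it, here is an offline first-match evaluator for its entries. This is an added example, not Aruba's code or the poster's; it models only the entry forms the MGMT ACL uses (permit/deny, protocol, source, destination, optional "eq <service>" destination port, trailing "count"), with a constructed copy of the entries embedded inline.

```python
"""First-match evaluator for the MGMT control-plane ACL quoted in the thread.
Added example (not Aruba's or the poster's code). Assumes the ACL entry
shapes seen above; unmatched traffic hits AOS-CX's implicit deny."""
import ipaddress
import re

# Constructed copy of the thread's ACL entries (comment entries omitted).
MGMT_ACL = """
10 permit tcp 10.20.0.179/255.255.248.0 any eq ssh
11 permit tcp 10.20.0.179/255.255.248.0 any eq https
12 permit udp 10.20.0.179/255.255.248.0 any eq https
20 permit udp 10.20.0.179/255.255.248.0 any eq snmp
30 permit udp 10.20.0.179/255.255.248.0 any eq snmp-trap
40 deny tcp any any eq ssh count
41 deny udp any any eq https count
42 deny tcp any any eq https count
50 deny udp any any eq snmp count
60 deny udp any any eq snmp-trap count
1000 permit any any any
"""

SERVICES = {"ssh": 22, "https": 443, "snmp": 161, "snmp-trap": 162}
ENTRY = re.compile(r"^(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\S+))?")

def parse_acl(text):
    """Return entries as (seq, action, proto, src, dst, dport) sorted by sequence."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:               # skips anything that is not a permit/deny entry
            continue
        seq, action, proto, src, dst, svc = m.groups()
        port = SERVICES.get(svc, int(svc) if svc and svc.isdigit() else None) if svc else None
        entries.append((int(seq), action, proto, src, dst, port))
    return sorted(entries)

def in_scope(field, ip):
    """'any' or an address/mask (dotted mask, as the ACL writes it) covering ip."""
    if field == "any":
        return True
    net = ipaddress.ip_network(field, strict=False)  # 10.20.0.179/255.255.248.0 -> 10.20.0.0/21
    return ipaddress.ip_address(ip) in net

def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """Return (action, seq) of the first matching entry; (deny, None) for the implicit deny."""
    for seq, action, p, src, dst, port in entries:
        if p != "any" and p != proto:
            continue
        if not in_scope(src, src_ip) or not in_scope(dst, dst_ip):
            continue
        if port is not None and port != dport:
            continue
        return action, seq
    return "deny", None
```

Running a few flows through it shows the intended split: SSH/HTTPS/SNMP from inside 10.20.0.0/21 land on entries 10-30, the same services from anywhere else on the counted denies 40-60, and everything else (ICMP, for example) falls through to entry 1000.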
Original Message:
Sent: Oct 19, 2023 07:02 AM
From: Luca
Subject: How to configure a management VLAN
Hello,
we have some 6100 and 6200F switches centrally managed by Aruba Central, and we would like to add them to our management VLAN so that nobody except authorized personnel can access them via HTTPS, SSH or any other way, but we're facing several issues. Do you have a best practice for that, please?
What we tried:
- We cannot use the mgmt VRF on the 6100 since it's not available
- We gave a static IP address to the switch at mgmt VLAN level, but we cannot set the gateway. We tried to do that at static route level, but it doesn't work
- We tried to set the source interface, but still no effect
Most of the time, the switch goes offline and we need to zeroize it and restart from scratch, so we must be missing something.
Thank you if any of you has a clue!
Bye,
Luca