Wired Intelligent Edge (Campus Switching and Routing)

New Contributor

Unable to reach 3810m Web UI from different VLAN/Subnet

Hi all,

I have a fairly simple network setup.

2 WatchGuard Fireboxes as a cluster doing our gateway routing, policies and DHCP.

3 3810ms as a mesh stack.

15 iap-315s just happily chattering away.

 

I have about 7 VLANs that are all pretty basic with most ports being access ports except for the uplinks to the fire boxes and the links to the IAPs. The gateway port carries all VLANs and the IAP ports carry the wireless VLANs.

 

I have a policy on the firebox, for testing, to allow all trusted and optional VLANs to speak to anything. (Yes, that is bad, but I'm just trying to solve a problem.)

 

For the sake of simplicity I have an IP for the firebox, the switch stack and the IAP virtual controller on the default VLAN 1 using 10.0.1.0/24 (10.0.1.1, 10.0.1.2 and 10.0.1.3 respectively).

 

So the problem is that if I'm on a trusted VLAN, let's say employee wireless, VLAN 20, 10.0.20.0/24, I can reach the firebox web UI and IAP web UI but not the switch stack web UI. I can access the switch stack web UI from its subnet.

 

I don't have a management-vlan configured. Web management is enabled.

 

This behavior persists if I move everything off the default VLAN and onto a dedicated VLAN for management (not management-vlan).

 

Any thoughts? This is the blocker for my dream of having centralized management via VPN through the firebox.

 

Dave

MVP Guru

Re: Unable to reach 3810m Web UI from different VLAN/Subnet

Hi, let us understand... so your Aruba 3810M (three meshed in a stack) isn't performing any IP routing between configured VLAN IDs since the router role belongs to your cluster of WatchGuard firewalls. Correct?

 

Having the necessary ports set as untagged members of, respectively, each relevant VLAN ID is OK (example: clients, servers, printers, etc.)... just uplink (or downlink) ports need to transport more than one (untagged) VLAN ID... and so are required to be tagged with the various VLAN IDs you need to be transported.

 

It would be nice to understand if you're tagging the uplink (to WatchGuard cluster) ports with all required VLAN IDs (including, I suppose, the one you're using for data, VLAN 1 if I understood you correctly)... an alternative would be enabling IP routing on the Aruba 3810M stack and using a dedicated transport VLAN ID to speak with your WatchGuard firewall cluster (so you will transport only that VLAN ID and use a /31 subnet for that VLAN ID's IP interface)... clearly that approach will change the routing settings on the firewall side, since you will just need one interface instead of many (sub-interfaces).
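The following is an added example, not code from either poster. It models the return path from the switch stack to a management client for the two designs discussed in this thread: the original layout (switch stack at 10.0.1.2/24 on VLAN 1, no IP routing, firewall cluster at 10.0.1.1 doing the routing) and the reply's alternative (IP routing on the stack with a /31 transit VLAN toward the firewall). The symptom in the question, web UI reachable from 10.0.1.0/24 but not from VLAN 20, is exactly what a non-routing switch produces when it has no default gateway: the request arrives through the firewall, but the switch has nowhere to send the reply. The transit VLAN 99, the 10.0.254.0/31 subnet and the client addresses are constructed for illustration and are assumptions, not values from the thread.

```python
"""Model of a managed switch's return path to an off-subnet client.

Topology values taken from the thread: firewall 10.0.1.1, switch 10.0.1.2/24
on VLAN 1, employee wireless VLAN 20 = 10.0.20.0/24. VLAN 99, 10.0.254.0/31
and the client addresses below are constructed (assumed) for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class ManagedDevice:
    name: str
    # VLAN id -> the device's own IP interface on that VLAN
    interfaces: dict = field(default_factory=dict)
    # Next hop for anything not on a connected subnet: "ip default-gateway"
    # on a non-routing switch, a 0.0.0.0/0 route on a routing one. None = unset.
    default_gateway: Optional[str] = None

    def reply_path(self, client_ip: str) -> Tuple[str, Optional[object]]:
        """Decide how a reply to client_ip would leave this device.

        Returns ("on-link", vlan) if the client shares a connected subnet,
        ("via-gateway", gw) if a default gateway exists, else ("unreachable", None).
        """
        ip = ipaddress.ip_address(client_ip)
        for vlan, iface in self.interfaces.items():
            if ip in iface.network:
                return ("on-link", vlan)
        if self.default_gateway:
            return ("via-gateway", self.default_gateway)
        return ("unreachable", None)


def diagnose(device: ManagedDevice, client_ip: str) -> str:
    """Human-readable verdict for one client, including the thing to check."""
    kind, via = device.reply_path(client_ip)
    if kind == "on-link":
        return f"{device.name} answers {client_ip} directly on VLAN {via}"
    if kind == "via-gateway":
        return f"{device.name} answers {client_ip} through next hop {via}"
    return (f"{device.name} has no route back to {client_ip}: the request arrives "
            f"via the firewall but the reply is dropped; check the default gateway")


def layer2_switch(gateway: Optional[str] = None) -> ManagedDevice:
    """The thread's layout: stack on VLAN 1 only, firewall does all routing."""
    return ManagedDevice("3810M-stack", {1: ipaddress.ip_interface("10.0.1.2/24")}, gateway)


def routing_switch_with_transit() -> ManagedDevice:
    """The reply's alternative: stack routes its VLANs and reaches the firewall
    over a dedicated /31 transit VLAN (constructed as VLAN 99, 10.0.254.0/31)."""
    transit = ipaddress.ip_network("10.0.254.0/31")
    fw_side, sw_side = list(transit)  # a /31 holds exactly two host addresses (RFC 3021)
    ifaces = {
        1: ipaddress.ip_interface("10.0.1.2/24"),
        20: ipaddress.ip_interface("10.0.20.1/24"),   # assumed: stack becomes VLAN 20's gateway
        99: ipaddress.ip_interface(f"{sw_side}/31"),
    }
    return ManagedDevice("3810M-stack", ifaces, str(fw_side))


if __name__ == "__main__":
    wireless_client, same_subnet_client = "10.0.20.50", "10.0.1.50"  # constructed
    print(diagnose(layer2_switch(), same_subnet_client))             # works, as reported
    print(diagnose(layer2_switch(), wireless_client))                # fails, as reported
    print(diagnose(layer2_switch("10.0.1.1"), wireless_client))      # works once gateway is set
    print(diagnose(routing_switch_with_transit(), wireless_client))  # reply's alternative
```

Run it as-is to see the four verdicts; the second line reproduces the reported failure and the third shows the same client succeeding once the stack knows a next hop, which is the first thing to verify on the switch before changing uplink tagging or the firewall policy.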
