Wired Intelligent Edge

last person joined: 3 hours ago 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Back to discussions
Expand all | Collapse all

Unable to reach 3810m Web UI from different VLAN/Subnet

This thread has been viewed 0 times

  • 1.  Unable to reach 3810m Web UI from different VLAN/Subnet

    Posted Jul 27, 2019 01:22 AM

    Hi all,

    I have a fairly simple network setup.

    2 watch guard fire boxes as a cluster doing our gateway routing, policies and DHCP.

    3 3810ms as a mesh stack.

    15 iap-315s just happily chattering away.

     

    I have about 7 VLANs that are all pretty basic with most ports being access ports except for the uplinks to the fire boxes and the links to the IAPs.  The gateway port carries all VLANs and the IAP ports carry the wireless VLANs

     

    I have a policy on the firebox, for testing, to allow all trusted and optional VLANs to speak to anything.  (Yes, that is bad but I'm just trying to solve  a problem).

     

    For the sake of simplicity I have an IP for the firebox, the switch stack and the iap virtual controller on the default vlan 1 using 10.0.1.0/24 (10.0.1.1, 10.0.1.2 and 10.0.1.3 respetively).

     

    So the problem is that if I'm on a trusted VLAN, let's say employee wireless, VLAN 20, 10.0.20.0/24, I can reach the firebox web ui and iap web ui but not the switch stack web ui.  I can access the switch stack webui from its subnet.

     

    I dont have a management-vlan configured.  Web management is enabled 

     

    This behavior persists if I move everything off the default VLAN and onto a dedicated VLAN for management (not management-vlan).

     

    Any thoughts?  This is the blocker for my dream of having centralized management via VPN through the firebox.

     

    Dave



  • 2.  RE: Unable to reach 3810m Web UI from different VLAN/Subnet

    MVP GURU
    Posted Jul 28, 2019 12:32 PM

    Hi, let us to understand...so your Aruba 3810M (three meshed in a stacked) isn't performing any IP routing between configured VLAN IDs since the router role belongs to your Cluster of Watchguard firewalls. Correct?

     

    Having necessary ports set as untagged members of, respectively, each relevant VLAN ID is OK (example: clients, servers, printers, etc.)...just uplink (or downlink) ports need to transport more than one (untagged) VLAN ID...and so are required to be tagged with various VLAN IDs you need to be transported.

     

    Would be nice to understand if you're tagging the uplink (to Watchguard Cluster) ports with all required VLAN IDs (including, I suppose, the one you're using for data, VLAN 1 if I understood you correctly)...an alternative would be enabling IP Routing on Aruba 3810m Stack and use a transport (dedicated) VLAN ID to speak with your Watchguard Firewall Cluster (so you will transport only that VLAN ID and use a /31 Subnet for that VLAN ID IP interface),,,clearly that approach will change the routing settings firewall side since you will just need one interface instead of many (sub-interfaces).