Wired Intelligent Edge

Hi,

 

I am confused about the behaviour of the "management-vlan" command. Experimenting with an HP ProCurve 2626 and an Aruba 2930F led to identical results.

 

An excerpt from the running configuration, identical for both ProCurve and Aruba switches:

ProCurve Switch 2626 / Aruba 2930F# show running-config 
[...]
ip routing
[...]
vlan 1 
   name "DATA" 
   untagged 1-26 
   ip address 192.168.1.14 255.255.255.240 
   exit 
vlan 9 
   name "MGMT" 
   ip address 192.168.9.6 255.255.255.248 
   tagged 1 
   exit 
management-vlan 9
[...]

As you can see, ethernet 1 is assigned to both VLAN 1 (untagged), and VLAN 9 (tagged).

A PC connected to ethernet 1 has the following IP configuration:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   [...]
   IPv4 Address. . . . . . . . . . . : 192.168.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Default Gateway . . . . . . . . . : 192.168.1.14

Pinging VLAN 1 SVI:

C:\Users\vvoica>ping -n 1 192.168.1.14

Pinging 192.168.1.14 with 32 bytes of data:
Reply from 192.168.1.14: bytes=32 time=1ms TTL=64

Ping statistics for 192.168.1.14:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

Pinging VLAN 9 SVI:

C:\Users\vvoica>ping -n 1 192.168.9.6

Pinging 192.168.9.6 with 32 bytes of data:
Request timed out.

Ping statistics for 192.168.9.6:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

After issuing "no management-vlan 9" pinging VLAN 9 SVI succeeded.

 

My expectation would have been to still be able to connect to the switch after issuing "management-vlan 9" but only from the ports on which VLAN 9 is tagged (in this case only from a PC connected to ethernet 1); this does not happen.

 

I had a thorough look at the "ArubaOS-Switch – How to Configure a Management VLAN" article by "esupport" but that only strengthen what I was already expecting from using this command.

 

I hope I made myself clear, any feedback will be appreciated.

---

@valentin wrote: My expectation would have been to still be able to connect to the switch after issuing "management-vlan 9" but only from the ports on which VLAN 9 is tagged (in this case only from a PC connected to ethernet 1); this does not happen.

Is the host from what you're trying connecting VLAN 9 able to tag egress traffic with that VLAN Id?

Thank you both for your input.

 

@parnassus: No, the host is not able to tag the egress traffic. My understanding was that the traffic would be routed by the switch.

 

@Mathew Fern: thnaks to your reply I fully understand now how the management-vlan command is working. I think, for me, the best approach will be to use an ACL fo limit the management access to the switch.

 wrote: No, the host is not able to tag the egress traffic. My understanding was that the traffic would be routed by the switch.
Well, routing and VLAN Tagging/Untagging are not necessarily related...if your host is not able to perform VLAN Tagging then you should configure switch interfaces dedicated to management as untagged members of your "Management VLAN" (or as untagged members of the VLAN you're going to reserve for management if you are not going to use the "Managment VLAN" feature applied to a generic VLAN)

Greetings!

 

The management VLAN does not participate in IP routing on a switch, when configured; the only devices that will be able to reach the management VLAN by IP address are those that are directly connected to a management VLAN port (or another port on the same management VLAN on another switch in the network) with an IP address on the same subnet. 

 

This behavior, and other restrictions, are detailed in the Management VLAN section of the ArubaOS-Switch Hardening Guide. 

 

If you require your management connection to be part of a routed VLAN, you may wish to use either the Authorized IP Managers feature or utilize Access Control Lists to control access to the switch.