Consolidate all "Management" access to 1 Network [ISR,FPR,SMB]

TheGoob
Level 4

So this would seem like it should be pretty easy...

Across the 3 devices, I have created a "vlan 98"

ISR, vlan98/SVI 10.0.0.1

FPR,vlan98/SVI 10.0.0.2

SMB [SG350XG], vlan98 10.0.0.3.

 

Everything connects to the SMB, and so from my WiFi, 192.168.5.0, I can access the SMB GUI at 10.0.0.3 no problem. But I cannot even get a ping from 10.0.0.1 [ISR] or 10.0.0.2 [FPR].

On ISR I have associated 0/1/7 to vlan98, verified Interface and SVI 'up'

On FPR I have associated 1/8 to vlan98, verified Interface and SVI 'up'.

On SMB I have associated 1/11 to vlan98, verified up ..

Maybe this is not how I am supposed to do it? I have IP routing on the SMB. Just not sure of the best way to implement a system where I can access all 3 devices via my main network, 192.168.5.0.

 

Also, for simplicity, each interface on each device is connecting to a simple L2 switch... Again, not sure if this was correct. Really, I just want the 3 devices to be on 10.0.0.x and accessible from 192.168.5.0.

2 Accepted Solutions

shahseo
Level 1

It seems your network setup is almost there, but there's one missing piece: a traffic cop! (that's the router in networking terms).

Right now, your devices in VLAN 98 (10.0.0.x) are like islands - they can't talk to your main network (192.168.5.0).

Here's the fix:

  1. Turn on IP routing on your ISR (the router). This lets it forward messages between networks.

  2. Set up a simple rule on the ISR telling it to send traffic for 10.0.0.x (VLAN 98) to your SMB switch (where the VLANs connect). This way, the ISR knows where to send messages for your VLAN devices.

  3. Double-check any firewall rules - make sure they're not blocking the conversation between your networks.

Bonus Tip: If you only need to access the ISR and FPR management interfaces, you can set them up with separate IPs in your main network (192.168.5.0). This avoids routing but won't let the VLAN devices talk to each other.

Get that routing enabled on the ISR, and you should be able to chat with all your devices from your main network in no time! If you get stuck anywhere, feel free to share those router commands for a closer look.


No, you are not experiencing a bug or a glitch - the way we configured it works as expected, or more accurately doesn't work as expected.

The issue you are facing is described in @shahseo's post - you have the three devices connected in a separate vlan that you plan to use for management. The problem begins because you are not accessing the devices from a "management station" which would be part of the management vlan. You want to access them from one of the other vlans in your network - vlan 5. The reason it works when you access your SG350 on its management IP 10.0.0.3 is that the SG350 knows firsthand about both vlans - management and vlan 5.

You cannot say the same thing about the ISR, which has a connected interface in the management vlan with IP 10.0.0.1 and also has a static route to network 192.168.5.0/24, your vlan 5, which points to your FPR. The traffic from your vlan 5 host comes to your SG350 - its default gateway; it knows about network 10.0.0.0/24, performs an ARP for the ISR IP address 10.0.0.1 and sends the packet to the ISR.

Now, when the ISR sends the reply packet back to your vlan 5 host, it looks at its routing table and finds a route pointing to 172.16.1.2, the FPR. The FPR will drop the packet because the original packet didn't go through it, so it doesn't have a translation for this traffic in order to match the return traffic. Conclusion: accessing the ISR on 10.0.0.1 from your vlan 5 hosts doesn't work.

The first solution to solve this issue is to configure Policy Based Routing on the ISR in order to forward the traffic from 10.0.0.1 to the correct address 10.0.0.3:

! Match the ISR's own management replies: source 10.0.0.1, destination vlan 5
ip access-list extended MGMT_TO_VLAN5
 permit ip host 10.0.0.1 192.168.5.0 0.0.0.255
!
route-map SPLIT_ACCESS permit 10
 match ip address MGMT_TO_VLAN5
 set ip next-hop 10.0.0.3
!
interface Vlan9
 ip address 10.0.0.1 255.255.255.0
!
! The replies are generated by the ISR itself, so the route-map must be applied
! to locally originated traffic; an 'ip policy route-map' on the SVI would only
! act on packets received on that interface.
ip local policy route-map SPLIT_ACCESS

The second solution is to configure Virtual Routing and Forwarding on the ISR:

! Separate routing table for the management SVI
! (on newer IOS-XE releases the equivalent is 'vrf definition mgmt' with
! 'address-family ipv4', and 'vrf forwarding mgmt' on the interface)
ip vrf mgmt
!
interface Vlan9
 ip vrf forwarding mgmt
 ! assigning the VRF clears the IP address, so re-enter it afterwards
 ip address 10.0.0.1 255.255.255.0
!
! Inside the VRF, vlan 5 is reached via the SG350XG, not via the FPR
ip route vrf mgmt 192.168.5.0 255.255.255.0 10.0.0.3

This way you will keep your management traffic separate from your Internet traffic that is routed based on the Global Routing Table.

On your FPR you should configure the management interface with IP 10.0.0.2/24 and the default gateway 10.0.0.3.

Regards, LG
*** Please Rate All Helpful Responses ***

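To make the asymmetric-path explanation above concrete, here is a small hop-by-hop path model. It is an added example, not part of the original thread or of any Cisco tooling: it walks the request from the vlan 5 host to the ISR and the ISR's reply back, with the FPR modelled as a stateful firewall, and then applies the two fixes from the answer (PBR on the ISR's own traffic, and a management VRF). Addresses and static routes are taken from the thread; the hop names, the SG/FPR default routes, the host address 192.168.5.10 and the rule that the FPR only creates flow state for traffic arriving from 192.168.5.0/24 are assumptions made for the example.

```python
"""Hop-by-hop path model of the topology in this thread (added example, not
part of the original post). Replays the failure LG describes: the request
reaches the ISR over the shared 10.0.0.0/24 vlan, the ISR's reply follows
its static route to the FPR, and the stateful FPR drops it for lack of flow
state. Then applies the two fixes from the accepted answer. Addresses and
routes follow the thread; hop names, the SG/FPR default routes and the
FPR's state rule are assumptions."""
import ipaddress

IP, NET = ipaddress.ip_address, ipaddress.ip_network

# Which device owns which address (stands in for ARP on a connected subnet).
ADDRESSES = {
    "host": ["192.168.5.10"],                           # assumed wifi client, vlan 7
    "SG":   ["192.168.5.1", "172.16.2.2", "10.0.0.3"],  # SG350XG
    "FPR":  ["172.16.2.1", "172.16.1.2", "10.0.0.2"],
    "ISR":  ["172.16.1.1", "10.0.0.1"],
}
CONNECTED = {
    "host": ["192.168.5.0/24"],
    "SG":   ["192.168.5.0/24", "172.16.2.0/24", "10.0.0.0/24"],
    "FPR":  ["172.16.2.0/24", "172.16.1.0/24", "10.0.0.0/24"],
    "ISR":  ["172.16.1.0/24", "10.0.0.0/24"],
}
# Static routes per device: prefix -> next-hop address (global routing table).
STATIC = {
    "host": {"0.0.0.0/0": "192.168.5.1"},
    "SG":   {"0.0.0.0/0": "172.16.2.1"},                  # assumed default to FPR
    "FPR":  {"0.0.0.0/0": "172.16.1.1", "192.168.5.0/24": "172.16.2.2"},
    "ISR":  {"192.168.5.0/24": "172.16.1.2"},             # the route LG points at
}
FPR_INSIDE = NET("192.168.5.0/24")  # assumed: only flows from here create state


def owner(addr):
    return next((n for n, a in ADDRESSES.items() if addr in a), None)


def lookup(node, dst, routes):
    """Longest-prefix match: connected subnets first, then routes[node]."""
    d = IP(dst)
    if any(d in NET(n) for n in CONNECTED[node]):
        return owner(dst)
    best = max((NET(p) for p in routes[node] if d in NET(p)),
               key=lambda n: n.prefixlen, default=None)
    return owner(routes[node][str(best)]) if best else None


def trace(src, dst, flows, routes=STATIC, local_policy=None):
    """Walk one packet from owner(src) towards owner(dst); returns (delivered, path, reason).
    flows: (src, dst) pairs the FPR holds state for. local_policy models 'ip local policy'."""
    node, path, nh = owner(src), [owner(src)], None
    for (s, d), hop in (local_policy or {}).get(node, {}).items():
        if src == s and IP(dst) in NET(d):     # PBR on the device's own traffic
            nh = owner(hop)
    for _ in range(8):                          # loop guard
        if node == owner(dst):
            return True, path, "delivered"
        if node == "FPR":                       # stateful transit through the firewall
            if (src, dst) not in flows and (dst, src) not in flows:
                if IP(src) not in FPR_INSIDE:
                    return False, path, "FPR dropped: no flow state for this traffic"
                flows.add((src, dst))
        nh = nh or lookup(node, dst, routes)
        if nh is None:
            return False, path, f"{node} has no route to {dst}"
        node, nh = nh, None
        path.append(node)
    return False, path, "hop limit exceeded"


def round_trip(routes=STATIC, local_policy=None):
    """Host 192.168.5.10 -> ISR 10.0.0.1, then the ISR's reply. Returns both traces."""
    flows = set()
    fwd = trace("192.168.5.10", "10.0.0.1", flows, routes, local_policy)
    rev = trace("10.0.0.1", "192.168.5.10", flows, routes, local_policy)
    return fwd, rev


def with_pbr():
    # route-map SPLIT_ACCESS: host 10.0.0.1 -> 192.168.5.0/24, set ip next-hop 10.0.0.3
    return round_trip(local_policy={"ISR": {("10.0.0.1", "192.168.5.0/24"): "10.0.0.3"}})


def with_vrf():
    # vrf mgmt on the ISR: the SVI's table only knows 192.168.5.0/24 via 10.0.0.3
    return round_trip(routes=dict(STATIC, ISR={"192.168.5.0/24": "10.0.0.3"}))


if __name__ == "__main__":
    for name, fn in (("as posted", round_trip), ("PBR", with_pbr), ("VRF mgmt", with_vrf)):
        fwd, rev = fn()
        print(f"{name:10} request: {' > '.join(fwd[1])}  ({fwd[2]})")
        print(f"{'':10} reply:   {' > '.join(rev[1])}  ({rev[2]})")
```

Running it shows the request taking host > SG > ISR while the reply takes ISR > FPR and is dropped; with either fix the reply takes ISR > SG > host. The same model also shows why 10.0.0.3 works from the start: both directions stay on subnets the SG350XG is directly connected to, so no static route or firewall is ever consulted.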

32 Replies

balaji.bandi
Hall of Fame
 from my WiFi, 192.168.5.0, I can access SMB GUI 10.0.0.3 no problem

As per the information, this shows that the VLAN SVI is on the SMB switch and it knows how to reach back to the device you try to connect from on the 192.168.5.0 network.

How does your other device config look on the ISR and FPR? Do they have routing, and are they able to reach the 192.168.5.0 network using a source in vlan 98?

How is your configuration between the ISR and SMB switch (Layer 2 or Layer 3)? Same with the FTD?

Why do you need vlan 98? For management, it is best to use P2P Layer 3 IPs to connect to those devices from your WiFi.

post some latest diagram for us to understand here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

TheGoob
Level 4

Hey there, currently unable to post clarity..

Alright so I can maybe describe it easier.

ISR connects to FPR connects to SMB. SMB has vlan 2-7. 192.168.5.0 [WiFi] just happens to be my "main" network... It is also vlan7 on SMB.

ISR has 0/1/7 associated with vlan98 SVI [10.0.0.1]

FPR has 1/8 associated with vlan98 SVI [10.0.0.2]

SMB has 1/11 associated with vlan98 SVI [10.0.0.3]

ALL THREE of those are connected to a simple L2 switch... I assume I can connect to 10.0.0.3 because it is "local" to my vlan 7, as vlan 98 is also on it and has routing. It seems that even though the ISR and FPR are both in vlan98 and have SVIs in the same network as the SMB [10.0.0.0], the SMB is not routing to them. I had "assumed" that since all 3 were on the same network and same vlan, it would do so.

Why 98? I don't know, no reason, I just wanted it away from the 2-7 and normal vlans I use. I tried using the management ports but I got an error here, error there.

This information you already provided in the first post; what we don't have visibility into is how these devices are connected.

Are they pure Layer 2 or p2p Layer 3?

Just adding an IP on each device does not mean they are in the same network; we need to know how this vlan is extended at Layer 2.

If device to device is Layer 3 p2p, that does not work.

post SMB and ISR config to understand better.

Basic test: on the ISR, using a source of 10.0.0.1, can you ping the PC or 192.168.5.X?

BB


TheGoob
Level 4

I wanted to mention this...

 

If I make my Linux PC IP 10.0.0.5 and connect directly to 1/8 [10.0.0.2] on the FPR, it connects. If I do the same to the ISR [10.0.0.1], it connects. So for both the FPR and ISR, when connected directly to those ports, I get access to the GUI, but when I connect them to an L2 switch alongside my SMB, it does not "route". It seems an issue on the SG350XG.

liviu.gheorghe
Spotlight

Hello @TheGoob ,

if your topology is the same like the one in your last post: ISR---172.16.1.0/24----FPR----172.16.2.0/24----SMB

then adding an interface from 10.0.0.0/24 on each device doesn't make it a management network or OOB network. All your devices are L3 and they need some sort of routing, static or dynamic, to reach every IP in your new defined 10.0.0.0/24 network.

For example, your wifi network which is 192.168.5.0/24 has a connection and a SVI in your SMB switch. You can reach 10.0.0.3 from your wifi connected devices because they both are connected interfaces in your SMB switch that routes packets between the two interfaces.

But for the other 2 devices connected to network 10.0.0.0, the SMB switch doesn't know how to route the packets and you need a route to do that: ip route 10.0.0.0 /24 172.16.2.1 metric 2

The same goes for your other devices:

ISR: ip route 10.0.0.0 255.255.255.0 172.16.1.2

FPR: route to 10.0.0.1/32 point to ISR 172.16.1.1 and route to 10.0.0.3/32 point to SMB 172.16.2.2

 

Regards, LG

TheGoob
Level 4

Howdy. I shall input that in a bit.

I guess this is why I need more understanding of routing. In my mind, I felt it was none of the ISR's or FPR's business to know the 10.x network, because they all had SVIs and are connected to the SVI on the SMB, along with 192.168.5.0, so I assumed it would be able to find its "family" in the same 10.0.0.x network.
This to me suggests that routing is not done on the SG350XG along with all the vlans but still goes back to the ISR/FPR for routing. Hmm, makes me wonder if my 10Gb interfaces aren't being utilized as it has to go back to the 1Gb interface to route.


@TheGoob wrote:

Howdy. I shall input that in a bit.

I guess this is why I need more understanding of routing. In my mind, I felt it was none of the ISR's or FPR's business to know the 10.x network, because they all had SVIs and are connected to the SVI on the SMB, along with 192.168.5.0, so I assumed it would be able to find its "family" in the same 10.0.0.x network.

This setup you described would have worked if the ISR and FPR were physically connected with a link to the SG350 in that management vlan 98. In this case you wouldn't need to configure static routes on the other devices, because the management vlan and the other IP you were trying to reach are local to the device in question.

This to me suggests that routing is not done on the SG350XG along with all the vlans but still goes back to the ISR/FPR for routing. Hmm, makes me wonder if my 10Gb interfaces aren't being utilized as it has to go back to the 1Gb interface to route.

Routing is done by every device the packet goes through. When a network device receives a packet, it examines the IP header for a number of things, one being the IP destination address. Then the device examines its routing table to see if it can forward the packet to the destination. If it doesn't know the destination network, the packet is discarded.

Regards, LG

Well this is what sort of threw me off, as this is what I did;

ISR, GE 1/0/5 I made 10.0.0.1 IP

FPR GE 1/7    I made 10.0.0.2 IP

SG GE 1/11   I made  10.0.0.3 IP

I connected them all to a L2 Switch, but only SG routed. I had assumed this was "connecting them to the link" but maybe you meant directly onto SG for routing? Like, assign 3 Ports on SG to vlan99?

 

Also, I did the routing as mentioned verbatim. I must be missing something because it did not work. It is ok, I am fine with it not. I am good with just plugging into each one, one at a time, to program stuff. Maybe the FPR needs an ACL, who knows.


@TheGoob wrote:

Well this is what sort of threw me off, as this is what I did;

ISR, GE 1/0/5 I made 10.0.0.1 IP

FPR GE 1/7    I made 10.0.0.2 IP

SG GE 1/11   I made  10.0.0.3 IP

I connected them all to a L2 Switch, but only SG routed. I had assumed this was "connecting them to the link" but maybe you meant directly onto SG for routing? Like, assign 3 Ports on SG to vlan99?

Yes, I said physically connected and configured in vlan99.

Also, I did the routing as mentioned verbatim. I must be missing something because it did not work. It is ok, I am fine with it not. I am good with just plugging into each one, one at a time, to program stuff. Maybe the FPR needs an ACL, who knows.


Most probably you forgot a static route on one of the devices.

Regards, LG

TheGoob
Level 4

Well I suppose I could have forgotten a step, but pretty sure I did as instructed. I’ll go back and look.

If FTD and ISR need to physically connect to SG and not all route to a L2 Switch (it’s only a 10 port switch) I’ll have to figure something else out as I do not have enough interfaces. But still I want to try to at least see it work.

TheGoob
Level 4

I really hate to use 3 of the 10 Ports but I am so intrigued on making this work. On FPR I will vlan99 10.0.0.2, ISR vlan99 10.0.0.1, SG350XG assign 3 Interfaces to vlan99 and 1 of them 10.0.0.3. I will do the static routes on each device as you mentioned. Let me see

TheGoob
Level 4

Alright, I apologize for the redundancy, but man alive, I cannot figure this out.

ISR;
vlan 9, 10.0.0.1/32
Interface GE 0/1/7 vlan access 9
ip route 10.0.0.0/24 172.16.1.2

FPR
vlan 9, 10.0.0.2/32
Interface GE 1/8 vlan access 9
ip route 10.0.0.1/32 172.16.1.1
ip route 10.0.0.3/32 172.16.2.2

SG350XG
vlan 9, 10.0.0.3/32
Interface 1/11 vlan access 9
ip route 10.0.0.0/24 172.16.2.1

Am I supposed to be able to connect to them all through my default network, 192.168.5.0, given that each vlan 9 on each device has an IP and is associated with an interface, and each device, including the SG where my 192.168.5.0 resides, can access each device without having to connect an ethernet cable to each of the vlan 9 interfaces, or am I still needing to run cables? I assume not, or else why the ip routes for them to find each other internally, logically.

I am plugging the ISR and FPR into a designated vlan 9 interface on the SG, nothing. I connected all 3 to an L2 "plug n play" switch, nothing. All I can ever do is connect to the SG.
I mean does the FPR and ISR need ACL's to allow access from 172.16.2.2 to FPR and ISR?
AM I this freaking stupid?

Your configuration for the 3 devices should be as follows:

ISR:

interface GigabitEthernet0/1/7
 switchport access vlan 9
!
interface Vlan9
 ip address 10.0.0.1 255.255.255.0

FPR:

interface Management0/0
 ip address 10.0.0.2 255.255.255.0
 no shutdown

SG350XG:

interface GigabitEthernet1/11
 switchport access vlan 9
!
interface GigabitEthernet1/12
 switchport access vlan 9
!
interface GigabitEthernet1/13
 switchport access vlan 9
!
interface Vlan9
 ip address 10.0.0.3 255.255.255.0

The important part is to physically connect the devices as follows:

ISR interface Gi0/1/7 to SG350XG interface Gi1/11

FPR interface Management0/0 to SG350XG interface Gi1/12 (the FPR has a dedicated management interface for OOB)

You don't have to configure static routing for 10.0.0.0/24, because all your hosts connected to the management network (vlan 9) are on the same network, and hosts rely on ARP to determine the MAC address associated with the IP they want to reach.

Regards, LG

TheGoob
Level 4

Hello

Well, I will give this a look into in a bit. Other than having the static routes, which I will remove, and not using the Management 0/0 [FPR] I feel I had the same setup.

CURIOUS. ISR connects 1/11, FPR 1/12...What connects to 1/13?