03-02-2024 11:15 AM - edited 03-02-2024 11:21 AM
So this would seem like it should be pretty easy...
Across the 3 devices, I have created a "vlan 98"
ISR, vlan98/SVI 10.0.0.1
FPR,vlan98/SVI 10.0.0.2
SMB [SG350XG], vlan98 10.0.0.3.
Everything connects to the SMB, and so from my WiFi, 192.168.5.0, I can access the SMB GUI at 10.0.0.3 no problem. But I cannot even get a ping from 10.0.0.1 [ISR] or 10.0.0.2 [FPR].
On ISR I have associated 0/1/7 to vlan98, verified Interface and SVI 'up'
On FPR I have associated 1/8 to vlan98, verified Interface and SVI 'up'.
On SMB I have associated 1/11 to vlan98, verified up ..
Maybe this is not how I am supposed to do it? I have IP routing on the SMB. Just not sure of the best way to implement a system where I can access all 3 devices via my main network, 192.168.5.0.
Also, for simplicity, each interface on each device connects to a simple L2 switch... Again, not sure if this was correct. Really, I just want the 3 devices to be on 10.0.0.x and accessible from 192.168.5.0.
03-10-2024 09:17 AM
@TheGoob wrote:
Hello
Well, I will look into this in a bit. Other than having the static routes, which I will remove, and not using the Management 0/0 [FPR], I feel I had the same setup.
CURIOUS. ISR connects 1/11, FPR 1/12...What connects to 1/13?
Nothing, because it's the SG350XG itself, which already has an SVI in vlan 9 with the IP address 10.0.0.3.
03-10-2024 10:42 AM
Crazy. So if a “real” network has 50 switches/routers they gotta run 50 cables for management?
03-10-2024 12:25 PM
Crazy. So if a “real” network has 50 switches/routers they gotta run 50 cables for management?
And they do. Imagine metal cabinets in a datacenter: they usually have the first two top rack units occupied by "top of rack" switches and, next under them or somewhere in the middle of the cabinet, 1-2 48-port GigabitEthernet switches for out-of-band management, connecting 1-2 management ports for the rest of the equipment in that cabinet.
03-10-2024 04:00 PM
Fair enough.
So am I reaching in wondering whether, if the FPR and ISR run to an L2 switch (literally plug and play, no programming) and 1/13 from the SG350XG runs there too, it wouldn't "extend" vlan 9 down there for routing? Does it all have to go directly to the SG?
03-10-2024 04:13 PM
No, vlan 9 is only used to separate the management traffic from the rest of your network.
For example, the management interface on the FPR, Management 0/0, is a Layer 3 interface. On the ISR, you don't have any available Layer 3 interfaces, and that is the reason we configured a switched port in vlan 9 - it could be any vlan number as long as the corresponding interface Vlan x has the correct IP address, 10.0.0.1.
03-10-2024 07:32 PM
I see what you are saying. Though on the ISR 0/0/1 is its Management L3 interface. I believe only 0/0/0 (WAN) and 0/0/1 (Management) are. Or is that a different approach to management.
03-11-2024 12:26 AM
The ISR C1111-8P you have has 2 Layer 3 ports, Gi0/0/0 and Gi0/0/1, and 8 Layer 2 ports. I was under the impression that you are using Gi0/0/1, and that's the reason I suggested a L2 switched port and an SVI.
If Gi0/0/1 is free, then just configure the IP 10.0.0.1 on it and that is all.
03-11-2024 08:22 AM
Yeah, I do not know if I am having a bug, a glitch or something, it does not work. All I can ever ping is 10.0.0.3, the SG. I am clearly the red-headed stepchild who can't get it. Also, I am implementing the older way, not the one utilizing L3 on ISR, like we have been working on.
No worries, my friend. We did good; I have an awesome running system. 'Til next project: EIGRP, FW on ISR, etc.
FPR
!
interface Management1/1
 management-only
 nameif management
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
ISR
!
interface GigabitEthernet0/1/7
 description management
 switchport access vlan 9
 switchport mode access
!
interface Vlan9
 description management
 ip address 10.0.0.1 255.255.255.0
!
SG350XG
!
interface vlan 9
 name management
 ip address 10.0.0.3 255.255.255.0
!
interface TenGigabitEthernet1/0/9
 switchport access vlan 9
!
interface TenGigabitEthernet1/0/10
 switchport access vlan 9
!
interface TenGigabitEthernet1/0/11
 switchport access vlan 9
03-11-2024 09:01 AM
Can you share a show ip route and a show arp from the SG350?
03-11-2024 02:52 PM
No, you are not experiencing a bug or a glitch - the way we configured it works as expected, or more accurately doesn't work as expected.
The issue you are facing is described in @shahseo's post - you have the three devices connected in a separate vlan that you plan to use for management. The problem begins because you are not accessing the devices using a "management station" which would be part of the management vlan. You want to access them from one of the other vlans in your network - vlan 5. The reason it works when you access your SG350 on its management IP 10.0.0.3 is that the SG350 knows firsthand about both vlans - management and vlan 5.
You cannot say the same thing about the ISR, which has a connected interface in the management vlan with IP 10.0.0.1 and also has a static route to network 192.168.5.0/24, your vlan 5, which points to your FPR. The traffic from your vlan 5 host comes to your SG350 - its default gateway; it knows about network 10.0.0.0/24, performs an ARP for the ISR IP address 10.0.0.1 and sends the packet to the ISR.
Now the ISR, when he sends the reply packet back to your vlan 5 host, looks at his routing table and finds a route pointing to 172.16.1.2, the FPR. The FPR will drop the packet because the original packet didn't go through it, so he doesn't have a translation for this traffic in order to match the return traffic. The conclusion is that accessing the ISR on 10.0.0.1 from your vlan 5 hosts doesn't work.
The first solution to solve this issue is to configure Policy Based Routing on the ISR in order to forward the traffic from 10.0.0.1 to the correct address 10.0.0.3:
ip access-list extended MGMT_TO_VLAN5
 permit ip host 10.0.0.1 192.168.5.0 0.0.0.255
!
route-map MGMT_ACCESS permit 10
 match ip address MGMT_TO_VLAN5
 set ip next-hop 10.0.0.3
!
! The replies are generated by the ISR itself, so the route-map must be applied
! to locally originated traffic; "ip policy route-map" on an interface only
! affects packets received on that interface.
ip local policy route-map MGMT_ACCESS
!
interface Vlan9
 ip address 10.0.0.1 255.255.255.0
The second solution is to configure Virtual Routing and Forwarding on the ISR:
ip vrf mgmt
!
interface Vlan9
 ip vrf forwarding mgmt
 ! assigning the VRF clears any IP address on the interface, so set it afterwards
 ip address 10.0.0.1 255.255.255.0
!
ip route vrf mgmt 192.168.5.0 255.255.255.0 10.0.0.3
This way you will keep your management traffic separate from your Internet traffic that is routed based on the Global Routing Table.
On your FPR you should configure the management interface with IP 10.0.0.2/24 and the default gateway 10.0.0.3.
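A small Python model of the return-path problem explained in this reply, added here as an example and not taken from the thread or from Cisco documentation. It uses the addresses from the thread (10.0.0.1, 10.0.0.3, 172.16.1.2, 192.168.5.0/24); the vlan 5 host address 192.168.5.50 is constructed. The "FPR" is modelled as a stateful firewall that only forwards packets belonging to a flow it has already seen, which is why the ISR's reply dies there when the global table is used, and why steering the ISR's own traffic (PBR with `ip local policy`) or a management VRF sends it back to the SG350 instead.

```python
"""Model of the asymmetric-return-path problem from the thread (added example)."""
import ipaddress
from dataclasses import dataclass

HOST = "192.168.5.50"          # constructed vlan 5 host
ISR_MGMT = "10.0.0.1"
SG350_MGMT = "10.0.0.3"
FPR_INSIDE = "172.16.1.2"
VLAN5 = ipaddress.ip_network("192.168.5.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class RoutingTable:
    """Longest-prefix-match lookup; 'connected' marks a directly attached net."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class StatefulFirewall:
    """The FPR: forwards only packets that belong to a flow it saw go out."""

    def __init__(self):
        self.flows = set()

    def note_outbound(self, pkt):
        self.flows.add((pkt.src, pkt.dst))

    def allows(self, pkt):
        return (pkt.dst, pkt.src) in self.flows


class Isr:
    """Next-hop selection for replies the ISR generates from 10.0.0.1.

    mode 'global': global routing table only (the broken setup)
    mode 'pbr'   : route-map applied with 'ip local policy route-map'
    mode 'vrf'   : interface Vlan9 placed in VRF 'mgmt' with its own table
    """

    def __init__(self, mode):
        self.mode = mode
        self.global_table = RoutingTable([
            ("0.0.0.0/0", FPR_INSIDE),        # default route toward the FPR
            ("192.168.5.0/24", FPR_INSIDE),   # the static route from the thread
            ("10.0.0.0/24", "connected"),
        ])
        self.mgmt_vrf = RoutingTable([
            ("10.0.0.0/24", "connected"),
            ("192.168.5.0/24", SG350_MGMT),   # ip route vrf mgmt ... 10.0.0.3
        ])

    def next_hop(self, pkt):
        src_is_mgmt = pkt.src == ISR_MGMT
        if self.mode == "pbr" and src_is_mgmt and ipaddress.ip_address(pkt.dst) in VLAN5:
            return SG350_MGMT                 # set ip next-hop 10.0.0.3
        if self.mode == "vrf" and src_is_mgmt:
            return self.mgmt_vrf.lookup(pkt.dst)
        return self.global_table.lookup(pkt.dst)


def trace_reply(mode):
    """Follow the ISR's reply to the vlan 5 host; return (hops, outcome)."""
    isr = Isr(mode)
    fpr = StatefulFirewall()      # empty: the request came via the SG350, not the FPR
    sg350 = RoutingTable([("192.168.5.0/24", "connected"), ("10.0.0.0/24", "connected")])
    reply = Packet(src=ISR_MGMT, dst=HOST)
    hops = ["ISR"]
    nh = isr.next_hop(reply)
    if nh == FPR_INSIDE:
        hops.append("FPR")
        if not fpr.allows(reply):
            return hops, "dropped by FPR: no matching flow"
        hops.append("host")
        return hops, "delivered"
    if nh == SG350_MGMT and sg350.lookup(reply.dst) == "connected":
        hops += ["SG350", "host"]
        return hops, "delivered"
    return hops, "unreachable"


if __name__ == "__main__":
    for mode in ("global", "pbr", "vrf"):
        hops, outcome = trace_reply(mode)
        print(f"{mode:6s} {' -> '.join(hops):22s} {outcome}")
```

Running it prints one line per mode; only the "global" mode ends at the FPR, which matches the symptom in the thread (10.0.0.3 answers, 10.0.0.1 does not).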
03-12-2024 05:59 PM - edited 03-12-2024 06:52 PM
BUMP
03-13-2024 01:30 AM
03-11-2024 08:27 AM
It seems your network setup is almost there, but there's one missing piece: a traffic cop! (that's the router in networking terms).
Right now, your devices in VLAN 98 (10.0.0.x) are like islands - they can't talk to your main network (192.168.5.0).
Here's the fix:
Turn on IP routing on your ISR (the router). This lets it forward messages between networks.
Set up a simple rule on the ISR telling it to send traffic for 10.0.0.x (VLAN 98) to your SMB switch (where the VLANs connect). This way, the ISR knows where to send messages for your VLAN devices.
Double-check any firewall rules - make sure they're not blocking the conversation between your networks.
Bonus Tip: If you only need to access the ISR and FPR management interfaces, you can set them up with separate IPs in your main network (192.168.5.0). This avoids routing but won't let the VLAN devices talk to each other.
Get that routing enabled on the ISR, and you should be able to chat with all your devices from your main network in no time! If you get stuck anywhere, feel free to share those router commands for a closer look.
03-11-2024 09:15 AM
show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static
S 0.0.0.0/0 [1/4] via 172.16.2.1, 01:09:27, te1/0/12
C 10.0.0.0/24 is directly connected, vlan 9
C 172.16.2.0/24 is directly connected, te1/0/12
C 192.168.1.0/24 is directly connected, vlan 2
C 192.168.2.0/24 is directly connected, vlan 3
C 192.168.4.0/24 is directly connected, vlan 5
C 192.168.5.0/24 is directly connected, vlan 7
C 192.168.6.0/24 is directly connected, vlan 6
show arp
Total number of entries: 30
VLAN Interface IP address HW address status
--------------------- --------------- ------------------- ---------------
te1/0/12 172.16.2.1 d0:e0:42:d9:6e:49 dynamic
vlan 2 te1/0/2 192.168.1.180 0e:d7:ff:94:34:4c dynamic
vlan 3 te1/0/3 192.168.2.181 72:d3:c3:f6:0e:82 dynamic
vlan 5 192.168.4.3 bc:24:11:d1:17:a8 dynamic
vlan 5 te1/0/5 192.168.4.115 bc:24:11:f9:e2:4b dynamic
vlan 5 te1/0/5 192.168.4.178 f4:03:43:54:d8:d4 dynamic
vlan 5 te1/0/5 192.168.4.179 bc:24:11:6d:7c:1b dynamic
vlan 6 te1/0/6 192.168.6.177 9c:53:22:03:63:18 dynamic
vlan 7 te1/0/7 192.168.5.2 9c:53:22:95:e6:9c dynamic
vlan 7 te1/0/7 192.168.5.3 5c:47:5e:51:bd:d4 dynamic
vlan 7 te1/0/7 192.168.5.4 44:29:1e:b8:5d:87 dynamic
vlan 7 te1/0/7 192.168.5.5 9c:53:22:96:20:e8 dynamic
vlan 7 te1/0/7 192.168.5.6 84:7a:b6:a8:39:26 dynamic
vlan 7 te1/0/7 192.168.5.7 0c:43:f9:48:a5:de dynamic
vlan 7 te1/0/7 192.168.5.8 9c:53:22:95:e4:e0 dynamic
vlan 7 te1/0/7 192.168.5.9 44:00:49:96:f9:97 dynamic
vlan 7 te1/0/7 192.168.5.11 44:00:49:5b:8b:b8 dynamic
vlan 7 te1/0/7 192.168.5.12 d0:73:d5:36:dc:1a dynamic
vlan 7 te1/0/7 192.168.5.14 44:61:32:e2:1a:50 dynamic
vlan 7 te1/0/7 192.168.5.15 70:85:c2:c2:61:58 dynamic
vlan 7 te1/0/7 192.168.5.16 2c:76:8a:bc:f9:94 dynamic
vlan 7 te1/0/7 192.168.5.17 68:4e:05:90:04:5b dynamic
vlan 7 te1/0/7 192.168.5.18 96:0f:1e:fa:90:24 dynamic
vlan 7 te1/0/7 192.168.5.20 e6:e2:98:cd:a1:d9 dynamic
vlan 7 te1/0/7 192.168.5.25 90:38:0c:87:9c:80 dynamic
vlan 7 te1/0/7 192.168.5.102 44:00:49:96:f9:97 dynamic
vlan 7 te1/0/7 192.168.5.105 84:7a:b6:88:3e:59 dynamic
vlan 7 te1/0/7 192.168.5.110 dc:a2:66:2b:4e:83 dynamic
vlan 9 10.0.0.1 00:ea:bd:ed:c4:f4 dynamic
vlan 9 10.0.0.2 d0:e0:42:d9:6e:01 dynamic
03-11-2024 10:29 AM
And a show ip route from the ISR please.