
CBS250 Switch: Management IP on VLAN - can't access

JWSC
Level 1

Hey all,

I'm the new owner of a CBS250 - things are going pretty well, but I cannot get the switch to respond to management requests on the IP on VLAN3.  I disabled routing (maybe that's the problem) because the help file indicated that it would route between VLANs (It then supports traffic routing between these various interfaces and also to remote networks.).  

It does respond to pings.

I have SmartPort disabled (found that trick in another post).

#show macro auto ports detailed
Administrative Globally Auto SmartPort is disabled
Operational Globally Auto SmartPort is disabled

Interface   Auto SmartPort    Persistent  SmartPort Type
            Admin State       State
----------- ----------------- ----------- -------------------------------
gi1         disabled          enabled     default
gi2         disabled          enabled     default
gi3         disabled          enabled     default
gi4         disabled          enabled     default
gi5         disabled          enabled     default
gi6         disabled          enabled     default
gi7         disabled          enabled     default
gi8         disabled          enabled     default
gi9         disabled          enabled     default
gi10        disabled          enabled     default
gi11        disabled          enabled     default
gi12        disabled          enabled     default
gi13        disabled          enabled     default
gi14        disabled          enabled     default
gi15        disabled          enabled     default
gi16        disabled          enabled     default

#show ip interface

IP Address         I/F       I/F Status Type    Directed  Prec Redirect Status
                             admin/oper         Broadcast
------------------ --------- ---------- ------- --------- ---- -------- ------
10.255.255.63/24   vlan 3    UP/UP      Static  disable   No   enable   Valid
192.168.0.168/23   vlan 1    UP/UP      DHCP    disable   No   enable   Valid

#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: disabled
Codes: > - best, C - connected, S - static

S 0.0.0.0/0 [1/4] via 10.255.255.254, 00:47:30, vlan 3
C 10.255.255.0/24 is directly connected, vlan 3
C 192.168.0.0/23 is directly connected, vlan 1

 

show services tcp-udp
Type Local IP address      Remote IP address     Service name State
---- --------------------- --------------------- ------------ -----------

TCP  All:22                All:0                 SSH          listen
TCP  All:80                All:0                 HTTP         listen
TCP  All:443               All:0                 HTTPS        listen
TCP  192.168.0.168:22      192.168.0.79:61187    SSH          established
TCP  192.168.0.168:443     192.168.0.79:63397    HTTPS        established
TCP6 All-22                All-0                 SSH          listen
TCP6 All-80                All-0                 HTTP         listen
TCP6 All-443               All-0                 HTTPS        listen
UDP  All:123
UDP6 All-546
UDP6 All-5353                                    Bonjour

1 Accepted Solution


JWSC
Level 1

I think I might get it - because the switch currently has 2 IP addresses, on each network - when the CBS250 goes to reply, it sends the response packet out VLAN1 to my 192.168.0.79 instead of where the packet came from (by way of routing, 10.255.255.254).  That's an asymmetric route... I bet if I remove the DHCP IP, it'll work... testing.

Ding ding ding.  Once I removed the IP from VLAN1, it works fine.  I just didn't like doing that since it was a 1-way trip (except for the reboot because it wasn't saved to start-up config).
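
The reply-path reasoning in the accepted solution, modelled as an added example that is not part of the original post. It runs a longest-prefix-match lookup over the routing table of switch .63 as posted in the thread; the function names, the NetMgr address 10.255.255.10 and the simplified stateful-firewall check are assumptions made for illustration.

```python
import ipaddress

# Switch .63 routing table, taken from the "show ip route" output in the thread.
ROUTES_BEFORE = [
    ("0.0.0.0/0", "10.255.255.254", "vlan 3"),  # S: static default via firewall
    ("10.255.255.0/24", None, "vlan 3"),        # C: connected
    ("192.168.0.0/23", None, "vlan 1"),         # C: connected (DHCP address)
]
# Removing the VLAN 1 address also removes its connected route.
ROUTES_AFTER = ROUTES_BEFORE[:2]

def lookup(routes, dst):
    """Longest-prefix match: return (next_hop, egress_interface) for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh, ifc) for p, nh, ifc in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, next_hop, ifc = max(matches, key=lambda m: m[0].prefixlen)
    return next_hop, ifc

def reply_path(routes, client, arrived_on="vlan 3"):
    """Where does the switch send its reply, and does it match the ingress?"""
    next_hop, egress = lookup(routes, client)
    return {"egress": egress, "via": next_hop or "direct",
            "symmetric": egress == arrived_on}

def firewall_verdicts(reply_crosses_firewall):
    """Simplified stateful-firewall model (an assumption, not vendor logic):
    the client's ACK is accepted only if the firewall also saw the SYN-ACK."""
    verdicts = [("SYN", "forwarded")]              # PC -> switch, via firewall
    if reply_crosses_firewall:
        verdicts.append(("SYN-ACK", "forwarded"))  # switch -> PC, via firewall
    ack = "forwarded" if reply_crosses_firewall else "invalid"
    verdicts.append(("ACK", ack))
    return verdicts

if __name__ == "__main__":
    # 10.255.255.10 is a constructed stand-in for the NetMgr host's address.
    print("NetMgr:", reply_path(ROUTES_BEFORE, "10.255.255.10"))
    for label, routes in [("VLAN 1 IP present", ROUTES_BEFORE),
                          ("VLAN 1 IP removed", ROUTES_AFTER)]:
        path = reply_path(routes, "192.168.0.79")
        print(label, path, firewall_verdicts(path["symmetric"]))
```

Ping still succeeds with the VLAN 1 address present because the echo reply reaches the PC directly over VLAN 1 and nothing further has to pass the firewall's state check.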


12 Replies

Hi

 Yes, you need to enable routing.  And one more thing:

10.255.255.63/24 vlan 3 UP/UP Static disable No enable Valid
192.168.0.168/23 vlan 1 UP/UP DHCP disable No enable Valid

It seems you have one VLAN with a static IP address and one VLAN with DHCP, right? For the VLAN with DHCP, who is providing the DHCP?

Because the default gateway for the devices connected to vlan 1 must be 192.168.0.168 and not a different IP address. You can check that by connecting a device on vlan 1 and issuing the command ipconfig.

If you manage the DHCP, it would be easier to just assign the default gateway 192.168.0.168 for your hosts on vlan1, but if you are using a Service Provider DHCP server, you probably cannot change it.

 

Yes,

for VLAN1 we have DHCP from our server.  VLAN3 has DHCP (from my firewall) as well (scope is .75-200) - but my switches, I want static IP and I want to manage them on VLAN3 (with my 30 other switches).

I do not want my switch to have an IP on VLAN1 - I was hoping for a management VLAN - but I'll take a manually addressed static IP on a VLAN3 as long as it responds for management services.

I'm using this device as a switch, not a router.  I have a router for that.

 

You can also use one interface for management

 

[Image: FlavioMiranda_0-1687793968381.png]

 

I'm not using an SG200.  That option is not available to me. The GUI (for me) only shows exactly what I provided earlier.

[Image: 2023-06-26 11_42_08-CBS250-16P-2G - switch2cc9f0 and 1 more page - Personal - Microsoft Edge.png]

Check under Administration

The model should be the same

JWSC
Level 1

It is not the same.  It's not even close.

Also, I am concerned about your recommended configuration - I believe there was an assumption this is acting as a router, which would completely change how things should be set up.

I appreciate your effort at helping, but I believe we're talking about different things here.

KJK99
Level 3

@JWSC 

As far as I know, there is no management VLAN per se on the CBS series switches. However, you should be able to use any VLAN to manage your switch, not necessarily the default one. You most likely have an issue with your port-VLAN configuration on the switch. For example, if the traffic in VLAN 3 is untagged, you need to set VLAN 3 as NATIVE in the trunk port configuration. Alternatively, you could use the General mode, instead of the Trunk mode, and have the “trunk” port UNTAGGED in VLAN 3 and its PVID set to 3.

Kris K

Traffic flowing into the switch (CBS250, GE16, Trunk 1U, TAG:ALL), comes from my Aruba 1U, TAG:ALL.  All other VLANs are working (VLAN5 for my phones - they're working)

It has an IP (10.255.255.63) - and I can ping it (across a different network, through my router)... so if I can ping it, why can't it be managed with it?

JWSC
Level 1

Update: I have a 2nd CBS250 switch - since I put the first one in production and can't do things that take it offline.

I have configured this second switch nearly identically.  However, I left IP Routing enabled - and I still cannot manage the device on the VLAN3 IP address.

It DOES respond to pings (both do).  This means the route works. (or a duplicate IP on network, which I confirmed is not the case)

My network management tool is on the same subnet as VLAN3 - and it can contact the switch (via SSH) on its VLAN3 IP.  This seems to tell me that the route doesn't work. I did not set up the static route on the 2nd switch.

 

KJK99
Level 3

@JWSC 

If the port-VLAN configuration really is as it appears to be, it must be a different issue. All I can say is that you should be able to manage that switch using any VLAN, even if IPv4 routing is not enabled on the switch itself. I do not own any CBS250 switch, but I’ve just tested that scenario on a very similar switch (CBS350) and it worked for me.

Kris K

I agree.  I'm very confident in the VLAN configuration given all the other evidence. The CBS350 is nearly identical, but has some extra bells and whistles I didn't need for my purpose.

So, things I'm thinking it could be, and my thoughts:

  • Multiple admin sessions limitation - but I just saw in my production one, that it had multiple https sessions open.  It also shows the SSH session to my Network Manager - and still shows SSH listening.
  • IP Route - but ping works.  
    • Switch (.63) - does not have IP routing enabled.  I can ping it (from 192.168.0.79), and NetMgr can access the 10.255.255.63 via SSH
    • Switch (.64) - does have IP routing enabled.  I can ping it, and NetMgr can access the 10.255.255.64 via SSH.
    • Firewall (handles my routing) - First attempt at connection passes (allow), then I get invalid traffic (i.e., not part of a conversation).  I can SSH/HTTPS to any (supported) IP on my Management Network (not everyone can, but I can).  Packet capture shows pings and SSH received by the firewall then forwarded to the destination (10.255.255.63 or 10.255.255.64).  My packet capture on my firewall, when I SSH from my computer to one of my Aruba switches, shows In Interface Port 1 (source IP 192.168.0.79) - destination IP 10.255.255.20, status forwarded.  Then a response packet from In Interface Port 4 (source 10.255.255.20) - destination 192.168.0.79.  My firewall rule for this traffic is all ports, from my IP/MAC to the network management - so I know the firewall rule works.   I also have a few other devices of various brands on this mgmt network, no issues with me reaching them.

Switch .63

#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: disabled
Codes: > - best, C - connected, S - static

S 0.0.0.0/0 [1/4] via 10.255.255.254, 05:07:20, vlan 3
C 10.255.255.0/24 is directly connected, vlan 3
C 192.168.0.0/23 is directly connected, vlan 1

Switch .64

show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static


D 0.0.0.0/0 [1/8] via 192.168.0.2, 02:09:11, vlan 1
C 10.255.255.0/24 is directly connected, vlan 3
C 192.168.0.0/23 is directly connected, vlan 1
