06-11-2012 08:56 AM - edited 06-11-2012 09:30 AM
A simple one really.. if the telnet/ssh/web GUIs are available on any IP'd VLAN interface on a switch (using 5406zl/5412zl here), then what exactly is a Management VLAN for?
I am trying to work out the best way of sorting my layer 2 network out, and am trying to work out this Management VLAN concept.. I thought this was for having a single IP range for all the network devices and using it with the IP Authorized Managers option, but I am a bit confused with this and the below:
From what I can read of HP's best practices... I am going to remove all ports/IP addresses from VLAN 1, and then create a new VLAN for Management and set this to untagged on any switch-to-switch links (uplinks). Also I should set this VLAN to be the Primary VLAN.
So... switch 1 -> switch 2 -> switch 3 will all share the Management VLAN on their uplinks from one to the other... The problem with this is that if for example the connection breaks between switch 2 and switch 3, then on switch 3, because the Management VLAN is only on the uplink which is down, surely this will take the VLAN interface down and thus the IP down, which means I will not be able to use it to connect to the device, thus making it unavailable for troubleshooting/diagnostics?
06-12-2012 03:46 PM
The primary VLAN is the VLAN on which the switch expects to get its IP address via DHCP. The management VLAN is the VLAN on which it expects to receive management traffic like SNMP. (I personally agree with you that telnet/ssh/web should be disabled on other VLANs also, but they're not.) Routing to and from the management VLAN is also disabled on switches which support routing (for the rest, this is irrelevant). The primary and management VLANs are usually the same.
I would still go with your idea of a single IP range for all switches (on the same site) and include an authorised managers directive in addition to setting the management VLAN, if desired. You don't have to make the primary/management VLAN the untagged VLAN on the uplink, but the advantage of doing so is that you can plug it into a provisioning network via the uplink and have it get its final DHCP address.
I don't understand the point about the uplink going down - no matter which port you put the VLAN on, if it goes down, the IP becomes unreachable. The uplink is as good a choice as any, and probably better than most. You can preserve your access to the switch by dedicating another untagged port on the VLAN that you can connect a diagnostic laptop into, or you can make sure a serial console is available.
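The layout the reply above describes (a dedicated management VLAN off VLAN 1, set as both primary and management VLAN, one IP range per site restricted with authorized managers, a spare untagged port for a diagnostic laptop) as an added ProCurve-style config sketch; this is not from the original post or HP's guide, and the VLAN id, addresses, port numbers and the assumption of a 5406zl module in slot A are all constructed placeholders:

```text
; Added example, not part of the thread. VLAN 100 / 10.10.0.0/24 / ports A1-A24 are assumed.
configure

; Take the access ports out of the default VLAN so nothing lands there by accident
vlan 1
   no untagged A1-A24
   no ip address
   exit

; Management VLAN: untagged on the uplinks (A1, A2) so a provisioning network can hand out
; the switch's address via DHCP, plus one spare untagged port (A24) for a diagnostic laptop
vlan 100
   name "Management"
   untagged A1-A2,A24
   ip address 10.10.0.3 255.255.255.0
   exit
ip default-gateway 10.10.0.1

; Same VLAN as both primary (DHCP source) and management (no routing in or out of it)
primary-vlan 100
management-vlan 100

; Only the site's management range may open a management session, and only over SSH/HTTPS
ip authorized-managers 10.10.0.0 255.255.255.0 access manager
no telnet-server
no web-management
ip ssh
web-management ssl

write memory
```

The diagnostic port (A24) is what keeps the switch reachable when the uplink carrying VLAN 100 fails; otherwise fall back to the serial console as the reply suggests.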
06-13-2012 03:24 AM
For what it is, why it is, and how to use it, check out “The Secure Management VLAN” in the “Static Virtual LANs (VLANs)” chapter of the Advanced Traffic Management Guide.
HP Networking Engineer