
Management VLAN Setup question

higherho Member Posts: 882
I have two multilayer switches and two PCs.


On multilayer switch one I have two VLANs. VLAN 3 is the user VLAN and VLAN 99 is the management VLAN.

The management VLAN is active on Gig 0/2; the user VLAN is active on everything else.

(BTW, I am doing this in Packet Tracer.)

PC 1 configuration (this PC is the user PC): 10.0.0.4, 255.255.255.0. Default gateway is 10.0.0.3 (this interface is connected to Fa0/1 on the first multilayer switch).


Laptop 1 - Management laptop:

Gateway: 10.1.0.3
IP: 10.1.0.4, 255.255.255.0

This laptop is connected to Gig 0/2.


Multilayer switch 1 configuration

! Gi0/2 is the management laptop's port, placed in the management VLAN (99)
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 99

! Management SVI; only management-subnet sources may enter
interface Vlan99
 description MANAGEMENT
 ip address 10.1.0.3 255.255.255.0
 ip access-group 99 in

! User SVI (default gateway for the user PC)
interface Vlan3
 ip address 10.0.0.3 255.255.255.0
 ip access-group 3 in
 ip access-group 3 out

! Standard (numbered 1-99) ACLs match on the source address only
access-list 99 permit 10.1.0.0 0.0.0.255
access-list 99 deny any
access-list 3 deny 10.1.0.0 0.0.0.255
access-list 3 permit any



The laptop cannot ping the PC, but it can ping the interface even though it should not. Am I misunderstanding something? The interface the PC is on is in a user VLAN. The interesting thing is that on my second multilayer switch I have the same setup (ACLs blocking the user VLAN and only allowing the management VLAN on that switch), but the user VLAN can still ping the interfaces of the second switch.

Comments

  • higherho Member Posts: 882
    I guess I am looking too far into this. I don't want user traffic to go on the second switch (able to ping, etc.), so I guess just putting switchport access vlan 99 on the link between the two switches would solve my problem.

    However, what if I wanted user traffic to go over that line but not to particular interfaces, and I do not want to make one whole interface a management interface? This is why I made the access groups to distinguish management VLAN traffic from user VLAN traffic.
  • Forsaken_GA Member Posts: 4,024
    When you say you're able to ping the interfaces, do you mean the SVI or do you mean the host connected to an access interface? There's no reason to dedicate a single link between two switches; you should be able to trunk them to pass both management and user traffic without issue.
  • higherho Member Posts: 882
    Forsaken_GA wrote: »
    When you say you're able to ping the interfaces, do you mean the SVI or do you mean the host connected to an access interface? There's no reason to dedicate a single link between two switches; you should be able to trunk them to pass both management and user traffic without issue.

    No, the SVI access interface, which is why the VLANs themselves have access lists on them.

    I wish I had the full config with me, but it was on my co-worker's development laptop, so I might be missing some information. But I do know that what we were talking about is that the management laptop should only be able to access the second switch, whereas the user laptop should only be able to access the first switch but not ping the management laptop (that part works).
  • Forsaken_GA Member Posts: 4,024
    higherho wrote: »
    No, the SVI access interface, which is why the VLANs themselves have access lists on them.

    I wish I had the full config with me, but it was on my co-worker's development laptop, so I might be missing some information. But I do know that what we were talking about is that the management laptop should only be able to access the second switch, whereas the user laptop should only be able to access the first switch but not ping the management laptop (that part works).

    OK, you may not realize it, but you're actually not making a whole lot of sense ;)

    Let's try this question another way:

    What IP are you pinging, from what source IP, and what's failing where it shouldn't, or what's not failing when it should?

    If I'm understanding what you're trying to do, it should work as configured, but it may just be a limitation of Packet Tracer (I assure you it DOES work on real hardware; I've locked myself out by editing an access list without removing the access-group statement from the interface a few times :))
  • higherho Member Posts: 882
    Forsaken_GA wrote: »
    OK, you may not realize it, but you're actually not making a whole lot of sense ;)

    Yeah, I took notice when I re-read some of my statements, lol.

    Forsaken_GA wrote: »
    Let's try this question another way:

    What IP are you pinging, from what source IP, and what's failing where it shouldn't, or what's not failing when it should?

    I was not able to ping the management laptop from the PC (that part works). Ummm, now I forget what he was trying to ping on the second switch =/ I will have to check out his development laptop tomorrow to see the config of the second switch.

    He was pinging something on the second switch that was part of a management VLAN (I think), and the user traffic was getting to it. I will have to check it out more tomorrow.

    Forsaken_GA wrote: »
    If I'm understanding what you're trying to do, it should work as configured, but it may just be a limitation of Packet Tracer (I assure you it DOES work on real hardware; I've locked myself out by editing an access list without removing the access-group statement from the interface a few times :))

    Yeah, both of us came to that and said "Maybe it's Packet Tracer?" because the access lists on the VLANs make sense: permit this IP space only and then deny anything else.

    Yeah, I sometimes add the wrong IP space in ACLs and lock myself out too, haha.

    Sorry for the lack of information on the second switch; this would most likely have solved my issue if I had written it down. What happened was, when I got his development laptop, I was working on the config until I noticed his battery was shot (went from 70 to 0 in a few minutes).
  • higherho Member Posts: 882
    So I talked to my co-worker; it seemed he was pinging the IPs that were on the VLANs, and the user VLAN was leaking onto the management VLAN on the second switch.

    I should test this on our test lab equipment.
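
An added example that is not part of the thread or anyone's posted config, covering the original configuration and the follow-up points about trunking and the "leaking" user VLAN. Two IOS behaviours explain what the poster saw. First, a standard ACL matches only the source address, so the deny of 10.1.0.0/24 in access-list 3 on the user SVI never matches a packet sourced by a user host. Second, an inbound SVI ACL is also evaluated for packets addressed to the switch itself, while an "out" ACL is never consulted for traffic the switch terminates or originates, so a permitted host can ping an SVI even when the hosts behind that SVI are unreachable. The configuration below keeps the two VLANs and the addresses from the thread, adds an extended ACL on the user SVI that filters on destination, trunks both VLANs between the switches as Forsaken_GA suggested, and restricts management sessions with access-class on the vty lines. The hostnames SW1 and SW2, Gi0/1 as the trunk port on both switches, 10.1.0.2 as SW2's management address and the ACL name USER-IN are assumptions.

```cisco
! Added example, not the original poster's configuration. Assumed:
! hostnames SW1/SW2, Gi0/1 as the trunk port on both switches,
! 10.1.0.2 as SW2's management address, and the ACL name USER-IN.
!
! ===== SW1 (routes between VLAN 3 and VLAN 99) =====
hostname SW1
ip routing
vlan 3
 name USERS
vlan 99
 name MANAGEMENT
!
! A standard ACL matches only the SOURCE address, so "deny 10.1.0.0"
! on the user SVI never matches a user-sourced packet. To keep users
! out of the management subnet (every management SVI lives there,
! SW2's included), filter on the DESTINATION with an extended ACL.
ip access-list extended USER-IN
 remark users may not reach the management subnet
 deny   ip any 10.1.0.0 0.0.0.255
 permit ip any any
!
interface Vlan3
 description USERS
 ip address 10.0.0.3 255.255.255.0
 ip access-group USER-IN in
!
! Inbound ACLs are also applied to packets addressed to the switch
! itself, so this list is what protects the management SVI. An "out"
! ACL is never consulted for traffic the switch terminates or
! originates, which is why a permitted host can ping an SVI even when
! the hosts behind that SVI are unreachable.
access-list 99 remark management sources only
access-list 99 permit 10.1.0.0 0.0.0.255
access-list 99 deny   any log
!
interface Vlan99
 description MANAGEMENT
 ip address 10.1.0.3 255.255.255.0
 ip access-group 99 in
!
interface FastEthernet0/1
 description user PC
 switchport mode access
 switchport access vlan 3
!
interface GigabitEthernet0/2
 description management laptop
 switchport mode access
 switchport access vlan 99
!
! One 802.1Q trunk carries both VLANs; no dedicated management link.
! The encapsulation command is required on 3560-class switches.
interface GigabitEthernet0/1
 description trunk to SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 3,99
 switchport nonegotiate
!
! Who may open a management session is decided here, independently
! of which SVI the session arrives on.
line vty 0 15
 access-class 99 in
 transport input ssh
!
! ===== SW2 (layer 2 only: no user SVI, nothing for users to reach) =====
hostname SW2
no ip routing
ip default-gateway 10.1.0.3
vlan 3
 name USERS
vlan 99
 name MANAGEMENT
!
access-list 99 remark management sources only
access-list 99 permit 10.1.0.0 0.0.0.255
access-list 99 deny   any log
!
interface Vlan99
 description MANAGEMENT
 ip address 10.1.0.2 255.255.255.0
 ip access-group 99 in
!
interface GigabitEthernet0/1
 description trunk to SW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 3,99
 switchport nonegotiate
!
line vty 0 15
 access-class 99 in
 transport input ssh
```

With this in place the user PC (10.0.0.4) is dropped by USER-IN on SW1 before it can be routed toward 10.1.0.2 or the management laptop, the management laptop can still reach both switches and can be pinged by neither user host, and a telnet or SSH attempt from the user subnet is refused by the vty access-class even if some future ACL edit lets the packet through. When editing a live ACL, remove the access-group from the interface first and re-apply it afterwards, or an implicit deny on a half-edited list will lock you out, as Forsaken_GA describes.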