Guidelines for use of the SecureStack & G-Series Host IP Address

  • Updated 5 years ago
Article ID: 5573 

Products
SecureStack C3, C2, B3
G-Series 

Symptoms
'set ip address mask gateway'
"IP Address/Netmask entered conflicts with the configured IP Address/Netmask of a router interface."
'ip address'
'set host vlan'
"Subnet conflict between specified ip address and current configuration
All routing interfaces, service port and network port must be configured on different subnets" 

Cause
With the device configured to switch only, any inband management must be via the host IP address ('set ip address'), and the host may be assigned to any desired VLAN ('set host vlan'). 

With the device configured to route, the local router entity cannot route to the host IP address. To contact the host IP address directly, it is thus necessary to access the device from within the host's assigned VLAN, just as in switching mode. To augment this design, any inband management directed to a routed interface IP address is internally redirected to the host, making it possible to manage the device inband via multiple IP addresses. Once in a management session, functionality is identical regardless of the means of access. 

Several combinations of CLI commands could attempt to place the host's IP address or gateway within the same subnet as a routed interface on the same switch/stack, which would violate the stated guidelines. The specific error message that results differs based upon the configuration sequence. 

The following configuration examples assume that the VLAN has already been created. 

If the interface is configured before the host:

C2(rw)->router
C2(rw)->router>enable
C2(rw)->router#configure
Enter configuration commands:
C2(rw)->router(Config)#interface vlan 10
C2(rw)->router(Config-if(Vlan 10))#ip address 10.10.10.1 255.255.255.0
C2(rw)->router(Config-if(Vlan 10))#exit
C2(rw)->router(Config)#exit
C2(rw)->router>exit
C2(rw)->set ip address 10.10.10.10 mask 255.255.255.0 gateway 10.10.10.1
IP Address/Netmask entered conflicts with the configured IP Address/Netmask of
a router interface.
C2(rw)->set ip address 10.10.10.10 mask 255.255.255.0 gateway 10.10.10.254
IP Address/Netmask entered conflicts with the configured IP Address/Netmask of
a router interface.
C2(rw)->

If the host is configured before the interface:

C2(rw)->set ip address 10.10.10.10 mask 255.255.255.0 gateway 10.10.10.1
C2(rw)->router
C2(rw)->router>enable
C2(rw)->router#configure
Enter configuration commands:
C2(rw)->router(Config)#interface vlan 10
C2(rw)->router(Config-if(Vlan 10))#ip address 10.10.10.1 255.255.255.0
Subnet conflict between specified ip address and current configuration
All routing interfaces, service port and network port must be configured
on different subnets
C2(rw)->router(Config-if(Vlan 10))#ip address 10.10.10.254 255.255.255.0
Subnet conflict between specified ip address and current configuration
All routing interfaces, service port and network port must be configured
on different subnets
C2(rw)->router(Config-if(Vlan 10))#

This same error message occurs if the 'set host vlan' command is used to try to assign an IP-configured host to an interface-bearing VLAN. 

This host/interface restriction is touched upon in some release notes. For example, the C2 firmware 3.01.52 release notes state, in the "Known Issues" section:
"The C2 does not support the ability for a user to configure the host's gateway to be a local routed interface IP. The host's gateway must exist on a different device in the network if one is configured."
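
The guideline described above can be checked against a planned configuration before any command is entered. The following is an added example, not code from the vendor or the firmware: the function name, the result labels and the shape of the routed-interface input are assumptions of the example, and the 192.168.50.x plan is constructed.

```python
import ipaddress

def find_conflicts(host_ip, host_mask, gateway, routed_interfaces):
    """Model the guideline: the host IP and its gateway must stay out of
    every subnet routed on the same switch/stack.

    routed_interfaces maps an interface label to (ip, mask); this input
    shape is an assumption of the example, not a device format.
    Returns a list of (kind, interface_label) tuples.
    """
    host = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    gw = ipaddress.ip_address(gateway) if gateway else None
    conflicts = []
    for label, (ip, mask) in routed_interfaces.items():
        routed = ipaddress.ip_interface(f"{ip}/{mask}")
        # overlaps() also catches differing mask lengths (a /24 inside a /16)
        if host.network.overlaps(routed.network):
            conflicts.append(("host-subnet", label))
        if gw is not None:
            if gw == routed.ip:
                # the case named in the C2 3.01.52 "Known Issues" text
                conflicts.append(("gateway-is-local-interface", label))
            elif gw in routed.network:
                conflicts.append(("gateway-in-routed-subnet", label))
    return conflicts

# Routed interface taken from the article's console example.
ROUTED = {"vlan 10": ("10.10.10.1", "255.255.255.0")}

if __name__ == "__main__":
    plans = [
        ("10.10.10.10", "255.255.255.0", "10.10.10.1"),      # from the article
        ("10.10.10.10", "255.255.255.0", "10.10.10.254"),    # from the article
        ("192.168.50.10", "255.255.255.0", "192.168.50.1"),  # constructed
    ]
    for plan in plans:
        print(plan, "->", find_conflicts(*plan, ROUTED) or "no conflict")
```

An empty result means the planned host address and gateway sit in a subnet that is not configured on the local router entity, which is the second option under Solution.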

Solution
FAD (Functions as Designed) 

For most consistent results, either...
  • place the IP-cleared host (5692) into a VLAN ('set host vlan <VLAN_ID>') configured on the local router entity, and manage using that VLAN's interface IP from within that VLAN only;
        -or-
  • place the IP-configured host ('set ip address...') into a unique subnet/VLAN ('set host vlan <VLAN_ID>') not configured on the local router entity, and manage using the host IP from within the host VLAN only.

See also: 7709 and 11562

As of C3/B3/G-Series firmware 6.03.00.0022, the above-stated behavior remains - but is rendered generally inconsequential by the ability to selectively override the "management interface". 

Release notes state, in the 'What's New in 6.03' section:
"Selectable management interfaces provide administrators with more flexible configuration options. In addition to supporting a dedicated VLAN management interface, the switches now offer the flexibility to configure the source interface to be used for RADIUS, TACACS+, syslog, SNTP, sFlow or SNMP applications. The ability to select a Host VLAN, routing interface, or loopback address per management application ensures the highest level of availability to network services."

With this new feature the default management interface is the host VLAN, but this may be selectively overridden using any combination of these new 'set...' commands (each also has a 'clear...' and 'show...' equivalent): 
  • set radius interface {loopback <loop-ID> | vlan <vlan-ID>}
  • set tacacs interface {loopback <loop-ID> | vlan <vlan-ID>}
  • set logging interface {loopback <loop-ID> | vlan <vlan-ID>}
  • set sntp interface {loopback <loop-ID> | vlan <vlan-ID>}
  • set sflow interface {loopback <loop-ID> | vlan <vlan-ID>}
  • set snmp interface {loopback <loop-ID> | vlan <vlan-ID>}

    FAQ User, Official Rep


    Posted 5 years ago
