Users on the User vlan that I configured cannot access the Mgmt vlan to administer the switch. How do I configure them to be able to do so?

  • Question
  • Updated 4 years ago
  • Answered
Users on the User vlan that I configured cannot access the Mgmt vlan to administer the switch. How do I configure them to be able to do so? Do I just create a static route from the User vlan to the Mgmt vlan? Or do I configure an ACL or something? I need to know the best way to go about this.

All help and advice is appreciated. Let me know if any clarification is needed.


Thanks!

Nieko Adams

Posted 4 years ago


Daniel Flouret, Employee

Official Response
Nieko,

The management vlan (mgmt) and the user vlans (default and any user-created vlans) reside in different virtual routers (VR-MGMT and VR-DEFAULT). There is no possible connection between these two VRs. So you can't get to the mgmt IP unless you are in the mgmt vlan.

As Robert told you, you can manage a switch through any vlan that has an IP address (unless you restrict it). You don't have to be in the same vlan, as long as you have a route to that IP address.

Service Providers don't like this because they don't want customers to be able to manage the switch, so they usually configure it to allow management only through the mgmt vlan/port.

Having a separate and isolated management network also allows you to manage the switch if the user vlans have communications problems (broadcast storms, loops in the network, etc). For this to work, the management network must be completely separated from the user network.

Nothing prevents you from having both types of access. NetSight connects to the switches through the mgmt vlan, and administrators open CLI sessions through the user vlans. This way NetSight keeps in touch with the switches, even if you can't access them because of network problems.