
Cannot access web management interface from a routed VLAN

bignewf93
Aspirant


Model 4100 G12D Firmware 10.0.0.1.28

I am having issues managing the web gui interface from a routed vlan.

 

I have the switch configured with layer 3 vlans, and it is working fine. It has the following configuration:

 

vlan 1 management 192.168.5.100/24

vlan 3 192.168.1.2/24

vlan 4 192.168.4.1/24

vlan 5 192.168.3.1/24

vlan 6 192.168.100.1/24

 

I have removed all ports from vlan1 (by default port0/1-2 were the factory defaults) and added these two ports to vlan 6. All ports in all vlans are untagged. I can access the switch from the ip address of any of the above vlans via the vlan ip address no problem. (Of course reducing security to the management of the switch). I will add restrictive acls at a later date restricting management to a few trusted source ip addresses in one or two vlans. This is a test setup right now, and I have video traffic in vlan 5 and the rest of the data traffic in vlan 4 and 5. The default gateway is 192.168.1.1

192.168.1.1 is the LAN interface of a Cisco ASA firewall. The firewall is in routable mode, with static route statements for all the vlans. Vlan 3 is cabled directly to 192.168.1.1 in the firewall.

 

However, since I can access the switch via ssh from the vlan ip addresses, should I not be able to access the web gui via 192.168.3.1, 4.1, 100.1, etc?

 

From reading some of the forum articles, VLAN 1 is the default and is not routable. Do I need to make one of the routable vlans the new management vlan? If so, how would I do this? I am fine configuring everything via the CLI, but the webgui is helpful for other maintenance tasks. I read one article to actually delete VLAN1 as a possible solution and make another routable vlan a new management vlan. If this is a solution, can you please tell me the steps, or is there another solution?

 

Thank you,

 

(M4100-D12G) #show run

!Current Configuration:
!
!System Description "M4100-D12G ProSafe 12-port Gigabit L2+ Intelligent Edge Desktop Managed Switch, 10.0.1.28, B1.0.1.0"
!System Software Version "10.0.1.28"
!System Up Time "1 days 20 hrs 12 mins 55 secs"
!Additional Packages QOS,IPv6 Management,Routing
!Current SNTP Synchronized Time: SNTP Last Attempt Status Is Not Successful
!
telnetcon timeout 20
enable password 8c147405070ad74f21f519315f5cc3c8b8f7298a85981bd015030d83577e61e95ac840db20deda8ac9b3fe2bcad6953d4e91d8c27b93067a0cde711b9b0db285 encrypted
network protocol none
network parms 192.168.5.100 255.255.255.0 192.168.5.1
vlan database
vlan 3-6
vlan name 3 "VLAN3"
vlan name 4 "VLAN4"
vlan name 5 "VLAN5"
vlan name 6 "VLAN6"
vlan routing 3 1
vlan routing 4 2
vlan routing 5 3
vlan routing 6 4
--More-- or (q)uit
exit

ip http secure-server
ip ssh server enable
sshcon timeout 1
no ip telnet server enable
configure
time-range
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.1
username  password c4613c288e3e1d449bd2ce6882352f23271269c0651ae0d12ed3e1692504893b2fbaab4bc9de50f100380a22aaebe3bfa212ac7c09bdc6bc5f73788c850d3eb6 level 15 encrypted
username password 8c147405070ad74f21f519315f5cc3c8b8f7298a85981bd015030d83577e61e95ac840db20deda8ac9b3fe2bcad6953d4e91d8c27b93067a0cde711b9b0db285 level 15 encrypted
aaa authentication login "networkList" local enable
line console
serial timeout 20
password c4613c288e3e1d449bd2ce6882352f23271269c0651ae0d12ed3e1692504893b2fbaab4bc9de50f100380a22aaebe3bfa212ac7c09bdc6bc5f73788c850d3eb6 encrypted
no transport input telnet
exit

line telnet
password c4613c288e3e1d449bd2ce6882352f23271269c0651ae0d12ed3e1692504893b2fbaab4bc9de50f100380a22aaebe3bfa212ac7c09bdc6bc5f73788c850d3eb6 encrypted
exit

--More-- or (q)uit
line ssh
password c4613c288e3e1d449bd2ce6882352f23271269c0651ae0d12ed3e1692504893b2fbaab4bc9de50f100380a22aaebe3bfa212ac7c09bdc6bc5f73788c850d3eb6 encrypted
exit

!

interface 0/1
vlan pvid 4
vlan participation auto 1
exit

 

interface 0/2
vlan pvid 3
vlan participation auto 1
vlan participation include 3
exit

 

interface 0/3
vlan pvid 3
--More-- or (q)uit
vlan participation auto 1
vlan participation include 3
exit

 

interface 0/4
vlan pvid 6
vlan participation auto 1
vlan participation include 6
exit

 

interface 0/5
vlan pvid 4
vlan participation auto 1
vlan participation include 4
exit

 

interface 0/6
--More-- or (q)uit
vlan pvid 4
vlan participation auto 1
vlan participation include 4
exit

 

interface 0/7
vlan pvid 4
vlan participation auto 1
vlan participation include 4
exit

 

interface 0/8
vlan pvid 4
vlan participation auto 1
vlan participation include 4
exit

 

--More-- or (q)uit
interface 0/9
vlan pvid 5
vlan participation auto 1
vlan participation include 4-5
exit

 

interface 0/10
vlan pvid 5
vlan participation auto 1
vlan participation include 5
exit

 

interface 0/11
vlan pvid 5
vlan participation auto 1
vlan participation include 5
exit


--More-- or (q)uit

interface 0/12
vlan pvid 5
vlan participation auto 1
vlan participation include 5
exit

 

interface vlan 3
routing
ip address 192.168.1.2 255.255.255.0
exit

 

interface vlan 4
routing
ip address 192.168.4.1 255.255.255.0
exit

 

--More-- or (q)uit
interface vlan 5
routing
ip address 192.168.3.1 255.255.255.0
exit

 

interface vlan 6
routing
ip address 192.168.100.1 255.255.255.0
exit


exit


(M4100-D12G) #

Message 1 of 8
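An added example (not part of the original post and not NETGEAR tooling): a small Python audit of the running configuration posted above, listing the management services the config explicitly enables and every switch IP address configured, which is the set of addresses the planned management ACLs would need to cover. The excerpt is a constructed subset of the post's `show run` output, and the names `audit`, `SERVICES` and `SHOW_RUN` are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt of the `show run` output in the post (pager prompt kept).
SHOW_RUN = """\
network parms 192.168.5.100 255.255.255.0 192.168.5.1
ip http secure-server
ip ssh server enable
no ip telnet server enable
interface 0/3
vlan pvid 3
--More-- or (q)uit
vlan participation include 3
exit
interface vlan 3
routing
ip address 192.168.1.2 255.255.255.0
exit
interface vlan 4
routing
ip address 192.168.4.1 255.255.255.0
exit
"""

# Only lines present in the config are reported; defaults are not assumed.
SERVICES = {"ip http secure-server": "https", "ip ssh server enable": "ssh",
            "ip telnet server enable": "telnet"}

def audit(config):
    """Return (services explicitly enabled, {interface name: ip_interface})."""
    enabled, addrs, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("--More--"):
            continue                      # comments and CLI pager residue
        if line in SERVICES:              # a "no ..." line never matches
            enabled.add(SERVICES[line])
        if line.startswith("interface "):
            current = line[len("interface "):]
        elif line == "exit":
            current = None
        m = re.match(r"(network parms|ip address) (\S+) (\S+)", line)
        key = "network parms" if m and m[1] == "network parms" else current
        if m and key:
            addrs[key] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
    return enabled, addrs

if __name__ == "__main__":
    services, addrs = audit(SHOW_RUN)
    print(sorted(services), {k: str(v) for k, v in addrs.items()})
```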

Accepted Solutions
bignewf93
Aspirant

Re: Cannot access web management interface from a routed VLAN

Still cannot get the management vlan to change to a Layer 3 vlan, regardless of what RFC1918 address I use. However, I can now access the webgui from any of the ip addresses of the routed vlans, so there is no need to configure the management vlan to be accessible from any of the routed vlans. The issue was local to some of the pc's; these addresses had to be exempt from the proxy configuration for local LAN access.

Thanks for your time and patience resolving this issue.


Message 8 of 8
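An added example (not from the original thread): the resolution above points at browser proxy settings, which affect web GUI requests but not SSH sessions. This sketch checks which of the switch addresses from the post are covered by a proxy exception list; the exception list, the syntax it accepts (exact host, `*` wildcard, CIDR) and the function names are assumptions for illustration, since real browsers and operating systems differ in what they accept.

```python
import fnmatch
import ipaddress

# Switch addresses taken from the post; the exception list is constructed.
SWITCH_IPS = ["192.168.5.100", "192.168.1.2", "192.168.4.1",
              "192.168.3.1", "192.168.100.1"]
EXCEPTIONS = ["localhost", "192.168.5.0/24", "192.168.4.*"]

def bypasses_proxy(host, exceptions):
    """True if `host` matches an exception and is fetched directly."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None                       # host is a name, not an IP literal
    for entry in exceptions:
        if "/" in entry and addr is not None:
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass                      # malformed CIDR entry: ignore it
        elif fnmatch.fnmatchcase(host.lower(), entry.lower()):
            return True
    return False

def proxied_addresses(hosts, exceptions):
    """Addresses whose web GUI requests would still go to the proxy."""
    return [h for h in hosts if not bypasses_proxy(h, exceptions)]

if __name__ == "__main__":
    for ip in proxied_addresses(SWITCH_IPS, EXCEPTIONS):
        print(f"https://{ip}/ is sent to the proxy; add an exception")
```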

All Replies
Arven
Aspirant

Re: Cannot access web management interface from a routed VLAN

You should only be able to access the switch web interface through the static IP you set to it.

 

If you want to access the web interface through a specific VLAN, you can change the management VLAN option through the System, Management and then System Information.

 

Before changing the management VLAN to a specific VLAN ID, first configure a port that will be a member of the VLAN where you want the web interface of the switch to be accessed; the port should be set to untag and its PVID changed to that VLAN. The computer connected to that port should be able to access the web interface of the switch.

 

Message 2 of 8
bignewf93
Aspirant

Re: Cannot access web management interface from a routed VLAN

Thanks for your prompt reply. I took ports 0/1-2 out of VLAN 1 (default) and assigned them to VLAN 4, which is a 192.168.4.0/24 subnet. I plugged a laptop in port 0/1 and I can now access the web interface at 192.168.4.1 (I had tried this before I posted). However, another pc plugged into another port in the same vlan cannot access the webgui, but can connect via ssh to 192.168.4.1.

However, when I change the Management VLAN ID to a current VLAN, I get the error message "IP Address/Netmask entered cannot be used on a routed vlan" I also tried creating another Layer 2 vlan first, without any ip addresses. I then changed the management vlan Id to this new vlan. I had already added the pvid's and ports as you suggested before I changed the management vlan id. I then added an ip address to the vlan and got the same error message as before, "your ip address/subnet conflicts with an existing subnet range on an existing vlan"

 

Maybe I am doing something wrong here to change the management vlan id--

 

many thanks for your help

 

 

Message 3 of 8
DaneA
NETGEAR Employee Retired

Re: Cannot access web management interface from a routed VLAN

Hi bignewf93,

 

I suggest you set the management VLAN on a different LAN IP segment that is different from the usual LAN IP network, since this works for others. For example: if the VLANs you have are such as 192.168.0.x or 192.168.4.x, then set the management VLAN to 10.0.0.x and check if the same error message will appear.

 

Hope it helps.

 

 

Regards,

 

DaneA

Netgear Community Team

Message 4 of 8
bignewf93
Aspirant

Re: Cannot access web management interface from a routed VLAN

Should I create another routed vlan in the 10.X.X.X subnet range first and then change the vlan PVID to this routed vlan, or just change the web management interface ip first to a 10.X.X.X subnet, then create a routed vlan in that subnet, then change the management vlan id of 1 to the new routed vlan pvid?


Thanks for your help

Message 5 of 8
DaneA
NETGEAR Employee Retired

Re: Cannot access web management interface from a routed VLAN

Hi bignewf93,

 

You may create another VLAN, let's say for example VLAN10, which is going to be within the 10.0.0.x subnet range. Then assign port(s) to VLAN10, then change the port PVID to 10, then change the management VLAN to VLAN10. Lastly, make sure to set the IP Address to the 10.0.0.x subnet range.

 

Test it by connecting a PC to the port(s) assigned on VLAN10 and check that the PC is within the 10.0.0.x subnet range and you should be able to get a reply when you ping the IP Address you have assigned on the switch. 

 

Regards,

 

DaneA

Netgear Community Team

Message 6 of 8
bignewf93
Aspirant

Re: Cannot access web management interface from a routed VLAN

Thanks again. I will give that a try.

Message 7 of 8