I very recently had an interesting consulting engagement. The customer was using a SonicWALL firewall to do the routing for all their internal VLANs and wasn’t getting the throughput or performance that they were expecting from their HP 1Gbps network. I explained to the customer that they were routing internal traffic through the SonicWALL and if they didn’t have a need to isolate the VLANs using a firewall they should move the routing to their core HP 5400zl switch, thereby providing wire speed routing and switching within the internal network. In this configuration traffic would only hit the SonicWALL firewall when the packets were destined to the Internet or to a remote VPN location.
I made the various configuration changes on the HP 5400zl and oddly enough I couldn’t get routing to work. I had two laptops on opposite VLANs which couldn’t communicate with one and other. I could ping both laptops from the HP 5400zl switch but the switch didn’t appear to be routing the packets even though IP routing had been enabled.
I took to Google and quickly found a thread on the HPE Community website titled, Inter Vlan Layer 3 Routing on 5400. I quickly learned that the command “management-vlan 1” disables routing on that specific VLAN. I issued a “no management-vlan 1” and I could immediately ping between the two laptops without issue. After I little more research I found the following explanation.
Secure Management VLAN
Secure Management VLANs are designed to restrict management access to the switch to only those nodes connected to the Management VLAN. That is, only clients who are connected to ports who are members of the Secure Management VLAN can be allowed to gain management access to the ProCurve device. This sharply limits the universe of devices that can attempt unauthorized access.
Configuring a Management VLAN takes only one command:ProCurve Switch(config)# management-vlan VLANID
Any VLAN can be assigned as the management VLAN. Take care to ensure that the same VLAN is configured as Management VLAN on all ProCurve switches that are to be members of the management VLAN.
There are a few restrictions on Secure Management VLANs worth noting:
- Only one VLAN per switch can be identified as the Secure Management VLAN.
- IP addresses must be assigned manually to the Secure Management VLAN. The switch will not allow the Management VLAN to acquire its address through DHCP/Bootp.
- To maintain the secure nature of the management VLAN, only ProCurve switch ports that are connecting authorized management stations, or those extending the management VLAN to other ProCurve switches, should be members of the Management VLAN.
- Internet Group Management Protocol (IGMP) is not supported on the Management VLAN.
- Routing to or from the Secure Management VLAN is not permitted. Routing can be enabled on the switch and all other VLANs will be routable, but the Secure Management VLAN will remain isolated.
The customer did tell me that they had tried to add IP routing to the HP 5400zl in the past but could never get it to work properly. You can imagine my initial surprise when I too was temporarily stumped after configuring the IP addresses on the VLAN interfaces and enabling IP routing. Thankfully some quick research provided the solution.