Accessing the mgmt-ip of a switch via router/fw/ipsec: corp-desktop-vlan -----> datacenter fw/router --> switch, which has many vlans.

You can create a tunnel between and (default vlan 1 of the switch). You can further configure an ip for the latter vlan, say ( ), while the trunk between the switch and the fw/router int is (, ips don't matter).

When you configure the vlan ip as, the switch (netgear fsm 7352ps, in this case) adds the following route by default: via

All machines in that default vlan are configured to use the fw int as their default gateway, that is,

Folks in can ping/talk to all machines except the mgmt-ip of; when your laptop is in, it can talk to the mgmt-ip.

The switch itself is like any other L3 device (all applications are >= L3). When you try to establish a connection with, the switch's reply traffic has to go via, which is not a trunk to a router.

One way to fix this mess: delete that route via, and add via; that way, you can talk to the switch.

You can replace with some others; it doesn't matter.
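To see why the default route decides whether the mgmt-ip is reachable from the desktop vlan, here is an added longest-prefix-match simulation of the switch's routing table (not from the original post, and not the switch's own software). All addresses in it are constructed placeholders: the corp-desktop vlan, the switch's mgmt vlan with the fw/router interface in it, and a second switch vlan whose interface the broken default route points at.

```python
import ipaddress

# Constructed example addresses (assumptions, not taken from the post):
#   corp-desktop vlan : 10.10.0.0/24, laptop = 10.10.0.50 (behind the fw/router)
#   switch mgmt vlan 1: 10.20.1.0/24, fw/router interface = 10.20.1.1
#   second switch vlan: 10.30.0.0/24, switch interface = 10.30.0.1 (no router here)
MGMT_VLAN = ipaddress.ip_network("10.20.1.0/24")
OTHER_VLAN = ipaddress.ip_network("10.30.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
FW_IN_MGMT_VLAN = ipaddress.ip_address("10.20.1.1")
OTHER_VLAN_IF = ipaddress.ip_address("10.30.0.1")
DESKTOP = ipaddress.ip_address("10.10.0.50")


def lookup(table, dst):
    """Longest-prefix match over a list of (network, next_hop) pairs.
    next_hop is "direct" for a connected vlan or the gateway address.
    Returns None when no route covers dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in table if dst in net]
    if not matches:
        return None
    _, next_hop = max(matches, key=lambda m: m[0].prefixlen)
    return next_hop


def broken_table():
    # What the post describes: the switch installs a default route whose
    # next hop is an interface that is not a trunk to any router.
    return [(MGMT_VLAN, "direct"), (OTHER_VLAN, "direct"), (DEFAULT, OTHER_VLAN_IF)]


def fixed_table():
    # The fix: drop that default route and point it at the fw/router
    # interface that lives in the mgmt vlan.
    kept = [r for r in broken_table() if r[0] != DEFAULT]
    return kept + [(DEFAULT, FW_IN_MGMT_VLAN)]


def reply_reaches_router(table, dst):
    """True when the switch hands its reply toward dst to the fw/router,
    which is the only way a host outside the switch's vlans hears back."""
    return lookup(table, dst) == FW_IN_MGMT_VLAN


if __name__ == "__main__":
    for name, table in (("broken", broken_table()), ("fixed", fixed_table())):
        print(name, "desktop reachable:", reply_reaches_router(table, DESKTOP))
        print(name, "mgmt-vlan laptop next hop:", lookup(table, "10.20.1.30"))
```

A laptop inside the mgmt vlan resolves to the connected route in both tables, which matches the observation that it can always reach the mgmt-ip while the desktop vlan cannot until the default route is changed.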

