Monday, March 22, 2010

accessing mgmt-ip of a switch via router/fw/ipsec

10.7.0.0/23 corp-desktop-vlan -----> datacenter fw/router --> switch, which has many vlans.


You can create a tunnel between 10.7.0.0/23 and 192.168.31.0/24 (default VLAN 1 of the switch). Give that VLAN an IP on the switch, say 192.168.31.254 (or 192.168.31.1), while the fw/router interface on the trunk between the switch and the fw/router is 192.168.31.1 (or 192.168.31.254; the exact IPs don't matter).

When you configure the VLAN IP as 192.168.31.254, the switch (a Netgear FSM7352PS, in this case) adds the following route by default:

0.0.0.0/0.0.0.0 via 192.168.31.254

All machines in that default VLAN are configured to use the fw interface, 192.168.31.1, as their default gateway.

Folks in 10.7.0.0/23 can ping/talk to all machines in 192.168.31.0/24 except the mgmt-ip; when your laptop is in 192.168.31.0/24 itself, it can talk to the mgmt-ip.

The switch's management plane is an IP host like any other L3 device (all applications sit at L3 or above). When you try to establish a connection with 192.168.31.254 from 10.7.0.0/23, the switch's replies follow its default route, which points at 192.168.31.254, i.e. at the switch itself and not at a trunk to a router, so they never make it back toward the tunnel.

One way to fix this mess: delete the route 0.0.0.0/0.0.0.0 via 192.168.31.254 and add 0.0.0.0/0.0.0.0 via 192.168.31.1; after that, you can talk to the switch from 10.7.0.0/23.

You can replace 0.0.0.0/0 with a more specific prefix, such as just the remote subnet; it doesn't matter.
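To make the failure concrete, here is an added example (not code from the original post) that simulates the switch's route lookup for a reply packet. It models the default route the switch installs, the corrected default route, and the more-specific variant, and shows why a host on the local VLAN (constructed as 192.168.31.10) always works while a host on the far side of the tunnel (constructed as 10.7.0.10) only works once the next hop is the firewall. The route tables and hosts are constructed for the example; the lookup is a plain longest-prefix match, not the Netgear's actual code.

```python
import ipaddress

# Constructed topology matching the post: the switch's VLAN 1 management address,
# the firewall's interface on that VLAN, and the remote corporate desktop subnet
# reached through the firewall/IPsec tunnel.
SWITCH_MGMT_IP = ipaddress.ip_address("192.168.31.254")
FW_VLAN1_IP = ipaddress.ip_address("192.168.31.1")
REMOTE_DESKTOP = "10.7.0.10"      # constructed host in 10.7.0.0/23
LOCAL_LAPTOP = "192.168.31.10"    # constructed host on the switch's own VLAN

# Addresses the switch holds on its own interfaces (here, just the VLAN 1 SVI).
LOCAL_ADDRESSES = {SWITCH_MGMT_IP}

# A route is (prefix, next_hop); next_hop None means "directly connected".
# Route table the switch installs once VLAN 1 gets 192.168.31.254: the
# connected /24 plus a default route pointing at its own address.
DEFAULT_TABLE = [("192.168.31.0/24", None), ("0.0.0.0/0", "192.168.31.254")]

# The fix from the post: default route via the firewall's VLAN 1 address.
FIXED_TABLE = [("192.168.31.0/24", None), ("0.0.0.0/0", "192.168.31.1")]

# The variant the post mentions: a route for just the remote subnet instead
# of 0.0.0.0/0 (anything outside it then has no route at all).
SPECIFIC_TABLE = [("192.168.31.0/24", None), ("10.7.0.0/23", "192.168.31.1")]


def lookup(route_table, dst):
    """Longest-prefix match: return (network, next_hop) for the route the
    switch would use to reach dst, or None if nothing covers it."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in route_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            hop = ipaddress.ip_address(next_hop) if next_hop is not None else None
            best = (net, hop)
    return best


def reply_can_leave(route_table, dst):
    """Decide whether the switch's management plane can send a reply toward dst.
    Directly connected destinations are fine; a next hop that is one of the
    switch's own addresses sends the packet back to itself, which is the
    failure described in the post. Returns (ok, reason)."""
    match = lookup(route_table, dst)
    if match is None:
        return False, "no route"
    net, next_hop = match
    if next_hop is None:
        return True, f"directly connected on {net}"
    if next_hop in LOCAL_ADDRESSES:
        return False, f"next hop {next_hop} is the switch itself"
    return True, f"next hop {next_hop}"


if __name__ == "__main__":
    tables = [("default", DEFAULT_TABLE), ("fixed", FIXED_TABLE), ("specific", SPECIFIC_TABLE)]
    for name, table in tables:
        for host in (LOCAL_LAPTOP, REMOTE_DESKTOP):
            ok, why = reply_can_leave(table, host)
            print(f"{name:8} reply to {host:14} -> {'OK ' if ok else 'FAIL'} ({why})")
```

Running it shows that the laptop on 192.168.31.0/24 is reachable under every table (the connected route wins the longest-prefix match), while replies to 10.7.0.10 fail only under the default table, because the chosen next hop is the switch's own 192.168.31.254. The same check is worth doing by hand on any L3 switch whose SVI gets a self-referencing default route: confirm the next hop of the management plane's default (or remote-subnet) route is the router, not the switch.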
