Author Topic: 802.1Q Management VLAN  (Read 7839 times)

titusc

  • Level 1 Member
  • *
  • Posts: 13
802.1Q Management VLAN
« on: December 03, 2017, 01:47:14 AM »

Hi, I'm trying to put my Management VLAN on VLAN 100, which is not the default (VLAN 1).  Unfortunately, I'm not sure if it's a bug or something I've done wrong, but it's locking me out as soon as I change the VLAN from 1 to 100 under 802.1Q Management VLAN.

My configuration is simple.  I started with a factory reset switch and am connected to Port 6.

Here are the steps I did.
1)  VLAN -> 802.1Q VLAN
     a) Click on VID 1, change port 6 from Untagged to Not Member.
          This takes Port 6 out of VLAN 1.
     b) Click Add, enter VID = 100, VLAN Name = Mgmt, change port 6 from Not Member to Untagged.
          This puts Port 6 into VLAN 100.
          At this point I'm still not locked out because I think 3a below is Disabled so the switch doesn't care which VLAN you are on yet.
2)  802.1Q VLAN PVID
     Nothing needs to be done here but Port 6 is now assigned with PVID 100.
3)  802.1Q Management VLAN
     a) Change Management VLAN from Disabled to Enabled.
     b) Change VID from 1 to 100, the VLAN Name is changed from default to Mgmt automatically.
     c) Hit Apply.

After 3c above I'm locked out of the switch which doesn't make sense because I'm asking the switch to define the Management VLAN as VLAN 100 and I have put Port 6 to VLAN 100.

This appears to be in line with what PacketTracer is describing with Choice 2 on the thread below.  The only bit I'm not following is why the need to first connect on a port different than Port 24 before putting Port 24 to the Management VLAN, and then connect the laptop back to Port 24 after getting locked out.
http://forums.dlink.com/index.php?topic=66286.0

Any advice or suggestions?  Thanks.
« Last Edit: December 03, 2017, 05:12:43 PM by titusc »
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 435
Re: 802.1Q Management VLAN
« Reply #1 on: December 03, 2017, 08:06:31 AM »

Hi,

Quote
The only bit I'm not following is why the need to first connect on a port different than Port 24 before putting Port 24 to the Management VLAN, and then connect the laptop back to Port 24 after getting locked out.

This is because I think it's not a good idea to manage the port your admin PC is connected to. And I'm really astonished that you could still do any configuration beyond step 1a, because my understanding so far was that by default the switch's management interface is only reachable via VLAN 1! But maybe this is due to a time gap between the point in time when you change a configuration and the point in time when this change becomes effective.

To be honest, my recipe you quoted resulted from just thinking about a logical sequence of actions, that looks reasonable from my point of view. I never did this in practice because I don't have this type of switch at hand.

PT
Logged

titusc

  • Level 1 Member
  • *
  • Posts: 13
Re: 802.1Q Management VLAN
« Reply #2 on: December 03, 2017, 09:16:44 AM »

Quote
And I'm really astonished that you could still do any configuration beyond step 1a, because my understanding so far was that by default the switch's management interface is only reachable via VLAN 1!

But under VLAN -> 802.1Q Management VLAN I see Management VLAN is set to Disabled, and VID 1 is greyed out.  I'd have imagined unless we set this to Enabled this means any VLAN will have management access?

Also this is definitely not a time gap issue because I have this setup now for what must be a good hour already.
Like I mentioned on the other post I have already put the port my PC is connected to into a different VLAN (Not a Member of VLAN1, Untag VLAN 200), and I'm still clicking around on the Web UI.
Logged

titusc

  • Level 1 Member
  • *
  • Posts: 13
Re: 802.1Q Management VLAN
« Reply #3 on: December 03, 2017, 09:19:57 AM »

Okay, I just went to VLAN -> 802.1Q Management VLAN and set the Management VLAN option from Disabled to Enabled, leaving the VID drop-down at 1 and VLAN Name as default.  I thought this would have forced the switch to only accept management access from devices in VLAN 1, but guess what, I'm still clicking around on the Web UI fine without being locked out.  Again, the port I'm connected to is set to VLAN 200 Untag.

I hate to say this but I definitely will say there is something wrong with the VLAN implementation in DLink's switches.
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 435
Re: 802.1Q Management VLAN
« Reply #4 on: December 03, 2017, 12:12:03 PM »

Hi again,

Quote
But under VLAN -> 802.1Q Management VLAN I see Management VLAN is set to Disabled, and VID 1 is greyed out.  I'd have imagined unless we set this to Enabled this means any VLAN will have management access?

I would disagree: In my opinion, switch-internal interfaces (like the management interface or an SVI at a VRF within an L3 switch) can only be bound to specific VLANs. It is like a D-Link switch in factory default: It looks like it isn't VLAN aware, but in reality it is: It internally uses VLAN 1 with all ports configured as VLAN 1 access ports and the management interface assigned to VLAN 1, too. Activating management VLAN just means you are able to change the management VLAN, just like enabling 802.1Q only means that you can create additional VLANs and change the default VLAN configuration of any port to whatever you want.

PT
Logged

titusc

  • Level 1 Member
  • *
  • Posts: 13
Re: 802.1Q Management VLAN
« Reply #5 on: December 03, 2017, 05:11:28 PM »

Hi PT, I know what you mean, but I can access the Web UI when the port I'm connected to is set to be on VLAN 200.  As you guessed, this should have locked me out from the Web UI immediately.  So a bug?
Logged

titusc

  • Level 1 Member
  • *
  • Posts: 13
Re: 802.1Q Management VLAN
« Reply #6 on: December 04, 2017, 09:34:45 AM »

Okay, again, as explained in the following thread, this is caused by my PC flipping between connecting to different points of the network.
http://forums.dlink.com/index.php?topic=72778.0

For the benefit of others who may have been confused by what I described, the reason I lost access to the Web UI only after 3c was because after 1a my PC was disconnected from one end of the network and reconnected from another point of the network back to the switch, which still had Management VLAN on VLAN 1, so the Web UI was still accessible.  It was only after I changed the Management VLAN to VLAN 100 that I lost access to the Web UI via this other path as well.
1)  VLAN -> 802.1Q VLAN
     a) Click on VID 1, change port 6 from Untagged to Not Member.
          This takes Port 6 out of VLAN 1.
     b) Click Add, enter VID = 100, VLAN Name = Mgmt, change port 6 from Not Member to Untagged.
          This puts Port 6 into VLAN 100.
          At this point I'm still not locked out because I think 3a below is Disabled so the switch doesn't care which VLAN you are on yet.
2)  802.1Q VLAN PVID
     Nothing needs to be done here but Port 6 is now assigned with PVID 100.
3)  802.1Q Management VLAN
     a) Change Management VLAN from Disabled to Enabled.
     b) Change VID from 1 to 100, the VLAN Name is changed from default to Mgmt automatically.
     c) Hit Apply.


As for below, this is absolutely good advice.  Coming from a CLI background such as Cisco, it is easy to set the native VLAN of the port you are connected to the switch with just one command.  On the D-Link switches via the Web UI, it's a two-step process.  First you go to the VLAN 1 page and check the port to be Not a Member of VLAN 1.  Then you go to the new Management VLAN page and check the port to be Untagged.  After the first step, before you get the chance to do the second, you are already locked out.  A good lesson learned here with switches like the D-Links that need to be configured this way.
Quote
Quote
The only bit I'm not following is why the need to first connect on a port different than Port 24 before putting Port 24 to the Management VLAN, and then connect the laptop back to Port 24 after getting locked out.

This is because I think it's not a good idea to manage the port your admin PC is connected to. And I'm really astonished that you could still do any configuration beyond step 1a, because my understanding so far was that by default the switch's management interface is only reachable via VLAN 1! But maybe this is due to a time gap between the point in time when you change a configuration and the point in time when this change becomes effective.

Logged
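
The lockout order worked out in this thread, as an added example that is not part of any post: a simplified Python model in which an untagged PC reaches the Web UI only from a port whose PVID equals the management VID. That rule is an assumption drawn from the discussion, not D-Link firmware behaviour, and `SwitchModel`, `trace` and `first_lockout` are hypothetical names.

```python
from dataclasses import dataclass, field

UNTAGGED, NOT_MEMBER = "Untagged", "Not Member"

@dataclass
class SwitchModel:
    """Simplified model assumed from the thread, not D-Link firmware logic."""
    num_ports: int = 8
    mgmt_vid: int = 1                          # management interface sits on VLAN 1 by default
    vlans: dict = field(default_factory=dict)  # vid -> {port: membership}

    def __post_init__(self):
        # Factory default: every port is an untagged member of VLAN 1.
        self.vlans[1] = {p: UNTAGGED for p in range(1, self.num_ports + 1)}

    def set_member(self, vid, port, state):
        blank = {p: NOT_MEMBER for p in range(1, self.num_ports + 1)}
        self.vlans.setdefault(vid, blank)[port] = state

    def pvid(self, port):
        # Assumption: the PVID follows the VLAN the port is untagged in (step 2 of the post).
        untagged = [v for v, m in sorted(self.vlans.items()) if m[port] == UNTAGGED]
        return untagged[0] if untagged else None

    def mgmt_ports(self):
        # Ports from which an untagged admin PC can still reach the Web UI.
        return {p for p in range(1, self.num_ports + 1) if self.pvid(p) == self.mgmt_vid}

# The steps from the post, in the order they were applied (port 6, VID 100).
STEPS = [
    ("1a", lambda sw: sw.set_member(1, 6, NOT_MEMBER)),
    ("1b", lambda sw: sw.set_member(100, 6, UNTAGGED)),
    ("3c", lambda sw: setattr(sw, "mgmt_vid", 100)),
]

def trace(steps, num_ports=8):
    """Return [(step, ports that can still reach management)] after each step."""
    sw, out = SwitchModel(num_ports), []
    for label, apply in steps:
        apply(sw)
        out.append((label, sw.mgmt_ports()))
    return out

def first_lockout(steps, admin_port):
    """Label of the first step after which admin_port loses management, else None."""
    return next((label for label, ok in trace(steps) if admin_port not in ok), None)

if __name__ == "__main__":
    for label, ok in trace(STEPS):
        print(label, sorted(ok))
```

Running `first_lockout(STEPS, 6)` against a planned change shows where the admin port drops off before the change is applied on the switch; a second port left in VLAN 1 keeps access until step 3c.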

titusc

  • Level 1 Member
  • *
  • Posts: 13
Re: 802.1Q Management VLAN
« Reply #7 on: December 04, 2017, 09:41:07 AM »

Again sorry this specific observation was due to my PC reconnecting back to the network from a different point arriving back to the switch on a different port.  This happened even before I got to the stage of setting the port I thought I was still connected to have VLAN 200 Untag.  Obviously by setting the Management VLAN to Enabled and keeping the Management VLAN on VLAN 1, I'm still able to access the Web UI via the alternate path.

Okay, I just went to VLAN -> 802.1Q Management VLAN and set the Management VLAN option from Disabled to Enabled, leaving the VID drop-down at 1 and VLAN Name as default.  I thought this would have forced the switch to only accept management access from devices in VLAN 1, but guess what, I'm still clicking around on the Web UI fine without being locked out.  Again, the port I'm connected to is set to VLAN 200 Untag.

I hate to say this but I definitely will say there is something wrong with the VLAN implementation in DLink's switches.
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 435
Re: 802.1Q Management VLAN
« Reply #8 on: December 04, 2017, 02:34:12 PM »

Glad to hear that. Was already in doubt about my view of the (network) world ...
Logged