I'm setting up a 1930 24G as a core switch for a small network. I set the management VLAN to 999 and the IP to 172.16.1.2, with a tagged port connecting that to my firewall at 172.16.1.1.
Despite this, I am able to log in to the switch's local management UI from any subnet/VLAN combination. For example, on a host connected to VLAN10 in 10.10.10.0/24 with an IP address of 10.10.10.10, I'm able to enter "https://10.10.10.1" in a browser and log in.
I've looked through the manual and through the web UI trying to find some way to disable this, and I can't find anything. Either I'm missing something super obvious or this is intended behavior, which would make no sense to me.
Config file:
config-file-header
<hostname>
vInstantOn_1930_2.8.0.0 (17) / RHPE2.8_932_244_010
SKU Description "Aruba Instant On 1930 24G 4SFP/SFP+ Switch JL682A"
@
!
unit-type-control-start
unit-type unit 1 network gi uplink te
unit-type-control-end
!
vlan database
vlan 10,666,999-1000
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 3Com
voice vlan oui-table add 0060b9 H3C
voice vlan oui-table add 64167f Polycom
voice vlan oui-table add 805e0c Yealink
ip routing
priority-queue out num-of-queues 0
hostname <hostname>
username <redacted>
snmp-server engineid local default
no ip http server
clock timezone J 0 minutes 0
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 10.100.100.1 poll
sntp port 123
management vlan 999
!
interface vlan 10
name "VLAN10"
ip address 10.10.10.1 255.255.255.0
!
interface vlan 666
name blackhole
!
interface vlan 999
name management
ip address 172.16.1.2 255.255.255.0
no ip address dhcp
no ipv6 address autoconfig
no ipv6 enable
!
interface vlan 1000
name transit
ip address 10.100.100.2 255.255.255.252
!
interface 1
switchport general allowed vlan add 1000 tagged
switchport general pvid 1000
!
interface 2
switchport general allowed vlan add 1000 tagged
switchport general pvid 1000
!
interface 3
switchport general allowed vlan add 999 untagged
switchport general pvid 999
!
interface 4
switchport general allowed vlan add 999 tagged
switchport general pvid 999
!
interface 5
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 6
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 7
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 8
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 9
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 10
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 11
switchport general allowed vlan add 10 untagged
switchport general pvid 10
!
interface 12
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 13
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 14
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 15
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 16
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 17
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 18
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 19
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 20
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 21
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 22
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 23
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 24
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 25
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 26
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 27
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface 28
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface TRK1
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface TRK2
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface TRK3
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface TRK4
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface TRK5
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface TRK6
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface TRK7
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
interface TRK8
switchport general allowed vlan add 666 untagged
switchport general pvid 666
!
exit
ip default-gateway 10.100.100.1
------------------------------
Samuel Davis
------------------------------
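An added example, not part of the original post: a small audit that reads a config in the format posted above and lists every VLAN interface holding an IP address outside the management VLAN, which are the addresses to test for management UI reachability (the post reports 10.10.10.1 answering). The function name, output keys and trimmed sample config are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: L3-relevant lines trimmed from the config posted above.
SAMPLE_CONFIG = """\
ip routing
management vlan 999
!
interface vlan 10
ip address 10.10.10.1 255.255.255.0
!
interface vlan 666
!
interface vlan 999
ip address 172.16.1.2 255.255.255.0
no ip address dhcp
!
interface vlan 1000
ip address 10.100.100.2 255.255.255.252
!
interface 11
switchport general pvid 10
!
"""

def audit_management_exposure(config: str) -> dict:
    """Hypothetical helper: report SVI addresses outside the management VLAN."""
    mgmt = re.search(r"^management vlan (\d+)$", config, re.M)
    mgmt_vlan = int(mgmt.group(1)) if mgmt else None
    svis, ports, current = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if line == "!":                      # "!" closes an interface stanza
            current = None
        elif m := re.fullmatch(r"interface vlan (\d+)", line):
            current = ("vlan", int(m.group(1)))
        elif m := re.fullmatch(r"interface (\S+)", line):
            current = ("port", m.group(1))
        elif current and current[0] == "vlan" and (
                m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            svis[current[1]] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif current and (m := re.fullmatch(r"switchport general pvid (\d+)", line)):
            ports.setdefault(int(m.group(1)), []).append(current[1])
    exposed = [{"vlan": v, "address": str(a.ip), "network": str(a.network),
                "access_ports": ports.get(v, [])}
               for v, a in sorted(svis.items()) if v != mgmt_vlan]
    routing = bool(re.search(r"^ip routing$", config, re.M))
    return {"management_vlan": mgmt_vlan, "routing": routing,
            "non_management_svis": exposed}
```

Each entry in `non_management_svis` is an address to probe on the HTTPS port from a host in that VLAN after any change, to confirm whether the UI still answers there.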