LAN Routing
Distinct and separate internet access for select vLANs on a routing enabled HPE Aruba 5412r zl2

Occasional Contributor

Have a set of 10 vLANs on this core switch.

Switch has base “ip routing” enabled, nothing else.

All devices on the vLANs utilize the IP address assigned to the given vLAN on the switch for their default gateway.

Software revision  : KB.16.06.0006

All modules are v3

vLAN 255 (172.16.255.254/24) – all systems on this vLAN need to use the next hop of 172.16.255.1, a firewall within the same subnet to access the internet.

vLAN 254 (172.16.254.254/24) all systems on this vLAN need to use the next hop of 172.16.254.1, a firewall within the same subnet to access the internet.

vLAN 2,3,4,5,6,7,8,253 (172.16.[2,3,4,5,6,7,8,253].254/24) all systems on these vLANs need to use the next hop of 172.16.253.1, a firewall allowing access to the internet.

What is the best approach to allow the switch to handle all inter-vLAN routing and also allow the individual default routes to reach the internet for the given subnet scenarios above?

Thank you!

2 REPLIES
Honored Contributor

Re: Distinct and separate internet access for select vLANs on a routing enabled HPE Aruba 5412r zl2

Since IP routing is already enabled, inter-VLAN routing is already active too.

Your other request would be satisfied by creating an 11th VLAN to be used only as a transit VLAN between your core switch and your firewall.

Honored Contributor

Re: Distinct and separate internet access for select vLANs on a routing enabled HPE Aruba 5412r zl2

1. In a standard user network, you should only have one router in a host subnet, not 2.
The purpose of routing is not to route between two addresses that are in the same subnet. Unless the firewall is the router for a subnet, it should not have an IP address in that subnet; your Core switch should route to it using a dedicated transit subnet that has no hosts in it.
If you have two routers in a subnet, it is the host that needs to choose the correct one, not one of those routers.

2. You could do the following for each host subnet that has 2 routers in it:
 - configure DHCP Option 3 to be the .1 address.
 - configure DHCP options 121 & 249 with the .254 address as a route for each internal subnet.

3. If you make the Core switch default route 172.16.253.1, that should catch all the remaining subnets, but this will create asymmetric routing, so it would be better to not use on the firewall any IP address that belongs to a host subnet.
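The DHCP-side workaround in point 2 above relies on the classless static route option (121, RFC 3442; Microsoft clients read the same encoding from option 249). The following is an added example, not code from either reply or from HPE, that builds and encodes that route list for the subnets in the question: every other internal /24 is reached via the host's own switch address (.254) and the default route via the firewall for that VLAN. One caveat worth checking against RFC 3442: a client that receives option 121 must ignore option 3, so the default route has to be carried inside option 121 as well, not only in option 3. The VLAN numbers and firewall addresses come from the question; the helper names and the `INTERNAL_VLANS` / `FIREWALL_FOR` tables are this example's own assumptions.

```python
"""Encode/decode the DHCP classless static route option (121 / 249) payload.

Added example for the two-routers-in-one-subnet design discussed above.
Addresses follow the question: switch SVI is 172.16.<vlan>.254/24, the
firewall next hop is 172.16.255.1 for VLAN 255, 172.16.254.1 for VLAN 254,
and 172.16.253.1 for everything else.  Names below are this example's own.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # (destination prefix in CIDR form, next-hop router)

# Constructed from the question; not a real site inventory.
INTERNAL_VLANS = [2, 3, 4, 5, 6, 7, 8, 253, 254, 255]
FIREWALL_FOR = {255: "172.16.255.1", 254: "172.16.254.1"}
DEFAULT_FIREWALL = "172.16.253.1"


def routes_for_vlan(vlan_id: int) -> List[Route]:
    """Route list a host in VLAN <vlan_id> should receive.

    Every other internal subnet goes via the core switch (.254 in the host's
    own subnet); the default route goes via that VLAN's firewall.  The default
    route is included here because RFC 3442 says a client that gets option
    121 must ignore the Router option (option 3).
    """
    gateway = f"172.16.{vlan_id}.254"
    firewall = FIREWALL_FOR.get(vlan_id, DEFAULT_FIREWALL)
    routes = [(f"172.16.{v}.0/24", gateway) for v in INTERNAL_VLANS if v != vlan_id]
    routes.append(("0.0.0.0/0", firewall))
    return routes


def encode_classless_routes(routes: List[Route]) -> bytes:
    """Return the option payload (without the option code and length octets).

    RFC 3442 entry layout: 1 octet prefix length, then only the significant
    octets of the destination (ceil(prefix/8) of them), then 4 router octets.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(payload: bytes) -> List[Route]:
    """Inverse of encode_classless_routes; rejects malformed or truncated data."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        prefixlen = payload[i]
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen} at offset {i}")
        significant = (prefixlen + 7) // 8
        i += 1
        if i + significant + 4 > len(payload):
            raise ValueError(f"truncated route entry at offset {i - 1}")
        dest = payload[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        net = ipaddress.IPv4Network((dest, prefixlen))
        routes.append((str(net), str(router)))
    return routes


if __name__ == "__main__":
    for vlan in (2, 254, 255):
        payload = encode_classless_routes(routes_for_vlan(vlan))
        print(f"VLAN {vlan}: option 121 payload is {len(payload)} bytes: {payload.hex()}")
        assert decode_classless_routes(payload) == routes_for_vlan(vlan)
```

For a /24 each entry costs 8 bytes and the default route 5, so the ten-VLAN list fits in one 77-byte option; if the subnet list grows, keep an eye on the 255-byte option limit. The decoder is the useful half when troubleshooting: feed it the option bytes from a packet capture to confirm what the server actually handed out, since the asymmetric path problem in point 3 shows up precisely when a host's route table does not match the design.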