LAN Routing

Exclude a vlan from the routing

I have two 5406R zl2 working as core switches with routing enabled. VRRP is configured for some VLANs. Now I tried to route the Management VLAN over the firewall to restrict access to it.

I disabled VRRP for that VLAN and moved the virtual router IP to the firewall (the default gateway for the switches). But that didn't work. Since the switches also have IPs in the Management VLAN, they still route between the VLANs. I found no way to remove or "overwrite" the routing entry of type "connected".

Is there a way to exclude a VLAN from routing while keeping the IP in it?

Re: Exclude a vlan from the routing

Good question.

I believe when a VLAN interface is configured with an IP address it automatically participates in IP routing by the switch because it is directly connected (clearly, if IP routing is globally enabled on the switch). Maybe I'm wrong, but the only way to achieve what you want is to (a) remove the IP address on that VLAN id and (b) transport that particular VLAN id, tagged or untagged, as Layer 2 up to the firewall's port dedicated to that type of connection. The firewall will need to provide an IP address to that VLAN id and it will become the router for that very VLAN (that way you have a VLAN routed by the firewall and all the other VLANs directly connected on the switch routed by the switch itself... and, if you just think about it, this will create an asymmetry in routing).

By the way...are you using the Management VLAN (non routable) or just a VLAN with management purposes? I believe the latter.

Can't you manage restrictions to that particular VLAN via ACLs while keeping it routed?
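The two options discussed in this reply, written out as an added ArubaOS-Switch style configuration example (not from either poster; VLAN 100, port A1, the 10.0.100.0/24 range, the jump host 10.0.10.5 and the ACL name are assumed values):

```text
; Option (a)+(b): the switch keeps VLAN 100 at Layer 2 only.
; Without an IP address there is no "connected" route for it, so
; the firewall (reached tagged via A1) becomes the VLAN's router.
vlan 100
   name "MGMT"
   no ip address
   tagged A1
   exit

; Alternative: keep the switch IP in VLAN 100 and filter routed
; traffic toward the management VLAN with a routed ACL instead.
; "out" on the VLAN filters traffic routed INTO VLAN 100 from
; other VLANs (assumed supported on this platform); intra-VLAN
; Layer 2 traffic is not affected.
ip access-list extended "MGMT-IN"
   permit tcp host 10.0.10.5 10.0.100.0 0.0.0.255 eq 22
   permit tcp host 10.0.10.5 10.0.100.0 0.0.0.255 eq 443
   deny ip any 10.0.100.0 0.0.0.255 log
   exit
vlan 100 ip access-group "MGMT-IN" out
```

Check the result with `show ip route` (the connected route for 10.0.100.0/24 disappears in option (a)) and `show access-list "MGMT-IN"` for hit counts on the deny entry.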

Re: Exclude a vlan from the routing

Hello parnassus,

First, you are right: I mean a "normal" VLAN with management purposes. Sorry that I didn't make that clear.

I agree with you. Currently I see only the options of removing the IP address or using ACLs, because the asymmetric routing is exactly my problem. But I had hoped that I could disable routing for particular VLANs so that the switch would send these packets to the firewall.

ACLs can help, but they are my second choice.