Re: Aruba 2930f - how do you enable ip routing?

Occasional Advisor

Aruba 2930f - how do you enable ip routing?

I will start off by saying this is my first venture into Layer 3.

I've got an Aruba 2930f that I've got setup with 2 VLANs (VLAN 1 - 172.21.0.0/16, VLAN 2 - 192.168.153.0/24)

The gateway of the network will be 172.21.1.240 (Fortigate 80C in my test lab).

I've been trying to run the "ip route 192.168.153.0/24 172.21.1.240" command to allow VLAN 2 to get to the firewall.  When I run the command it acts like it worked (CLI doesn't return any errors) but when I do show config the route doesn't show up.

Here's a screenshot showing the config - https://imgur.com/albBEYK

Honored Contributor

Re: Aruba 2930f - how do you enable ip routing?

Hi! To let the Aruba 2930F enable its IPv4 routing features you just need to execute the ip routing CLI command in config mode (then write memory).

Doing that, your two defined VLANs will be routed to each other (by means of the Aruba 2930F -> the static route you set will then be, and actually is, erroneous).

The point is: do you want the Aruba 2930F to act as the router for your VLANs or do you want your FortiGate 80C Firewall to act as the router?

In the first case go with ip routing and then you will just need to instruct the Aruba 2930F with a Route of Last Resort in order to route all packets to all other non-local destinations via your FortiGate 80C Firewall, which acts as next-hop (ip route 0.0.0.0 mask 0.0.0.0 via 172.21.1.240). Clearly your Firewall will need to know how to get back to VLAN 2 (192.168.153.0/24) and usually this can be achieved by configuring a static route on the Firewall (something like 192.168.153.0 255.255.255.0 via 172.21.1.241); otherwise VLAN 2 will be inaccessible from the Firewall, that VLAN being behind the Aruba 2930F (remember: the FortiGate is on your VLAN 1 [*] so it already knows how to reach hosts in that VLAN).

[*] An alternative approach (always with routing on the Switch) would be to use a Transit VLAN between the FortiGate 80C and the Switch on a dedicated VLAN...but that is another story...that's basically to avoid having the Firewall on VLANs dedicated to hosts and place it on a /30 or /31 subnet with the corresponding Switch IP on that Transit VLAN. That way the Firewall will need to know how to reach ALL VLANs behind the Aruba 2930F excluding the Transit one and, vice versa, the static RoLR will point to the Firewall IP on the Transit VLAN instead of its IP on VLAN 1 (as happens today in your setup).

In the second case your configuration will change a little bit more.


Re: Aruba 2930f - how do you enable ip routing?

Hello, 

I agree with everything parnassus wrote, just would like to add something. I see the config line "management-vlan 1" in the screenshot. The idea of this feature is to restrict management access only to ports that are members of this VLAN. For this reason routing between the management VLAN and other VLANs is not allowed. Routing between VLAN 1 and VLAN 2 will not be possible, so this line should be removed. Management access will still be possible via any IP address of the switch.

I am an HPE employee



Occasional Advisor

Re: Aruba 2930f - how do you enable ip routing?

@Emil_Gogushev Thank you. I disabled the management VLAN option.

@parnassus I've now gotten ip routing enabled. I'm not sure if it didn't work before because of the management VLAN deal or what; I had tried running that to no avail in the past. My boss wants the switch to do all the routing to reduce the load on the firewall. If the static route that I added is not needed, how does one go about removing it?

Also, if all VLANs route between each other by default, how would you go about stopping that? We only want VLANs we specify to communicate with each other.

Honored Contributor

Re: Aruba 2930f - how do you enable ip routing?

Hi JarlBalgruuf,


@JarlBalgruuf wrote: If the static route that I added is not needed, how does one go about removing it?

To remove/delete a static route, try the no ip route CLI command, fully specifying the involved remote network/host and the related subnet mask. Then verify with show ip route. Do not forget to save with the usual write memory.


@JarlBalgruuf wrote: if all VLANs route between each other by default, how would you go about stopping that? We only want VLANs we specify to communicate with each other.

You need to deploy appropriate ACLs (Access Control Lists).
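As an added illustration of the ACL answer above (example code, not from the thread or from Aruba), here is a small Python model of a routed ACL applied inbound on VLAN 2: entries are evaluated first-match with the implicit deny that closes every ArubaOS-Switch/ProVision ACL, and a helper flags entries that an earlier entry shadows. The ACL contents and sample addresses are constructed; the VLAN ranges are the ones from the thread.

```python
import ipaddress

# Constructed example: a routed ACL applied inbound on VLAN 2, evaluated
# first-match with an implicit deny at the end. Entries are (action, source, destination).
VLAN2_IN = [
    ("deny",   "192.168.153.0/24", "172.21.0.0/16"),  # no VLAN 2 -> VLAN 1 hosts
    ("permit", "192.168.153.0/24", "0.0.0.0/0"),      # everything else, i.e. Internet
]

# The same two entries in the wrong order: the permit-any matches first.
VLAN2_IN_MISORDERED = [VLAN2_IN[1], VLAN2_IN[0]]

def evaluate(acl, src, dst):
    """Action of the first entry matching src/dst, or 'deny' if none matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def shadowed(acl):
    """Indices of entries that can never match because an earlier entry's
    source and destination both fully cover theirs (a classic ACL mistake)."""
    nets = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for _, s, d in acl]
    dead = []
    for j, (sj, dj) in enumerate(nets):
        if any(sj.subnet_of(si) and dj.subnet_of(di) for si, di in nets[:j]):
            dead.append(j)
    return dead

if __name__ == "__main__":
    host = "192.168.153.50"
    # The ACL matches on the packet's destination, not on the next hop, so
    # Internet-bound traffic still leaves via the firewall at 172.21.1.240 even
    # though a packet addressed *to* 172.21.1.240 itself hits the deny entry.
    print(evaluate(VLAN2_IN, host, "172.21.1.10"))    # deny (VLAN 1 host)
    print(evaluate(VLAN2_IN, host, "198.51.100.10"))  # permit (Internet)
    print(shadowed(VLAN2_IN), shadowed(VLAN2_IN_MISORDERED))  # [] [1]
```

A routed ACL is stateless, so this inbound ACL on VLAN 2 does not by itself stop VLAN 1 hosts from initiating connections into VLAN 2; the mirror entries go on VLAN 1.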

Occasional Advisor

Re: Aruba 2930f - how do you enable ip routing?

I was able to remove the static route with the no ip route command, however I cannot send traffic between the 2 VLANs, and only the 172 VLAN has Internet access.

Honored Contributor

Re: Aruba 2930f - how do you enable ip routing?

Hi JarlBalgruuf, are you able to post the sanitized [*] configuration guide of your Aruba 2930F?

[*] sanitized = MAC Addresses, Serial Numbers and all other potentially sensitive information should be carefully removed or, at least, partially obfuscated.

Occasional Advisor

Re: Aruba 2930f - how do you enable ip routing?

Regular Advisor

Re: Aruba 2930f - how do you enable ip routing?

If the switch is connected to Fortigate (even low end model like 80) then IMO it is much easier to do the routing on Fortigate (it is just easier)

Solution

Re: Aruba 2930f - how do you enable ip routing?

Hello

I would also suggest removing the config line: ip default-gateway 172.21.1.240. ip default-gateway is only used when routing is not enabled. After enabling routing you should configure a static default route to the firewall:

ip route 0.0.0.0/0 172.21.1.240

I think it is also important to make sure that end devices in VLAN 2 are using the IP of the switch in VLAN 2, 192.168.0.238, as their default gateway.

The firewall should have a static route indicating that IP subnet 192.168.0.0/24 can be reached via 172.21.1.240. Something like ip route 192.168.0.0/24 172.21.1.240, but of course the syntax may be different. Otherwise there is no way for the firewall to know how it can route return traffic to this subnet.

Another option is to enable a routing protocol like RIP between the switch and the firewall, but this would make it unnecessarily complex.

I am an HPE employee

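As an added example (not code from the thread, from Aruba or from HPE), here is a small Python model of the routing described in parnassus's first reply and in the solution post above: it parses the `ip route <network>/<prefixlen> <next-hop>` lines used in this thread, performs longest-prefix matching, and traces a VLAN 2 host's packet to the Internet and the reply back, with and without the return route on the firewall. Assumed values: the switch's VLAN 1 address is 172.21.1.241, the firewall's upstream next hop is 203.0.113.1, and the host and remote addresses are constructed from documentation ranges.

```python
import ipaddress

def parse_routes(config_text):
    """Parse 'ip route <network>/<prefixlen> <next-hop>' lines (the form used in
    this thread) into (network, next_hop) pairs; other config lines are ignored."""
    routes = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[:2] == ["ip", "route"]:
            routes.append((ipaddress.ip_network(parts[2]), parts[3]))
    return routes

def lookup(device, dst):
    """Longest-prefix match over a device's connected networks and static routes.
    Returns 'connected', a next-hop address, or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nh in [(n, "connected") for n in device["connected"]] + device["routes"]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def net(cidr):
    return ipaddress.ip_network(cidr)

# Constructed lab model from the thread. With 'ip routing' on, both VLANs are
# connected networks on the switch and its route of last resort is the FortiGate.
# Assumed: switch VLAN 1 address 172.21.1.241, firewall upstream next hop 203.0.113.1.
SWITCH = {"connected": [net("172.21.0.0/16"), net("192.168.153.0/24")],
          "routes": parse_routes("ip route 0.0.0.0/0 172.21.1.240")}
FIREWALL_NO_RETURN = {"connected": [net("172.21.0.0/16")],
                      "routes": parse_routes("ip route 0.0.0.0/0 203.0.113.1")}
FIREWALL_WITH_RETURN = {"connected": [net("172.21.0.0/16")],
                        "routes": parse_routes("ip route 0.0.0.0/0 203.0.113.1\n"
                                               "ip route 192.168.153.0/24 172.21.1.241")}

def round_trip(firewall, host="192.168.153.50", remote="198.51.100.10"):
    """Trace host (VLAN 2) -> remote through the switch and firewall, then the
    reply back. Returns (outbound_hops, reply_hops). Without a return route the
    firewall's own default route sends the reply upstream instead of to the switch."""
    outbound = [lookup(SWITCH, remote), lookup(firewall, remote)]
    reply = [lookup(firewall, host)]
    if reply[0] == "172.21.1.241":           # handed back to the switch
        reply.append(lookup(SWITCH, host))
    return outbound, reply

if __name__ == "__main__":
    print("no return route on firewall:", round_trip(FIREWALL_NO_RETURN))
    print("with return route:          ", round_trip(FIREWALL_WITH_RETURN))
```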