SOLVED
Hi! to let the Aruba 2930F to enable its IPv4 Routing features you just need to execute the ip routing CLI Command in config mode (then write memory).
Doing that your two defined VLANs will be routed each others (by means of the Aruba 2930F -> the static route you set will be then, and actually is, erroneous).
The point is: do you want the Aruba 2930F to do the router for your VLANs or do you want your FortiGate 80C Firewall to do the router?
In the first case go with ip routing and then you will just need to instruct the Aruba 2930F with a Route of Last Resort in order to route all packets to all other non local destinations via your FortiGate 80C Firewall which acts as next-hop (ip route 0.0.0.0 mask 0.0.0.0 via 172.21.1.240). Clearly your Firewall will need how to get back to VLAN 2 (192.168.153.0/24) and usually this can be achieved by configuring a static route on the Firewall (something like 192.168.153.0 255.255.255.0 via 172.21.1.241) otherwise VLAN 2 will be inaccessible by the Firewall being that VLAN behind the Aruba 2930F (remember: the FortiGate is on your VLAN 1 [*] so it already know how to reach hosts in that VLAN).
[*] An alternative approach (always with routing on the Switch) would be to use a Transit VLAN between the FortiGate 80C and the Switch on a dedicated VLAN...but that is another story...that's basically to avoid having the Firewall on VLANs dedicated to hosts and place it on a /30 or /31 subnet with the corresponding Switch IP on that Transist VLAN. That way the Firewall will need to know how to reach ALL VLANs behind the Aruba 2930F excluded the Transit one and, viceversa, the static RoLR will point to the Firewall IP on the Transit VLAN instead of its IP on VLAN 1 (as happens today in your setup).
In the second case your configuration will change a little bit more.
I'm not an HPE Employee
Hello,
I agree with everything parnassus wrote, just would like to add something. I see the config line "management-vlan 1" in the screenshot. The idea of this feature is to restrict management access only to ports members of this vlan. For this reason routing between management VLAN and other VLANs is not allowed. Routing between VLAN 1 and VLAN2 will not be possible so this line should be removed. Management access will still be possible via any IP address of the switch.
Hi JarlBalgruuf,
@JarlBalgruuf wrote:If the static route that I added is not needed, how does one go about removing it?
To remove/delete a static route try with the no ip route CLI command by fully specifying the involved remote network/host and the related subnet mask. Then verify with the show ip route. Do not forget to save with the usual write memory.
@JarlBalgruuf wrote: if all VLANs route between each other by default, how would yo go about stopping that? We only want VLANs we specify to communicate to each other.
You need to deploy appropriate ACLs (Access Control Lists).
I'm not an HPE Employee
Hi JarlBalgruuf, are you able to post the sanitized [*] configuration guide of your Aruba 2930F?
[*] sanitized = MAC Addresses, Serial Numbers and all other potentially sensitive information should be carefully removed or, at least, partially obfuscated.
I'm not an HPE Employee
Hello
I would also suggest to remove the config line : ip default-gateway 172.21.1.240. Ip default-gateway is only used when routing is not enabled. After enabling routing you should configure a static default route to the firewall
ip route 0.0.0.0/0 172.21.1.240
I think it is also important to make sure that end devices in VLAN 2 are using the IP of the switch in VLAN 2 192.168.0.238 as their default gateway.
The firewall should have a static route indicating that IP subnet 192.168.0.0/24 can be reached via 172.21.1.240. Something like ip route 192.168.0.0/24 172.21.1.240 but of course the syntax may be different. Otherwise there is no way for the firewall to know how it can route return traffic to this subnet.
Another option is to enable a routing protocol like rip between the switch and the firewall but this would make it unnecessey complex.
It's quite clear the OP already had all the relevant information [*] to perform a proper switch configuration (Route of Last Resort included, as initially told), the default gateway configuration line is practically not relevant once the routing is enabled...so now it's a matter for him/her to understand how the routing between end-devices on VLAN 1 and 2 and the Firewall (and vice-versa) is going to be tested...check edge devices (their IP Settings), disable their OS firewalls (if any), check the Fortigate logs to see if there are incoming packets from VLANs and evaluate its responses (traffic back).
[*] "In the first case go with ip routing and then you will just need to instruct the Aruba 2930F with a Route of Last Resort in order to route all packets to all other non local destinations via your FortiGate 80C Firewall which acts as next-hop (ip route 0.0.0.0 mask 0.0.0.0 via 172.21.1.240). Clearly your Firewall will need how to get back to VLAN 2 (192.168.153.0/24) and usually this can be achieved by configuring a static route on the Firewall (something like 192.168.153.0 255.255.255.0 via 172.21.1.241) otherwise VLAN 2 will be inaccessible by the Firewall being that VLAN behind the Aruba 2930F (remember: the FortiGate is on your VLAN 1 [*] so it already know how to reach hosts in that VLAN)."
I'm not an HPE Employee