HPE Aruba Networking & ProVision-based

E5406zl VLAN configuration

 
adurotec
New Member


Have some experience with the E5406zl chassis switch but it's been a while and I am transitioning from Dell switches in a limited vlan configuration.  I have added a basic configuration to the 2 5406 switches I am configuring and have defined multiple vlans, assigning each switch an IP in the corresponding VLAN, all of which are private (within the 10.50.0.0/16 subnet).  I haven't enabled routing yet but will be doing so, configuring VRRP between the 2 switches.  During the transition I need to maintain the current public subnet (vlan104) until we convert to NAT so I have added this existing VLAN to both 5406 switches.

 

If I enable ip routing on the switches, can I keep vlan104 "isolated" from the rest of the vlans that will be setup using VRRP for inter-vlan routing?  I want to keep vlan104 forwarding traffic to our FW which is the current GW for this vlan while all other vlans in the 10.50.0.0/16 network use the 10.50.5.0/29 network I have setup between the 5406 switches and the other interface on my FW.

 

Not knowing for sure, and not wanting to assume this is possible, I didn't want to start configuring it and realize that all vlans now have to participate in routing and vlan104 can't stay a simple layer2 vlan using a default GW to the FW.

 

Thanks!

David 

1 REPLY
paulgear
Esteemed Contributor

Re: E5406zl VLAN configuration

There are a couple of different options here - which one is best for your situation depends on your requirements and your existing setup:

  1. Do not configure an IP address on VLAN 104.  This is the simplest and most straightforward: if you don't have an IP on that VLAN, you can't route to/from it.  However, if you need access to the switch or to other VLANs behind the switch from VLAN 104, then this solution will not work.
  2. Configure an IP address on VLAN 104, but do not make it the default gateway for the subnet on VLAN 104.  This has the disadvantage that people can still manually configure a route through the switch on an end node, but might be OK depending on your security requirements.
  3. Configure an IP address on VLAN 104, and prevent it from routing using ACLs.  An appropriate access list on the VLAN interface will prevent routing from occurring.  This is the most complex solution, but is the only way to allow the switch to have an address on VLAN 104 and still maintain full security.

On my network I presently use a combination of methods 1 & 2, but am moving towards 3 for all VLANs.

 

P.S. Another simple solution that might work but I discounted because it's a bit of a hack is to make VLAN 104 the management VLAN for your switch.  It will only work in very limited circumstances, but might apply to your situation.  Check out the documentation for more details.

Regards,
Paul
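
A sketch of option 3 from the reply above, added here as an example and not taken from either poster's configuration. It uses ProVision routed-ACL syntax; the ACL names are hypothetical and every 203.0.113.x address is a constructed stand-in for the public VLAN 104 subnet and the switch's address on it, so check the exact syntax against the Access Security Guide for the installed firmware.

```text
; Constructed values: 203.0.113.0/24 = VLAN 104 subnet (placeholder),
; 203.0.113.2 = this switch's address on VLAN 104 (placeholder).

; Inbound on VLAN 104: hosts may talk to the switch's own address,
; anything the switch would have to route elsewhere is dropped and logged.
ip access-list extended "VLAN104-IN"
   10 permit ip 203.0.113.0 0.0.0.255 203.0.113.2 0.0.0.0
   20 deny ip any any log
   exit

; Outbound on VLAN 104: only traffic sourced from the switch's own
; address may leave towards the VLAN; traffic routed in from the
; 10.50.0.0/16 VLANs is dropped and logged.
ip access-list extended "VLAN104-OUT"
   10 permit ip 203.0.113.2 0.0.0.0 203.0.113.0 0.0.0.255
   20 deny ip any any log
   exit

; Bind both ACLs to the VLAN interface as routed ACLs.
vlan 104
   ip address 203.0.113.2 255.255.255.0
   ip access-group "VLAN104-IN" in
   ip access-group "VLAN104-OUT" out
   exit
```

A routed ACL only evaluates traffic the switch routes or that is addressed to the switch itself, so hosts on VLAN 104 that keep the firewall as their default gateway are still switched at layer 2 and are unaffected. With VRRP, the second 5406 needs the same ACLs with its own VLAN 104 address substituted.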