Re: MGMT VLAN / Asymmetric Routing questions

boombasstic
New Member

MGMT VLAN / Asymmetric Routing questions

Hi,

It's my first post here, English is not my native language and my knowledge of networking is average, so please bear with me.

To best summarise my issue, I'll paste a link to a post I found about a similar issue which was fixed by using VRF, which is not possible with the Aruba switch I am using.

https://ltlnetworker.files.wordpress.com/2015/08/m13-asymm-external.png?w=660&h=643 

I have a management network 10.14.0.x with my servers on it, and a layer 3 core switch (2930F) with routing on.

There is a transit VLAN between my firewall and my core switch, and the management interface of my firewall is connected to an untagged management VLAN port of the core switch.

I would like to be able, when I connect from VPN to my firewall, to access the management VLAN and the other VLANs.

The problem is that it creates an asymmetry, the core switch's default route being the firewall transit interface.

What would be the best practice to do such thing?

I guess I could just remove the management link between firewall and core, and route everything through the transit VLAN, but isn't it better to have a dedicated management interface?


Thanks in advance.

akg7
HPE Pro

Re: MGMT VLAN / Asymmetric Routing questions

Hello,

Is it possible for you to share the detailed network diagram?

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not) are my own and are not any official representation of the company.
parnassus
Honored Contributor

Re: MGMT VLAN / Asymmetric Routing questions

Hi @boombasstic I don't see any routing asymmetry: I mean...I don't see it necessarily...the OoBM interface of your Firewall is indeed truly OoB (isn't it?) and it should admit an IP, a Subnet Mask and a Default Gateway...so, de facto, it's like having a host connected (as it is exactly in your scenario) to your internal infrastructure: the Firewall's OoBM interface should then be treated as any other host LAN interface...it should use the SVI on your Aruba 2930F Core Switch (IP Routing enabled) as its default gateway and thus, to reach any other (permitted) outside network, like any other host of your internal network (considering the same network segment) it will use your routing Aruba 2930F, which then will use its Transit VLAN to route traffic for any other non-locally connected network (0/0 via Transit IP on Firewall LAN interface).

I don't see any asymmetry...neither for the outgoing traffic route (Core Switch directly connected Internal network(s) -> Core Switch Transit VLAN -> Firewall LAN -> NAT -> Firewall WAN -> VPN Tunnel through Internet -> VPN Client) nor for the incoming one (Internet VPN Client -> VPN Tunnel through Internet -> Firewall WAN -> NAT -> Firewall LAN -> Core Switch Transit VLAN -> Core Switch directly connected Internal network(s)).

Am I wrong, and are there potentially missing details in your description that would invalidate my thoughts?


I'm not an HPE Employee
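The two situations discussed in this thread (the firewall's management interface in the data-plane routing table versus a truly out-of-band one, as parnassus describes) can be checked with a small route-lookup simulation. This is an added example, not code from the thread or from any vendor; all prefixes (mgmt VLAN 10.14.0.0/24, transit VLAN 10.99.0.0/30, VPN pool 10.200.0.0/24) and node names are constructed for illustration.

```python
import ipaddress

# Constructed addressing (not from the post): mgmt VLAN 10.14.0.0/24,
# transit VLAN 10.99.0.0/30, VPN client pool 10.200.0.0/24.
# A forwarding table is a list of (prefix, next_hop); next_hop None means
# the prefix is directly connected and the node delivers the packet itself.
def lookup(table, dst):
    """Longest-prefix match; returns the next-hop node, or None if connected."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if addr in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, src, dst):
    """Routers traversed from src towards dst, ending at the one that delivers."""
    hops, node = [], src
    for _ in range(16):                      # loop guard
        nh = lookup(tables[node], dst)
        if nh is None:
            return hops                      # delivered on a connected network
        hops.append(nh)
        node = nh
    raise RuntimeError("routing loop")

def is_asymmetric(tables, a, a_ip, b, b_ip):
    """True when the return path does not retrace the forward path. A stateful
    firewall that sits on only one of the two paths sees half of each flow."""
    fwd = trace(tables, a, b_ip)
    ret = trace(tables, b, a_ip)
    return fwd != list(reversed(ret))

SERVER = [("10.14.0.0/24", None), ("0.0.0.0/0", "core")]      # gateway = core SVI
VPN    = [("0.0.0.0/0", "firewall")]                          # client in tunnel
CORE   = [("10.14.0.0/24", None), ("10.99.0.0/30", None), ("0.0.0.0/0", "firewall")]
# Out-of-band: the mgmt port is not in the firewall's data-plane table, so the
# mgmt VLAN is reached via the core over the transit VLAN.
FW_OOB    = [("10.99.0.0/30", None), ("10.200.0.0/24", None), ("10.14.0.0/24", "core")]
# In-band: the mgmt port is a connected route, which beats the route via core.
FW_INBAND = [("10.99.0.0/30", None), ("10.200.0.0/24", None), ("10.14.0.0/24", None)]

def scenario(fw_table):
    """Server in the mgmt VLAN talking to a VPN client; is the path asymmetric?"""
    tables = {"server": SERVER, "vpn": VPN, "core": CORE, "firewall": fw_table}
    return is_asymmetric(tables, "server", "10.14.0.10", "vpn", "10.200.0.5")

if __name__ == "__main__":
    print("mgmt interface in-band, asymmetric:", scenario(FW_INBAND))   # True
    print("mgmt interface out-of-band, asymmetric:", scenario(FW_OOB))  # False
```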