08-30-2018 08:12 PM
Distinct and separate internet access for select vLANs on a routing enabled HPE Aruba 5412r zl2
Have a set of 10 vLANs on this core switch.
Switch has base “ip routing” enabled, nothing else.
All devices on the vLANs utilize the IP address assigned to the given vLAN on the switch for their default gateway.
Software revision : KB.16.06.0006
All modules are v3
vLAN 255 (172.16.255.254/24) – all systems on this vLAN need to use the next hop of 172.16.255.1, a firewall within the same subnet to access the internet.
vLAN 254 (172.16.254.254/24) all systems on this vLAN need to use the next hop of 172.16.254.1, a firewall within the same subnet to access the internet.
vLAN 2,3,4,5,6,7,8,253 (172.16.[2,3,4,5,6,7,8,253].254/24) all systems on these vLANs need to use the next hop of 172.16.253.1, a firewall allowing access to the internet.
What is the best approach to allow the switch to handle all inter vLAN routing and also allow the individual default routes to reach the internet for the given subnet scenarios above?
Thank you!
08-31-2018 06:20 AM
Re: Distinct and separate internet access for select vLANs on a routing enabled HPE Aruba 5412r zl2
Since IP Routing is already enabled, inter-VLAN routing is already active too.
Your other request would be satisfied by creating an 11th VLAN to be used only as a transit VLAN between your core switch and your Firewall.
I'm not an HPE Employee

09-09-2018 05:19 PM
Re: Distinct and separate internet access for select vLANs on a routing enabled HPE Aruba 5412r zl2
1. In a standard user network, you should only have one router in a host subnet, not 2.
The purpose of routing is not to route between two addresses that are in the same subnet. Unless the firewall is the router for a subnet, it should not have an IP address in that subnet; your Core switch should route to it using a dedicated transit subnet that has no hosts in it.
If you have two routers in a subnet, it is the host that needs to choose the correct one, not one of those routers.
2. You could do the following for each host subnet that has 2 routers in it:
- configure DHCP Option 3 to be the .1 address.
- configure DHCP options 121 & 249 with the .254 address as a route for each internal subnet.
3. If you make the Core switch default route 172.16.253.1, that should catch all the remaining subnets, but this will create asymmetric routing, so it would be better to not use on the firewall any IP address that belongs to a host subnet.
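
The DHCP approach in step 2 of the reply above, shown as an added example that is not part of any post in this thread: it builds and parses the RFC 3442 payload carried by options 121 and 249 (249 is the Microsoft code for the same encoding) for the subnets named in the question. The function names are hypothetical. One assumption beyond the thread: RFC 3442 requires clients that accept option 121 to ignore option 3, so the default route via the firewall is repeated inside the option.

```python
import ipaddress

def encode_classless_routes(routes):
    """Encode (destination CIDR, router) pairs as an option 121/249 payload."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.ip_network(dest)
        out.append(net.prefixlen)                       # width of the subnet mask
        # Only the significant octets of the destination are sent (RFC 3442).
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += ipaddress.ip_address(router).packed      # next hop, always 4 octets
    if len(out) > 255:
        raise ValueError("payload does not fit in a single DHCP option")
    return bytes(out)

def decode_classless_routes(payload):
    """Parse an option 121/249 payload back into (destination CIDR, router) pairs."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        n = (width + 7) // 8
        if width > 32 or i + 1 + n + 4 > len(payload):
            raise ValueError(f"malformed route entry at offset {i}")
        dest = ipaddress.ip_address(payload[i + 1:i + 1 + n] + bytes(4 - n))
        router = ipaddress.ip_address(payload[i + 1 + n:i + 5 + n])
        routes.append((f"{dest}/{width}", str(router)))
        i += 5 + n
    return routes

# Constructed from the thread: VLAN ids, switch address .254, firewall address .1.
VLANS = (2, 3, 4, 5, 6, 7, 8, 253, 254, 255)

def routes_for_vlan(vlan_id):
    """Routes for a host subnet that holds both the switch and a firewall."""
    if vlan_id not in (253, 254, 255):
        raise ValueError("only VLANs 253, 254 and 255 contain a firewall address")
    switch, firewall = f"172.16.{vlan_id}.254", f"172.16.{vlan_id}.1"
    routes = [(f"172.16.{v}.0/24", switch) for v in VLANS if v != vlan_id]
    # Clients that honour option 121 ignore option 3, so the default route
    # has to be repeated inside the option itself.
    routes.append(("0.0.0.0/0", firewall))
    return routes

if __name__ == "__main__":
    for vlan in (253, 254, 255):
        print(vlan, encode_classless_routes(routes_for_vlan(vlan)).hex())
```

The printed hex string is the value to enter in a DHCP server that takes raw option data; decoding a payload captured from a lease is a quick check that hosts receive the internal routes via .254 and the default via .1.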