SOLVED
Where is placed you Router to access the Internet?
Say you have:
- VLAN X (Subnet 192.168.0.0/24 IP Address of VLAN X Logical Interface set to 192.168.0.1)
- VLAN Y (Subnet 10.0.0.0/24 IP Address of VLAN Y Logical Interface set to 10.0.0.1)
- Some untagged ports members of VLAN X (thus VLAN unaware edge devices/hosts become members of VLAN X)
- Some other untagged ports members of VLAN Y (thus VLAN unaware edge devices/hosts become members of VLAN Y)
Where is placed the Router to non local (all remote) networks? Is it on VLAN X or Y? or is it on a VLAN Z used as transit VLAN? Do VLAN X and Y partecipate to IP Routing? in other terms...an host on VLAN X is able to ping an host on VLAN Y and vice-versa provided that the IP Routing is already set and work correctly at switch level? Does your Router know how to get back to all VLANs (obviously it knows how to get back to VLAN it is already member of since it is already directly connected to)?
I'm not an HPE Employee
Hi, the point is that if you enable the IPv4 Routing at Switch level then, once defined VLAN ids are configured with their non overlapping IP Addresses (say VLAN X has the 192.168.0.1/24 and VLAN Y has the 10.0.0.1/24), all VLANs become subject to IP Routing by means of the switch Layer 3 feature. So any host will be routed to any other host provided that IP configurations (assignments) at switch and hosts levels are corrects. So to segregate you need to act at switch level with ACL (Access Control List).
Another way is to work with a Switch in Layer 2 mode (so no IP Addresses on VLAN X and Y), only access ports untagged on VLAN X and untagged on VLAN Y and an uplink port tagged with VLAN X and VLAN Y to your Router/Firewall...the Router/Firewall will be responsible to (and act as the default gateway for) your hosts on VLAN X and VLAN Y. Basically it should have sub-interfaces of the LAN Ethernet (Downlinked to the Switch): one on VLAN X and other one on VLAN Y...with matching VLAN Id.
At that point the Router will have (Say it works with eth0 for LAN): eth0.VLAN_X_id (Say eth0.100) and eth0.VLAN_Y_id (Say eth0.200) if we suppose you're working with VLAN 100 and VLAN 200 on the Switch. So eth0.100 will have the 192.168.0.1/24 and it will be the D.G. for all hosts on VLAN 100 on the Switch, the same for eth0.200 but, in that case, the IP address will be 10.0.0.1/24.
At that point the Rotuer/Firewall will have the full responsability to say who-can-go-where (VLAN X to VLAN Y and vice-versa, VLAN X to Internet, VLAN Y to Internet)...and its downlink to the switch is just a leg (well, two logical legs over a single physical link) for reaching the VLAN X hosts and the VLAN Y hosts...those hosts will be segmented and segregated if the Router will be configured to do so. And that is without IP Routing and ACL at the Switch level.
Clearly the Switch will have an IP so you can continue to manage it.
I'm not an HPE Employee