05-16-2018 02:44 AM
Hi folks, I'm very new to Aruba switches so would appreciate some pointers on how to configure my network.
I have a 2930f and a 2540. I've configured my 2930f as L3, with intervlan routing and point-to-point connection to the firewall, and reverse route from firewall back to the 2930f for all the corresponding subnets. Everything is working fine.
I am now scratching my head on how to configure the 2540 as L2 only.
My understanding (based on what I've read) is to NOT use the default VLAN (I'll remove ports associated with VID 1 on the 2930f as I continue the config).
Further, since all routing should be done by the 2930f, is it correct to configure all the VLANs on the 2540 with no ip address and no ip routes?
And now I'm trying to figure out how to configure the 2540's management to be on VLAN 100 and still be accessible throughout the network, when no IP routes and IP addresses are associated with the VLANs on the 2540.
Any guidance will be much appreciated. Below is the config for my 2930f. Thanks.
Startup configuration: 48

; JL254A Configuration Editor; Created on release #WC.16.05.0007
; Ver #12:08.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:ba
hostname "2930-1"
module 1 type jl254a
timesync ntp
no sntp
ntp unicast
ntp server 22.214.171.124 iburst
ntp enable
time timezone 480
ip default-gateway 10.81.6.1
ip route 0.0.0.0 0.0.0.0 10.81.6.1
ip route 10.81.10.0 255.255.255.0 vlan 100
ip routing
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   no untagged 25-29,36,39-40,48
   untagged 1-24,30-35,37-38,41-47,49-52
   ip address 10.81.0.1 255.255.255.0
   exit
vlan 60
   name "Firewall_VLAN"
   untagged 48
   ip address 10.81.6.2 255.255.255.0
   exit
vlan 100
   name "Mgmt_VLAN"
   untagged 25-29,36
   tagged 45
   ip address 10.81.10.1 255.255.255.0
   exit
vlan 160
   name "Printers_VLAN"
   tagged 45
   ip address 10.81.16.1 255.255.255.0
   exit
vlan 200
   name "Wired_Data_VLAN"
   untagged 40
   tagged 45
   ip address 10.81.20.1 255.255.255.0
   dhcp-server
   exit
vlan 440
   name "DVR_VLAN"
   tagged 45
   ip address 10.81.44.1 255.255.255.0
   exit
vlan 600
   name "Voice_VLAN"
   tagged 45
   ip address 10.81.60.1 255.255.255.0
   voice
   exit
vlan 999
   name "FortiGate_VLAN"
   untagged 39
   ip address 192.168.0.222 255.255.255.0
   exit
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
dhcp-server pool "wired-data-static"
   authoritative
   default-router "10.81.20.1"
   dns-server "126.96.36.199"
   lease infinite
   static-bind ip 10.81.20.68 255.255.255.0 mac 00051b-a28ee4
   exit
dhcp-server enable
password manager
password operator
05-16-2018 11:13 AM
If you want your 2540 to be L2-only — with the exception of the management VLAN — you would configure your VLANs as you suggested, with no IP addresses or associated routes, and have them be tagged on the uplink to the 2930F.
The management VLAN itself would have an IP address (and a gateway, if your management stations are on a different subnet); it can even use the same uplink port as the rest of the VLANs without causing issues. Note that you do not need to enable IP routing on the 2540 itself, as it would not be performing any inter-VLAN routing (this occurs on the 2930F, as intended).
You would also want to apply appropriate security configuration to limit access to authorized users, using the ArubaOS-Switch Hardening Guide as a reference.
Matthew Fern | Technical Marketing Engineer, Wired Intelligent Edge
Aruba, a Hewlett Packard Enterprise Company
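
The 2540 side of the design described in the reply above, as an added example that is not part of the original posts or Aruba's own configuration. It assumes port 48 on the 2540 is the uplink to port 45 on the 2930F, 10.81.10.2 is the 2540's management address, and ports 1-24 are access ports; the hostname is also hypothetical.

```text
; Added example for an L2-only 2540. Assumed, not from the thread:
;   uplink = port 48 (to 2930F port 45), management IP = 10.81.10.2,
;   access ports = 1-24, hostname "2540-1".
hostname "2540-1"
; No "ip routing" on this switch: the 2930F does all inter-VLAN routing.
; The default gateway is the 2930F's VLAN 100 address, so management
; traffic from other subnets can be answered.
ip default-gateway 10.81.10.1
vlan 1
   name "DEFAULT_VLAN"
   no ip address
   exit
; Management VLAN: the only VLAN on the 2540 with an IP address.
vlan 100
   name "Mgmt_VLAN"
   tagged 48
   ip address 10.81.10.2 255.255.255.0
   exit
; Remaining VLANs are L2 only: same VIDs as the 2930F, tagged on the uplink.
vlan 160
   name "Printers_VLAN"
   tagged 48
   exit
vlan 200
   name "Wired_Data_VLAN"
   untagged 1-24
   tagged 48
   exit
vlan 440
   name "DVR_VLAN"
   tagged 48
   exit
vlan 600
   name "Voice_VLAN"
   tagged 1-24,48
   voice
   exit
; Restrict who can manage the switch, following the hardening pointer above.
; Add one authorized-managers entry per subnet that hosts management stations.
ip authorized-managers 10.81.10.0 255.255.255.0 access manager
no telnet-server
ip ssh
```

With only the management subnet listed under `ip authorized-managers`, stations in other VLANs are refused even though they can route to 10.81.10.2 through the 2930F.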