Wired Intelligent Edge


Management IP on S2500

  • 1.  Management IP on S2500

    Posted Jun 14, 2014 02:36 AM

    I have an S2500 serving as a router in my main distribution closet. Several VLANs are configured with VLAN Interfaces. Each VLAN Interface is assigned the gateway IP of the VLAN it represents.

     

    I have an S2500 as the uplink switch for each intermediate distribution closet that I want to work at layer 2 alone. It should pass VLANs on trunk ports and data to access ports but no routing.

     

    I want to put an IP address on my layer 2 closets to access the GUI but it then creates routes that cause me problems. How do I put a management IP on the switch without routing?

     

    Can I disable routing like on a Cisco (no ip route)?

     

    Thanks for the help,



  • 2.  RE: Management IP on S2500

    EMPLOYEE
    Posted Jun 14, 2014 02:43 AM
    Any L3 interface that you have set on the stack can be used as a management address.


  • 3.  RE: Management IP on S2500

    Posted Jun 14, 2014 02:47 AM

    I understand. The problem is that I don't want an L3 interface. I don't want the intermediate closets routing. However, I want to put an IP address on the switch so I can access the GUI. How do I do that?



  • 4.  RE: Management IP on S2500

    EMPLOYEE
    Posted Jun 14, 2014 02:50 AM
    Not sure I understand. If you want an independent mgmt interface, you can use the out of band management port on the back of the switch.


  • 5.  RE: Management IP on S2500

    Posted Jun 14, 2014 03:01 AM

    I may not fully understand how the out of band interface works. My understanding is that it would be on a completely different network making it "out of band".

     

    Most of my layer 2 switches at my intermediate distribution frames allow me to assign a management IP to the switch. The management IP is not "out of band" so I can access the switch via the IP from any VLAN in my network due to the layer 3 switch at the Main Distribution Frame.

     

    It seems that if I give an IP address to an S2500, it has to be on a layer 3 interface. That creates routes that conflict with my true router at the Main Distribution Frame.

     

    How do I avoid this?



  • 6.  RE: Management IP on S2500

    EMPLOYEE
    Posted Jun 14, 2014 04:17 AM

    Mark,

    Your understanding is correct, the out-of-band port is a separate network and a different physical port (rear of the chassis).

     

    Back to your initial question/issue, I can confirm we do not have a "no ip routing" command. Now what I'd like to better understand is if the issue you're concerned with is if you do put an IP on the switch, you want to make sure that clients don't use it as a default gateway? If that isn't the issue, then if you do put an IP address on the switch, only traffic destined to that IP is going to get routed to your defined default-gateway so it shouldn't create a conflict.

     

    Another option would be that you could put an ACL on the RVI that only allowed ssh and web-ui access so even if a client tried to use the MAS as a default-gateway, traffic would not pass. Alternatively, you could create an in-band management VLAN which is used to manage the switches but on a VLAN that clients can't get to.

     

    Perhaps you could give us a topology diagram just to understand this better?

     

    Best regards,

     

    Madani



  • 7.  RE: Management IP on S2500

    Posted Jun 14, 2014 02:05 PM

     

    It seems like this creates a routing conflict as two devices have routes to the same network. As soon as I make the 192.2 management interface, the route comes up and breaks all routing to that vlan on this switch. The MDF continues to work fine. However, it can not reach this switch on vlan13.

     

    Routes on what I would like to be the layer 2 switch at the top of IDF1 with an IP address to manage it from other VLANs.

    C 10.72.192.0/20 is directly connected: vlan13
    C 10.72.192.2/32 is directly connected: vlan13

     

    Routes on my router that is at the top of my network in the MDF

    C 10.72.0.0/20 is directly connected: vlan1
    C 10.72.0.1/32 is directly connected: vlan1
    C 10.72.32.0/20 is directly connected: vlan3
    C 10.72.32.1/32 is directly connected: vlan3
    C 10.72.192.0/20 is directly connected: vlan13
    C 10.72.192.1/32 is directly connected: vlan13
    C 10.72.241.0/24 is directly connected: vlan31
    C 10.72.241.1/32 is directly connected: vlan31
    C 10.72.254.0/24 is directly connected: vlan44
    C 10.72.254.1/32 is directly connected: vlan44
    C 10.72.255.0/24 is directly connected: vlan45
    C 10.72.255.1/32 is directly connected: vlan45

     

    Here is the result of a ping to 192.2

     

    PING 10.72.192.2 (10.72.192.2): 56 data bytes
    36 bytes from 74.112.104.1: Communication prohibited by filter
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 5400 53eb   0 0000  3d  01 29bf 192.168.2.100  10.72.192.2
    Request timeout for icmp_seq 0
    36 bytes from 74.112.104.1: Communication prohibited by filter
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 5400 01a0   0 0000  3d  01 7c0a 192.168.2.100  10.72.192.2
    Request timeout for icmp_seq 1
    36 bytes from 74.112.104.1: Communication prohibited by filter
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 5400 05be   0 0000  3d  01 77ec 192.168.2.100  10.72.192.2
    Request timeout for icmp_seq 2
    36 bytes from 74.112.104.1: Communication prohibited by filter
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 5400 91cd   0 0000  3d  01 ebdc 192.168.2.100  10.72.192.2
    Request timeout for icmp_seq 3
    36 bytes from 74.112.104.1: Communication prohibited by filter
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 5400 f59e   0 0000  3d  01 880b 192.168.2.100  10.72.192.2



  • 8.  RE: Management IP on S2500

    EMPLOYEE
    Posted Jun 14, 2014 06:04 PM

    Mark,

    So this is the topology?

     

    S2500-IDF --------- VLAN13 ---------- MDF

    10.72.192.2                                     10.72.192.1

     

    And the DG on the S2500-IDF is 10.72.192.1 right?

     

    Looking at the pings, they are sourcing from 192.168.2.100, where is that network?

     

    Can you private message me your configs? It might be easier to troubleshoot.

     

    M.



  • 9.  RE: Management IP on S2500

    Posted Jun 15, 2014 08:00 PM

    I attached a basic LAN topology we use in our building. I was hoping this would be a fairly simple problem to understand. As far as I know, most LANs still just have 1 router. And if you had turned on multiple routers in your LAN, and those routers all claimed to have a route to the same LAN directly connected to it.

     

    So, if all three closets in my diagram have a total of 6 data and PoE switches (2 switches per closet), I now have 6 routers in my LAN that claim to have VLAN 13 directly connected supported by routes.

     

    If I leave the IP unconfigured on all switches except the desired router, everything works fine. The problem is that I can't use the GUI or connect to the switch remotely to manage it.

     

    As soon as I configure an IP on VLAN 13, a route is created and the VLAN breaks on that switch.

     

    There must be a way to avoid this, I just don't know how.

    Attachment: Building LAN.pdf (35 KB)


  • 10.  RE: Management IP on S2500

    Posted Jun 15, 2014 09:05 PM

    Ok. I got another detail. After more testing I have found that the routing only breaks on one IP: the management IP on VLAN 13 on the non-router closets. If my computer is on VLAN 13, I can reach it. Routing for all other devices on VLAN 13 works fine.

     

    So, why would just the interface IP not route? Does it have something to do with the /32 route that is created? Why are there 2 routes for each configured interface?

     

    Very different behavior from Cisco...



  • 11.  RE: Management IP on S2500

    EMPLOYEE
    Posted Jun 16, 2014 09:02 AM

    Mark,

    Can you private message me the configurations?

     

    I'm still not following how routing is breaking when you add an IP. Unless you are pointing clients to the management IP and there aren't complete routes, the new interface should not interfere with anything else in your environment.

     

    The reason you see two route entries is one represents the subnet simply to say we are connected to it and the second is to show what IP address we have on that subnet.

     

    Best regards,

     

    Madani



  • 12.  RE: Management IP on S2500

    Posted Jun 18, 2014 07:28 PM

    Sorry for the slow response. This problem has been resolved. The unset gateway IP address you mentioned earlier was the source of the problem.

     

    The cause is my lack of understanding Aruba routing. It seems quite different than Cisco routing. I'm not accustomed to having multiple devices providing routing under the same LAN. Also, I'm still confused by the need of the /32 routes in the routing table.

     

    I now understand that we're really only talking about multiple routers in the same LAN able to route between the VLANs within that LAN. I can see how this would spreadlow the internal VLAN routing keeping traffic closer to the machines communicating.

     

    The thing I would like to understand better is how routing decisions are made in the Aruba. On a Cisco, information in the routing table is there for the sole purpose of making routing decisions. If this is also true for Aruba, I'd like to know what role the /32 routes play in the routing decision.

     

    Are there any resources that explain the Aruba routing process???

     

    Thanks,
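
Added illustration, not part of any post in this thread and not Aruba's code: a minimal longest-prefix-match model of the IDF switch's route table from post 7, showing why replies from the management IP reach clients on VLAN 13 but not clients on other networks until a default gateway is set (the fix reported in post 12). Tagging the /32 entry as "local", the form of the `0.0.0.0/0` entry, and the client address 10.72.200.5 are assumptions of this sketch.

```python
import ipaddress

# Route tables modelled on the thread's figures. Tagging the /32 as "local"
# and the shape of the default-route entry are assumptions of this sketch.
IDF_NO_GW = [
    ("10.72.192.0/20", "connected", "vlan13"),
    ("10.72.192.2/32", "local", "vlan13"),
]
IDF_WITH_GW = IDF_NO_GW + [("0.0.0.0/0", "static", "10.72.192.1")]


def lookup(table, dst):
    """Longest-prefix match; returns (network, kind, target) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, kind, target in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, target)
    return best


def decide(table, dst):
    """Describe what the switch does with a packet addressed to dst."""
    hit = lookup(table, dst)
    if hit is None:
        return "drop: no route"
    net, kind, target = hit
    if kind == "local":
        return "deliver to switch management plane"
    if kind == "connected":
        return f"send directly on {target}"
    return f"forward to gateway {target}"


def reply_paths(table):
    """Where replies from the management IP go, per client location."""
    clients = {
        "client on VLAN 13": "10.72.200.5",        # constructed address
        "client on another net": "192.168.2.100",  # ping source in post 7
    }
    return {name: decide(table, ip) for name, ip in clients.items()}


if __name__ == "__main__":
    for label, table in (("no gateway", IDF_NO_GW), ("gateway set", IDF_WITH_GW)):
        print(label, reply_paths(table))
```

In this model the /32 entry only ever matches the switch's own address, so it decides nothing for traffic to other hosts.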