Wired Intelligent Edge

Hi folks, I'm very new to Aruba switches so would appreciate some pointers on how to configure my network.

I have a 2930f and a 2540.  I've configured my 2930f as L3, with intervlan routing and point-to-point connection to the firewall, and reverse route from firewall back to the 2930f for all the corresponding subnets.  Everything is working fine.

I am now scratching my head on how to configure the 2540 as L2 only.

My understanding (based on what I've read) is to NOT use the default VLAN (i'll remove ports associated with VID 1 on the 2930f as i continue the config).

Further, since all routing should be done by the 2930f, is it correct to configure all the VLANs on the 2540 with no ip address and no ip routes?

And now i'm trying to figure out how to configure the 2540's management to be on VLAN 100, and still can be access throughout the network, when no ip routes and ip address are associated with the VLANs on the 2540. 

Any guidances will be much appreciated.  Below is the config for my 2930f.  Thanks.

Startup configuration: 48

; JL254A Configuration Editor; Created on release #WC.16.05.0007
; Ver #12:08.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:ba
hostname "2930-1"
module 1 type jl254a
timesync ntp
no sntp
ntp unicast
ntp server 216.239.35.12 iburst
ntp enable
time timezone 480
ip default-gateway 10.81.6.1
ip route 0.0.0.0 0.0.0.0 10.81.6.1
ip route 10.81.10.0 255.255.255.0 vlan 100
ip routing
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   no untagged 25-29,36,39-40,48
   untagged 1-24,30-35,37-38,41-47,49-52
   ip address 10.81.0.1 255.255.255.0
   exit
vlan 60
   name "Firewall_VLAN"
   untagged 48
   ip address 10.81.6.2 255.255.255.0
   exit
vlan 100
   name "Mgmt_VLAN"
   untagged 25-29,36
   tagged 45
   ip address 10.81.10.1 255.255.255.0
   exit
vlan 160
   name "Printers_VLAN"
   tagged 45
   ip address 10.81.16.1 255.255.255.0
   exit
vlan 200
   name "Wired_Data_VLAN"
   untagged 40
   tagged 45
   ip address 10.81.20.1 255.255.255.0
   dhcp-server
   exit
vlan 440
   name "DVR_VLAN"
   tagged 45
   ip address 10.81.44.1 255.255.255.0
   exit
vlan 600
   name "Voice_VLAN"
   tagged 45
   ip address 10.81.60.1 255.255.255.0
   voice
   exit
vlan 999
   name "FortiGate_VLAN"
   untagged 39
   ip address 192.168.0.222 255.255.255.0
   exit
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
dhcp-server pool "wired-data-static"
   authoritative
   default-router "10.81.20.1"
   dns-server "8.8.8.8"
   lease infinite
   static-bind ip 10.81.20.68 255.255.255.0 mac 00051b-a28ee4
   exit
dhcp-server enable
password manager
password operator

Greetings!

If you want your 2540 to be L2-only — with the exception of the management VLAN — you would configure your VLANs as you suggested, with no IP addresses or associated routes, and have them be tagged on the uplink to the 2930F.

The management VLAN itself would have an IP address (and a gateway, if your management stations are on a different subnets); it can even use the same uplink port as the rest of the VLANs without causing issues.  Note that you do not need to enable IP routing on the 2540 itself, as it would not be performing any inter-VLAN routing (this occurs on the 2930F, as intended).

You would also want to apply appropriate security configuration to limit access to authorized users, using the ArubaOS-Switch Hardening Guide as a reference.

Thanks Matthew, much appreciated!