Wired Intelligent Edge

 View Only
last person joined: yesterday 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

Inter-VLAN-Routing 3810M JL075A

Jump to Best Answer
This thread has been viewed 33 times
  • 1.  Inter-VLAN-Routing 3810M JL075A

    Posted May 17, 2022 10:21 AM

    Hi,
    i have a question, i run a 3810M in Layer 3 mode with 10 VLANS and one ACL on a VLAN. Now i need a Guest VLAN. This VLAN needs Layer 2 funktion only.
    This Guest VLAN must be completely isolated from the routing.

    What is your opinion to set this?

    Regards
    NYX



    ------------------------------
    Markus Huether
    ------------------------------


  • 2.  RE: Inter-VLAN-Routing 3810M JL075A

    MVP GURU
    Posted May 17, 2022 06:34 PM
    Hello Markus, if "This Guest VLAN must be completely isolated from the routing." then you need a proper set of ACLs (with each ACL placed to manage - permit/deny - the (in)coming traffic it sees generated from VLAN's members to other destinations) that will apply to directly connected VLANs and to external ones (Rest of the World passing through a Firewall).


    ------------------------------
    Davide Poletto
    ------------------------------



  • 3.  RE: Inter-VLAN-Routing 3810M JL075A

    Posted May 18, 2022 05:22 AM
    Hi Davide, thanks for the answer.
    Is it really necessary to separate the guest VLAN via ACLs? Is it not sufficient to simply not give the guest VLAN in the 3810M an IP address (default gateway)?
    DHCP and Gateway is an external router that is in the guest VLAN.
    My consideration was to create a VLAN on all switches, tag the uplinks to other switches and not to assign an IP address to the VLAN on the 3810m. Thus the 3810m cannot route the packets. Is this feasible or are there any objetions? (security, function).

    Thanks
    NYX

    ------------------------------
    Markus Huether
    ------------------------------



  • 4.  RE: Inter-VLAN-Routing 3810M JL075A

    Posted May 18, 2022 06:21 AM

    Hi

    If the Guest VLAN is L2 only on the switches I don't see any security issues.
    L3 interfaces You have on switches can't communicate neither share any information with L3 on ISP router. Assuming You don't route corporate Internet traffic out using Guest Vlan L3 = only Guest Vlan ports are able to use ISP router for any routing  to Internet only.
    Corporate users have separated Internet access, right.

    If required hard isolation:
    Strict option is to use Private VLAN , this really isolates all but give access to Gw port of ISP router and further if needed  isolates traffic between switch ports in Guest Vlan so it provides isolation restricting even Guest Vlan users to see each other (p-2-p blocking). I don't think this is what You are seeking but if required:
    https://techhub.hpe.com/eginfolib/Aruba/16.09/5200-5909/index.html#v35726672.html

    And You can test Your solution with Your PC only before implementing it to production finally. To verify.
    Br
    Juha-Pekka



    ------------------------------
    Juha-Pekka Lepp�nen
    ------------------------------



  • 5.  RE: Inter-VLAN-Routing 3810M JL075A

    Posted May 18, 2022 07:34 AM
    Hi, there is no corporate Internet traffic out using Guest VLAN. The guest VLAN will have his own connection to the internet.
    The 3810M is set as Layer 3. All other switches are Layer 2.
    Is it enough on the 3810M to give the guest VLAN no ip to akt as a Layer 2 VLAN on the Layer 3 switch? or i have to set a command for the guest VLAN to akt as a Layer 2 VLAN?

    thanks
    NYX

    ------------------------------
    Markus Huether
    ------------------------------



  • 6.  RE: Inter-VLAN-Routing 3810M JL075A

    Posted May 18, 2022 07:45 AM
    On switches, any or selected create Guest VLAN in L2 only. Then connect IPS router to one of L2 ports.
    Uplinks You tag  Guest Vlan to allow traffic between switches. Its L2 traffic since L3 is in ISP router
    Thats all. Then You have L2 on switches and L3 only in ISP router
    Br
    Juha-PEkka

    ------------------------------
    Juha-Pekka Lepp�nen
    ------------------------------



  • 7.  RE: Inter-VLAN-Routing 3810M JL075A
    Best Answer

    MVP GURU
    Posted May 18, 2022 04:47 PM
    That's clear, you can have a Layer 2 VLAN on your Layer 3 Aruba 3810M (acting as Layer 3 = routing for its SVI), since the VLAN for Guests is not going to have a SVI interface on the Aruba 3810M (but that VLAN will have the SVI on the dedicated ISP Router) then that VLAN is not going to partecipate to the IP routing provided by the Switch to its other directly connected VLANs with IP addresses (SVI)...in other terms...that VLAN for Guest is just a Layer 2 extension from the ISP LAN port (and this explains why you need proper tagging on the Aruba 3810M dedicated uplink port to that ISP Router, that's driven by the ISP Router LAN port settings where you will place the IP Address acting as the Gateway for your Guests and other relevant information such as the VLAN tagging). The other VLANs with IP Addresses managed by the Aruba 3810M will be router by the switch and will not interfere with the VLAN for Guests.

    My reference about using ACLs is due to the fact that (sometime) the VLAN for Guests needs to be separated by other Corporate VLANs but some Corporate services are provided by communicating with protected Corporate VLANs, clearly that is not your case since for your Guests you have a fully autonomous infrastructure (apart the Aruba 3810M which is the bridge through with your Guests will reach their Internet Router <- so the VLAN for Guests is not "physically" separated to other Corporate VLANs despite the fact Guests will probably use a dedicated WiFi or Wired connectivity and, for sure, a dedicated Router for Internet access).

    ------------------------------
    Davide Poletto
    ------------------------------