Have you configured your switches with IP addresses in VLAN 20?
If yes, then please add "no ip proxy-arp" to their interface vlan 20 config everywhere. If no, then yes, it is strange. Then you could use ACLs on the interface VLANs.
<<But perhaps it would be better to put the interface vlan 20 in another VRF (especially on the core), then your static route to the firewall will not be used for VLAN 20.>>
EDIT: Maybe the 1930 does not support VRF. Please have a look at the switch features and configuration guide.
Please remember: if a switch has more than one IP interface, then it acts as a router, so traffic between VLANs will be possible.
Maybe you are right, I don't know the 1930. So VRF could be useful to make separation of networks more secure. But here it is not the answer.
After reading the topic again, he said there is no SVI for VLAN 20 on the core. This makes it less desirable that it is a routing/proxy-arp error.
Indeed, I would always configure no ip proxy-arp on every SVI, so that I have control over default gateway and routing, because proxy-arp is responsible for such errors (no configured gateway, but the switch/router acts as a default gateway).
It would be helpful to see the MAC address table entries for the used ports and the full IP configuration on the clients (like ipconfig -all), as well as a traceroute from a client in VLAN 10 and VLAN 20. If the firewall does not know about the IP network in VLAN 20 and does not have a route using the existing connection between core and firewall, there can't be traffic (don't think about NAT).
Maybe Florian is right that the clients have an integrated Wi-Fi connection and use this, as the wired connection does not offer a default gateway.