Wired Intelligent Edge

 View Only
last person joined: 2 days ago 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Back to discussions
Expand all | Collapse all

Vlan reaching the interent without default gateway

This thread has been viewed 76 times

  • 1.  Vlan reaching the interent without default gateway

    Posted Sep 21, 2021 02:17 AM
    Hello Dears,

    I have 3 aruba 1930 switches, 2 used as edges and one as core. I have two vlans, vlan 10 and 20. I created a L3 interface for vlan 10 (192.168.10.1) , and no interface for vlan 20 on the core. Static route also created on core to the firewall for internet access. I am planning to use vlan 20 for connectivity between internal devices only , with no access to the internet and no access to other vlans. What is confusing for me is that when i plug a pc to vlan 20 , i am able to access the internet from this device although no default-gateway assigned (only ip and netmask in ip configuration), may someone explain on how this is possible ? 

    I attached a sketch for better understanding, PC1 is untagged with vlan 10 (able to access internet), PC2 and PC3 should only able to communication with each other on vlan 20 but they are reaching the internet !! besides, uplinks from edge to core are tagged all with vlan 10 and 20 

    Thanks for your support


    ------------------------------
    mohammad shamseddine
    ------------------------------


  • 2.  RE: Vlan reaching the interent without default gateway

    MVP GURU
    Posted Sep 21, 2021 03:35 AM
    Hello, you wrote: "What is confusing for me is that when i plug a pc to vlan 20 , i am able to access the internet from this device although no default-gateway assigned (only ip and netmask in ip configuration), may someone explain on how this is possible ? " told that way it is pretty strange...if an host - in this case one connected to an Access port untagged member of VLAN 20 - hasn't a default gateway defined (and no other static routes are present) how can that host to know where to forward packets to in order for them to reach other networks other than hosts in its very same network to which it belongs?

    Was the firewall configured to have a L3 interface on VLAN 20? and, if so, is the uplink between Core and Firewall admitting (tagged or untagged) VLAN 20 too? or did you configured a (non mentioned) Transit VLAN between the Core and the Firewall? or again is the Firewall just sitting with its LAN interface on the VLAN 10 segment only?  

    ------------------------------
    Davide Poletto
    ------------------------------

    Original Message


  • 3.  RE: Vlan reaching the interent without default gateway

    Posted Sep 21, 2021 03:54 AM
    Hello,

    Thanks for your response,

    There is no vlan configured on firewall, a vlan configured on core for firewall connection, lets say on core i have vlan 200 with L3 interface 192.168.200.1 , an access port untagged with this vlan is connected to the firewall , the connected port on the firewall is L3 interface of IP 192.168.200.2 , default route on core switch is 0.0.0.0 0.0.0.0 192.168.200.2 . This is the setup, besides you mentioned here : " in this case one connected to an Access port untagged member of VLAN 20 - hasn't a default gateway defined (and no other static routes are present) " , static route where you mean on the device itself ? i am pretty sure there is no route added on the device (route add on windows ....) , actually the more confusing thing is that there is no dns configured on the PC but still accessing the internet 

    ------------------------------
    mohammad shamseddine
    ------------------------------

    Original Message


  • 4.  RE: Vlan reaching the interent without default gateway

    MVP GURU
    Posted Sep 21, 2021 06:16 AM
    OK, so "lets say on core i have vlan 200 with L3 interface 192.168.200.1 , an access port untagged with this vlan is connected to the firewall , the connected port on the firewall is L3 interface of IP 192.168.200.2 , default route on core switch is 0.0.0.0 0.0.0.0 192.168.200.2" means you have a sort of Transit VLAN (say 192.168.200.1 and 192.168.200.2 are the only two usable IP Addresses on that dedicated subnet, say a 192.168.200.0/30 as example).

    The above also mean that, if VLAN 20 is not transported (tagged, permitted) on the uplink to the Firewall then that VLAN 20 ends into the Core...if VLAN 20 doesn't own a L3 Interface (SVI) then it doesn't partecipate to IP Routing service by the Core...so, technically speaking, is "isolated" and its should not capable of routing packets to other locally (directly) or externally (via static routes on the Core) connected networks. At least this is what I think examining your scenario.

    But...what's about verifying with a traceroute test to discover who is the first hop for such hosts? with regard to names resolution...without a DNS properly configured a Host has no way to resolve a FQDN into an IP (other than having that binding declared on its hosts file)...is there maybe a Web Proxy in between?

    Was the host manually and statically configured with just an IP Address (belonging to VLAN 20), a proper Netmask and NO Default Gateway, neither DNS Primary nor DNS Secondary?

    ------------------------------
    Davide Poletto
    ------------------------------

    Original Message


  • 5.  RE: Vlan reaching the interent without default gateway

    EMPLOYEE
    Posted Sep 21, 2021 11:55 PM
    Hi,

    Just for curiosity, the PC is not connected to some WLAN in parallel, and is using that for the internet?

    ------------------------------
    -------------------------------------------------------------------------------
    Florian Baaske
    -------------------------------------------------------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    -------------------------------------------------------------------------------
    Also visit the AirHeads Youtube Channel:
    https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
    -------------------------------------------------------------------------------
    Feel free to visit my personal Blog
    https://www.flomain.de
    ------------------------------

    Original Message


  • 6.  RE: Vlan reaching the interent without default gateway

    Posted Sep 22, 2021 02:30 AM

    Do you have configured your switches with ip addresses in vlan 20?

    if yes, then please add the "no ip proxy-arp" in their interface vlan 20 config everywhere.
    if no, then yes it is strange. Then you could use ACL on the interface vlans.

    <<But perhaps it would be better, to put the the interface vlan 20 in another VRF (especially on the core), then your static route to the firewall will not be used for vlan 20.>>

    EDIT: Maybe the 1930 does not support VRF. Please have a look at the switch features and configuration guide.

    Please remind. If a switch does have more than one ip interface, then it acts as a router, so traffic between vlans will be possible.



    ------------------------------
    Robert Großmann
    ------------------------------

    Original Message


  • 7.  RE: Vlan reaching the interent without default gateway

    MVP GURU
    Posted Sep 22, 2021 09:11 AM
    Just to add that "If a switch does have more than one ip interface, then it acts as a router, so traffic between vlans will be possible." excluding those switches requiring to explicitly enable the IP Routing feature in addition to assigning an IP Address to a VLAN interface (that's to say that simply assigning an IP Addresses to VLANs is not enough to enable routing between those VLANs).

    I don't believe the Aruba Instant On 1930 Switch series is VRF capable...that's a feature typically found on DC Switch series.

    ------------------------------
    Davide Poletto
    ------------------------------

    Original Message


  • 8.  RE: Vlan reaching the interent without default gateway

    Posted Sep 22, 2021 01:35 PM

    @Davide

    Maybe you are right, i don't know the 1930. So VRF could be useful to make separation of networks more secure. But here it is not the answer.

    After reading the topic again, he said there is no SVI for VLAN 20 on the core. This makes it less desirable that it is a routing/proxy-arp error.

    Indeed, I would always configure no ip proxy-arp on every SVI, therefore I do have control over default gateway and routing. Because proxy-arp is responsible for such errors (no configured gateway, but switch/router acts as a default-gateway).

    It would be helpful to see the mac-adress table entries for the used ports and the full ip configuration on the clients (like ipconfig -all) even as a traceroute from a client in vlan 10 and vlan 20.

    If the firewall does not know about the IP Network in VLAN 20 and does not have a route using the existing connection between core and firewall there can't be traffic (dont think about nat).

    maybe florian is right that the clients to have a wifi connection integrated and use this, as the wired connection does not offer a default-gateway. 



    ------------------------------
    Robert Großmann
    ------------------------------

    Original Message


  • 9.  RE: Vlan reaching the interent without default gateway

    MVP GURU
    Posted Sep 22, 2021 02:17 PM
    Hi Robert,

    "maybe florian is right that the clients to have a wifi connection integrated and use this, as the wired connection does not offer a default-gateway."

    I hope it's not because, if that would be true, we wasted a lot of time...one should check that first (AKA rule 0: how my clients are connected to my networks? and be sure to understand how exactly they are...in terms of connectivity - from lower layers up to higher layers - IP Addressing and routing...up to Web Proxy setting if necessary).

    ------------------------------
    Davide Poletto
    ------------------------------

    Original Message