With regards to Static Routes necessary for external networks to reach your internal ones...you wrote:
Personally, I can't tell without knowing how your ISP Router is actually configured (I generally do not like to believe... in my opinion it's way better to try to understand what's going on by looking at how devices are configured than to believe what an ISP tells you; way better to see how your ISP Router was configured and, in this way, ensure that what you "believe" is really going to happen without too many surprises).
Ask them to ping/traceroute any of your internal SVIs from the Router and provide you with evidence of the results (e.g. they could ping/traceroute 10.10.10.1 or 10.10.70.1 from the Router through its LAN interface). Ensure that on your side you can ping/traceroute (reach) all your SVIs and your NHG IP Address from any VLAN (from a client with an IP Address belonging to any of your VLANs).
Regarding the NAT... again... it's up to you; personally I expect a Core Router to be connected to a sort of Gateway (with Firewall features) and thus I also expect to see a NAT between its LAN side (internal LANs) and its WAN side (one WAN or more WANs)...
Original Message:
Sent: Dec 28, 2020 10:44 AM
From: Mahmoud Refaat
Subject: Aruba 5406R internet access issue
Thanks for your support,
regarding your comments
1) This mask /24 (255.255.255.0): I got it from the customer, as he is the one who contacted the ISP to arrange this DIA line.
2) VLAN 1 is tagged on all the switch ports by default and I didn't change it; I also believe it will not have any effect in our case here.
is your NHG aware of the fact that all your directly connected VLANs can be found/reached through the x.x.x.105 IP Address?
I don't have this info, but I assumed from the beginning that everything is fine from their side, and I believe the problem will be from their side.
Thanks again for your time and your inputs.
------------------------------
Mahmoud Refaat
Original Message:
Sent: Dec 28, 2020 09:16 AM
From: Davide Poletto
Subject: Aruba 5406R internet access issue
Hi! It looks like you're using VLAN 1100 as a "transport" VLAN.
The Last Resort Route (0/0 via x.x.x.104 <- the LAN IP Address of your Next Hop Gateway NHG to all other - non directly connected - networks) looks good. All your directly connected VLAN IDs with a SVI (100, 200, 300, 400, 500, 600, 700, 800, 900 and 1000) are in routing with the VLAN ID 1100 so any non directly connected network will be reached through the VLAN 1100 SVI (routed with the LRR to x.x.x.104).
The SVI address of VLAN 1100 (x.x.x.105) looks good too.
Two doubts remain:
- why use a /24 (255.255.255.0) for a Transport VLAN where only two IP Addresses are necessary? ...if I were you I would have used a /29, /30 or a /31 (you need just a Point to Point)
- why have VLAN 1 as "tagged" on the C24 uplink interface?
The interface C24 is an untagged member of VLAN 1100 (Transport) so we should expect the same VLAN ID to be defined on the NHG LAN interface (LAN side).
Now the questions:
First question is: is your NHG aware of the fact that all your directly connected VLANs can be found/reached through the x.x.x.105 IP Address? <- generally this should imply that your gateway must have static routes to all your directly connected VLAN IDs via the x.x.x.105 (example: destination 10.10.20.0/24 via x.x.x.105).
Second question: probably your NHG then has a NAT between its internal side (x.x.x.104) and the Internet. Is this NAT OK too?
Third question: why obfuscate the VLAN 1100 SVI and NHG LAN Interface IP Addresses? Don't tell me you are not doing NAT between the LAN side and WAN side on your gateway... are you? Strong suspicion... otherwise that VLAN's SVI would be exactly like all the others, a private one.
------------------------------
Davide Poletto
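One way to check Davide's first question against the posted running-config: parse the SVIs and the default route, identify the transport VLAN, and list the static routes the NHG must carry back via the transport SVI. This is an added example, not from the thread or from Aruba; the obfuscated x.x.x.104/.105 addresses are replaced with 192.0.2.104/.105 placeholders, and the config excerpt is trimmed to a few VLANs.

```python
"""Derive the static routes the next-hop gateway (NHG) needs so replies reach
every VLAN the 5406R routes. Added example, not from the thread or Aruba; the
obfuscated x.x.x.104/.105 are placeholders from 192.0.2.0/24 (TEST-NET-1)."""
import ipaddress
import re

# Constructed excerpt of the posted running-config, trimmed to a few SVIs.
CONFIG = """\
ip route 0.0.0.0 0.0.0.0 192.0.2.104
vlan 1
   ip address dhcp-bootp
   exit
vlan 100
   ip address 10.10.10.1 255.255.255.0
   exit
vlan 300
   ip address 10.10.28.1 255.255.252.0
   exit
vlan 600
   ip address 172.168.0.5 255.255.252.0
   exit
vlan 1100
   ip address 192.0.2.105 255.255.255.0
   exit
"""
ADDR = r"(\d+\.\d+\.\d+\.\d+)"

def parse_svis(config):
    """Map VLAN ID -> IPv4Interface for each SVI with a static address
    (VLAN 1 with 'ip address dhcp-bootp' is skipped)."""
    svis, vlan = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m.group(1))
        elif (m := re.fullmatch(rf"ip address {ADDR} {ADDR}", line)) and vlan:
            svis[vlan] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif line == "exit":
            vlan = None
    return svis

def default_next_hop(config):
    m = re.search(rf"^ip route 0\.0\.0\.0 0\.0\.0\.0 {ADDR}$", config, re.M)
    return ipaddress.ip_address(m[1]) if m else None

def return_routes(config):
    """(transport VLAN, [(network, via)]): the transport VLAN is the SVI whose subnet
    holds the default next hop; every other SVI subnet needs an NHG route back via it."""
    svis, nhg = parse_svis(config), default_next_hop(config)
    transport = next(v for v, i in svis.items() if nhg in i.network)
    via = svis[transport].ip
    return transport, [(i.network, via) for v, i in sorted(svis.items()) if v != transport]
```

Each `(network, via)` pair is one route the NHG needs (in its own syntax), e.g. 10.10.28.0/22 via x.x.x.105; if any is missing, clients in that VLAN can reach the SVI but never get replies from beyond the gateway.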
Original Message:
Sent: Dec 28, 2020 08:23 AM
From: Mahmoud Refaat
Subject: Aruba 5406R internet access issue
Hello folks,
I have a very strange issue with internet access from the different VLANs on the Core 5406R switch. I have routing enabled and a static route to one of the VLAN interfaces (the internet VLAN) (KB.16.10.0011 (Booted)).
When I tried to access the internet from any device in any VLAN, I could only ping the internet VLAN interface x.x.x.105 and I couldn't ping the internet device IP x.x.x.104.
From the Core CLI I can ping both x.x.x.104 and x.x.x.105 plus 8.8.8.8; I suspect that the problem is from the ISP device side!
diagram:
internet IP: x.x.x.104--------- IP: x.x.x.105 (internet VLAN) Core switch (VLANs interfaces) ----------------- (Data VLAN) PC
DHCP IP address: from data VLAN
DG: data VLAN interface
hostname "CORE-SW"
module A type j9988a
module B type j9990a
module C type j9987a
console idle-timeout 300
console idle-timeout serial-usb 300
ip route 0.0.0.0 0.0.0.0 x.x.x.104
ip routing
snmp-server community "public" unrestricted
oobm
   ip address dhcp-bootp
   exit
vlan 1
   name "DEFAULT_VLAN"
   tagged A1-A24,B1-B24,C1-C24
   ip address dhcp-bootp
   ipv6 enable
   ipv6 address dhcp full
   exit
vlan 100
   name "MGMT"
   untagged A1-A24,B21-B24
   ip address 10.10.10.1 255.255.255.0
   exit
vlan 200
   name "e"
   untagged C5-C22
   tagged A1-A24,B21-B24
   ip address 10.10.20.1 255.255.255.0
   dhcp-server
   exit
vlan 300
   name "f"
   tagged A1-A24,B21-B24
   ip address 10.10.28.1 255.255.252.0
   dhcp-server
   exit
vlan 400
   name "c"
   tagged A1-A24,B21-B24
   ip address 10.10.40.1 255.255.255.0
   dhcp-server
   exit
vlan 500
   name "a"
   untagged B1-B4
   tagged A1-A24,B21-B24
   ip address 10.10.50.1 255.255.255.0
   dhcp-server
   exit
vlan 600
   name "IPTV-VLAN"
   untagged B17-B20
   tagged A1-A24,B21-B24
   ip address 172.168.0.5 255.255.252.0
   ip igmp
   dhcp-server
   exit
vlan 700
   name "d"
   untagged C1-C4
   tagged A1-A24,B21-B24
   ip address 10.10.70.1 255.255.255.0
   voice
   dhcp-server
   exit
vlan 800
   name "T"
   untagged B9-B12
   tagged A1-A24,B21-B24
   ip address 172.16.30.254 255.255.255.0
   ip igmp
   exit
vlan 900
   name "P"
   untagged B13-B16
   tagged A1-A24,B21-B24
   ip address 172.16.40.254 255.255.255.0
   ip igmp
   exit
vlan 1000
   name "I"
   untagged B5-B8
   tagged A1-A24,B21-B24
   ip address 172.16.10.254 255.255.255.0
   exit
vlan 1100
   name "Internet"
   untagged C24
   ip address x.x.x.105 255.255.255.0
   exit
spanning-tree
spanning-tree root primary priority 1
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
dhcp-server pool "a"
   default-router "10.10.50.1"
   dns-server "8.8.8.8"
   network 10.10.50.0 255.255.255.0
   range 10.10.50.6 10.10.50.250
   exit
dhcp-server pool "b"
   default-router "172.168.0.5"
   dns-server "8.8.8.8"
   network 172.168.0.0 255.255.252.0
   range 172.168.0.6 172.168.3.250
   exit
dhcp-server pool "c"
   default-router "10.10.40.1"
   dns-server "8.8.8.8"
   network 10.10.40.0 255.255.255.0
   option 43 ip "10.10.40.2"
   range 10.10.40.6 10.10.40.250
   exit
dhcp-server pool "d"
   default-router "10.10.70.1"
   dns-server "8.8.8.8"
   network 10.10.70.0 255.255.255.0
   range 10.10.70.6 10.10.70.250
   exit
dhcp-server pool "e"
   default-router "10.10.20.1"
   dns-server "8.8.8.8"
   network 10.10.20.0 255.255.255.0
   range 10.10.20.6 10.10.20.250
   exit
dhcp-server pool "f"
   default-router "10.10.28.1"
   dns-server "8.8.8.8"
   network 10.10.28.0 255.255.252.0
   range 10.10.28.6 10.10.31.250
   exit
dhcp-server enable
password manager
password operator
------------------------------
Mahmoud R
------------------------------