Vlan default gateway

  • 1.  Vlan default gateway

    Posted Dec 27, 2019 10:33 AM

    Hello everyone!

    I am new to Aruba switches. I have an existing network that I am migrating one node at a time from a single vlan to multiple vlans. The current network is connected to our Firewall (Sonicwall) and I am connecting to the firewall as well, just on another port.

    The config should be quite simple I would think. I am using a 2930M as a core L3 switch. Currently I have created a series of Vlans and I can ping from one vlan to another (routing). Where I am having trouble is connecting the uplink port to the firewall. I can ping my 2930's default gateway (192.168.2.1) from within the switch but not from a PC on a vlan.

    Any help would be worth several gold stars for the day!

    Here is my config....

    PS: I am mid config and have only started testing, mostly with vlan 50,51,52.

    Running configuration:

    ; JL324A Configuration Editor; Created on release #WC.16.08.0001
    ; Ver #14:07.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:24

    hostname "Core Switch Aruba-2930M"
    module 1 type jl324a
    trunk 1-2 trk1 lacp
    trunk 3-4 trk2 lacp
    trunk 5-6 trk3 lacp
    trunk 7-8 trk4 lacp
    trunk 9-10 trk5 lacp
    trunk 11-12 trk6 lacp
    trunk 13-14 trk7 lacp
    ip default-gateway 192.168.2.1
    ip routing
    (removed port names)
    snmp-server community "public" unrestricted
    oobm
    ip address dhcp-bootp
    ipv6 enable
    ipv6 address dhcp full
    exit
    vlan 1
    name "Not Used"
    no untagged 20-23,Trk1-Trk2
    untagged 15-19,24,Trk3-Trk7
    ip address 192.168.2.5 255.255.255.0
    ipv6 enable
    ipv6 address dhcp full
    exit
    vlan 5
    name "Vlan 5 Network Management"
    untagged 23
    tagged Trk1-Trk2
    ip address 192.168.5.5 255.255.255.0
    exit
    vlan 10
    name "Vlan 10 Wireless Employee"
    no ip address
    exit
    vlan 20
    name "Vlan 20 Wireless Visitor"
    no ip address
    exit
    vlan 25
    name "Vlan 25 AP Control"
    no ip address
    exit
    vlan 40
    name "VLAN 40 Voice"
    tagged Trk1
    ip address 192.168.40.5 255.255.255.0
    voice
    exit
    vlan 50
    name "Vlan 50 Die Shop"
    untagged 22
    tagged Trk1
    ip address 192.168.50.5 255.255.255.0
    ip rip 192.168.50.5
    exit
    vlan 51
    name "Vlan 51 Packaging"
    untagged 21
    tagged Trk2
    ip address 192.168.51.5 255.255.255.0
    exit
    vlan 52
    name "Vlan 52 Thermal Paint"
    untagged 20
    tagged Trk3
    ip address 192.168.52.5 255.255.255.0
    exit
    vlan 53
    name "Vlan 53 Shipping"
    tagged Trk4
    ip address 192.168.53.5 255.255.255.0
    exit
    vlan 54
    name "Vlan 54 Maintenance"
    tagged Trk5
    ip address 192.168.54.5 255.255.255.0
    exit
    vlan 60
    name "Vlan 60 Office"
    tagged Trk6-Trk7
    ip address 192.168.60.5 255.255.255.0
    exit
    spanning-tree Trk1 priority 4
    spanning-tree Trk2 priority 4
    spanning-tree Trk3 priority 4
    spanning-tree Trk4 priority 4
    spanning-tree Trk5 priority 4
    spanning-tree Trk6 priority 4
    spanning-tree Trk7 priority 4

     

    Thank You!

     



  • 2.  RE: Vlan default gateway
    Best Answer

    MVP GURU
    Posted Dec 27, 2019 12:17 PM

    Hi,

    IP Default Gateway will be ineffective once IP Routing is enabled (as per your case).

    The approach I suggest is:

    1. Create a new VLAN dedicated to Transit/Transport (something like VLAN id 255 with SVI IP Address 192.168.255.254...with a /29 - 255.255.255.248 - Subnet...so an SVI capable of addressing very few hosts...6 to be correct).
    2. Assign to the Sonicwall Downlink interface used to connect to your Aruba 2930M the IP Address 192.168.255.249 (the first usable of the /29 Subnet added above).
    3. Tag the uplink both ends (Sonicwall Interface and Aruba 2930M interface) with VLAN id 255 <-- the uplink will transport ONLY that VLAN id (you can remove the untagging in VLAN 1 if already present on above interfaces at both ends).
    4. Now add an IP route of last resort 0/0 - net 0.0.0.0 mask 0.0.0.0 - via 192.168.255.249 (which is the IP of Sonicwall LAN interface you already configured above).
    5. On Sonicwall create the IP static routes back to reach your various VLAN Ids as available on the Aruba 2930M (say 192.168.5.0/24 via 192.168.255.254)
    6. That way a host on any routed VLAN id on the Aruba 2930M (pointing to Default Gateway IP address of its net = SVI of its VLAN id) will be capable of reaching any other routed VLAN id on the very same Aruba and also reaching external hosts via the Sonicwall (and vice-versa).
    7. The VLAN id 255 acts as a Transit to any NON-Local network (any network behind the Sonicwall) for the Aruba 2930M nets...and is also a Transit to any Local network (any network behind the Aruba 2930M) for the Sonicwall's permitted other networks.
    8. If the uplink to Sonicwall (downlink from Sonicwall) is a logical interface because you used aggregated physical interfaces (through, as an example, LACP) what I wrote above is still valid...just Tag the Trk on the Aruba 2930M side (and the corresponding bond/team interface on the Sonicwall side).


  • 3.  RE: Vlan default gateway

    Posted Dec 27, 2019 03:38 PM

    Thank you very much! I have made the changes as requested on my end, using Vlan 2 as the transfer vlan.

    I had the vendor for the firewall make the changes for the port, vlan and IP address, and from within the switch I am able to ping the static route, 192.168.2.254.

    So all looks good. I tested for my vlan 50 and of course it fails but this is due to the lack of routes on their end, next step, correct?

    Running configuration:

    ; JL324A Configuration Editor; Created on release #WC.16.08.0001
    ; Ver #14:07.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:24

    hostname "Core Switch Aruba-2930M"
    module 1 type jl324a
    trunk 1-2 trk1 lacp
    trunk 3-4 trk2 lacp
    trunk 5-6 trk3 lacp
    trunk 7-8 trk4 lacp
    trunk 9-10 trk5 lacp
    trunk 11-12 trk6 lacp
    trunk 13-14 trk7 lacp
    ip route 0.0.0.0 0.0.0.0 192.168.2.254
    ip routing
    (  removed  )
    snmp-server community "public" unrestricted
    oobm
    ip address dhcp-bootp
    ipv6 enable
    ipv6 address dhcp full
    exit
    vlan 1
    name "Not Used"
    no untagged 20-24,Trk1-Trk2
    untagged 15-19,Trk3-Trk7
    no ip address
    ipv6 enable
    ipv6 address dhcp full
    exit
    vlan 2
    name "Vlan 2 Transfer"
    tagged 24
    ip address 192.168.2.249 255.255.255.248
    exit
    vlan 5
    name "Vlan 5 Network Management"
    untagged 23
    tagged Trk1-Trk2
    ip address 192.168.5.5 255.255.255.0
    exit
    vlan 10
    name "Vlan 10 Wireless Employee"
    no ip address
    exit
    vlan 20
    name "Vlan 20 Wireless Visitor"
    no ip address
    exit
    vlan 25
    name "Vlan 25 AP Control"
    no ip address
    exit
    vlan 40
    name "VLAN 40 Voice"
    tagged Trk1
    ip address 192.168.40.5 255.255.255.0
    voice
    exit
    vlan 50
    name "Vlan 50 Die Shop"
    untagged 22
    tagged Trk1
    ip address 192.168.50.5 255.255.255.0
    ip rip 192.168.50.5
    exit
    vlan 51
    name "Vlan 51 Packaging"
    untagged 21
    tagged Trk2
    ip address 192.168.51.5 255.255.255.0
    exit
    vlan 52
    name "Vlan 52 Thermal Paint"
    untagged 20
    tagged Trk3
    ip address 192.168.52.5 255.255.255.0
    exit
    vlan 53
    name "Vlan 53 Shipping"
    tagged Trk4
    ip address 192.168.53.5 255.255.255.0
    exit
    vlan 54
    name "Vlan 54 Maintenance"
    tagged Trk5
    ip address 192.168.54.5 255.255.255.0
    exit
    vlan 60
    name "Vlan 60 Office"
    tagged Trk6-Trk7
    ip address 192.168.60.5 255.255.255.0
    exit
    spanning-tree Trk1 priority 4
    spanning-tree Trk2 priority 4
    spanning-tree Trk3 priority 4
    spanning-tree Trk4 priority 4
    spanning-tree Trk5 priority 4
    spanning-tree Trk6 priority 4
    spanning-tree Trk7 priority 4

     


    Core Switch Aruba-2930M(vlan-1)# ping 192.168.2.254
    192.168.2.254 is alive, time = 1 ms



  • 4.  RE: Vlan default gateway

    MVP GURU
    Posted Dec 27, 2019 07:16 PM
    Correct.

    From the Sonicwall firewall you should be able at least to perform a successful icmp ping test to 192.168.2.249 (the IP Address you assigned to your VLAN 2 on the Aruba 2930M dedicated to transit/transport) via its LAN assigned (sub)interface member of the same VLAN id 2.

    Once Sonicwall is configured with static routes to your other VLAN ids (example 50) via 192.168.2.249 you should be OK (Sonicwall ACL permitting).
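
Added example (not from any poster in this thread): Python that reads an ArubaOS-Switch running config, finds the transit SVI that holds the default route's next hop, and lists the static routes the firewall needs back to each routed VLAN, as described in post 4. `SAMPLE_CONFIG` is constructed from the routing lines of the config in post 3; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: routing-relevant lines trimmed from the config in post 3.
SAMPLE_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 192.168.2.254
ip routing
oobm
ip address dhcp-bootp
exit
vlan 2
ip address 192.168.2.249 255.255.255.248
exit
vlan 50
ip address 192.168.50.5 255.255.255.0
exit
vlan 52
ip address 192.168.52.5 255.255.255.0
exit
"""

def parse_l3(config):
    """Return (routing_enabled, default_next_hop, {vlan_id: IPv4Interface})."""
    routing, next_hop, svis, vlan = False, None, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line == "ip routing":
            routing = True
        elif m := re.fullmatch(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            next_hop = ipaddress.ip_address(m.group(1))
        elif m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m.group(1))  # entering a VLAN context
        elif line in ("exit", "oobm"):
            vlan = None  # oobm addresses are not routed SVIs
        elif vlan is not None and (m := re.fullmatch(r"ip address ([\d.]+) ([\d.]+)", line)):
            svis[vlan] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return routing, next_hop, svis

def firewall_return_routes(config):
    """List (network, via) static routes the firewall needs for each routed VLAN."""
    routing, next_hop, svis = parse_l3(config)
    if not routing or next_hop is None:
        raise ValueError("need 'ip routing' and a 0.0.0.0/0 static route")
    transit = [v for v, i in svis.items() if next_hop in i.network]
    if len(transit) != 1:
        raise ValueError("default-route next hop is not on exactly one connected SVI subnet")
    via = svis[transit[0]].ip  # the switch's own address on the transit VLAN
    return [(str(i.network), str(via)) for v, i in sorted(svis.items()) if v != transit[0]]
```

For the sample, the result is one route per routed VLAN via 192.168.2.249; a default route whose next hop is on no connected SVI subnet raises `ValueError` instead.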


  • 5.  RE: Vlan default gateway

    Posted Dec 30, 2019 03:01 PM

    So here is where I am at currently,

    From within the switch CLI I can ping across my transfer Vlan to the other internal network on a different port on the firewall. But, when I am on a client PC using a vlan (testing with 50) I cannot ping anything past the local switch, not even the other end of my transfer vlan. I can ping from a client on vlan 50 to a client on vlan 52.

    Now if I am on a client that is in the transfer vlan I can ping my side, the firewall side and the other internal network. All is good! But I can't ping my test PC on my vlan 52.

    Sounds like a static route issue on the 2930, yes?

    Here is my current config.....

    Running configuration:

    ; JL324A Configuration Editor; Created on release #WC.16.08.0001
    ; Ver #14:07.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:24

    hostname "Core Switch Aruba-2930M"
    module 1 type jl324a
    trunk 1-2 trk1 lacp
    trunk 3-4 trk2 lacp
    trunk 5-6 trk3 lacp
    trunk 7-8 trk4 lacp
    trunk 9-10 trk5 lacp
    trunk 11-12 trk6 lacp
    trunk 13-14 trk7 lacp
    ip route 0.0.0.0 0.0.0.0 192.168.2.254
    ip routing
    (removed)
    snmp-server community "public" unrestricted
    oobm
    ip address dhcp-bootp
    ipv6 enable
    ipv6 address dhcp full
    exit
    vlan 1
    name "Not Used"
    no untagged 18,20-24,Trk1-Trk2
    untagged 15-17,19,Trk3-Trk7
    no ip address
    ipv6 enable
    ipv6 address dhcp full
    exit
    vlan 2
    name "Vlan 2 Transfer"
    untagged 18
    tagged 24
    ip address 192.168.2.249 255.255.255.248
    exit
    vlan 5
    name "Vlan 5 Network Management"
    untagged 23
    tagged Trk1-Trk2
    ip address 192.168.5.5 255.255.255.0
    exit
    vlan 10
    name "Vlan 10 Wireless Employee"
    no ip address
    exit
    vlan 12
    name "Vlan 12 Wireless Supervisor"
    no ip address
    exit
    vlan 20
    name "Vlan 20 Wireless Visitor"
    no ip address
    exit
    vlan 25
    name "Vlan 25 AP Control"
    no ip address
    exit
    vlan 40
    name "VLAN 40 Voice"
    tagged Trk1
    ip address 192.168.40.5 255.255.255.0
    voice
    exit
    vlan 50
    name "Vlan 50 Die Shop"
    untagged 22
    tagged Trk1
    ip address 192.168.50.5 255.255.255.0
    ip rip 192.168.50.5
    exit
    vlan 51
    name "Vlan 51 Packaging"
    untagged 21
    tagged Trk2
    ip address 192.168.51.5 255.255.255.0
    exit
    vlan 52
    name "Vlan 52 Thermal Paint"
    untagged 20
    tagged Trk3
    ip address 192.168.52.5 255.255.255.0
    exit
    vlan 53
    name "Vlan 53 Shipping"
    tagged Trk4
    ip address 192.168.53.5 255.255.255.0
    exit
    vlan 54
    name "Vlan 54 Maintenance"
    tagged Trk5
    ip address 192.168.54.5 255.255.255.0
    exit
    vlan 60
    name "Vlan 60 Office"
    tagged Trk6-Trk7
    ip address 192.168.60.5 255.255.255.0
    exit
    spanning-tree Trk1 priority 4
    spanning-tree Trk2 priority 4
    spanning-tree Trk3 priority 4
    spanning-tree Trk4 priority 4
    spanning-tree Trk5 priority 4
    spanning-tree Trk6 priority 4
    spanning-tree Trk7 priority 4