Wired Intelligent Edge

"Bad english incoming ;)"

 

switch:

2930F-48G

VLANs:

48 (IP on switch 192.168.48.1)

52 (IP on switch 192.168.52.1)

55 (IP on switch 192.168.55.1)

 

Gateways:

192.168.55.1 (standard gateway and default route on switch)

192.168.98.1 (not sure, see below)

 

We made a transfer network with the IP 192.168.98.1 on the router, 192.168.98.4 on switch side (port 40).

 

How can i configure, that everything from VLAN 48 (which is the guest vlan with aruba controller 7005 and AP303) is going through the transfer network and can´t access all other VLANs and the other VLANs can´t access the gateway 98.1 and VLAN 48?

 

I read some things with ACLs and routes, but now I´m confused.

#2930F

Sounds like you want to do policy based routing (PBR)?

 

See the ATMG guide:

https://support.hpe.com/hpsc/doc/public/display?docId=a00076274en_us

Chapter 14.

thanks for that, I think I understand it, but it won´t work.

 

Herre are my settings:

Running configuration:
...
module 1 type jl254a
class ipv4 "guests"
     20 match ip 192.168.48.1 0.0.0.255 0.0.0.0 255.255.255.255
   exit
policy pbr "SecondGateway"
     10 class ipv4 "guests"
      action ip next-hop 192.168.98.1
      exit
   exit
ip default-gateway 192.168.55.1
ip route 0.0.0.0 0.0.0.0 192.168.55.1
...
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   no untagged 10-12,21-23
   untagged 1-9,13-20,24-52
   ip address 192.168.55.47 255.255.255.0
   exit
...
vlan 48
   name "Gast 1"
   tagged 13,21-23,49-52
   ip address 192.168.48.1 255.255.255.0
   exit
...
vlan 52
   name "Client 1"
   tagged 49-52
   ip address 192.168.52.22 255.255.255.0
   ip helper-address 192.168.55.39
   exit
...
vlan 63
   name "Management"
   untagged 13
   tagged 10-12,49-52
   ip address 192.168.63.22 255.255.255.0
   exit
...

second gateway is connected to port 13 and 40 (router cluster).

These are the settings on the router:

Master:
 ...
Physical interface: eth6, Source Address 192.168.98.2
  Interface state: up, Group 106, State: master
  Priority: 200, Advertisement interval: 1, Authentication type: none
  Preempt: true, VIP count: 1, VIP: 192.168.98.1/24
  Master router: 192.168.98.2
  Last transition: 9m58s
 
Physical interface: eth7, Source Address 192.168.55.2
  Interface state: up, Group 107, State: master
  Priority: 200, Advertisement interval: 1, Authentication type: none
  Preempt: true, VIP count: 1, VIP: 192.168.55.1/24
  Master router: 192.168.55.2
  Last transition: 10m0s
 
 
Backup
...
Physical interface: eth6, Source Address 192.168.98.3
  Interface state: up, Group 106, State: backup
  Priority: 1, Advertisement interval: 1, Authentication type: none
  Preempt: true, VIP count: 1, VIP: 192.168.98.1/24
  Master router: unknown, Master Priority: unknown
  Last transition: 4m41s
 
Physical interface: eth7, Source Address 192.168.55.3
  Interface state: up, Group 107, State: backup
  Priority: 1, Advertisement interval: 1, Authentication type: none
  Preempt: true, VIP count: 1, VIP: 192.168.55.1/24
  Master router: unknown, Master Priority: unknown
  Last transition: 9m44s
 
192.168.48.0/24 via 192.168.98.4 dev eth6
...
192.168.63.0/24 via 192.168.98.4 dev eth6
192.168.98.0/24 dev eth6  proto kernel  scope link
...

And the WLAN settings (screenshots from the controller):

 

 

I have deleted some settings from the config, which I think are not important for the problem.

You need VRF... but no vrf on 2930F...

Shouldn't be:

20 match ip 192.168.48.0 0.0.0.255 0.0.0.0 255.255.255.255

instead of:

20 match ip 192.168.48.1 0.0.0.255 0.0.0.0 255.255.255.255

if you plan to apply the match to an entire subnet?

A nice example here: https://www.networktasks.co.uk/environments/hp/provision/policy-based-routing-pbr