Hello Nawir, I believe here there is a lot of confusion.
You first need to answer this question: WHO is in charge of performing Inter-VLAN routing for the VLANs your switch has defined?
I mean: if you let the Aruba 2930F (which is a Layer 3 capable Switch) be the device that has the VLAN Ids defined AND that has their IP interfaces (SVI)...then it is natural that you're assigning to it the role of router for those VLAN Ids. The Switch will be the router for its (directly connected) VLANs AND all other network segments/IP addresses not directly connected (not part of those SVIs) will necessarily need to be managed by a proper gateway (the Next Hop gateway...generally another Router -> in your case that router will be your Firewall).
So to simplify: Aruba 2930F could be the router for its directly connected VLAN Ids ... and have a (default) route of last resort for all other non-directly connected SVIs (the Rest of the World) pointing to another gateway (Firewall).
Is the above your case or not?
If it is the case, then on the Aruba 2930F it is just required that (it's a best practice) you create a Transit VLAN id and assign it an IP (say a /31) so you have a dedicated SVI you can use to route to your Firewall. Assign a port (physical or logical <- in case of link aggregation) to that VLAN Id and then tag that port with the Transit VLAN id, then set the Route of Last resort on the Aruba 2930F pointing 0.0.0.0 (any other non directly connected IP address) to your Firewall.
On your Firewall you need to do the same (so you should have the internal interface set with the other /31 IP), properly tagged, and you need to have static routes that will instruct your Firewall where to route traffic with destinations on Aruba 2930F's VLAN Ids segments (basically how to route back). And so the routing between your Aruba 2930F and your Firewall is going to happen between the Transit VLAN (between your Aruba 2930F /31 IP Address and your Firewall /31 IP Address). Routing between Aruba 2930F directly connected VLANs happens and stays local to Aruba...and your Firewall just acts as a Next Hop Gateway for all traffic coming from the external world and for all traffic going to the external world.
IF INSTEAD you don't want to assign the role of inter-VLANs router to your Aruba 2930F THEN the Firewall needs to take that duty and its internal Interface needs to be configured with all required VLAN Ids (and related IP interfaces)...at that point your Firewall will become the default router for your VLAN Ids and the role of your Aruba 2930F is just the one of a Layer 2 switch, acting as a Layer 2 extension of the Firewall's Internal interface...this means that between your Aruba 2930F and the Firewall you need to transport (tag) the VLAN Ids defined on the Firewall and that's all.
------------------------------
Davide Poletto
------------------------------
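The transit-VLAN design described in the reply above, as an added example that is not part of the original thread: a Python check that the switch's route of last resort points at the firewall's transit address and that the firewall has a return route for every switch SVI. All addresses, VLAN IDs and the function name are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

def check_transit_design(transit, switch_ip, fw_ip, switch_svis, switch_default_nh, fw_routes):
    """Return a list of problems in a switch-routes / firewall-as-next-hop plan.

    switch_svis maps VLAN ID -> SVI subnet; fw_routes maps prefix -> next hop
    as configured on the firewall.
    """
    problems = []
    net = ip_network(transit)
    sw, fw = ip_address(switch_ip), ip_address(fw_ip)
    # Both ends of the transit link must be distinct addresses in the transit subnet.
    if sw == fw or sw not in net or fw not in net:
        problems.append(f"transit endpoints {sw} and {fw} are not two hosts of {net}")
    # Switch side: the route of last resort must point at the firewall's transit IP.
    if ip_address(switch_default_nh) != fw:
        problems.append(f"switch default route points to {switch_default_nh}, expected {fw}")
    routes = {ip_network(p): ip_address(nh) for p, nh in fw_routes.items()}
    for vlan_id, prefix in sorted(switch_svis.items()):
        svi = ip_network(prefix)
        if svi.overlaps(net):
            problems.append(f"VLAN {vlan_id} {svi} overlaps the transit subnet")
            continue
        # Firewall side: longest-prefix match decides where return traffic goes.
        covering = [r for r in routes if r.version == svi.version and svi.subnet_of(r)]
        if not covering:
            problems.append(f"VLAN {vlan_id} {svi}: firewall has no return route")
            continue
        best = max(covering, key=lambda r: r.prefixlen)
        if routes[best] != sw:
            problems.append(f"VLAN {vlan_id} {svi}: return route {best} "
                            f"goes to {routes[best]}, expected {sw}")
    return problems

# Constructed sample plan (not taken from the thread).
SVIS = {10: "192.168.10.0/24", 20: "192.168.20.0/24", 30: "192.168.30.0/24"}
FW_ROUTES = {
    "0.0.0.0/0": "203.0.113.1",         # firewall's own default, toward the ISP
    "192.168.10.0/24": "10.255.255.0",  # return routes via the switch's transit IP
    "192.168.20.0/24": "10.255.255.0",  # VLAN 30 has no specific return route
}

if __name__ == "__main__":
    for problem in check_transit_design("10.255.255.0/31", "10.255.255.0", "10.255.255.1",
                                        SVIS, "10.255.255.1", FW_ROUTES):
        print(problem)
```

In the sample plan, VLAN 30 is reported because its return traffic would follow the firewall's default route toward the ISP instead of going back to the switch.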
Original Message:
Sent: May 14, 2022 09:03 PM
From: Nawir Bunai
Subject: 2930f intervlan routing
1. How come you set an IP address on Forti port4 when using a VLAN trunk? Usually it is set as 0.0.0.0/0
2. I have a similar goal, but my friend wants to use a NIC IP address, not a VLAN IP address
I can set a NIC IP address in Forti
I can't set a port IP address in the 2930f going to the FW
What I can set is an IP in a VLAN, i.e.
vlan 999
Ip xxxx
3. https://www.arubanetworks.com/assets/ds/DS_2930FSwitchSeries.pdf
That link says L2 switch, not L3 switch
Is that the reason why I can't put an IP address on the NIC?
The PDF says it can do L3 dynamic routing like OSPF
What I know is that in Cisco, L3 dynamic routing must use an L3 switch like the 3xxx series
But here in 2930 it said doing L3 dynamic routing in L3 switch
What is the benefit of that, and are there any issues in terms of compatibility between Aruba and Cisco?
tq
------------------------------
Nawir Bunai
Original Message:
Sent: Aug 22, 2017 03:39 AM
From: Gascon Bella
Subject: 2930f intervlan routing
With this setup, can I already have inter-VLAN routing on this and get internet from the FW? I already created FW rules for all VLANs.