That's clear, you can have a Layer 2 VLAN on your Layer 3 Aruba 3810M (acting as Layer 3 = routing for its SVI), since the VLAN for Guests is not going to have an SVI interface on the Aruba 3810M (but that VLAN will have the SVI on the dedicated ISP Router) then that VLAN is not going to participate in the IP routing provided by the Switch to its other directly connected VLANs with IP addresses (SVI)...in other terms...that VLAN for Guest is just a Layer 2 extension from the ISP LAN port (and this explains why you need proper tagging on the Aruba 3810M dedicated uplink port to that ISP Router, that's driven by the ISP Router LAN port settings where you will place the IP Address acting as the Gateway for your Guests and other relevant information such as the VLAN tagging). The other VLANs with IP Addresses managed by the Aruba 3810M will be routed by the switch and will not interfere with the VLAN for Guests.
My reference about using ACLs is due to the fact that (sometimes) the VLAN for Guests needs to be separated from other Corporate VLANs but some Corporate services are provided by communicating with protected Corporate VLANs, clearly that is not your case since for your Guests you have a fully autonomous infrastructure (apart from the Aruba 3810M which is the bridge through which your Guests will reach their Internet Router <- so the VLAN for Guests is not "physically" separated from other Corporate VLANs despite the fact Guests will probably use a dedicated WiFi or Wired connectivity and, for sure, a dedicated Router for Internet access).
------------------------------
Davide Poletto
------------------------------
Original Message:
Sent: May 18, 2022 07:33 AM
From: Markus Huether
Subject: Inter-VLAN-Routing 3810M JL075A
Hi, there is no corporate Internet traffic out using Guest VLAN. The guest VLAN will have its own connection to the internet.
The 3810M is set as Layer 3. All other switches are Layer 2.
Is it enough on the 3810M to give the guest VLAN no IP to act as a Layer 2 VLAN on the Layer 3 switch? Or do I have to set a command for the guest VLAN to act as a Layer 2 VLAN?
thanks
NYX
------------------------------
Markus Huether
Original Message:
Sent: May 18, 2022 06:20 AM
From: Juha-Pekka Leppänen
Subject: Inter-VLAN-Routing 3810M JL075A
Hi
If the Guest VLAN is L2 only on the switches I don't see any security issues.
L3 interfaces You have on switches can neither communicate nor share any information with L3 on ISP router. Assuming You don't route corporate Internet traffic out using Guest Vlan L3 = only Guest Vlan ports are able to use ISP router for any routing to Internet only.
Corporate users have separated Internet access, right.
If hard isolation is required:
Strict option is to use Private VLAN, this really isolates all but gives access to Gw port of ISP router and further if needed isolates traffic between switch ports in Guest Vlan so it provides isolation restricting even Guest Vlan users to see each other (p-2-p blocking). I don't think this is what You are seeking but if required:
https://techhub.hpe.com/eginfolib/Aruba/16.09/5200-5909/index.html#v35726672.html
And You can test Your solution with Your PC only before implementing it to production finally. To verify.
Br
Juha-Pekka
------------------------------
Juha-Pekka Leppänen
Original Message:
Sent: May 17, 2022 10:20 AM
From: Markus Huether
Subject: Inter-VLAN-Routing 3810M JL075A
Hi,
I have a question, I run a 3810M in Layer 3 mode with 10 VLANs and one ACL on a VLAN. Now I need a Guest VLAN. This VLAN needs Layer 2 function only.
This Guest VLAN must be completely isolated from the routing.
What is your opinion to set this?
Regards
NYX
------------------------------
Markus Huether
------------------------------
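An added example, not part of the thread: a small Python audit for the point discussed above, that a guest VLAN with no IP address on the routing switch stays Layer 2 only. The configuration text is a constructed sample in ArubaOS-Switch running-config style, and the VLAN IDs, names, port numbers and function names are assumptions.

```python
import re

# Constructed sample in ArubaOS-Switch running-config style (not from the thread).
SAMPLE_CONFIG = """\
ip routing
vlan 10
   name "Corporate"
   untagged 1-20
   ip address 10.0.10.1 255.255.255.0
   exit
vlan 99
   name "Guest"
   untagged 21-40
   tagged 48
   no ip address
   exit
"""

def parse_vlans(config):
    """Return {vlan_id: [stanza lines]} for every 'vlan N' ... 'exit' block."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            current = int(m.group(1))
            vlans[current] = []
        elif line == "exit":
            current = None
        elif current is not None and line:
            vlans[current].append(line)
    return vlans

def audit_l2_only(config, vlan_id):
    """List findings that would give vlan_id an SVI on this switch."""
    vlans = parse_vlans(config)
    if vlan_id not in vlans:
        return [f"vlan {vlan_id} is not defined"]
    findings = []
    for line in vlans[vlan_id]:
        # A static or DHCP address puts the VLAN into the switch's routing table;
        # 'no ip address' starts with 'no' and is therefore not matched.
        if re.match(r"(ip|ipv6) address\b", line):
            findings.append(f"vlan {vlan_id} has an L3 interface: '{line}'")
    return findings

if __name__ == "__main__":
    print(audit_l2_only(SAMPLE_CONFIG, 99) or "vlan 99 is Layer 2 only")
```

Run it against a saved copy of the running configuration after each change to confirm the guest VLAN has not picked up an address.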