Awesome, thank you sir. I feel I have learned a lot from this thread by reading your replies. I have a better understanding of Aruba switch inter-VLAN routing now!
Original Message:
Sent: May 09, 2023 01:39 PM
From: parnassus
Subject: 2540, 2930F, 3810M SVI Inter-vlan routing vs RoaS
"After disabling IP routing, the 2540 will become an L2 device with an IP default gateway of 10.0.130.1, which is the Firewall's physical interface IP address."
OK, does the VLAN ID associated with the network segment where 10.0.130.1 is addressed reach (read: is it transported to) the Firewall? The Switch will be reachable on its IP address on that VLAN ID. The Switch, in that regard, is acting as a host with an IP address and a Default Gateway (which is normally the Firewall, or whichever device is able to route to any other network).
"Will the traffic from switch VLAN 64 (10.6.4.0) and VLAN 62 (10.6.2.0) still be able to be transmitted to the SVI sub-interfaces 10.6.4.1 and 10.6.2.1 on the Firewall?"
Yes, provided that - exactly as above (and since the Switch acts as a simple L2 device) - VLAN ID 62 and VLAN ID 64 are transported (tagged) up to the Firewall's interface through the Switch-Firewall uplink, where on the Firewall both the VLAN ID 62 and VLAN ID 64 SVI addresses are configured (say 10.6.2.1 and 10.6.4.1, just as an example). Routing between those VLANs is now the Firewall's job; the VLANs are just "allowed to flow" up to the Firewall from the ports where there are access peers (that's expected, except probably for the VLAN ID used for management purposes, which could easily end on the uplink interface on the Switch side). Clearly clients need to be correctly addressed on those two network segments and use the Firewall's SVIs as their DG addresses. No static routes are necessary on the Switch (as per what I wrote in my previous reply).
Original Message:
Sent: May 09, 2023 12:57 PM
From: desong1011
Subject: 2540, 2930F, 3810M SVI Inter-vlan routing vs RoaS
Thanks for taking the time to help me with my question.
Yes, if I am correct, both my firewall and switch are responsible for routing as I previously set it up, which is what I am trying to get a better understanding of.
My firewall has all the sub-interfaces that are associated with the VLAN IDs, and my switch is an L3 device.
I will test it out in both cases.
For my last question, I just want to make sure I fully understand now by confirming that the following is going to work towards achieving the RoAS solution, or Case A.
After disabling IP routing, the 2540 will become an L2 device with an IP default gateway of 10.0.130.1, which is the Firewall's physical interface IP address. Will the traffic from switch VLAN 64 (10.6.4.0) and VLAN 62 (10.6.2.0) still be able to be transmitted to the SVI sub-interfaces 10.6.4.1 and 10.6.2.1 on the Firewall?
Original Message:
Sent: May 09, 2023 09:07 AM
From: parnassus
Subject: 2540, 2930F, 3810M SVI Inter-vlan routing vs RoaS
Hi!
"If I remove IP routing on my switch, I assume inter-vlan routing is still working."
Why do you believe that inter-VLAN routing will still work once you disable the IP routing feature on your routing Switch? Who will be responsible for IP routing for your VLANs if your Switch is not? A Firewall?
My answer is: don't assume...it will not work the way you believe it would.
If we consider a starting scenario where your Switch is the only one responsible for inter-VLAN routing and for routing to external destinations (via the specified Next Hop Gateway 10.0.130.1) - as per the running configuration you posted - then, once you disable the IP routing feature on it, all IP routing is going to stop immediately at Switch level, since the Switch itself will become an L2 device, and an L2 device doesn't route.
With the IP routing feature disabled you can (re)enable the Switch's Default Gateway option (the Default Gateway option has no value when IP Routing is enabled but regains value when the IP Routing feature is disabled; that is to say, your switch - for just itself and not for routing other traversing traffic - will know what NHG to use to communicate externally), but that's all: the configured Static Routes you posted will not - if I'm not mistaken - route anything to anywhere, anymore (and I doubt those Static Routes have ever worked in the past with the IP Routing feature enabled, or will work as a workaround against having the IP Routing feature disabled [*]).
With the IP routing feature disabled, the only solution (for IP routing to work again) is to transport the VLAN segments through a physical/logical uplink (your port 47 looks like an uplink, since it is a tagged member of all your VLANs minus the default VLAN 1, isn't it?) to an external Routing Device, a Firewall for example...and that external Routing Device will have the VLAN IP interfaces (SVIs) and will do the routing...but that is exactly Case "A" (Switch operating at L2 and an external Router operating at L3 doing all the routing).
[*] Example: ip route 10.6.1.0 255.255.255.248 10.6.1.1 means - literally - to reach 10.6.1.0/29 (so from host 10.6.1.1 to host 10.6.1.6) use 10.6.1.1 as the next hop <- does it make sense? IMHO no.
Original Message:
Sent: May 08, 2023 05:04 PM
From: desong1011
Subject: 2540, 2930F, 3810M SVI Inter-vlan routing vs RoaS
Hi Parnassus,
Thank you for stepping up to help me out. Your replies to other posts have helped me even before my first post here.
It seems like my current branch office network setting is Case C. After reading your post, I would like to adopt Case A for all branch offices and Case B for the main office.
I have a couple of follow-up questions, but want to know this one first:
1. If I remove IP routing on my switch, I assume inter-VLAN routing is still working.
ip dns server-address priority 1 8.8.8.8
ip dns server-address priority 2 75.75.75.75
ip route 0.0.0.0 0.0.0.0 10.0.130.1
ip route 10.6.1.0 255.255.255.248 10.6.1.1
ip route 10.6.2.0 255.255.255.248 10.6.2.1
ip route 10.6.3.0 255.255.255.248 10.6.3.1
ip route 10.6.4.0 255.255.255.248 10.6.4.1
ip route 10.6.5.0 255.255.255.240 10.6.5.1
ip route 10.6.6.0 255.255.255.248 10.6.6.1
ip routing
vlan 1
name "Data"
no untagged 1,9,11-12,15-16,18-19,25-26
untagged 2-8,10,13-14,17,20-24,27-52
no ip address
exit
vlan 61
name "Staff"
untagged 9,15-16,18
tagged 47
ip address 10.6.1.2 255.255.255.248
ip helper-address 10.6.1.1
exit
vlan 62
name "Video"
untagged 25-26
tagged 47
ip address 10.6.2.2 255.255.255.248
ip helper-address 10.6.2.1
exit
vlan 63
name "AP"
untagged 19
tagged 47
ip address 10.6.3.2 255.255.255.248
ip helper-address 10.6.3.1
exit
vlan 64
name "Printer"
untagged 11-12
tagged 47
ip address 10.6.4.2 255.255.255.248
ip helper-address 10.6.4.1
exit
vlan 65
name "Voice"
tagged 1-52
ip address 10.6.5.2 255.255.255.240
ip helper-address 10.6.5.1
voice
exit
Original Message:
Sent: May 08, 2023 02:03 PM
From: parnassus
Subject: 2540, 2930F, 3810M SVI Inter-vlan routing vs RoaS
Hi, IMHO you have basically two main (best-practice) scenarios to follow in architecting Core<->Firewall relationships (and thus internal, inter-VLAN, routing responsibilities), just to simplify:
Case A - The Firewall acts, in addition to normally being the NHG to all other external networks (as per its configured access policies and LAN/WAN routing), as the router for all your internal VLAN ID segments -> any downlinked switch (at any level: Core, Distribution and Access) will then act as a simple L2 switch (no ip routing) and any required VLAN needs to be transported (read: tagged) on every uplink up to the Firewall's LAN ports, traversing your topology as required. SVIs are on the Firewall. The Firewall is the only Router. Switches (any) don't participate in any routing. Clients point to the Firewall's SVIs as their DGs.
Case B - The Firewall acts only as the NHG to all other external networks for your routing Core (as per the Firewall's configured access policies and LAN/WAN routing) and traffic is routed using a dedicated Transit VLAN between it and the first peer (the Core switch). The Core Switch, in turn, acts as the router for all your internal VLAN ID segments (ip routing enabled) and has just a static Last Resort Route to the Firewall for any non-directly-connected networks (directly connected networks are routed via the Core's SVIs and its routing feature at backplane speed). The Firewall should be configured to reach the internal VLAN segments via the Transit VLAN (static routing).
Sadly, there is a very common variant - let me call it Case C - of the two cases above: the Firewall's LAN interface could have just an IP address on a standard VLAN (network segment) routed by the Core...it's very common...not a best-practice approach.
Switch does inter-VLAN routing as per Case B or C -> segregation of segments -> (Stateless) ACLs
Firewall does inter-VLAN routing as per Case A -> segregation of segments -> Firewall (Stateful) Access policies.
The latter requires an evaluation of routing throughput over the uplink(s), since all inter-VLAN traffic is going to traverse (be routed by) the Firewall's LAN interface (so not only the obvious traffic from/to external networks/Internet).
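Added example (not from this thread, and not Aruba's or the posters' code): a small Python checker that reads an ArubaOS-Switch style config and reports which of the three cases above it matches, plus the two problems raised in the May 09, 09:07 AM reply further up: static routes whose next hop sits inside their own destination prefix (the [*] remark) and, for Case A, VLANs with access ports that are not carried on the uplink. It understands only the commands that appear in the posted config; the uplink port number (47) is an assumption, the POSTED string is abridged from the config posted in this thread, and the CASE_A and CASE_B configs are constructed for illustration.

```python
"""Classify an ArubaOS-Switch style config as Case A / B / C (the layouts in this
thread) and flag the static-route and uplink-tagging problems raised in it.  Added
example for this thread, not Aruba's code and not the poster's; it parses only ip
routing, ip default-gateway, ip route, vlan, tagged, untagged, ip address and exit.
The uplink port number (47 in the thread) is an assumption."""
from __future__ import annotations
import ipaddress, re
from dataclasses import dataclass, field

@dataclass
class Vlan:
    vid: int
    ports: set[int] = field(default_factory=set)      # tagged and untagged members
    svi: ipaddress.IPv4Interface | None = None         # "ip address" under the VLAN

@dataclass
class Cfg:
    ip_routing: bool = False
    default_gateway: ipaddress.IPv4Address | None = None
    routes: list = field(default_factory=list)        # [(IPv4Network, next hop)]
    vlans: dict = field(default_factory=dict)         # vid -> Vlan

def parse_config(text: str) -> Cfg:
    cfg, vlan = Cfg(), None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        w = line.split()
        if line == "ip routing":
            cfg.ip_routing = True
        elif line.startswith("ip default-gateway "):
            cfg.default_gateway = ipaddress.ip_address(w[2])
        elif line.startswith("ip route "):
            cfg.routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), ipaddress.ip_address(w[4])))
        elif m := re.fullmatch(r"vlan (\d+)", line):
            vlan = cfg.vlans.setdefault(int(m[1]), Vlan(int(m[1])))
        elif line == "exit":
            vlan = None
        elif vlan is not None and w[0] in ("tagged", "untagged"):  # "no untagged" is ignored
            for lo, _, hi in (p.partition("-") for p in w[1].split(",")):  # '2-8,10' style lists
                vlan.ports.update(range(int(lo), int(hi or lo) + 1))
        elif vlan is not None and line.startswith("ip address "):
            vlan.svi = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
    return cfg

def svi_vlan_for(cfg: Cfg, ip: ipaddress.IPv4Address) -> Vlan | None:
    """VLAN whose SVI subnet contains ip, i.e. where ip is directly reachable."""
    return next((v for v in cfg.vlans.values() if v.svi and ip in v.svi.network), None)

def check_routes(cfg: Cfg) -> list[str]:
    """A static route only does work when the switch routes, its next hop is on a
    directly connected subnet, and that next hop is not inside the prefix itself."""
    if not cfg.ip_routing:  # L2 switch: only ip default-gateway matters, and only for the switch itself
        return ["ip routing off: 'ip route' entries forward nothing"] if cfg.routes else []
    out = ["ip default-gateway is ignored while ip routing is on"] if cfg.default_gateway else []
    for net, nh in cfg.routes:
        if net.prefixlen and nh in net:
            out.append(f"{net} via {nh}: next hop lies inside the destination prefix")
        elif svi_vlan_for(cfg, nh) is None:
            out.append(f"{net} via {nh}: next hop is not on any SVI subnet")
    return out

def check_uplink_for_case_a(cfg: Cfg, uplink: int) -> list[str]:
    """Case A: every VLAN with access ports must also be carried on the uplink."""
    return [f"VLAN {v.vid}: has access ports but is not carried on uplink {uplink}"
            for v in sorted(cfg.vlans.values(), key=lambda v: v.vid)
            if v.ports - {uplink} and uplink not in v.ports]

def classify(cfg: Cfg, uplink: int) -> str:
    """A: ip routing off, the firewall routes.  B: routing switch, last-resort next hop
    on a transit VLAN holding only the uplink.  C: that next hop on a VLAN with access
    ports too.  ?: no last-resort route, or its next hop is on no SVI subnet."""
    if not cfg.ip_routing:
        return "A"
    last = [nh for net, nh in cfg.routes if net.prefixlen == 0]
    v = svi_vlan_for(cfg, last[0]) if last else None
    return "?" if v is None else ("B" if v.ports <= {uplink} else "C")

# Abridged from the config posted in this thread: default route, VLAN 62 and its route.
POSTED = """ip route 0.0.0.0 0.0.0.0 10.0.130.1
ip route 10.6.2.0 255.255.255.248 10.6.2.1
ip routing
vlan 62
   untagged 25-26
   tagged 47
   ip address 10.6.2.2 255.255.255.248
   exit"""
# Constructed Case A: ip routing off, VLAN 62 trunked to the firewall, switch is a host on VLAN 130.
CASE_A = """ip default-gateway 10.0.130.1
vlan 62
   untagged 25-26
   tagged 47
   exit
vlan 130
   tagged 47
   ip address 10.0.130.10 255.255.255.0
   exit"""
# Constructed Case B: routing switch, /30 transit VLAN 999 to the firewall, one last-resort route.
CASE_B = """ip routing
ip route 0.0.0.0 0.0.0.0 10.0.130.1
vlan 999
   tagged 47
   ip address 10.0.130.2 255.255.255.252
   exit"""
```

Run over the three inputs, classify() returns "?", "A" and "B" respectively: the abridged posted config cannot be classified because, as posted, no SVI subnet contains the default-route next hop 10.0.130.1, and check_routes() flags both that and the 10.6.2.0/29 route whose next hop is inside its own prefix. Adding access ports to the transit VLAN turns the Case B answer into "C", and dropping "tagged 47" from a VLAN in the Case A config makes check_uplink_for_case_a() report it.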
Original Message:
Sent: May 06, 2023 10:58 AM
From: desong1011
Subject: 2540, 2930F, 3810M SVI Inter-vlan routing vs RoaS
Hi all,
Although I was able to enable SVI inter-VLAN routing for one of our branch offices with a 2540 switch and a SonicWall, I want to get a better understanding of, and the best practice for, Aruba SVI inter-VLAN routing as I move forward to a bigger project.
Here is what I did for the branch office:
On the SonicWall, I created a sub-interface for each VLAN, and set up a DHCP server for each VLAN if needed.
On the 2540, I enabled IP routing, assigned an IP address to each VLAN interface, added an ip-helper address to each VLAN, and added a static route to the sub-interface IP address on the SonicWall.
Is this setup SVI or RoaS?
Since the 2540, 2930F and 3810M are all layer 3 switches, I definitely prefer to use SVI rather than RoaS. However, creating sub-interfaces on the Firewall makes me think it is RoaS, not SVI. Please help me understand if I did something unnecessary or missed something else.
As I move forward to set up VLANs at the main office, whose network has a three-layer architecture design, I want to enable inter-VLAN routing at the distribution layer. Do I have to create sub-interfaces on the Firewall too? And repeat the same steps I did at the branch office?
The topology is:
Router/Firewall- SonicWall
CoreSwitch - 6300
Distribution - 3810M
Access - 2930F stacking
Thanks in advance!