Good day group,

I’m new to Arubas and network switching. At my workplace, we just bought an Aruba 2930F, and we want to switch all connections on our HP ProCurve switch, including PCs and the connections to the firewall and internet, to this Aruba. We are currently in the transitional phase, where we created 3 VLANs on the Aruba switch: VLAN 1 to connect to the default VLAN of the HP switch, VLAN 2 (which acts as a DHCP server) for testing, and VLAN 3 for management. The goal in this phase is for devices in VLAN 2 to have an internet connection.

Here’s the issue. Devices in VLAN 2 can ping VLAN 1 (the default VLAN of the HP switch), but can’t ping the default gateway or the DNS server, and have no internet. Devices in VLAN 1 can connect to the internet and can ping the HP switch, the default gateway and the DNS server, but can’t ping VLAN 2.


Just so you are aware, you have two ProCurve-level switches. The Aruba 2930F is based on the ProCurve OS and is just rebranded as Aruba, so the commands should pretty much all be the same, minus some potential newer firmware features.

What is acting as your layer 3 device that routes between the VLANs? Is it the existing ProCurve or your firewall? The connectivity between the two switches is just a layer 2 connection, and the VLANs defined on the ProCurve just need to be tagged on the uplink port to the new Aruba switch. Those same VLANs need to be defined on the new Aruba and tagged on its uplink port.

Lastly, the default gateway on the Aruba needs to be set to that of your layer 3 device, so it knows which next hop to use to get from one network to another. Reply back with a little more of your topology layout (switches and firewall) so we can see where the hiccup might be.

Good morning Roger, thanks for helping me out, I really appreciate it.
To answer your question, “What is acting as your layer 3 device that routes between the VLANs?”: I just plugged an ethernet cable from port 1 on the Aruba to port 17 on the HP. I haven’t checked that properly, but it seems the existing ProCurve is acting as the layer 3 device right now. Please guide me on how to check that.
Here is the show running-config from the Aruba:
dhcp-snooping
ip default-gateway 192.168.16.2
ip route 0.0.0.0 0.0.0.0 192.168.16.2
ip routing
interface 1
   name "Uplink to HP"
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 13-48
   untagged 1-12,49-52
   ip address 192.168.16.5 255.255.255.0
   exit
vlan 2
   name "VLAN2"
   untagged 25-48
   ip address 192.168.2.1 255.255.255.0
   dhcp-server
   exit
dhcp-server pool "vlan2devices-pool"
   authoritative
   default-router "192.168.2.1"
   dns-server "8.8.4.4,8.8.8.8,192.168.16.20"
   network 192.168.2.0 255.255.255.0
   range 192.168.2.65 192.168.2.200
   exit
A bit more about the context: my manager said the goal of the transitional phase is to get an internet connection for testing devices when plugged into VLAN 2, and once that is done, we’ll start moving real devices and the firewall from the HP to the Aruba. Is this a valid design? I’ve read Aruba documents, but there is quite limited information on this. Thank you.

What model HP Procurve are you coming from? There are at least 3 different OS options there and it would help to know what you have. If for example you were coming from a 2920, you could almost copy/paste your config and swap them.


If you are in an Active Directory environment, that line will possibly come back to bite you.

If your switch is going to be doing L3 routing, as it’s set up right now, then the switch needs to be the default gateway of the devices.

What is this IP 192.168.16.2? Is that the other switch or the router? It should be the router. The router in turn needs a route back in the other direction that has 192.168.16.5/24 → 192.168.2.1, otherwise 192.168.15 will not be able to access the internet.


Hey Patrick, thanks for replying. I’m using 2910al-24G. 192.168.16.20 in dns-server “8.8.4.4,8.8.8.8,192.168.16.20” is currently our DNS server. Also, I believe that according to my manager, our network is relatively small, we don’t have and don’t need any router.
Also, you mentioned: “The router in turn needs a route back in the other direction that has 192.168.16.5/24 → 192.168.2.1, otherwise 192.168.15 will not be able to access the internet.” Does this mean that the firewall needs a static route to VLAN 2 on the Aruba (192.168.2.1)? Thank you Patrick.

Someone is mistaken then, because you have at least 2, if not 3, routers.

Your Aruba switch is configured as a router. Your firewall is by nature a router. The question is, is the 2910al also set up as a router? Any chance you can post that config?


Thank you Patrick, I’ll double check with the manager and get the config of the HP switch. Based on your experience, what do you reckon is the problem? Looking forward to learning from you. Thank you.

The main problem right now is we don’t have a clear understanding of the current setup.

If you have different subnets/VLANs then something has to be a router between them. That can be the firewall or the switch. If it’s the switch, then the firewall needs some additional routes to point back to that switch. If the firewall was doing the routing, then there is little reason to configure the switch as a router.

My comment regarding Active Directory earlier is that if you have a domain controller, you never want to hand out DNS to an external IP such as Google; it should point only at the domain controller.

If however the switch is being used to hand out DHCP for say WiFi guests, then external DNS is fine. I don’t know what 192.168.16.20 is. Usually when someone points to an internal IP for DNS it’s a domain controller. You would not point guests at a domain controller, so having both internal and external entries doesn’t make sense here.

Thank you Patrick, for such a comprehensive response, and obviously new knowledge for me. Unfortunately today is Saturday, and I don’t have access to the system, so I’ll come back on Monday with a response regarding the setup. When you mentioned posting that config, did you mean I should go into the HP switch CLI and run “show running-config”? If not, what would it be?
Thank you again, enjoy your weekend.

You can just type show run, but just make sure to remove any sensitive information before posting. Where do your clients currently point to for their default gateway? The firewall or the other switch?

Good day Patrick,
My apologies for the late reply, we were having a public holiday yesterday.
I just got the config for the HP switch:
hostname "ProCurve 2910al - 24G Switch"
type J9145A
ip default-gateway 192.168.16.2
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   ip address 192.168.16.48 255.255.255.0
   exit
vlan 2
   name "VLAN 2"
   tagged 17
   no ip address
   exit
ip route 192.168.2.0 255.255.255.0 192.168.16.5
Key:
Port 17 is currently holding connection between Aruba VLAN 1 and the HP switch.
192.168.16.5 is the IP address of Aruba VLAN 1
I can’t check the 192.168.2.0, but if it’s important, I’m sure this is the gateway to the Internet.

Morning Roger, about your question, I’m pretty sure that the L3 device between Firewall and HP is the HP.
Regarding this one “The connectivity between the two switches are just a layer 2 connection and VLANs defined on the Procurve just need to be tagged on the uplink port to the new Aruba switch. Those same VLANs defined on the new Aruba and tagged on the uplink port.” Did you mean that I should tag 2 VLANs on HP to port 17? ChatGPT said that port 1 on Aruba should be tagged with VLAN 2 and untagged with VLAN 1 of Aruba. Please correct me if I’m wrong. Thank you Roger.
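An added check, not code from anyone in this thread, for Roger's point that both ends of a switch-to-switch link have to carry the same VLANs in the same way (tagged or untagged). It is a small Python parser for the VLAN blocks of a ProCurve/ArubaOS-Switch running-config, run over the two configs posted above (constructed here, trimmed to the VLAN lines and with straight quotes). The second run adds `tagged 1` to VLAN 2 on the Aruba; that is an assumption about one way to make the two ends agree, not something either switch currently has, and whether VLAN 2 should cross that link at all depends on which device is doing the routing, which Patrick's replies cover.

```python
import re

# Sub-commands that may appear inside a "vlan N" block; anything else ends the block.
VLAN_SUBCMDS = {"name", "tagged", "untagged", "no", "ip", "ipv6", "dhcp-server", "jumbo", "voice"}

# Constructed from the two configs posted in the thread, trimmed to the VLAN lines.
ARUBA_CFG = """
vlan 1
   name "DEFAULT_VLAN"
   no untagged 13-48
   untagged 1-12,49-52
   ip address 192.168.16.5 255.255.255.0
   exit
vlan 2
   name "VLAN2"
   untagged 25-48
   dhcp-server
   exit
"""
HP_CFG = """
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   exit
vlan 2
   name "VLAN 2"
   tagged 17
   no ip address
   exit
ip route 192.168.2.0 255.255.255.0 192.168.16.5
"""


def expand_ports(spec):
    """Expand a ProCurve port list such as "1-12,49-52" or "17" into a set of ints."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    return ports


def parse_vlans(config):
    """Return {vlan_id: {"tagged": set, "untagged": set}} from a running-config.
    Only explicit membership lines are read; the factory default of every port
    being untagged in VLAN 1 is not modelled."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
            vlans.setdefault(current, {"tagged": set(), "untagged": set()})
            continue
        if current is None:
            continue
        if line == "exit" or line.split()[0] not in VLAN_SUBCMDS:
            current = None  # left the VLAN block
            continue
        m = re.match(r"^(no )?(tagged|untagged) (.+)$", line)
        if not m:
            continue
        negate, mode, spec = m.groups()
        ports = expand_ports(spec)
        if negate:
            vlans[current][mode] -= ports
            continue
        vlans[current][mode] |= ports
        if mode == "untagged":
            # a port is untagged in at most one VLAN, so it leaves any other one
            for vid, members in vlans.items():
                if vid != current:
                    members["untagged"] -= ports
    return vlans


def port_vlans(vlans, port):
    """VLANs carried on one port as {vlan_id: "tagged" | "untagged"}."""
    return {vid: ("untagged" if port in m["untagged"] else "tagged")
            for vid, m in vlans.items() if port in m["untagged"] or port in m["tagged"]}


def check_uplink(cfg_a, port_a, cfg_b, port_b, name_a="A", name_b="B"):
    """Compare both ends of a switch-to-switch link; an empty list means they agree."""
    a = port_vlans(parse_vlans(cfg_a), port_a)
    b = port_vlans(parse_vlans(cfg_b), port_b)
    problems = []
    for vid in sorted(set(a) | set(b)):
        if vid not in a:
            problems.append(f"VLAN {vid} is {b[vid]} on {name_b} port {port_b} but absent on {name_a} port {port_a}")
        elif vid not in b:
            problems.append(f"VLAN {vid} is {a[vid]} on {name_a} port {port_a} but absent on {name_b} port {port_b}")
        elif a[vid] != b[vid]:
            problems.append(f"VLAN {vid} is {a[vid]} on {name_a} port {port_a} but {b[vid]} on {name_b} port {port_b}")
    return problems


if __name__ == "__main__":
    for p in check_uplink(ARUBA_CFG, 1, HP_CFG, 17, "Aruba", "HP") or ["uplink VLANs match"]:
        print(p)
```

Run as-is, it reports that VLAN 2 is tagged on HP port 17 but not present on Aruba port 1, so any VLAN 2 frames the HP tags towards the Aruba are dropped on arrival; with `tagged 1` added under `vlan 2` on the Aruba the report is empty.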

Is there an “ip routing” command on that 2910al as well?

If you look at any of your client devices, what is the default gateway of the device pointing at? It’s going to point to either your firewall or one of the switch IPs. That will tell you which device is doing the routing.

On the ProCurve 2910al, I ran show ip, and I get this:
IP Routing: Disabled
Default Gateway: 192.168.16.2
DNS server: empty
VLAN 2: disabled
This is what I get when I run show running-config:
ip route 192.168.2.0 255.255.255.0 192.168.16.5
When I connect my Linux machine to the HP switch and run ip route, it returns: default 192.168.16.254
The same thing happens when I plug into VLAN 1 on the Aruba.
When I plug into VLAN 2 on the Aruba, it returns default 192.168.2.1, which is the IP address of VLAN 2.
I’m quite confused about the results of show run and show ip.
Any advice? Thanks Patrick.

Okay, so the 2910al is not routing. The 2930 is configured for routing but it’s only doing that if clients use it for their default gateway.

The Aruba is handing out DHCP, and that is the default gateway it is handing out. What was doing DHCP before you added the Aruba?

Getting back to my earlier point, if your firewall/internet gateway is 192.168.16.2 (and I don’t believe we have confirmed it is), then VLAN 1 will be able to get out to the internet and back because the firewall would be in the same local subnet, therefore the firewall knows how to get traffic back to the client. The firewall however does not know about the network 192.168.2.0/24 if you have not somehow told it by the use of routing protocols, or by explicitly adding a route into that device in the form of 192.168.2.0/24 with a destination of 192.168.16.5. This tells the firewall hey if you need to deliver traffic back to 192.168.2.xx, send it to 192.168.16.5, it’s doing the routing for that network and it will know where to send the traffic.
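An added walk-through (my example, not code from anyone in this thread) of the return-path problem Patrick describes in this post. It models each device's routing table with longest-prefix matching and traces a packet from a VLAN 2 client out to the internet and the reply back, once without and once with the static route on the firewall. Addresses follow the thread (Aruba 192.168.16.5 and 192.168.2.1, client default route 192.168.16.254); that 192.168.16.254 is the firewall's inside address, and the firewall's outside address and upstream in the 203.0.113.0/24 documentation range, are assumptions. NAT is left out, since the point is only which way the firewall forwards the reply.

```python
import ipaddress


class Node:
    """A host or router: interface addresses plus static routes (network, next hop).
    Connected networks are added automatically as routes with no next hop."""

    def __init__(self, name, addresses, routes=(), catch_all=False):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in addresses]
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh)) for p, nh in routes]
        self.routes += [(i.network, None) for i in self.ifaces]
        self.catch_all = catch_all  # the "internet" node: counts as owning every global address

    def owns(self, ip):
        return (self.catch_all and ip.is_global) or any(ip == i.ip for i in self.ifaces)

    def lookup(self, dst):
        """Longest-prefix match; returns the next hop, None for directly connected,
        or raises LookupError when no route (not even a default) covers dst."""
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(nodes, start, dst, max_hops=8):
    """Follow a packet for dst hop by hop from node `start`; returns (status, path)."""
    dst = ipaddress.ip_address(dst)
    current, path = nodes[start], [start]
    for _ in range(max_hops):
        if current.owns(dst):
            return "delivered", path
        try:
            nh = current.lookup(dst)
        except LookupError:
            return "no route", path
        target = dst if nh is None else nh
        nxt = next((n for n in nodes.values() if n.owns(target)), None)
        if nxt is None:
            return "next hop unreachable", path
        path.append(nxt.name)
        if path.count(nxt.name) > 1:
            # the packet went back to a device it already passed; a firewall with no
            # route for 192.168.2.0/24 sending the reply out its default route looks like this
            return "routing loop", path
        current = nxt
    return "hop limit exceeded", path


def build(firewall_knows_vlan2):
    """Topology from the thread; firewall inside/outside and upstream addresses are assumptions."""
    fw_routes = [("0.0.0.0/0", "203.0.113.1")]
    if firewall_knows_vlan2:
        # the static route Patrick describes: 192.168.2.0/24 via the Aruba's VLAN 1 address
        fw_routes.append(("192.168.2.0/24", "192.168.16.5"))
    nodes = [
        Node("pc-vlan2", ["192.168.2.100/24"], [("0.0.0.0/0", "192.168.2.1")]),
        Node("aruba-2930f", ["192.168.16.5/24", "192.168.2.1/24"], [("0.0.0.0/0", "192.168.16.254")]),
        Node("firewall", ["192.168.16.254/24", "203.0.113.2/24"], fw_routes),
        Node("internet", ["203.0.113.1/24"], [("0.0.0.0/0", "203.0.113.2")], catch_all=True),
    ]
    return {n.name: n for n in nodes}


if __name__ == "__main__":
    for known in (False, True):
        net = build(known)
        print(f"firewall has a route to 192.168.2.0/24: {known}")
        print("  out: ", trace(net, "pc-vlan2", "8.8.8.8"))
        print("  back:", trace(net, "internet", "192.168.2.100"))
```

The outbound trace succeeds either way, because every hop has a default route pointing further out. The reply only reaches the client when the firewall has the explicit route back via 192.168.16.5; without it the firewall's longest match for 192.168.2.100 is its default route and the packet heads back upstream, which is exactly the one-way connectivity described at the top of the thread.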

Thank you Patrick. I just discussed this with my manager, and we did mistakenly configure the default gateway as 192.168.16.2; it should be 192.168.16.254. We have managed to put it back.
Getting back to your earlier point, I understand that, and even ChatGPT, Grok and some old HP documents suggest the same approach, which is adding a static route to let the firewall know how to pass traffic to Aruba VLAN 2 via Aruba VLAN 1. I just asked my manager, and he replied that it would be quite hectic to work with. Is there any alternative to it, or is that the most effective way?
Thanks so much Patrick, really appreciate your help so far.

What’s hectic about it? Should take like 5 minutes including the time to walk over to your computer, boot it, log in, and load up the firewall config :) They may have other reasons they don’t want to do it, or they may not know how. That’s fine. You do not need to do IP routing on the switch, it’s just an option to do so and very popular if you have a lower end firewall that isn’t really capable of routing all that traffic at full wire speed.

If the firewall is doing the routing between VLANs, then you do not need a route back to the switch. If that is the case, you should issue a “no ip routing” on the switch and turn that off. That would remove some ambiguity. This would mean the firewall has internal IP addresses on both VLANs and the clients would have their default gateway pointed to those IP addresses. That means updating your DHCP scope to give out the correct gateway.

Again as I don’t know what your internal firewall IPs are I can only assume that’s what it should be set to. I don’t know what device 192.168.16.254 belongs to.

Your issue, as Patrick has pointed out, is that your Fortigate is not aware of that new VLAN, so traffic that needs to route to it gets routed by the Fortigate out the default route. That would be simple to fix. Fortigates are very straightforward for routing.

Honestly, with your small network, you are making things FAR more complicated on yourself by having your 2930F handle DHCP and routing for this new VLAN. It would be MUCH easier to let the Fortigate handle all that, as it could then be the one and only router for your network, and your 2910al and 2930 could simply operate on layer 2.

I have several offices with Fortigates and HP/Aruba switches. I define all the VLANs on the Fortigates, set one port on the switch to be untagged on the default VLAN, and tagged on all the other VLANs, then I just set the ports as needed on the switch. No need for DHCP settings on the switch, and no need to set any IP addresses on any VLAN other than whichever VLAN you want to manage the switch from (I usually just give the switch an IP on the default VLAN, and set the others to “no IP address”).

Speaking of the Fortigate, if it’s really a 30D, then replacing it should be of higher priority than replacing that 2910al, as the 30D is exposed to the internet and is End of Life. Hopefully, you are on the newest firmware for it, as there are several vulnerabilities on all but the latest firmware for that Fortigate. Fortinet recently released a 30G, which is the same level, but three generations newer. That, or a 40F (one level higher and two generations newer) would be a great upgrade, and very easy to implement. For very little extra money, Fortinet will take your old 30D config and convert it to work on the new unit, so all you’d need to do is fire up the new unit, restore the converted config, and then swap the cables from the old to the new. The FortiConverter service is a one-time fee.

I currently have an HP 2910al, an Aruba 2930F, and four old Fortigate 60Ds sitting in my office. LOL I learned VLANs with the Fortigate 60D and a HP 2910al years ago.

Good day Charles.
Thanks for sharing your experience. I just started working with networking and switching like, 1 week ago, and the plan was made by my manager, as I didn’t know anything about networking and switching, besides some old textbooks from uni.
Will definitely report this one back to my manager. Thanks so much.