Aruba 2930F: how to configure VLANs, routing and Internet access through a DFL-860e firewall and a Traffic Inspector proxy?

The diagram is not complete; in reality there are 9 HP 1920 switches and a VLAN plan (currently everything is in one broadcast domain) with VLANs 10, 20, 30 through 110 (computers, about 250 of them; the rest of the network equipment, about 120 devices, is elsewhere).
1. For the D-Link (192.168.2.2) and the PROXY (192.168.2.10) neither VLANs nor trunks are shown, because it is still not clear to me how best to do it, for example so that among the users in VLAN 70, 5 PCs go to the Internet through the D-Link and the remaining 25 PCs go through the proxy. It should be the same for the other VLANs.
2. How to deal with printers, access points, Wi-Fi, barcode scanners and so on (they have static IPs in 192.168.1.* and 192.168.2.*)? They are connected to the HP 1920 L2 switches.
Maybe for the pros it's not difficult, but for me, herding this zoo into VLANs turned out to be a nontrivial task. Please help!

[attached network diagram: 5a7450b47645a097807202.jpeg]
June 8th 19 at 16:45
3 answers
June 8th 19 at 16:47
Solution
All the hardware is in the lab, except the D-Link and the proxy (those are in production, can't touch them).
I think I should set the IP address of the switch's L3 interface in the corresponding VLAN as the default gateway. On the L3 switch, should I then specify the address of the internal interface of the D-Link or of the proxy as the next hop of the default route (0.0.0.0/0)?
Can the internal interfaces of the D-Link and the proxy be put into separate VLANs?
I'm not really well versed in routing, so I need help.
June 8th 19 at 16:49
Solution
VLANs should contain the machines that need to see each other at L2 but should not see the others on the same physical network. Routing in this case has to be built with policy-based routing (google the concept; the specific settings differ on every router). Roughly speaking, outgoing packets from an internal IP are marked, and then when the routing rules are checked one of the rules sends the packet to a table whose default route differs from the main one. Return packets arrive the regular way; as a rule, the NAT translation will show the correct IP address. If a whole group should be directed this way, mark the packets from all IP nodes in that group with the same mark.

PS: VLANs are not needed on the D-Link and the proxy, since they are reachable only via L3.
But all my VLANs are routed on the L3 box and it works, all computers get addresses via DHCP (only the static ones I haven't set up yet). Why would I route the VLANs through the D-Link?
I need some computers to go to the Internet through the D-Link (NAT is configured) and the others via the Traffic Inspector proxy - francis.Parker39 commented on June 8th 19 at 16:52
Do you need the computers that go to the Internet to be in the same VLAN and the same subnet, able to see each other, but reach the Internet through different nodes? If you don't need L2 visibility, it is easier to move them into different VLANs with different L3 subnets and route their Internet differently. If you do need it, you'll have to write routes for each computer on the L3 box. - sadie_Hop commented on June 8th 19 at 16:55
((Do you need the computers that go to the Internet to be in the same VLAN)) - that is exactly what is not needed. According to the diagram my computers are in different VLANs, routing between VLANs 20, 60, 70, 80, 90 is configured via L3, and they get an address and gateway for their VLAN from DHCP, but they still have no Internet access, as I wrote above (1 - for the D-Link (192.168.2.2) and the PROXY (192.168.2.10) neither VLANs nor trunks are shown, and nothing but the addresses has been configured, because it is still not clear to me how best to do it, for example so that among the users in VLAN 70, 5 PCs go to the Internet through the D-Link and the remaining 25 PCs go through the proxy) - francis.Parker39 commented on June 8th 19 at 16:58
The question again: do those 5 PCs in VLAN 70 that should go to the Internet via the D-Link need to see the other 25 at L2? If not, move them to a separate VLAN. - sadie_Hop commented on June 8th 19 at 17:01
Maxim, at the moment, yes), they do have to see each other! - francis.Parker39 commented on June 8th 19 at 17:04
Then it's bad: https://community.hpe.com/t5/ProCurve-ProVision-Ba... the Aruba 2930F is NOT capable of PBR, and to solve this problem you need PBR. I suggest putting a software firewall (iptables) between the Aruba and the proxy and configuring policy-based routing with ip rule. This would require splitting the subnet of each VLAN into two parts, one to be sent to the D-Link and one to the proxy, configuring DHCP on the Aruba accordingly so that specific PCs land in the "privileged" subnet, and setting it up so that a regular PC cannot set a static address and get out through the router. - sadie_Hop commented on June 8th 19 at 17:07
But the D-Link knows PBR, maybe through it, but I've never done it)) - francis.Parker39 commented on June 8th 19 at 17:10
If it can, then have the Aruba send everything to the D-Link, and on the D-Link route the default to the proxy and the chosen ones (by IP, since there is nothing else) to the gateway. - sadie_Hop commented on June 8th 19 at 17:13
Thanks, I'll try.
Here is what I found: after an update the Aruba can do it too. Creating a PBR policy:
PBR enables you to manipulate a packet's path based on attributes of the packet. Traffic with the same
destination can be routed over different paths, so that different types of traffic, such as VOIP or traffic with special
security requirements can be better managed.

We'll try the D-Link too - francis.Parker39 commented on June 8th 19 at 17:16
At the moment it looks like this:

Aruba-2930F-48G-4SFPP# sh run
Running configuration:

ip route 0.0.0.0 0.0.0.0 192.168.2.10
ip routing
All the configured VLANs go to the Internet through the proxy (the admins' one); computers in the VLANs get IPs from DHCP
vlan 80
name "buh"
tagged 8
ip address 192.168.80.1 255.255.255.0
ip helper-address 192.168.2.99 (the server in VLAN 20)
exit

And the task of splitting users, for example in VLAN 70 having 5 PCs go to the Internet through the D-Link and the remaining 25 PCs through the proxy, I will solve with PBR on the Aruba (after the OS update it knows how to do it).
Thank you all! But if you have suggestions, I'm always willing to listen to advice. - francis.Parker39 commented on June 8th 19 at 17:19
I managed to solve the Internet split using a PBR policy on the Aruba.
The solution looks like this:

Create the classes:
class ipv4 localtraff
   match ip 192.168.30.0/24 192.168.0.0/16
   exit
class ipv4 inettraff
   match ip 192.168.30.0/24 any
   exit
Create the PBR policy (classes are checked in the order listed, so the local-traffic class comes first):
policy pbr traffic
   class ipv4 localtraff
      action ip next-hop 192.168.30.1
      exit
   class ipv4 inettraff
      action ip next-hop 192.168.2.1
      exit
   exit
Apply it inbound on the users' VLAN:
(vlan-30)# service-policy traffic in

The issue has been resolved! Thank you all - francis.Parker39 commented on June 8th 19 at 17:22
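The PBR idea in this answer (match traffic by source, send it to a different next hop, first matching rule wins) and the class/policy config posted above can be sanity-checked before anything is typed into the switch. The following is an added example, not code from the thread or from HPE/Aruba: a small Python model of first-match PBR that generates the same class/policy shape for a VLAN in which a few listed hosts should exit via the D-Link and everyone else via the proxy, then evaluates sample flows against it and shows what goes wrong if the Internet class is listed before the local-traffic class. Addresses are constructed from the thread (192.168.30.0/24 users, D-Link 192.168.2.2, proxy 192.168.2.10); the privileged host list, the class names, and the assumption that a class with no action falls through to normal routing are mine, and the rendered CLI should be checked against the firmware's own manual.

```python
"""Model of first-match policy-based routing for a VLAN whose hosts should exit
via two different gateways. Added example; not code from the thread or from HPE.

Assumptions (mine, not from the page):
  - the switch tries the classes in the order they appear in the policy and
    stops at the first class whose source/destination match;
  - a class with no "action" falls through to the ordinary routing table;
  - the CLI produced by render() follows the shape posted in the thread and
    must be checked against the firmware's manual before use.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Entry:
    name: str
    src: IPv4Network
    dst: IPv4Network
    next_hop: Optional[IPv4Address]   # None: no action, normal routing applies


def build_policy(vlan_net: str, local_nets: str, privileged: List[str],
                 dlink: str, proxy: str) -> List[Entry]:
    """Ordered policy: intra-site traffic stays on normal routing, the listed
    hosts' Internet traffic goes to the D-Link, everyone else's to the proxy.
    Order matters; see lookup()."""
    vlan = IPv4Network(vlan_net)
    entries = [Entry("localtraff", vlan, IPv4Network(local_nets), None)]
    for i, host in enumerate(privileged):
        addr = IPv4Address(host)
        if addr not in vlan:  # a typo here would silently match nothing
            raise ValueError(f"{host} is not in {vlan}")
        entries.append(Entry(f"dlink{i}", IPv4Network(f"{addr}/32"), ANY,
                             IPv4Address(dlink)))
    entries.append(Entry("inettraff", vlan, ANY, IPv4Address(proxy)))
    return entries


def lookup(policy: List[Entry], src: str, dst: str) -> Optional[str]:
    """First-match evaluation. Returns the next hop as a string, or None when
    the packet is left to the normal routing table."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for e in policy:
        if s in e.src and d in e.dst:
            return None if e.next_hop is None else str(e.next_hop)
    return None


def render(policy: List[Entry], vlan_id: int, name: str = "traffic") -> str:
    """Emit class/policy CLI in the shape the thread used (assumed syntax)."""
    out = []
    for e in policy:
        dst = "any" if e.dst == ANY else str(e.dst)
        out += [f"class ipv4 {e.name}", f"   match ip {e.src} {dst}", "   exit"]
    out.append(f"policy pbr {name}")
    for e in policy:
        out.append(f"   class ipv4 {e.name}")
        if e.next_hop is not None:
            out.append(f"      action ip next-hop {e.next_hop}")
        out.append("      exit")
    out += ["   exit", f"vlan {vlan_id}", f"   service-policy {name} in", "   exit"]
    return "\n".join(out)


# Constructed sample: VLAN 30 users, two of them privileged (made-up hosts).
SAMPLE_POLICY = build_policy("192.168.30.0/24", "192.168.0.0/16",
                             ["192.168.30.5", "192.168.30.6"],
                             dlink="192.168.2.2", proxy="192.168.2.10")

if __name__ == "__main__":
    print(render(SAMPLE_POLICY, 30))
    for src, dst in [("192.168.30.5", "192.168.80.7"), ("192.168.30.5", "1.1.1.1"),
                     ("192.168.30.20", "1.1.1.1")]:
        print(src, "->", dst, ":", lookup(SAMPLE_POLICY, src, dst) or "normal routing")
```

The useful check is the misordered case: if the broad "any" class is listed first, traffic from VLAN 30 to other internal VLANs is also steered to the proxy and inter-VLAN routing on the switch silently breaks, which is why the local-traffic class has to sit at the top of the policy.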
June 8th 19 at 16:51
I can't speak for this particular switch, but I would do this:
1. On the L3 switches, bring up the needed VLANs with the corresponding L3 interfaces.
2. Bring up routing between the L3 switches and the D-Link (your D-Link seems to support OSPF) and advertise 0.0.0.0/0 from the D-Link to the L3 switches.
3. If the Aruba can't do OSPF, you'll have to settle for static routes or look towards RIP, which all the hardware seems to have.
4. If the proxy is not transparent, I would leave everything as is: whoever should go to the Internet through the D-Link goes by default, and whoever should use the proxy gets it configured and goes through it.
5. If the proxy is transparent, I would place both of its ports on the D-Link in different VLANs (one internal, the other external).
6. Your D-Link seems to support PBR. Through it I would send traffic from the devices that need Internet via the proxy to the proxy's internal interface.
When there's time I'll try, thanks. And what advice would you give on the second question, about the static devices? - francis.Parker39 commented on June 8th 19 at 16:54
(((2. Bring up routing between the L3 switches and the D-Link (your D-Link seems to support OSPF) and advertise 0.0.0.0/0 from the D-Link to the L3 switches.)))
The principle is clear; it would be good to see, based on my diagram, how to do it! - sadie_Hop commented on June 8th 19 at 16:57
(((3. If the Aruba can't do OSPF, you'll have to settle for static routes)))
The ARUBA 2930F can:
ospf    Configure OSPF, or enter OSPF configuration context.
ospf3   Configure OSPFv3, or enter OSPFv3 configuration context.
pim     Configure PIM, or enter PIM configuration context.
rip     Configure a RIP setting or enter the RIP context.
ripng   Configure a RIPng setting or enter the RIPng context.
vrrp    Configure VRRP, or enter VRRP configuration context.
For example, can you show me how to use OSPF in my setup? - francis.Parker39 commented on June 8th 19 at 17:00
For routing in your scheme the D-Link needs to know about the networks that live on the L3 switches. You need to advertise all routes from the Aruba to the D-Link and accept 0.0.0.0/0 from the D-Link. In your scheme you can throw everything into area 0; here is an example OSPF config for the Aruba, and here is an example for the D-Link.
Printers, barcode scanners, access points and the like would be better separated into segments and then assigned to different VLANs. It all depends on the equipment and its purpose. For example, if your Wi-Fi is only for guests, put it in a separate VLAN and let it sit on its own. If you have 5 printers and each printer is used by a specific segment that you have already put into a VLAN, put the printer there too. Try to divide your entire network into segments (VLANs). I would also prohibit access from one VLAN to another on the Aruba where it's not needed. - sadie_Hop commented on June 8th 19 at 17:03
And what command on the Aruba restricts access from one VLAN to another? - francis.Parker39 commented on June 8th 19 at 17:06
Look here, you need an ACL configuration - sadie_Hop commented on June 8th 19 at 17:09

Tags: HP, System administration, Computer networks