Help adding DIA to existing switch preconfigured with VLAN

hch-ntaylor
Visitor

I've been playing with computers a long time, but I've never had the chance to play with switches until today. I've been with my current company for 2 months and am learning their network configuration by being thrown into the deep end. Let me explain what I have and then what I need to do, and we can go from there.

There are 2 office locations (down the street from each other). They have different operations and were set up with different IP address tables (DHCP handled by a server). We'll call location 1 "Home" and location 2 "Remote". Home has a dedicated internet access (DIA). That comes into a SonicWall firewall (managed by the ISP). It then goes into an HP 2920 that passes it along to everyone in the building and the servers. There is a pipeline (EPL) that is also connected here that leads to Remote. Remote has an HP 2920 but no DIA. All internet traffic at Remote has been routing through the EPL to Home. Home uses 192.168.1.x. Remote uses 192.168.9.x. The EPL VLAN uses 172.x.x.x. That's how it is currently built (configured by an expensive 3rd party). Now, management has decided that Remote needs its own DIA so we don't rely on the pipe for internet access but only for the VLAN (access to the DNS and other servers at Home). They've also decided that we need to use a SonicWall for security at Remote. Our ISP has turned up a new port on their box and we've been given a range of IP addresses. I've connected a computer to the SonicWall and connected the SonicWall to the ISP, and everything works dandy.

However, I cannot figure out how to get the HP 2920 to allow internet traffic through the SonicWall and traffic to Home through the VLAN. I'm very new to networking, so any help would be greatly appreciated. I'm assuming that the default gateway would need to be updated to the SonicWall's IP address, but whenever I try to change it via the web portal, it reverts back. I've found my way into a console connection, but the menu under console doesn't give an option for the default gateway.

I'm very new to networking and any assistance would be GREATLY appreciated. We're a non-profit organization, so we'd rather not have to pay big bucks for the expensive 3rd party to come in to do this.

Vince-Whirlwind
Honored Contributor

Re: Help adding DIA to existing switch preconfigured with VLAN

It sounds like you are trying to set an IP default gateway target that's in a subnet that the switch isn't in.

Set up a new VLAN to create a point to point link to the new firewall and give your switch a relevant IP address in that subnet. Whoever manages your new firewall will need to make sure they have a route in it for your Remote subnet pointing at your 2920.

Also, I don't know how the GUI works, but on the CLI if you just add a new default route, you will end up with two. Remember to remove the old one.

Depending on what your time is worth, it might not be a terrible waste of money getting the expensive experts to quickly set this up for you. On the other hand, there are plenty of expensive inexperts who wouldn't do a great job of it anyway....

hch-ntaylor
Visitor

Re: Help adding DIA to existing switch preconfigured with VLAN

Thanks for the response.  The 2920 is currently configured with a 192.168.9.x IP Address and has been since I started looking at it.  I've attached some pics of the GUI screen that shows settings (not in the same building as it currently so can't get CLI).  Like I said earlier, I wasn't here when it was set up, but could it be possible that it was set up with the VLAN 101 first (which has a 172. IP Address) before it was set up with VLAN 1 and that's why it's holding onto the 172 Gateway?

I did try creating a VLAN to the Firewall, but that didn't seem to do anything either.

I've also attached a crude diagram of what we hope to do (although I'm pretty sure you've got the idea anyway).  Currently, all internet traffic from remote uses the pipeline as it doesn't see the internet.

hch-ntaylor
Visitor

Re: Help adding DIA to existing switch preconfigured with VLAN

I was able to get the configuration information from the switch.  I'm also set up with a terminal connection over the pipeline now as well.

Running configuration:

; J9728A Configuration Editor; Created on release #WB.16.02.0012
; Ver #0e:01.b0.ee.34.5f.3c.29.eb.9f.fc.f3.ff.37.ef:73

hostname "Remote"
module 1 type j9728a
timesync sntp
sntp unicast
sntp server priority 1 129.6.15.30
time timezone -300
ip default-gateway 192.168.9.252
ip dns server-address priority 1 192.168.1.7
ip dns server-address priority 2 192.168.1.10
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip routing
snmp-server community "public" unrestricted
snmp-server contact "IT Support" location "wiring closet"
oobm
ip address dhcp-bootp
exit
vlan 1
name "DEFAULT_VLAN"
no untagged 48
untagged 1-47
ip address 192.168.9.1 255.255.255.0
forbid 48
exit
vlan 101
name "Pipeline"
untagged 48
ip address 172.16.0.254 255.255.255.0
exit
spanning-tree
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
device-profile name "default-ap-profile"
cos 0
exit
activate provision disable

Vince-Whirlwind
Honored Contributor
Solution

Re: Help adding DIA to existing switch preconfigured with VLAN

Which switchport is the firewall patched to? Is it up? Can the switch ping 192.168.9.252?

These two lines mean the same thing:
ip default-gateway ...
ip route 0.0.0.0 0.0.0.0 ...
but you have them pointing at two different things, so you need to get rid of one of them.
Personally, I'd get rid of the IP DEFAULT GATEWAY and change the IP ROUTE 0.0.0.0 0.0.0.0 to point at 192.168.9.252

You will then need to add to the switch at least one route:
ip route 192.168.1.0 255.255.255.0 172.16.0.1

For the finer points: having the link to the firewall being in the same subnet as your hosts is a big no-no. (Did your expensive 3rd party set that up? Don't spend any more money on them). Various weird things could happen, especially if ICMP redirects get blocked (or the FW doesn't emit them in the first place).
Also, having an untagged VLAN on an inter-switch trunk is a security no-no.
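As an added illustration of the two points made in this answer and in the earlier reply (a switch ends up with two defaults pointing at different next hops, and a next hop has to sit on a subnet the switch is actually connected to), here is a small Python checker written for this thread; it is not HPE code or anything the poster ran. It parses the routing-relevant lines of the "Remote" config as posted, flags the conflicting defaults, a next hop with no connected subnet, and a default next hop sharing a host VLAN (the "finer point" above), and then resolves a few destinations by longest-prefix match. The sample config text is constructed from the posted dump; the "after" version applies exactly the changes suggested. Assumptions, not things the thread states: a VLAN with more than one untagged port is treated as a host VLAN, and when both `ip default-gateway` and a 0.0.0.0/0 route exist the lookup prefers the explicit route (which switch actually honours which is platform-specific, which is why the lint flags the pair).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the routing-relevant lines of the "Remote" 2920 running
# config as posted in the thread.
REMOTE_BEFORE = """\
ip default-gateway 192.168.9.252
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip routing
vlan 1
name "DEFAULT_VLAN"
no untagged 48
untagged 1-47
ip address 192.168.9.1 255.255.255.0
exit
vlan 101
name "Pipeline"
untagged 48
ip address 172.16.0.254 255.255.255.0
exit
"""
# Same config after the accepted answer: drop ip default-gateway, point the
# default route at the firewall, add a route for the Home subnet via the EPL.
REMOTE_AFTER = REMOTE_BEFORE.replace(
    "ip default-gateway 192.168.9.252\nip route 0.0.0.0 0.0.0.0 172.16.0.1",
    "ip route 0.0.0.0 0.0.0.0 192.168.9.252\nip route 192.168.1.0 255.255.255.0 172.16.0.1",
)

@dataclass
class Vlan:
    vid: int
    name: str = ""
    ports: set = field(default_factory=set)    # untagged (access) ports
    nets: list = field(default_factory=list)   # connected IPv4 networks

@dataclass
class Config:
    default_gateway: Optional[ipaddress.IPv4Address] = None
    routes: list = field(default_factory=list)  # (IPv4Network, next-hop IPv4Address)
    vlans: dict = field(default_factory=dict)

def _ports(spec: str) -> set:
    """Expand a ProVision port list such as '1-47' or '1,3,48' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_config(text: str) -> Config:
    """Pull routes, default gateway and per-VLAN subnets/ports out of a config dump."""
    cfg, cur = Config(), None
    for raw in text.splitlines():
        w = raw.strip().split()
        if not w or w[0] == "no":           # 'no untagged 48' etc. carry no routing info
            continue
        if w[0] == "vlan":
            cur = cfg.vlans.setdefault(int(w[1]), Vlan(int(w[1])))
        elif w[0] == "exit":
            cur = None
        elif cur and w[0] == "name":
            cur.name = " ".join(w[1:]).strip('"')
        elif cur and w[0] == "untagged":
            cur.ports |= _ports(w[1])
        elif cur and w[:2] == ["ip", "address"] and len(w) == 4:
            cur.nets.append(ipaddress.IPv4Interface(f"{w[2]}/{w[3]}").network)
        elif w[:2] == ["ip", "default-gateway"]:
            cfg.default_gateway = ipaddress.IPv4Address(w[2])
        elif w[:2] == ["ip", "route"] and len(w) == 5:
            cfg.routes.append((ipaddress.IPv4Network(f"{w[2]}/{w[3]}"),
                               ipaddress.IPv4Address(w[4])))
    return cfg

def _vlan_of(cfg: Config, addr: ipaddress.IPv4Address) -> Optional[Vlan]:
    """Return the VLAN whose connected subnet contains addr, or None."""
    return next((v for v in cfg.vlans.values() if any(addr in n for n in v.nets)), None)

def lint(cfg: Config) -> list:
    """Flag the problems called out in the thread; returns human-readable findings."""
    findings = []
    defaults = [nh for net, nh in cfg.routes if net.prefixlen == 0]
    if cfg.default_gateway and defaults and cfg.default_gateway not in defaults:
        findings.append(f"conflicting defaults: ip default-gateway {cfg.default_gateway} "
                        f"vs ip route 0.0.0.0/0 via {defaults[0]}; keep only one")
    hops = {nh for _, nh in cfg.routes} | ({cfg.default_gateway} if cfg.default_gateway else set())
    for nh in sorted(hops):
        v = _vlan_of(cfg, nh)
        is_default = nh in defaults or nh == cfg.default_gateway
        if v is None:
            findings.append(f"next hop {nh} is not on any connected subnet; add a VLAN/IP for it")
        elif is_default and len(v.ports) > 1:   # assumption: >1 access port = host VLAN
            findings.append(f"default next hop {nh} shares host VLAN {v.vid} "
                            f"({len(v.ports)} ports); use a dedicated point-to-point VLAN")
    return findings

def next_hop(cfg: Config, dst: str) -> str:
    """Longest-prefix lookup: connected subnet, then static routes, then default gateway."""
    d = ipaddress.IPv4Address(dst)
    v = _vlan_of(cfg, d)
    if v is not None:
        return f"direct via vlan {v.vid}"
    best = max((r for r in cfg.routes if d in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if best:
        return str(best[1])
    return str(cfg.default_gateway) if cfg.default_gateway else "unreachable"

if __name__ == "__main__":
    for label, text in (("before", REMOTE_BEFORE), ("after", REMOTE_AFTER)):
        cfg = parse_config(text)
        print(f"== {label} ==")
        for f in lint(cfg):
            print("  LINT:", f)
        for dst in ("192.168.1.7", "8.8.8.8", "192.168.9.50"):
            print(f"  {dst:>14} -> {next_hop(cfg, dst)}")
```

Run as-is, the "before" output shows both findings and every off-net destination, internet included, leaving via 172.16.0.1 (the pipeline), which is the congestion the poster described; the "after" output sends 192.168.1.7 over the pipeline and 8.8.8.8 to 192.168.9.252, with only the shared-host-VLAN finding left, matching the caveat in the answer.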

hch-ntaylor
Visitor

Re: Help adding DIA to existing switch preconfigured with VLAN

That helps A LOT! I've been looking over both switches that the expensive 3rd party set up. I've connected to the switch at "Home" and have downloaded the config file as well to use that as a reference point. It has a lot of the same "no-no's" that you mentioned. I definitely won't be calling Databranch in the future with problems.

I've been reading through a number of manuals, guides, and message boards. I've learned a lot over the past few days. I'll update the system tomorrow morning when no one is in the office and will update this post with the result.

Thank you SO much for all your assistance. Kudos definitely deserved (and a big cup of coffee). For critique's sake, I've attached the config from the other switch (changing IPs and names, of course).


; J9728A Configuration Editor; Created on release #WB.16.01.0006
; Ver #0c:00.34.59.14.29.eb.8f.fc.f3.ff.37.2d:d2

hostname "Home"
module 1 type j9728a
mirror-port 26
fault-finder broadcast-storm sensitivity high
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-hdx sensitivity high
fault-finder duplex-mismatch-fdx sensitivity high
fault-finder link-flap sensitivity high
timesync sntp
sntp unicast
sntp server priority 1 129.6.15.30
time timezone -300
ip dns server-address priority 1 192.168.1.7
ip dns server-address priority 2 192.168.1.10
ip route 0.0.0.0 0.0.0.0 192.168.1.252
ip route 192.168.1.0 255.255.255.0 172.16.0.1
ip routing
interface 1
monitor
speed-duplex 100-full
exit
interface 2
monitor
speed-duplex auto-10-100
exit
interface 3
monitor
exit
interface 4
monitor
speed-duplex auto-10-100
exit
interface 5
monitor
speed-duplex auto-10-100
exit
interface 6
monitor
speed-duplex auto-10-100
exit
interface 7
monitor
speed-duplex auto-10-100
exit
interface 8
monitor
speed-duplex auto-10-100
exit
interface 9
monitor
speed-duplex auto-10-100
exit
interface 10
monitor
speed-duplex auto-10-100
exit
interface 11
monitor
exit
interface 12
monitor
speed-duplex auto-10-100
exit
interface 13
monitor
speed-duplex auto-10-100
exit
interface 14
monitor
speed-duplex auto-10-100
exit
interface 15
monitor
speed-duplex auto-10-100
exit
interface 16
monitor
speed-duplex auto-10-100
exit
interface 17
monitor
speed-duplex auto-10-100
exit
interface 18
monitor
speed-duplex auto-10-100
exit
interface 19
monitor
speed-duplex auto-10-100
exit
interface 20
monitor
speed-duplex auto-10-100
exit
interface 21
monitor
speed-duplex auto-10-100
exit
interface 22
monitor
speed-duplex auto-10-100
exit
interface 23
monitor
speed-duplex auto-10-100
exit
interface 24
monitor
speed-duplex auto-10-100
exit
interface 25
monitor
speed-duplex auto-10-100
exit
interface 26
speed-duplex auto-10-100
exit
interface 27
monitor
speed-duplex auto-10-100
exit
interface 28
monitor
speed-duplex auto-10-100
exit
interface 29
monitor
speed-duplex auto-10-100
exit
interface 30
monitor
speed-duplex auto-10-100
exit
interface 31
monitor
speed-duplex auto-10-100
exit
interface 32
monitor
speed-duplex auto-10-100
exit
interface 33
monitor
speed-duplex auto-10-100
exit
interface 34
monitor
speed-duplex auto-10-100
exit
interface 35
monitor
speed-duplex auto-10-100
exit
interface 36
monitor
speed-duplex auto-10-100
exit
interface 37
monitor
speed-duplex auto-10-100
exit
interface 38
monitor
speed-duplex auto-10-100
exit
interface 39
monitor
speed-duplex auto-10-100
exit
interface 40
monitor
speed-duplex auto-10-100
exit
interface 41
monitor
speed-duplex auto-10-100
exit
interface 42
monitor
speed-duplex auto-10-100
exit
interface 43
monitor
speed-duplex 100-full
exit
interface 44
monitor
speed-duplex auto-10-100
exit
interface 45
monitor
speed-duplex auto-10-100
exit
interface 46
monitor
speed-duplex auto-10-100
exit
interface 47
monitor
speed-duplex auto-10-100
exit
interface 48
monitor
exit
snmp-server community "public" unrestricted
snmp-server contact "IT Support" location "wiring closet"
oobm
ip address dhcp-bootp
exit
vlan 1
name "DEFAULT_VLAN"
no untagged 48
untagged 1-47
ip address 192.168.1.254 255.255.255.0
forbid 48
exit
vlan 101
name "LinkToRemote"
untagged 48
ip address 172.16.0.1 255.255.255.0
exit
spanning-tree

hch-ntaylor
Visitor

Re: Help adding DIA to existing switch preconfigured with VLAN

I applied the new configuration and everything is working WONDERFULLY!  My manager was very pleased to come in this morning to faster internet and to see the EPL between the 2 offices less congested.


Thank you very much for your help @Vince-Whirlwind, it is greatly appreciated AND I learned a lot. Kudos definitely well deserved. I've marked your response as the solution as well.