LAN Routing
1748243 Members
4219 Online
108760 Solutions
New Discussion

Re: Firewall connection to A5800 series switches doing intra vlan routing

 
SOLVED
Go to solution
blockjs
Occasional Contributor

Firewall connection to A5800 series switches doing intra vlan routing

I am having a problem getting a connection to my firewall to work with 2 a5800 series switches doing intra vlan routing. Here is my current config:

 

<switch1>system-view
System View: return to User View with Ctrl+Z.
[switch1]display cu
[switch1]display current-configuration
#
 version 5.20, Release 1211P08
#
 sysname switch1
#
 irf domain 10
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 32
#
 domain default enable system
#
vlan 1
#
vlan 2
 description vlan 2
#
vlan 100
 description vlan 100
#
vlan 110
 description vlan 110
#
vlan 120
 description vlan 120
#
vlan 130
 description vlan 130
#
vlan 140
 description vlan_140
#
vlan 150 to 200
#
radius scheme system
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
#
local-user blockjs
 password simple XXXXXXXXXXX
 authorization-attribute level 3
 service-type ssh
#
interface Bridge-Aggregation10
 description Storage 1 aggregation
 port access vlan 190
 link-aggregation mode dynamic
#
interface Bridge-Aggregation20
 description Storage 2 aggregation
 port access vlan 190
 link-aggregation mode dynamic
#
interface NULL0
#
interface Vlan-interface1
 ip address dhcp-alloc client-identifier mac Vlan-interface1
#
interface Vlan-interface100
 ip address 10.10.100.1 255.255.255.0
#
interface Vlan-interface110
 ip address 10.10.110.1 255.255.255.0
#
interface Vlan-interface120
 ip address 10.10.120.1 255.255.255.0
#
interface Vlan-interface130
 ip address 10.10.130.1 255.255.255.0
#
interface Vlan-interface140
 description Vlan 140
 ip address 10.10.140.1 255.255.255.0
#
interface Vlan-interface150
 description VLAN_150
 ip address 10.10.150.1 255.255.255.0
#
interface Vlan-interface160
 description VLAN_160
 ip address 10.10.160.1 255.255.255.0
#
interface Vlan-interface170
 description VLAN_170
 ip address 10.10.170.1 255.255.255.0
#
interface Vlan-interface180
 description VLAN_180
 ip address 10.10.180.1 255.255.255.0
#
interface Vlan-interface190
 description VLAN_190
 ip address 10.10.190.1 255.255.255.0
#
interface Vlan-interface200
 description VLAN_200
 ip address 10.100.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet1/0/5
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet1/0/6
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet1/0/7
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet1/0/8
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet1/0/9
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet1/0/10
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet1/0/11
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet1/0/12
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet1/0/13
 port link-mode bridge
 description Storage-1 nic 3
 port access vlan 200
#
interface GigabitEthernet1/0/14
 port link-mode bridge
 description Storage-1 nic 4
 port access vlan 200
#
interface GigabitEthernet1/0/15
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet1/0/16
 port link-mode bridge
 description Storage-2 OA
 port access vlan 200
#
interface GigabitEthernet1/0/17
 port link-mode bridge
 description C7000 OA
 port access vlan 200
#
interface GigabitEthernet1/0/18
 port link-mode bridge
 port access vlan 190
#
interface GigabitEthernet1/0/19
 port link-mode bridge
 port access vlan 190
#
interface GigabitEthernet1/0/20
 port link-mode bridge
 port access vlan 190
#
interface GigabitEthernet1/0/21
 port link-mode bridge
 description NAS-2 Port 1
 port access vlan 190
#
interface GigabitEthernet1/0/22
 port link-mode bridge
 description NAS-2 Port 2
 port access vlan 190
 stp edged-port enable
#
interface GigabitEthernet1/0/23
 port link-mode bridge
 description Storage-1 net 1
 port access vlan 190
 port link-aggregation group 10
#
interface GigabitEthernet1/0/24
 port link-mode bridge
 description Storage-1 net 2
 port access vlan 190
 port link-aggregation group 10
#
interface GigabitEthernet2/0/1
 port link-mode bridge
 port access vlan 2
#
interface GigabitEthernet2/0/2
 port link-mode bridge
 port access vlan 100
#
interface GigabitEthernet2/0/3
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet2/0/4
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet2/0/5
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet2/0/6
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet2/0/7
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet2/0/8
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet2/0/9
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet2/0/10
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet2/0/11
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet2/0/12
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet2/0/13
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet2/0/14
 port link-mode bridge
 description Storage-2 nic 4
 port access vlan 200
#
interface GigabitEthernet2/0/15
 port link-mode bridge
 description Storage-2 nic 3
 port access vlan 200
#
interface GigabitEthernet2/0/16
 port link-mode bridge
 description NAS-2 OA
 port access vlan 200
#
interface GigabitEthernet2/0/17
 port link-mode bridge
 description Storage-2 OA
 port access vlan 200
#
interface GigabitEthernet2/0/18
 port link-mode bridge
 port access vlan 190
#
interface GigabitEthernet2/0/19
 port link-mode bridge
 port access vlan 190
#
interface GigabitEthernet2/0/20
 port link-mode bridge
 port access vlan 190
#
interface GigabitEthernet2/0/21
 port link-mode bridge
 description NAS-1 Port 1
 port access vlan 190
#
interface GigabitEthernet2/0/22
 port link-mode bridge
 description NAS-1 Port 2
 port access vlan 190
#
interface GigabitEthernet2/0/23
 port link-mode bridge
 description Storage-2 net 1
 port access vlan 190
 port link-aggregation group 20
#
interface GigabitEthernet2/0/24
 port link-mode bridge
 description Storage-2 net 2
 port access vlan 190
 port link-aggregation group 20
#
interface M-GigabitEthernet0/0/0
#
interface Ten-GigabitEthernet1/0/26
 port link-mode bridge
 shutdown
#
interface Ten-GigabitEthernet1/0/27
 port link-mode bridge
 shutdown
#
interface Ten-GigabitEthernet1/0/28
 port link-mode bridge
 description Trunk to vconnect 1
 port link-type trunk
 port trunk permit vlan all
 stp edged-port enable
#
interface Ten-GigabitEthernet2/0/25
 port link-mode bridge
#
interface Ten-GigabitEthernet2/0/27
 port link-mode bridge
#
interface Ten-GigabitEthernet2/0/28
 port link-mode bridge
 description Trunk to Vconnect 2
 port link-type trunk
 port trunk permit vlan all
 stp edged-port enable
#
interface Ten-GigabitEthernet1/0/25
#
interface Ten-GigabitEthernet2/0/26
#
rip 1
 version 2
#
 ssh server enable
#
 load xml-configuration
#
 load tr069-configuration
#
user-interface aux 0 1
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
user-interface vty 5 15
#
irf-port 1/1
 port group interface Ten-GigabitEthernet1/0/25 mode enhanced
#
irf-port 2/2
 port group interface Ten-GigabitEthernet2/0/26 mode enhanced
#
return
[switch1]

 

I am new to hp switches and any inputs are definately appreciated

 

 

7 REPLIES 7
paulgear
Esteemed Contributor

Re: Firewall connection to A5800 series switches doing intra vlan routing

Hi blockjs,

 

I'm afraid "having a problem getting a connection to my firewall" is too vague a description for anyone to help you.  What exactly is not working?  Which connections are working?  What steps have you tried to troubleshoot?

 

If you can be more specific about defining the problem we can be a lot more helpful.

Regards,
Paul
Vince_Whirlwind
Trusted Contributor

Re: Firewall connection to A5800 series switches doing intra vlan routing

I don't see a default route on your switch.

 

Is your firewall receiving RIP updates? Check its routing table.

 

Did you mean "inter"-VLAN routing?

 

Otherwise, what Paul said - what's the problem?

blockjs
Occasional Contributor

Re: Firewall connection to A5800 series switches doing intra vlan routing

My problem is understanding how to set up the port that the firewall is connected to.  the port is gigabitethernet 2/0/1. Here are the settins that i initially had on that port:

 

interface GigabitEthernet2/0/1
 port link-mode route
 ip address 10.10.10.2 255.255.255.252
 I also added the following static route

 

 ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet2/0/1 10.10.10.1

 

I I set the firewall inside interface ip as 10.10.10.1 255.255.255.252

 

I can ping 10.10.10.2, but not thru to 10.10.10.1 Also, I can ping 10.10.10.2 from the firewall side.

 

I feel that I am missing something but I have not been using HP switches very long and this is the most complicated config that I have tried to implement

 

 

 

 

paulgear
Esteemed Contributor
Solution

Re: Firewall connection to A5800 series switches doing intra vlan routing

OK, given what you have in your switch config now, you need to add an IP address to VLAN 2:

 

interface Vlan-interface2
 ip address 10.10.10.2 255.255.255.252

 

And you need to keep your static route.  But i would suggest removing the interface name from it, because the switch will know where to find 10.10.10.1 based on its connected routes.

 

I haven't used RIP on Comware in quite a while (or maybe at all), but i'm guessing you are planning to use it to communicate routes to the firewall?  In that case you'll need to tell it to talk on VLAN 2 by using

 

rip 1

   version 2

   network 10.10.10.0

 

You probably can't ping the firewall from client VLANs because RIP is not working and the firewall has no route to your client VLANs (but that's only a guess; a copy of your routing tables on the switch and the firewall would help to confirm this).

 

Once you have RIP working, you can probably dispense with the default route as well, assuming your firewall is distributing a default route correctly.

 

Hope that helps - good luck!

Regards,
Paul
paulgear
Esteemed Contributor

Re: Firewall connection to A5800 series switches doing intra vlan routing

Another thing you might need to check is whether your firewall is using a tagged VLAN, in which case you would need to make the port a trunk rather than an access port.
Regards,
Paul
blockjs
Occasional Contributor

Re: Firewall connection to A5800 series switches doing intra vlan routing

That pushed me over the top.  The configuration changes that Paul suggested plus some changed to the firewall config did it.  Thanks to all for their suggestions.  They all helped me alot about understanding HP switches

 

Jeffrey Block

 

paulgear
Esteemed Contributor

Re: Firewall connection to A5800 series switches doing intra vlan routing

Good to hear you got it sorted.
Regards,
Paul