
HP 2920 Aruba Inter Vlan routing: disable only for one VLAN (use vlan as a isolated virtual cable )

execcr
Occasional Contributor

Hello, I'm new to VLANs and I'm trying to figure out how to move my Kerio Control firewall from physical to virtual, on an ESXi server.

As of today, I have one HP 2920 with IP routing enabled, trunked to an HP 2530. Each switch has 4 VLANs and everything is working fine (DHCP works, each client in each subnet can see the others because no ACL is set up, and for now that is OK for me).

I now want to connect my ISP router to a new virtualized Kerio Control firewall in ESXi. Before, when I had the physical machine, I had 2 LAN cards: one WAN card for the cable coming out of the ISP router and one for the LAN interface to my switch. Now I would like to remove this cable, as it eats a cable that I could reuse for the LACP trunk between the 2920 and the 2530 (20-30 meters apart).

My idea is this: create a new VLAN 999, untag a port of the 2920 in it, authorize 999 on the trunk with the 2530 and serve 999 directly to the virtual appliance via a dot1q-aware virtual switch in ESXi. Then connect the WAN port of the ISP router to the HP 2920 and assign VLAN 999 to the WAN interface in Kerio, replicating de facto the old setup with the physical machine.

How can I do this? Should I leave VLAN 999 without an IP address on the interfaces of the 2 switches? Is this OK for creating a "virtual" replacement of the physical cable? Is there a need to deactivate inter-VLAN routing only for this VLAN 999, to avoid collisions or talking with other subnets?

Thank you!

4 REPLIES
Ian Vaughan
Honored Contributor

Re: HP 2920 Aruba Inter Vlan routing: disable only for one VLAN (use vlan as a isolated virtual cab

Hello,

Yes. Your logic is sound.

VLAN 999 just gives that layer 2 stretch between the WAN Router LAN port and the WAN port on the firewall.

Just make sure that there is no Layer 3 configuration on VLAN 999 for the 2 switches - only the router and vFirewall.

You could even use a /30 (255.255.255.252) subnet with just the 2 IP addresses that face each other.

If you web search for "router on a stick" or "lollipop router" that's kind of what you are doing with the Kerio.

Do your testing and get comfortable with the configuration. Please let us know how you get on and maybe that will help someone else.

Thanks

Ian

 

Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
execcr
Occasional Contributor

Re: HP 2920 Aruba Inter Vlan routing: disable only for one VLAN (use vlan as a isolated virtual cab

Hello! Thank you for your kind response!

Sorry, I don't understand the subnet part.

For example, my ISP gave me the IP configuration for my old firewall WAN port, i.e. IP 193.xxx.xxx.55, subnet 255.255.255.240, GW 193.xxx.xxx.54, and I can't change that. That was the configuration of the WAN card of my old firewall.

Now my 999 interface on the 2920 actually has no IP address configured (IPv4 configuration is disabled on the 2920 VLAN 999) and with

#config
#vlan 999 
#disable layer3

I disabled Layer 3 routing for VLAN 999 only. (I did that on the 2920 and on the 2530.)

Are you telling me that I need to configure an IPv4 interface on the 999 VLAN of the 2920 with a /30 subnet? And so I have to change my WAN firewall port IP configuration?

 

Ian Vaughan
Honored Contributor

Re: HP 2920 Aruba Inter Vlan routing: disable only for one VLAN (use vlan as a isolated virtual cab

Hi,

No. You are correct as you are. The switches do not participate in Layer 3 on VLAN 999. They are a simple Layer 2 "passthrough" so that the LAN side of the router can see the WAN side of the Kerio.

If you have a known and well understood IP scheme for your internet access just keep that as it is. 

I was merely pointing out that a "point to point" type connection can utilise a subnet with a very small number of IP addresses and doesn't need a /24 network (i.e. one with a 255.255.255.0 netmask) if there are only ever going to be 2 devices in that IP space. 

Does the LAN side of your Kerio just participate in your "normal" production LAN, or have you segregated it into a "transit" network northbound off your Layer 3 switch? That can give you a bit more flexibility if the egress route for all of the networks is always from your switch.

As you were. Carry on. 

Thanks

Ian

execcr
Occasional Contributor

Re: HP 2920 Aruba Inter Vlan routing: disable only for one VLAN (use vlan as a isolated virtual cab

Hello, sorry for the long delay, I was ill. The LAN side of Kerio participates yes and no; I should be able to connect to servers on the VLANs and other services...

Today I've tried again with VLAN 888 (WAN) and it works with this configuration:

Running configuration:

; J9728A Configuration Editor; Created on release #WB.16.01.0004
; Ver #0b:34.59.14.29.eb.8f.fc.f3.ff.37.2d:d5

hostname "mgz-b-cs-1"
module 1 type j9728a
trunk 43-48 trk1 lacp
trunk 39-42 trk2 lacp
trunk 35-38 trk3 lacp
trunk 33-34 trk4 lacp
logging severity error
timesync sntp
sntp unicast
sntp server priority 1 10.0.10.100 4
ntp unicast
ntp server 10.0.10.100
time timezone 120
ip default-gateway 10.0.10.1
ip route 0.0.0.0 0.0.0.0 10.0.10.1 metric 250 name "FW"
ip routing
interface 1
   name "WAN_VLAN999"
   exit
interface 33
   name "Trunk4-To-LAB-PT-CS-0"
   exit
interface 34
   name "Trunk4-To-LAB-PT-CS-0"
   exit
interface 35
   name "Trunk3-TO-VLL-P1-CS-0"
   exit
interface 36
   name "Trunk3-TO-VLL-P1-CS-0"
   exit
interface 37
   name "Trunk3-TO-VLL-P1-CS-0"
   exit
interface 38
   name "Trunk3-TO-VLL-P1-CS-0"
   exit
interface 39
   name "Trunk2-TO-MGZ-B-CS-0"
   exit
interface 40
   name "Trunk2-TO-MGZ-B-CS-0"
   exit
interface 41
   name "Trunk2-TO-MGZ-B-CS-0"
   exit
interface 42
   name "Trunk2-TO-MGZ-B-CS-0"
   exit
interface 43
   name "Trunk1-To-SRV-SO-CS-0"
   exit
interface 44
   name "Trunk1-To-SRV-SO-CS-0"
   exit
interface 45
   name "Trunk1-To-SRV-SO-CS-0"
   exit
interface 46
   name "Trunk1-To-SRV-SO-CS-0"
   exit
interface 47
   name "Trunk1-To-SRV-SO-CS-0"
   exit
interface 48
   name "Trunk1-To-SRV-SO-CS-0"
   exit
snmp-server community "public" unrestricted
snmp-server contact "Boldori Federico" location "Armadio B Magazzino Officina"
oobm
   ip address dhcp-bootp
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-11,13-32
   untagged 12
   tagged Trk1-Trk4
   no ip address
   ip helper-address 10.0.10.100
   exit
vlan 10
   name "VLAN10 Server"
   untagged 3,5-6,10-11,13-22,26-32
   tagged Trk1-Trk4
   ip address 10.0.10.15 255.255.255.0
   ip helper-address 10.0.10.100
   exit
vlan 20
   name "VLAN20 Workstation"
   untagged 2,4,7-9,23-25
   tagged Trk1-Trk4
   ip address 10.0.20.15 255.255.255.0
   ip helper-address 10.0.10.100
   exit
vlan 30
   name "VLAN30 Wifi"
   tagged Trk1-Trk4
   ip address 10.0.30.15 255.255.255.0
   ip helper-address 10.0.10.100
   exit
vlan 40
   name "VLAN40 Wifi_Guest"
   tagged Trk1-Trk4
   ip address 10.0.40.15 255.255.255.0
   ip helper-address 10.0.10.100
   exit
vlan 90
   name "VLAN90 Management"
   tagged Trk1-Trk4
   ip address 10.0.90.15 255.255.255.0
   ip helper-address 10.0.10.100
   exit
vlan 888
   name "VLAN888 Link router-firewall"
   tagged Trk1
   ip address 10.0.200.1 255.255.255.252
   exit
vlan 999
   name "WAN verso Router Telecom"
   untagged 1
   tagged Trk1
   no ip address
   disable layer3
   exit
primary-vlan 90
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
spanning-tree Trk4 priority 4

I can send the WAN port from the ISP router to inside the Kerio virtual machine with no problem.

The problem is now to create the uplink from the switch to Kerio. Now Kerio has an IP address from VLAN 10 and the switch has this route table:

                               IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          10.0.10.1       10   static               250        1
  10.0.10.0/24       VLAN10 Server   10   connected            1          0
  10.0.20.0/24       VLAN20 Works... 20   connected            1          0
  10.0.30.0/24       VLAN30 Wifi     30   connected            1          0
  10.0.40.0/24       VLAN40 Wifi_... 40   connected            1          0
  10.0.90.0/24       VLAN90 Manag... 90   connected            1          0

I also have ip default-gateway 10.0.10.1 active on the HP 2920.

On Kerio I have a static route for each VLAN to the VLAN 10 gateway IP address on the switch (i.e. for VLAN 20: 10.0.20.0/24 gw 10.0.10.15) to give the clients internet access.

Now I'm trying to use VLAN 888 to make an isolated uplink from the switch to Kerio (because now on Kerio I have a VLAN 10 interface as the LAN side to the network). VLAN 888 on the 2920 has an IP address of 10.0.200.1, and on the Kerio machine I created a new VLAN interface 888 with IP address 10.0.200.2, blank gateway, 255.255.255.252 subnet mask.

But here come the problems...

I've configured the 2920 with a new static route (deleting the old one) 0.0.0.0/0 10.0.200.2 metric 250, disabled ip routing, and changed ip default-gateway to 10.0.200.2 (Kerio LAN side IP).

But I have no internet on the clients in my network. What am I missing?

PS: I have modified all the static route gateway addresses on the Kerio FW from gw 10.0.10.15 to the IP address of VLAN 888 on the 2920 (10.0.200.1).

PPS: do I have to leave Layer 3 routing enabled for the VLAN 888 interface, or can I disable it?
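Added example, not from the thread or from HPE: a small Python lint that parses the running-config format posted above and checks the rules the thread settled on (the WAN passthrough VLAN stays Layer 2 only, the transit VLAN is a /30, the default route's next hop sits on a connected VLAN), plus the ArubaOS-Switch behaviour that `ip routing` must be on for the switch to forward between its own VLAN interfaces. The embedded config sample is constructed from the posted 2920 config and trimmed to the lines the checks read.

```python
import ipaddress
import re

# Constructed sample in the posted running-config format; addresses follow the 2920 config above.
SAMPLE_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 10.0.10.1 metric 250 name "FW"
ip routing
vlan 10
   ip address 10.0.10.15 255.255.255.0
   exit
vlan 888
   ip address 10.0.200.1 255.255.255.252
   exit
vlan 999
   no ip address
   disable layer3
   exit
"""

VLAN_CTX = re.compile(r"^vlan (\d+)\n(.*?)^[ \t]*exit\n", re.M | re.S)

def parse_config(text):
    # 'vlan N ... exit' contexts become {N: [lines]}; every other non-empty line is global.
    vlans = {int(m[1]): [l.strip() for l in m[2].splitlines()] for m in VLAN_CTX.finditer(text)}
    global_lines = [l.strip() for l in VLAN_CTX.sub("", text).splitlines() if l.strip()]
    return global_lines, vlans

def vlan_network(body):
    # Connected subnet from 'ip address A.B.C.D MASK', or None for a Layer 2 only VLAN.
    m = re.search(r"^ip address (\S+) (\S+)$", "\n".join(body), re.M)
    return ipaddress.ip_interface(f"{m[1]}/{m[2]}").network if m else None

def lint(text, passthrough_vlan, transit_vlan):
    # Returns findings as strings; an empty list means the design rules hold.
    global_lines, vlans = parse_config(text)
    findings = []
    pt = vlans.get(passthrough_vlan, [])
    if vlan_network(pt) is not None or "disable layer3" not in pt:
        findings.append(f"vlan {passthrough_vlan}: WAN passthrough must stay Layer 2 only")
    tr_net = vlan_network(vlans.get(transit_vlan, []))
    if tr_net is None or tr_net.prefixlen < 30:
        findings.append(f"vlan {transit_vlan}: point-to-point link should carry a /30")
    connected = [n for n in map(vlan_network, vlans.values()) if n is not None]
    hop = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", "\n".join(global_lines), re.M)
    if hop and not any(ipaddress.ip_address(hop[1]) in n for n in connected):
        findings.append(f"default route next hop {hop[1]} is not on a connected VLAN")
    # Without 'ip routing' the switch keeps its VLAN addresses but stops forwarding between them.
    if len(connected) > 1 and "ip routing" not in global_lines:
        findings.append("ip routing is disabled: the switch will not route between its VLANs")
    return findings
```

Run `lint(SAMPLE_CONFIG, 999, 888)` against a `show running-config` dump to get the list of rule violations, or an empty list when the design holds.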