Gateway question on 5400zl?

SOLVED
JeffM_1
Occasional Contributor

Currently I have ProCurve 4000m switches, and the IP of my firewall is configured as my gateway to our MPLS network and the internet. Now I'm upgrading our network with 5400zl/3500yl switches and adding several VLANs. I want to use one of my 5400zl switches instead of the firewall to do routing, since it's faster, but I'm trying to figure out how to set up the gateway to the firewall.

My thoughts are that I have to create another VLAN and subnet just for the firewall... then in the routing table create a static default route to the new IP address for the firewall (or should it go to the VLAN IP on the switch?). Then the gateway for hosts on each VLAN will be the VLAN IP address on the switch. Is this a good way to set up my default gateway, or is there a better way to set it up?

Also one more question... I've set up my VLANs and routing on my switch, but I can't ping between PCs on different VLANs. I thought something was wrong with routing at first until I realized I could access shares between them... this tells me that ICMP messages are being blocked, but I do not have any ACLs applied yet. Is ICMP blocked by default when IP routing is enabled? If it is, how do you disable it?
Jeff Carrell
Honored Contributor
Solution

Re: Gateway question on 5400zl?

Your plan is good. Make sure you tell the f/w where to find those other networks (or at least how to get back to the 5400) - each side of a dedicated link needs a static route pointing to the other.

I'd use an IP addr scheme that allows for good summarization: vlan 10 = 10.1.10.1/24, vlan 20 = 10.1.20.1/24, vlan 99 (to the f/w) 10.1.99.1/24 [f/w 10.1.99.2/24].

Then the f/w static route back can be 10.0.0.0/16 10.1.99.1...5400 static would be 0.0.0.0/0 10.1.99.2

There are no ACLs applied until you create them. ICMP will go through as normal. What are the def g/w's of the clients? And of course, make sure there are no local f/w blocks on the clients (like Windows f/w will block ICMP by default).

hth...Jeff
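Added check, not part of the thread: the design above only works if the firewall's summary route actually contains every VLAN subnet and the two static routes point at each other across the transit VLAN, otherwise traffic leaves via the switch but the replies never come back from the firewall (asymmetric or black-holed return path). The script below uses the addressing plan from the reply (assumed /24 per VLAN, firewall uplink next hop is a placeholder) and simulates longest-prefix-match lookups on both sides. Note that, taken literally, 10.0.0.0/16 covers only 10.0.0.0-10.0.255.255, so it does not contain 10.1.10.0/24 or 10.1.20.0/24; 10.1.0.0/16 does, and the check flags that difference.

```python
"""Sanity-check a two-static-route hand-off between an L3 switch and a firewall.

Added example; the addresses are those from the thread's reply, the uplink
next hop on the firewall is an assumed placeholder.
"""
import ipaddress

# Constructed addressing plan (assumption: one /24 per VLAN, VLAN 99 = transit).
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.1.10.0/24"),
    20: ipaddress.ip_network("10.1.20.0/24"),
    99: ipaddress.ip_network("10.1.99.0/24"),  # dedicated link to the firewall
}
SWITCH_TRANSIT_IP = ipaddress.ip_address("10.1.99.1")
FIREWALL_TRANSIT_IP = ipaddress.ip_address("10.1.99.2")
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def uncovered_subnets(summary, subnets=VLAN_SUBNETS):
    """Return the VLAN subnets (as strings) that the firewall's summary route
    does NOT contain; an empty list means the summary is safe to use."""
    summary = ipaddress.ip_network(summary)
    return sorted(str(n) for n in subnets.values() if not n.subnet_of(summary))


def next_hop(routing_table, dst):
    """Longest-prefix match over a list of (network, next_hop) tuples.
    Returns the next hop string, or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nh in routing_table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]


def switch_table():
    """Switch RIB: connected routes for every VLAN SVI plus the default route
    pointing at the firewall's transit address (0.0.0.0/0 -> 10.1.99.2)."""
    table = [(n, "connected") for n in VLAN_SUBNETS.values()]
    table.append((DEFAULT_ROUTE, str(FIREWALL_TRANSIT_IP)))
    return table


def firewall_table(summary):
    """Firewall RIB: its transit subnet, the summary route back to the switch,
    and an assumed default route toward the internet uplink."""
    return [
        (VLAN_SUBNETS[99], "connected"),
        (ipaddress.ip_network(summary), str(SWITCH_TRANSIT_IP)),
        (DEFAULT_ROUTE, "internet-uplink"),  # placeholder next hop (assumption)
    ]


def round_trip_ok(summary, client="10.1.10.50", remote="203.0.113.7"):
    """True only if the client's packet is forwarded to the firewall AND the
    firewall routes the reply back to the switch instead of to its uplink."""
    outbound = next_hop(switch_table(), remote) == str(FIREWALL_TRANSIT_IP)
    inbound = next_hop(firewall_table(summary), client) == str(SWITCH_TRANSIT_IP)
    return outbound and inbound


if __name__ == "__main__":
    for candidate in ("10.0.0.0/16", "10.1.0.0/16"):
        print(candidate, "uncovered:", uncovered_subnets(candidate),
              "round trip:", round_trip_ok(candidate))
```

On the 5400zl side the default route is the single line `ip route 0.0.0.0/0 10.1.99.2` with `ip routing` enabled globally; the summary on the firewall is whatever that vendor's static-route syntax is, but the prefix you enter there is the one to run through `uncovered_subnets` before trusting it.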