01-18-2010 10:57 AM
layer3 (routing) question on 8212zl
for simplicity, let's say i have just two VLANs. a production VLAN and a management VLAN. my Procurve has routing enabled and IPs defined in both VLANs, and is managed via the IP in the management VLAN.
even though, for various reasons, i want to route all traffic from the production VLAN to the management VLAN over a firewall.
now of course since the Procurve has interfaces in both VLANs (having the lowest possible cost, since locally connected), the switch attempts to route traffic over those interfaces. which is NOT what i want, because it bypasses the firewall.
i can define a route on the Procurve and tell it which gateway to use (the IP of the firewall), but it's no good since those static routes have higher costs.
on Catalysts, i could create a separate layer 3 instance (virtual routing instance) to prevent that problem.
is there a solution for those "fully featured layer 3" procurves as well?
Thanks,
Tom
01-18-2010 12:09 PM
Re: layer3 (routing) question on 8212zl
The ProCurve has no virtualization feature like VRFs on Cisco.
What about the following workaround:
Use the command "management-vlan" so that you can only access the switch from this VLAN. The switch will not route to this VLAN and access is only possible from IP addresses within that IP subnet. Use NAT (source and destination NAT) on the firewall; then you have a direct connection to the switches.
Cheers,
Michael
01-18-2010 10:33 PM
Re: layer3 (routing) question on 8212zl
thank you very much for your reply. it is much appreciated.
however, NATing is not an option. it will put lots of unnecessary load on the firewalls, and we are not talking about two VLANs here but rather a few hundred. what matters most though is the fact that _routing_ is not the job of a firewall but the very reason why layer3 switches were introduced in the first place. plus it will shift part of our job to the firewall department, which is a no go anyways.
unfortunately our bean counters were blinded with buzzwords such as lifetime warranty and free software updates. after all, if there are no features to maintain, it is easy to provide free updates ...
i find it hard to understand that a $50k device (discounts included) lacks essential features such as VRF instances ...
01-19-2010 02:36 AM
Re: layer3 (routing) question on 8212zl
maybe it's worth contacting your local ProCurve SE and he can check if this feature can be put on the roadmap. If there is increasing need for a specific feature HP might add it in future.
Regarding the current setup: Check the command "ip authorized-manager". It will not change the routing, but it helps you to secure the management access to the box if you need to bypass the firewall.
Cheers,
Michael
01-19-2010 02:51 AM
Re: layer3 (routing) question on 8212zl
once again thank you for your input. i assigned your answer all the remaining points.
after all i decided to give src. & dest. NATing a chance, kinda. it ended up being a Frankenstein setup, but the only one possible as it seems. configuring the zl is now done via a small /30 subnet in our management VLAN which is NATed on the firewall, and "management-vlan xxxx" stays turned on, so all the other devices on our management VLAN are invisible to the other VLANs. sigh.
i won't however contact HP, i actually see no good in doing so. i mean, c'mon VRFs have been around for ages on IOS ... so obviously there is no demand or HP is just ignorant ...
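
The switch side of the setup this thread arrives at, as an added configuration sketch that is not from any of the posters: a /30 in the management VLAN, `management-vlan` enabled, and management sessions restricted with `ip authorized-managers`. All VLAN IDs and addresses are constructed placeholders, and the firewall's source and destination NAT rules are vendor-specific and not shown.

```text
; Annotation lines start with ";" and are not switch commands.
; VLAN IDs and addresses below are constructed placeholders.
ip routing
vlan 100
   name "PRODUCTION"
   ip address 10.10.0.1 255.255.255.0
   exit
vlan 999
   name "MGMT"
   ; /30 holding the switch (192.0.2.2) and the firewall's NAT address (192.0.2.1)
   ip address 192.0.2.2 255.255.255.252
   exit
; management access only from VLAN 999; the switch does not route to or from it
management-vlan 999
; accept management sessions only from the firewall's source-NAT address
ip authorized-managers 192.0.2.1 255.255.255.255 access manager
```

Source NAT on the firewall is what makes this reachable: because the switch does not route for the management VLAN, it can only answer a peer that appears inside the /30 itself.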