Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

layer3 (routing) question on 8212zl

lightxx
Frequent Advisor

layer3 (routing) question on 8212zl

ok guys. i' coming from a Cisco background and i'm having a hard time solving this issue on a Procurve.

for simplicity, let's say i have just two VLANs. a production VLAN and a management VLAN. my Procurve has routing enabled and IPs defined in both VLANs, and is managed via the IP in the management VLAN.
even though, for various reasons, i want to route all traffic from the production VLAN to the management VLAN over a firewall.

now of course since the Procurve has interfaces in both VLANs (having the lowest possible cost, since locally connected), the switch attempts to route traffic over those interfaces. which is NOT what i want, because it bypasses the firewall.

i can define a route on the Procurve and tell it which gateway to use (the IP of the firewall), but its no good since those static routes have higher costs.

on Catalysts, i could create a separate layer 3 instance (virtual routing instance) to prevent that problem.

is there a solution for those "fully featured layer 3" procurves as well?

Thanks,
Tom
4 REPLIES
Michael_Breuer
Esteemed Contributor

Re: layer3 (routing) question on 8212zl

Hi Tom,

the ProCurve have no virtualization feature like vrfs on Cisco.
What about the following workaround:
Use the command "management-vlan" that you can only access the switch from this vlan. The switch will not route to this VLAN and access is only possible from IP addresses within that IP subnet. Use NAT (source and destination NAT) on the firewall then you have direct connection to the switches.

Cheers,

Michael
Ingentive Networks GmbH
lightxx
Frequent Advisor

Re: layer3 (routing) question on 8212zl

Michael,

thank you very much for your reply. it is much appreciated.
however, NATing is not an option. it will put lots of unnecessary load on the firewalls, and we are not talking about two VLANs here but rather a few hundred. what matters most though is the fact that _routing_ is not the job of a firewall but the very reason why layer3 switches where introduced in the first place. plus it will shift part of our job to the firewall department, which is a no go anyways.
unfortunately our bean counters were blinded with buzzwords such as lifetime warranty and free software updates. after all, if there are no features to maintain, it is easy to provide free updates ...
i find it hard to understand that a $50k device (discounts included) lacks such essential features such as VRF instances ...
Michael_Breuer
Esteemed Contributor

Re: layer3 (routing) question on 8212zl

Hi Tom,

maybe it's worth contacting your local ProCurve SE and he can check if this feature can be put on the roadmap. If there is increasing need for a specific feature HP might add it in future.
Regarding the current setup: Check the command "ip authorized-manager". It will not change the routing, but it helps you to secure the management access to the box if you need to bypass the firewall.

Cheers,

Michael
Ingentive Networks GmbH
lightxx
Frequent Advisor

Re: layer3 (routing) question on 8212zl

Michael,

once again thank you for your input. i assigned your answer all the remaining points.

after all i decided to give src. & dest. NATing a chance, kinda. it ended up being a Frankenstein setup, but the only one possible as it seems. configuring the
zl is now done via a small /30 subnet in our management VLAN which is NATed on the firewall, and "management-vlan xxxx" stays turned on, so all the other devices on our management VLAN are invisible to the other VLANs. sigh.

i won't however contact HP, i actually see no good in doing so. i mean, c'mon VRFs have been around for ages on IOS ... so obviously there is no demand or HP is just ignorant ...