Connecting HP 1810-8G v2 with Sophos UTM with multiple VLANs

bloudraak
Occasional Collector

This is my current setup in a remote data center, which works

  • A Sophos UTM 110 that is configured with 12 VLANs (VLAN 10 thru 22).  
  • Ports eth0, eth2 and eth3 are bridged and connected to three ESXi Hypervisors
  • eth1 is connected to the internet.  
  • Each of the ESXi Hypervisors has 12 vSwitches, one for each VLAN.  
  • Each VLAN has its own DHCP, DNS and NTP servers (provided by the Sophos UTM device). The convention I'm following is that VLAN 10 belongs to network 172.16.10.0/24, VLAN 11 to 172.16.11.0/24, VLAN 12 to 172.16.12.0/24 and so forth.
  • The Sophos UTM controls traffic between the VLANs

Why did I do this?  Well, a while back I installed an Apache Tomcat application.  A warning was sent about a remote execution vulnerability in Apache Tomcat.  By the time I logged in to patch it, the virtual machine was already compromised and causing havoc with other servers. Since I created the VLANs, similar things have happened, but none of the other hosts (e.g. my email servers) were impacted. 

I'd like to connect more devices to my configuration.  Folks recommended HP 1810-8G v2 devices due to their size and reliability, so I bought two.  Let's call them HP1 and HP2.

The plan to install and configure HP1 was as follows:

  • Create a new VLAN on the Sophos UTM, say VLAN 5 with a DHCP server (172.16.5.2 - 172.16.5.254)
  • Connect to the HP1 device on port 1 from a laptop per documentation
  • Turn on HP1
  • Connect to http://192.168.2.10 
  • Login to HP1 
  • In VLANs, VLAN Configuration, create VLAN 5
  • In VLANs, Participation / Tagging, select VLAN 5 and select "Tagged" on all the ports and select "apply".  (VLAN 1 remains untagged on all ports)
  • In Setup Network, select DHCP and select 5 as the Management VLAN and select "apply"
  • Connect a cable from eth0 on the Sophos UTM to port 8 on HP1.
  • Restart HP1

The plan to install and configure HP2 was as follows:

  • Connect to the HP2 device on port 1 from a laptop per documentation
  • Turn on HP2
  • Connect to http://192.168.2.10 
  • Login to HP2 
  • In VLANs, VLAN Configuration, create VLAN 5
  • In VLANs, Participation / Tagging, select VLAN 5 and select "Tagged" on all the ports and select "apply".  (VLAN 1 remains untagged on all ports)
  • In Setup Network, select DHCP and select 5 as the Management VLAN and select "apply"
  • Connect a cable from port 1 on HP1 to port 1 on HP2.
  • Restart HP2

At this stage I'm expecting to connect to the Sophos UTM and

  • be able to look at the DHCP reservations and see two IP addresses (anything from 172.16.5.2 - 172.16.5.254) to be reserved.  The MAC addresses should match HP1 and HP2.
  • SSH to the Sophos UTM and ping 172.16.5.1 (which is the router)
  • SSH to the Sophos UTM and ping 172.16.5.2 (or whatever IP address was reserved for the HP1 device)
  • SSH to the Sophos UTM and ping 172.16.5.3 (or whatever IP address was reserved for the HP2 device)

After that we were unable to ping either 172.16.5.2 or 172.16.5.3.  In essence the network was unreachable.  We disconnected everything and restored it like before (so folks can have their precious email).  The plan is to try again.

Did we miss any steps during the configuration?  Is there anything else you'd add to configure HP1 and HP2 to be administered over VLAN 5?

3 REPLIES
Vince-Whirlwind
Honored Contributor

Re: Connecting HP 1810-8G v2 with Sophos UTM with multiple VLANs

I'm not sure I quite understand your design - if you patch eth0 on the UTM, then one of your ESX servers loses its uplink, no?

The whole point of having 3 interfaces on the UTM for your ESX cluster is to provide a bit of redundancy, right?

Your new switches have a single uplink, and even worse, your second switch is uplinked through your first switch.

(Incidentally, if you can afford Sophos UTM & ESX servers, it is surprising that your HP people have recommended such a basic switch to you).

Anyway, what is your intention for these new devices? To add them to the existing VLANs that exist in the V environment?

Or are you going to create a new sequence of VLANs? (e.g., 23, 24, 25, etc.)

If I were designing this, and assuming what you are creating is a new and non-virtualised networking environment in order to support some non-virtualised resources, I would probably want to put it between the UTM & the ESX environment in order to preserve the existing connectivity while at the same time providing more ports for additional devices that aren't inside the ESX V environment.

Additionally, I might look into moving my routing off the UTM and putting it on a device that is going to give me better routing performance.

bloudraak
Occasional Collector

Re: Connecting HP 1810-8G v2 with Sophos UTM with multiple VLANs

I assumed you'll read between the lines and make the leap that the ESXi hypervisors will be connected to the HP devices, as would other devices.

My first goal is to get the Sophos UTM to connect to the HP1 and HP2 devices.  The devices are sufficient. There is no need for redundancy.  All the devices are under warranty. If it fails, then I replace the device and restore my backups.  It may take an hour, a day or a weekend.  It's fine, no one will die.

I already bought a NAS, which I'll use for backups and shared storage.  I don't see a need to add more VLANs; but that may change. I may add more hypervisors in the future.

Vince-Whirlwind
Honored Contributor

Re: Connecting HP 1810-8G v2 with Sophos UTM with multiple VLANs

Ok, so just for VLAN 5, I would first check that the UTM eth0 is correctly configured for passing VLAN 5 as a tagged VLAN.
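A small model of the tagged management path laid out in the original post (HP2 port 1 to HP1, HP1 port 8 to UTM eth0) and of the check the last reply suggests, as an added example that is not code from the thread, HP or Sophos. It assumes the 1810 emits management-VLAN frames with an 802.1Q tag on ports marked "Tagged" and that the UTM only terminates such frames on a matching VLAN sub-interface; port names, VLAN ids and subnets are taken from the post, the "before/after" router definitions are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    """802.1Q membership of one switch port (the 1810's Participation / Tagging page)."""
    tagged: frozenset = frozenset()   # VLAN ids sent out of this port with a tag
    untagged: Optional[int] = 1       # VLAN id sent without a tag (VLAN 1 in the post)

@dataclass
class RouterIface:
    """One router port: per-VLAN sub-interfaces plus an optional untagged address."""
    vlan_subnets: dict = field(default_factory=dict)   # vlan id -> subnet it terminates
    untagged_subnet: Optional[str] = None

def egress(port: Port, vlan: int):
    """Frame for `vlan` leaving `port`: ('tagged', id), ('untagged', None) or None if dropped."""
    if vlan in port.tagged:
        return ("tagged", vlan)
    if vlan == port.untagged:
        return ("untagged", None)
    return None

def accepted_subnet(iface: RouterIface, frame):
    """Subnet the router would put the frame in, or None when no interface matches it."""
    if frame is None:
        return None
    kind, vid = frame
    return iface.vlan_subnets.get(vid) if kind == "tagged" else iface.untagged_subnet

def check_mgmt_path(hops, mgmt_vlan, router):
    """hops: ordered (name, Port) egress ports from the managed switch towards the router.
    Returns (subnet reached or None, list of problems found)."""
    problems = [f"{name} is not a member of VLAN {mgmt_vlan}"
                for name, port in hops if egress(port, mgmt_vlan) is None]
    last_frame = egress(hops[-1][1], mgmt_vlan) if not problems else None
    subnet = accepted_subnet(router, last_frame)
    if not problems and subnet is None:
        problems.append(f"router has no interface for VLAN {mgmt_vlan} frames arriving {last_frame[0]}")
    return subnet, problems

# Constructed from the post: VLAN 5 tagged and VLAN 1 untagged on every switch port.
TRUNK = Port(tagged=frozenset({5}), untagged=1)
# UTM eth0 with only the existing VLAN 10..22 sub-interfaces (constructed "before" state).
UTM_ETH0_BEFORE = RouterIface({v: f"172.16.{v}.0/24" for v in range(10, 23)})
# Same port after a VLAN 5 sub-interface has been added (constructed "after" state).
UTM_ETH0_AFTER = RouterIface({**UTM_ETH0_BEFORE.vlan_subnets, 5: "172.16.5.0/24"})
# Management frames from HP2 leave HP2 port 1, cross HP1, and leave HP1 port 8 to eth0.
HP2_TO_UTM = [("HP2 port 1", TRUNK), ("HP1 port 8", TRUNK)]

if __name__ == "__main__":
    for label, iface in (("before", UTM_ETH0_BEFORE), ("after", UTM_ETH0_AFTER)):
        print(label, check_mgmt_path(HP2_TO_UTM, 5, iface))
```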