HPE Community
Comware Based
1823959 Members
4241 Online
109667 Solutions
New Discussion

Re: HP 5500 EI switch routing VLANs to specified Gateway/Firewall

 
Macoyzki
Visitor

‎06-15-2016 06:34 PM

‎06-15-2016 06:34 PM

HP 5500 EI switch routing VLANs to specified Gateway/Firewall

Hi,

We have currently 3 Firewalls in the environment and we have HP5500 EI switch as our Core, we implemented VLANs and is having problem with the below.

Requirements

We have defined multiple VLANs in the core switch and wants this VLAN to route to specific firewall. The Core Switch VLAN IP address is the gateway of the clients. Firewall is configured with static route to the Core switch and we confirm it's working well. 

DHCP server is configured to broadcast DHCP scope. Only one DHCP server is currently running in the network. We confirm that DHCP is also working well.

 

Issue

We have configured static routes from VLAN to route to one of the firewall. The client is able to get DHCP address correctly but is unable to connect to the internet (ping www.google.com). We also notice that it is inactive when we checked the route.

 

By the issue above we have configured Policy Based Routing to certain VLANs , but is unable to get DHCP address. If we configure the IP static we're able to connect to the internet and the network successfully.

 

Attached is the network diagram and the core switch config. 

0 Kudos
5 REPLIES 5
parnassus
Honored Contributor

‎06-16-2016 03:50 AM

‎06-16-2016 03:50 AM

Re: HP 5500 EI switch routing VLANs to specified Gateway/Firewall

What's about DHCP Snooping (which is Enabled) and Trust(ing) all ports involved in desiderd DHCP traffic?


I'm not an HPE Employee
Kudos and Accepted Solution banner
0 Kudos
Macoyzki
Visitor

‎06-16-2016 03:55 AM

‎06-16-2016 03:55 AM

Re: HP 5500 EI switch routing VLANs to specified Gateway/Firewall

That's where the DHCP servers connected. Can you advise me on on how can I able to solve it.
0 Kudos
parnassus
Honored Contributor

‎06-16-2016 09:42 AM - edited ‎06-16-2016 10:37 AM

‎06-16-2016 09:42 AM - edited ‎06-16-2016 10:37 AM

Re: HP 5500 EI switch routing VLANs to specified Gateway/Firewall

I mean, as far as I understood DHCP Snooping, once DHCP Snooping is Enabled globally on a Switch, you have to set each DHCP Server-facing involved port of that Switch as a "Trust(ed)" port in order to let DHCP traffic to flow from that DHCP Server through its potential DHCP Clients.

I Hope not to be wrong here.


I'm not an HPE Employee
Kudos and Accepted Solution banner
0 Kudos
Macoyzki
Visitor

‎06-16-2016 07:59 PM

‎06-16-2016 07:59 PM

Re: HP 5500 EI switch routing VLANs to specified Gateway/Firewall

Hi Parnassus,

Thank you for the response. I verify that the DHCP clients from any VLAN can obtain the correct IP address from the server. However my problem lies in routing the specific VLANs to a specific firewall/gateway. If I do PBR then my DHCP clients cannot obtain IP from the server which is in VLAN 1, and all the firewall also in VLAN 1.

Regards,

Mark

0 Kudos
Vince-Whirlwind
Honored Contributor

‎06-19-2016 05:58 PM

‎06-19-2016 05:58 PM

Re: HP 5500 EI switch routing VLANs to specified Gateway/Firewall

I can't help you on why DHCP-forwarding and PBR would affect each other (although I am very interested in finding out what behaviour you are seeing. Perhaps your PBR needs specific filters for local subnets before hitting the policy pointing at the FW?).

I would point out, however, that having servers (or any kind of hosts) within a subnet that is also being used for Layer-3 hops is almost always a bad idea.
Each Layer3 hop should be on its own point-to-point segment.
In your position, I'd be looking at re-addressing firewalls 1 & 2 so that for each of them, their leg off the core switch is in a unique subnet. This hugely simplifies things.

Less importantly, you have a subnet that is mixed services & management.
Personally, I would have a management VLAN and a seperate Services VLAN. 
Also, shutting down VLAN1 is a good idea: move the .4. subnet to a new VLAN4, and readdress all the network devices to a new subnet, VLAN199 for monitoring and management.

The effort that goes into a cleanup and re-design will often obviate the need for effort into solving weird issues.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.