
PVID

 
Renato_Freitas
Frequent Visitor

PVID

Hello everybody,

I have searched the HP manuals and Google, but I haven't found the answer yet.


1. The scenario:

# TRUNK (uplink with Firewall)
interface GigabitEthernet 1/0/48
port link-type trunk
undo port trunk vlan 1
port trunk pvid 1320
port trunk vlan 1320 untagged
port trunk vlan 1010 1800 3000 tagged
stp edged-port enable
undo shutdown
quit

# WORKSTATION
interface GigabitEthernet 1/0/1
description WORKSTATION
port link-type access
port access pvid 1800
port access vlan 1800
stp edged-port enable
undo shutdown
quit


2. Description

VLAN 1320 belongs to the Firewall and is the VLAN where the Switch's default gateway is (inter-VLAN).
VLAN 3000 belongs to the Firewall too and is the Guest Wi-Fi.
Both of these VLANs would be tagged by the Firewall (in this case it will tag VLAN 3000 and leave VLAN 1320 untagged).

The VLAN1800 is WORKSTATIONS VLAN, and
The VLAN1010 is SERVERS VLAN

So, each VLAN has its own PVID (e.g. VLAN 1010, PVID 1010; VLAN 1800, PVID 1800; and so on).


3. My question

Would a PC in VLAN 1800 be able to reach the Internet?

My doubt is because the PVID of VLAN 1800 is 1800, while the PVID of port 48 is 1320, and the Firewall can't tag VLAN 1800, because VLAN 1800 doesn't belong to the Firewall.

Will communication between the PC and the Internet through the Firewall be possible?

 

Thanks for advice!

Best Regards,

Renato

parnassus
Honored Contributor

Re: PVID


@Renato_Freitas wrote: Would a PC in VLAN 1800 be able to reach the Internet? My doubt is because the PVID of VLAN 1800 is 1800, while the PVID of port 48 is 1320, and the Firewall can't tag VLAN 1800, because VLAN 1800 doesn't belong to the Firewall. Will communication between the PC and the Internet through the Firewall be possible?

Yes, it would...provided that VLAN 1800 is properly managed by the Firewall (the Firewall, as you wrote, owns the VLAN's SVI IP address and should also have the proper policy to let hosts on VLAN 1800 reach the Internet).

I don't see any issue in the scenario.

The uplink is untagged on VLAN 1320 and tagged on 1010, 1800 and 3000, so it's expected that the Firewall has the peer interface used to connect to the switch with four IP addresses assigned: one on the main ethernet interface (probably on VLAN 1, doesn't matter) and the other three respectively assigned to sub-interfaces of the main one (each one respectively assigned to VLAN 1010, 1800 and 3000).

The interface 1/0/1 looks correctly configured as an access port on VLAN 1800.


I'm not an HPE Employee
Renato_Freitas
Frequent Visitor

Re: PVID

First of all thanks for your answer and help.

@parnassus wrote:

  1. "Yes, it would...provided that VLAN 1800 is properly managed by the Firewall (the Firewall, as you wrote, owns the VLAN's SVI IP address and should also have the proper policy to let hosts on VLAN 1800 reach the Internet)."

Sorry if I said this, but it is not correct. The Firewall only manages VLANs 1320 and 3000. It doesn't manage the others (1800 and 1010). For VLANs 1800 and 1010 there is only a static route in the Firewall towards the Switch; the Firewall only works at layer 3 for "VLANs 1800 and 1010". That is the reason for my doubt.

2. "The uplink is untagged on VLAN 1320 and tagged on 1010, 1800 and 3000, so it's expected that the Firewall has the peer interface used to connect to the switch with four IP addresses assigned: one on the main ethernet interface (probably on VLAN 1, doesn't matter) and the other three respectively assigned to sub-interfaces of the main one (each one respectively assigned to VLAN 1010, 1800 and 3000)."

For VLANs 1010 and 1800 I don't have sub-interfaces assigned in the Firewall; the Firewall only has two routes "for VLANs 1010 and 1800" towards the Switch, because the gateway of these two VLANs is on the Switch as a virtual interface.

The Firewall assigns sub-interfaces only for VLANs 1320 and 3000, so the Switch will tag the packets for VLAN 1800 with PVID 1800, right? But the Firewall won't manage packets for VLANs 1010 and 1800 at layer 2. Between the Switch (port 48) and the Firewall there is only a route for VLANs 1010 and 1800, because the Firewall is the default gateway for the Switch.

parnassus
Honored Contributor

Re: PVID

Hi Renato, you're correct. Forget about my whole answer above. I misunderstood your setup.

Can you pinpoint exactly what SVI Addresses are there and where they are?

I mean could you specify:

  1. VLAN 1320 -> SVI on Firewall with <ip-address-of-VLAN-1320> (no IP address also on the Switch?)
  2. VLAN 3000 -> SVI on Firewall with <ip-address-of-VLAN-3000>
  3. VLAN 1010 -> SVI on Switch (?) with <ip-address-of-VLAN-1010>
  4. VLAN 1800 -> SVI on Switch (?) with <ip-address-of-VLAN-1800>

because I see an asymmetry (VLAN 1320 and 3000 routed by the Firewall, VLAN 1010 and 1800 routed by the Switch, the Switch has a default route pointing on the VLAN 1320 BUT has no IP on that VLAN, right?).

If VLAN 1320 and 3000 SVI IPv4 addresses are only defined on the Firewall (and thus it acts as the IPv4 router for both) then it's correct to tag both VLANs on the Switch uplink port to your Firewall LAN interface (with LAN.1320 and LAN.3000 as logical sub-interfaces, respectively with VLAN id 1320 + IP on VLAN 1320 and VLAN id 3000 + IP on VLAN 3000), but then how will hosts on VLANs 1010 and 1800 be routed to your Firewall (to exit to the Internet) if the very same Switch where they are hasn't a foot on VLAN 1320 (notice you used the Default Route citing the VLAN 1320 SVI on the Firewall as next hop gateway)?


I'm not an HPE Employee
Renato_Freitas
Frequent Visitor

Re: PVID

Hello @parnassus, thanks in advance for your attention.

1. "Can you pinpoint exactly what SVI Addresses are there and where they are?"

I'll explain below.

2. VLAN 1320 -> SVI on Firewall with <ip-address-of-VLAN-1320> (no IP address also on the Switch?)

This VLAN was configured for communication between the Firewall and the Switch, for administration purposes.
Firewall: 10.172.32.2/29
SVI Switch VLAN 1320: 10.172.32.1/29

3. VLAN 3000 -> SVI on Firewall with <ip-address-of-VLAN-3000>

This VLAN is not configured with an SVI on the Switch; there's no virtual interface on the Switch.
This VLAN is managed by the Firewall; it's the GUEST Wi-Fi. If it were configured on the Switch as an SVI, then the guests would have access to my LAN network, so it's only on the Firewall. The main purpose is access control.

4. VLAN 1010 -> SVI on Switch (?) with <ip-address-of-VLAN-1010>

There is no IP on the Firewall for this network.
This is the SERVERS VLAN; it has its SVI on the Switch: 10.172.1.10/20

5. VLAN 1800 -> SVI on Switch (?) with <ip-address-of-VLAN-1800>

There is no IP on the Firewall for this network.
This is the WORKSTATION VLAN; it has its SVI on the Switch: 10.172.81.10/20

We do not use the VLAN 1 for any purpose.


6. "because I see an asymmetry (VLAN 1320 and 3000 routed by the Firewall, VLAN 1010 and 1800 routed by the Switch,"

- For VLANs 1320 and 3000 the gateway IP is on the Firewall.
- For VLANs 1010 and 1800 the gateway IP is on the Switch (inter-VLAN).

7. "the Switch has a default route pointing on the VLAN 1320"

- ip default-gateway 10.172.32.2 #This is the route on the Switch

8. "BUT has no IP on that VLAN, right?)."

- No, the Switch has an IP in this VLAN: SVI Switch VLAN 1320: 10.172.32.1/29

9. "If VLAN 1320 and 3000 SVI IPv4 addresses are only defined on the Firewall (and thus it acts as the IPv4 router for both) then it's correct to tag both VLANs on the Switch uplink port to your Firewall LAN interface (with LAN.1320 and LAN.3000 as logical sub-interfaces, respectively with VLAN id 1320 + IP on VLAN 1320 and VLAN id 3000 + IP on VLAN 3000)"

- Yes, right, we don't have any issue with these two VLANs. It's working.

10. "but then how will hosts on VLANs 1010 and 1800 be routed to your Firewall (to exit to the Internet) if the very same Switch where they are hasn't a foot on VLAN 1320 (notice you used the Default Route citing the VLAN 1320 SVI on the Firewall as next hop gateway)?"

- At the routing level they have a foot in it, because the default gateway for the Switch is the Firewall, but my doubt is about layer 2: whether these two VLANs (1010 and 1800) will be able to exit to the Internet.

To better explain, below is the Switch configuration:
# STP
stp global enable
stp enable
stp mode rstp

# Routing
ip default-gateway 10.172.32.2
ip routing

# ENABLING DHCP SERVICE
dhcp enable

# VLAN
vlan 1010
description SERVER
quit

vlan 1320
description FIREWALL
quit

vlan 1800
description WORKSTATION
quit

vlan 3000
description WI-FI GUEST
quit


# VIRTUAL VLAN INTERFACE
interface Vlan-interface101
ip address 10.172.1.10 255.255.240.0
quit

interface Vlan-interface132
ip address 10.172.32.1 255.255.255.248
quit

interface Vlan-interface180
ip address 10.172.81.10 255.255.240.0
dhcp select relay
dhcp relay server-address 10.172.1.1
quit

# WORKSTATION
interface GigabitEthernet 1/0/1
description WORKSTATION
port link-type access
port access pvid 1800
port access vlan 1800
stp edged-port enable
undo shutdown
quit

# ACCESS POINT
interface GigabitEthernet 1/0/27
description ACCESS POINT
port link-type trunk
undo port trunk vlan 1 untagged
port trunk pvid 1800
port trunk vlan 3000 tagged
port trunk vlan 1800 untagged
stp edged-port enable
quit

# TRUNK (uplink with Firewall)
interface GigabitEthernet 1/0/48
port link-type trunk
undo port trunk vlan 1
port trunk pvid 1320
port trunk vlan 1320 untagged
port trunk vlan 1010 1800 3000 tagged
stp edged-port enable
undo shutdown
quit

parnassus
Honored Contributor

Re: PVID

Hi Renato!


@Renato_Freitas wrote: This VLAN was configured for communication between Firewall and Switch - administration purpose. Firewall: 10.172.32.2/29 SVI Switch VLAN 1320: 10.172.32.1/29

Perfect (please note immediately that since the Switch has the IP Routing feature enabled, having the VLAN id 1320 with an associated SVI 10.172.32.1/29 address means that the switch is capable of routing between this subnet and the other two, Servers VLAN id 1010 and Workstation VLAN id 1800, respectively through their 10.172.1.10/20 and 10.172.81.10/20 SVI addresses).

The VLAN id 1320 (no matter the SVI on the Switch for management) is directly transported at Layer 2 to the Firewall (the uplink port needs to be tagged with VLAN id 1320, as it actually isn't...indeed actually the VLAN id 1320 is untagged on the uplink; this means that the LAN main interface on the Firewall has VLAN id set to 1320 instead of the default VLAN id 1…but above you wrote that the Firewall LAN has two sub-interfaces for, respectively, 1320 and 3000...this, if I read it correctly, means exactly that the downlink to the Switch has 1320 and 3000 tagged and so the uplink on the switch should do the same...which brings us back to the fact that VLAN id 1320 should be tagged on the uplink along with VLAN id 3000).


@Renato_Freitas wrote: This VLAN is not configured with a SVI on Switch - there's no Virtual Interface in Switch This VLAN is managed by Firewall, it's GUEST WI-FI. If it was configured at Switch as a SVI, then the GUESTs will be access to my LAN networking, so it's only on Firewall. The main purpose of control access.

Perfect. Totally reasonable. The VLAN id 3000 (without a SVI on the Switch) is directly transported at Layer 2 to the Firewall (uplink port needs to be tagged with VLAN id 3000, as it actually is).


@Renato_Freitas wrote: There's no one IP on Firewall for this Network. This is SERVERs VLAN, it has the SVI on Switch: 10.172.1.10/20

Perfect. Totally reasonable approach. Switch is the router/gateway (SVI address) for that Subnet.


@Renato_Freitas wrote: There's no one IP on Firewall for this Network. This is WORKSTATION VLAN, it has the SVI on Switch: 10.172.81.10/20 We do not use the VLAN 1 for any purpose.

Perfect. As above. VLAN id 1 (Default): it's safe not using it for any purpose.


@Renato_Freitas wrote: ip default-gateway 10.172.32.2 #This is the route on the Switch

Generally the Default Gateway is ignored when IP Routing is enabled. With IP Routing enabled you need a Route of Last Resort (0/0 via a directly connected Next Hop Gateway) and/or ad-hoc static routes (not necessarily with a Route of Last Resort) for specific destination networks. More below on this part.


@Renato_Freitas wrote: no, the Switch has an IP at this VLAN: SVI Switch VLAN 1320: 10.172.32.1/29

OK, Perfect, the main reason (Switch management) was clarified by you above.


@Renato_Freitas wrote: Yes, right, we don't have issue with this both VLAN. It's working.

That's pretty strange considering the VLAN membership of the uplink...but not having an idea how exactly your Firewall is configured in terms of LAN interface VLAN assignments...it's possible that my assumptions above aren't correct (I really don't understand why the uplink port was configured as an untagged member of VLAN id 1320).


@Renato_Freitas wrote: At level of routing they have a foot on it, because the default gateway for Switch is the Firewall, but my doubt is about layer 2. If this two VLAN (1010 and 1800) will be able to exit on the Internet.

And now the tricky part (for any error made, please forgive me...it's really really really late at night here now! 8-) ).

Well the point here is: VLAN id 1010 and 1800 are routed with VLAN id 1320 (remember VLAN id 1320's SVI address on the Switch?) so any host on VLAN id 1010 Switch SVI 10.172.1.10/20 (range: 10.172.0.1 – 10.172.15.254) or any host on VLAN id 1800 Switch SVI 10.172.81.10/20 (range: 10.172.80.1 – 10.172.95.254) can be routed by the Switch to any host on VLAN id 1320 Switch SVI 10.172.32.1/29 (range: 10.172.32.1 – 10.172.32.6), Firewall included having the IP 10.172.32.2.

The fact is that any host (clearly excluding the Firewall, given its particular status of "router" for its interfaces) on VLAN id 1320's subnet uses the Firewall as its next hop gateway (default gateway), and the Firewall is probably configured to deny routing/access (ACL) back to VLAN id 1010 and 1800's subnets (this to hide the asymmetry), essentially blocking traffic back to those subnets.

The initial question: will a host on VLAN id 1010 (or 1800)'s subnet (using the Switch as its gateway through VLAN id 1010 (or 1800)'s Switch SVI address) be able to reach the external networks behind the Firewall?

Given your configuration, let's forget for a moment my doubts about the VLAN tagging memberships on the uplink port...let's focus on VLAN id 1010: any host on VLAN id 1010 Switch SVI 10.172.1.10/20 (range: 10.172.0.1 – 10.172.15.254) is going to use 10.172.1.10/20 as its Default Gateway and so it relies on the Switch routing capabilities to route to all networks that aren't its own network…at that point the packets are routed by the Switch if (a big if) there is a Route of Last Resort (destination 0.0.0.0 mask 0.0.0.0 via 10.172.32.2)...remember what I wrote above? ...so let me suppose this RoLR really exists on the Switch (since I presume the default gateway directive becomes inoperative IF routing is enabled)...so the packets are routed through the uplink port and they arrive at the Firewall 10.172.32.2; at that point, through the Firewall – if appropriate ACLs are applied – the desired external destination could be reached...but the return traffic should be able to reach the source too.

A packet whose destination is the originating host needs to be routed back via (a) the Firewall LAN interface on VLAN id 1320, so passing through 10.172.32.2, and the Firewall should (b) know how to reach, for the example I built, the 10.172.1.10/20 subnet through a directly reachable Switch SVI…so through VLAN 1320's Switch SVI which is (purpose: management) 10.172.32.1…provided that there is no other way to bypass that point...this means the Firewall should have a static route like destination 10.172.1.10 mask 255.255.240.0 via 10.172.32.1. The packet transit to/from the Firewall happens by routing over the uplink using VLAN 1320.

The same example could be done around VLAN 1800.

Does it sound reasonable?

This opens up another question: why also tagging the uplink port with VLAN id 1010 and 1800?


I'm not an HPE Employee
Renato_Freitas
Frequent Visitor

Re: PVID

Hello @parnassus !

1. @parnassus wrote
"The VLAN id 1320 (no matter the SVI on the Switch for management) is directly transported at Layer 2 to the Firewall (the uplink port needs to be tagged with VLAN id 1320, as it actually isn't...indeed actually the VLAN id 1320 is untagged on the uplink; this means that the LAN main interface on the Firewall has VLAN id set to 1320 instead of the default VLAN id 1…but above you wrote that the Firewall LAN has two sub-interfaces for, respectively, 1320 and 3000...this, if I read it correctly, means exactly that the downlink to the Switch has 1320 and 3000 tagged and so the uplink on the switch should do the same...which brings us back to the fact that VLAN id 1320 should be tagged on the uplink along with VLAN id 3000)."

- Would the following way be better?

- Creating a default VLAN to substitute the default VLAN 1

vlan 999
description PVID(native vlan)
quit

- On the trunk port I substitute PVID 1320 with 999, so all traffic will be tagged, right? Is it better?

# TRUNK (uplink with Firewall)
interface GigabitEthernet 1/0/48
port link-type trunk
undo port trunk vlan 1
port trunk pvid 999
port trunk vlan 1010 1320 1800 3000 tagged
stp edged-port enable
undo shutdown
quit

 

2. @parnassus wrote
"Generally the Default Gateway is ignored when IP Routing is enabled. With IP Routing enabled you need a Route of Last Resort (0/0 via a directly connected Next Hop Gateway) and/or ad-hoc static routes (not necessarily with a Route of Last Resort) for specific destination networks. More below on this part."

- As the Default Gateway will be ignored, I must create a static route like the following, right?
E.g. for the GUESTs network, VLAN 300, where 172.16.151.10 is the SVI on the Firewall.

ip route-static 172.16.151.0 255.255.255.0 Vlan-interface300 172.16.151.10

Is this correct? If not, how should I do it?
Is there some way to configure a default gateway and use inter-VLAN routing, or is it necessary to create a lot of static routes for everything? For example, for Internet access the Switch needs a default gateway. E.g. the workstation 10.172.81.1 connects to Google DNS 8.8.8.8. 10.172.81.1 sends to the next hop 10.172.81.10 (in this case this interface is on the Switch), and then? The packet won't go to the Internet, right?

 

3. @parnassus wrote
"That's pretty strange considering the VLAN membership of the uplink...but not having an idea how exactly your Firewall is configured in terms of LAN interface VLAN assignments..."

- For the VLANs directly managed by the Firewall (VLANs 1320 and 3000), the Firewall will tag the frames, as they are managed by the Firewall, so there is an IP configured, 10.172.32.2/29 and 172.16.151.10/24 respectively; then I need to create nothing more.
For the VLANs not directly managed by the Firewall (VLANs 1010 and 1800), I created a virtual interface without IP, where I created static routes specifying the interface instead of the next hop.

"it's possible that my assumptions above aren't correct (I really don't understand why the uplink port was configured as an untagged member of VLAN id 1320)."

- I'm changing this as above, right?

 

4. @parnassus wrote
"The fact is that any host (clearly excluding the Firewall, given its particular status of "router" for its interfaces) on VLAN id 1320's subnet uses the Firewall as its next hop gateway (default gateway), and the Firewall is probably configured to deny routing/access (ACL) back to VLAN id 1010 and 1800's subnets (this to hide the asymmetry), essentially blocking traffic back to those subnets."

- As we are making the changes above, this is no longer the scenario.

 

5. @parnassus wrote
"The initial question: will a host on VLAN id 1010 (or 1800)'s subnet (using the Switch as its gateway through VLAN id 1010 (or 1800)'s Switch SVI address) be able to reach the external networks behind the Firewall?"

- Yes.

 

6. @parnassus wrote
"(destination 0.0.0.0 mask 0.0.0.0 via 10.172.32.2)"

- How can I do this? Because I was thinking the command would be: 'ip default-gateway 10.51.32.2'.

Would it be 'ip route-static 0.0.0.0 0.0.0.0 Vlan-interface132 10.172.32.2'?

 

7. @parnassus wrote
"A packet whose destination is the originating host needs to be routed back via (a) the Firewall LAN interface on VLAN id 1320, so passing through 10.172.32.2, and the Firewall should (b) know how to reach, for the example I built, the 10.172.1.10/20 subnet through a directly reachable Switch SVI…so through VLAN 1320's Switch SVI which is (purpose: management) 10.172.32.1…provided that there is no other way to bypass that point...this means the Firewall should have a static route like destination 10.172.1.10 mask 255.255.240.0 via 10.172.32.1. The packet transit to/from the Firewall happens by routing over the uplink using VLAN 1320."

- It's correct.

- In a perfect scenario, let's take an example, only layer 2.

  • Sending
    The server 10.172.1.7 sends a frame whose destination is 8.8.8.8. This frame belongs to VLAN 1010 and will arrive at port 1/0/48, which is a trunk port where VLAN 1010 is tagged, so the Switch will tag the frame and send it. The Firewall will receive the frame, remove the tag and send it to the Internet.
  • Returning
    8.8.8.8 will respond; the Firewall will identify the frame, tag it (VLAN 1010) and send it back to the Switch (port 1/0/48); the Switch will remove the tag and deliver the frame to 10.172.1.7.
    Is this example right?

 

8. @parnassus wrote
"Does it sound reasonable?"

- Yes.

 

9. @parnassus wrote
"This opens up another question: why also tagging the uplink port with VLAN id 1010 and 1800?"

- I was thinking that it is because without the tag the Switch would reject the frame. Won't it? Or will they be sent using the PVID?

 

------- // -------

 

@parnassus, this issue is getting so big that I'm thinking it could be annoying you. Sorry about that.

To try to simplify, I'll put the new config below. The firewall IP is 10.172.32.2.

# VLAN
vlan 1010
description SERVER
quit

vlan 1320
description FIREWALL
quit

vlan 1800
description WORKSTATION
quit

vlan 3000
description WI-FI GUEST
quit

vlan 999
description PVID(native vlan)
quit

# VIRTUAL VLAN INTERFACE
interface Vlan-interface101
ip address 10.172.1.10 255.255.240.0
quit

interface Vlan-interface132
ip address 10.172.32.1 255.255.255.248
quit

interface Vlan-interface180
ip address 10.172.81.10 255.255.240.0
dhcp select relay
dhcp relay server-address 10.172.1.1
quit

ip routing
ip route-static 172.16.151.0 255.255.255.0 Vlan-interface300 172.16.151.10
ip route-static 0.0.0.0 0.0.0.0 Vlan-interface132 10.172.32.2

# WORKSTATION
interface GigabitEthernet 1/0/1
description WORKSTATION
port link-type access
port access pvid 1800
port access vlan 1800
stp edged-port enable
undo shutdown
quit

# ACCESS POINT
interface GigabitEthernet 1/0/27
description ACCESS POINT
port link-type trunk
undo port trunk vlan 1 untagged
port trunk pvid 1800
port trunk vlan 3000 tagged
port trunk vlan 1800 untagged
stp edged-port enable
quit

# TRUNK (uplink with Firewall)
interface GigabitEthernet 1/0/48
port link-type trunk
undo port trunk vlan 1
port trunk pvid 999
port trunk vlan 1010 1320 1800 3000 tagged
stp edged-port enable
undo shutdown
quit

 

Does this new scenario work for you?
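The Layer 2 and Layer 3 walkthrough in this thread (parnassus's Route of Last Resort and return-route reasoning, and Renato's send/return example and his question about untagged frames on the uplink) as an added Python model; this is not code from the thread or from either poster. It assumes the posted uplink membership and Switch SVI addresses, a Route of Last Resort on the Switch, and a constructed Firewall table with only the connected 10.172.32.0/29 plus an optional static route back to the Servers subnet.

```python
"""Model of the Switch in this thread: 802.1Q trunk membership on the uplink plus
the L3 routing table, tracing a server's packet towards the Internet and back."""
import ipaddress

# Uplink port 1/0/48 as first posted: PVID 1320 untagged, 1010/1800/3000 tagged.
UPLINK = {"pvid": 1320, "untagged": {1320}, "tagged": {1010, 1800, 3000}}
# The same port after Renato's proposed change: native VLAN 999, everything tagged.
UPLINK_ALL_TAGGED = {"pvid": 999, "untagged": set(), "tagged": {1010, 1320, 1800, 3000}}


def egress(port, vlan):
    """How a frame of `vlan` leaves the trunk: 'tagged', 'untagged', or None (not a member, dropped)."""
    if vlan in port["tagged"]:
        return "tagged"
    if vlan in port["untagged"]:
        return "untagged"
    return None


def ingress_vlan(port, tag):
    """VLAN a received frame is placed in: its 802.1Q tag if permitted, the PVID if untagged, None if rejected."""
    if tag is None:
        return port["pvid"]
    return tag if tag in port["tagged"] else None


# Switch routing table: connected SVIs from the posted config plus the Route of Last Resort
# (ip route-static 0.0.0.0 0.0.0.0 ... 10.172.32.2). Entries: (prefix, vlan, next_hop or None).
SWITCH_ROUTES = [
    (ipaddress.ip_network("10.172.0.0/20"), 1010, None),        # Vlan-interface101 10.172.1.10/20
    (ipaddress.ip_network("10.172.32.0/29"), 1320, None),       # Vlan-interface132 10.172.32.1/29
    (ipaddress.ip_network("10.172.80.0/20"), 1800, None),       # Vlan-interface180 10.172.81.10/20
    (ipaddress.ip_network("0.0.0.0/0"), 1320, "10.172.32.2"),   # Route of Last Resort via the Firewall
]

# Constructed Firewall tables: only the connected VLAN 1320 subnet, and the same plus the static
# route parnassus asks for (10.172.1.10 mask 255.255.240.0, i.e. 10.172.0.0/20, via 10.172.32.1).
FIREWALL_CONNECTED = [(ipaddress.ip_network("10.172.32.0/29"), 1320, None)]
FIREWALL_WITH_RETURN = FIREWALL_CONNECTED + [
    (ipaddress.ip_network("10.172.0.0/20"), 1320, "10.172.32.1"),
]


def lookup(routes, dst):
    """Longest-prefix match; returns (vlan, next_hop) or None when no route exists.
    For a connected route the next hop is the destination itself."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, vlan, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, vlan, nh)
    return None if best is None else (best[1], best[2] or str(dst))


def forward(routes, port, dst):
    """Route `dst` on the Switch and report the VLAN, next hop and how the frame leaves the uplink."""
    hit = lookup(routes, dst)
    if hit is None:
        return None
    vlan, nh = hit
    return {"vlan": vlan, "next_hop": nh, "uplink": egress(port, vlan)}


if __name__ == "__main__":
    print("server 10.172.1.7 -> 8.8.8.8 :", forward(SWITCH_ROUTES, UPLINK, "8.8.8.8"))
    print("same, all-tagged uplink      :", forward(SWITCH_ROUTES, UPLINK_ALL_TAGGED, "8.8.8.8"))
    print("reply, no static route       :", lookup(FIREWALL_CONNECTED, "10.172.1.7"))
    print("reply, with static route     :", lookup(FIREWALL_WITH_RETURN, "10.172.1.7"))
    print("untagged frame lands in VLAN :", ingress_vlan(UPLINK, None))
```

The model shows that the outbound packet never leaves tagged as VLAN 1010: it is routed by the Switch and crosses the uplink as a VLAN 1320 frame, so the 1010/1800 tags on the uplink are not what carries it, and the reply is dropped by the Firewall unless it has the static route back via 10.172.32.1.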