06-09-2013 10:51 AM - edited 06-10-2013 02:07 PM
firewall vlan access from mpls *edited*
I am trying to connect our outer office, which uses an MPLS network, to our main office firewall. Please see the attachment for a full explanation. Any help would be greatly appreciated.
Switches are both v1910G-24poe. There are 3 VLANs: VLAN 1 (management), VLAN 100 for data, and VLAN 102 for VoIP. Currently VLAN 102 works perfectly. The phones on the 10.11.2.x subnet connect to the PBX on the 10.10.2.x subnet. What I need to do is have VLAN 100 on the 10.11.0.x subnet use the firewall on the 10.10.0.x subnet.
Here are the routing tables for each:
SW#1
0.0.0.0 0.0.0.0 Static 60 192.168.1.5 Vlan-interface1
10.10.0.0 255.255.255.0 Direct 0 10.10.0.253 Vlan-interface100
10.10.0.253 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
10.10.2.0 255.255.255.0 Direct 0 10.10.2.253 Vlan-interface102
10.10.2.253 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
10.11.0.0 255.255.255.0 Static 60 10.10.0.254 Vlan-interface100
10.11.2.0 255.255.255.0 Static 60 10.10.2.254 Vlan-interface102
127.0.0.0 255.0.0.0 Direct 0 127.0.0.1 InLoopBack0
127.0.0.1 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
192.168.1.0 255.255.255.0 Direct 0 192.168.1.22 Vlan-interface1
192.168.1.22 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
SW#2
0.0.0.0 0.0.0.0 Static 60 192.168.1.254 Vlan-interface1
10.11.0.0 255.255.255.0 Direct 0 10.11.0.253 Vlan-interface100
10.11.0.253 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
10.11.2.0 255.255.255.0 Direct 0 10.11.2.253 Vlan-interface102
10.11.2.253 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
10.10.0.0 255.255.255.0 Static 60 10.11.0.254 Vlan-interface100
10.11.0.0 255.255.255.0 Static 60 10.11.2.254 Vlan-interface102
127.0.0.0 255.0.0.0 Direct 0 127.0.0.1 InLoopBack0
127.0.0.1 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
192.168.1.0 255.255.255.0 Direct 0 192.168.1.254 Vlan-interface1
192.168.1.254 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
SW#1 ports 1-22 are untagged for VLAN 102, the link type is access, and the PVID is 102.
SW#1 ports 23-24 are untagged for VLAN 1 and tagged for VLAN 100 and 102, the link type is trunk, and the PVID is 1.
SW#2 ports 1-23 are untagged for VLAN 102, the link type is access, and the PVID is 102.
SW#2 port 24 is untagged for VLAN 1 and tagged for VLAN 100 and 102, the link type is trunk, and the PVID is 1.
Obviously I must be missing something in the tagged/untagged setup for VLAN 100 on both switches. However, I can ping 10.10.0.1 from SW#1 but cannot ping 10.10.0.1 from SW#2. I can ping 10.10.2.x from SW#2 and can ping 10.11.2.x from SW#1.
06-11-2013 07:54 AM
Re: firewall vlan access from mpls *edited*
I have a similar setup with a Metro-E (MPLS) link between my two sites. I route all "internet" based traffic to my main site like you are trying to do. What I see different in what you are doing is the default route you have set up for SW2. Is 192.168.1.254 on SW1?
What I have done is on my SW2 my default route is the switch on the other side (SW1). So my VLAN 100 has only two nodes and they are SW1 and SW2. All traffic destined for remote gets routed to SW2 via VLAN 100 and all traffic destined for main (including internet) gets routed to SW1 via VLAN 100. The default route on SW1 is like you have it (to the FW).
To pass traffic from SW2 to SW1 I created a VLAN, VLAN 100, and all traffic bound for resources on each side is statically routed to the opposing side of VLAN 100. So SW1 is a member of VLAN 100 at 10.7.3.1 and SW2 is a member of VLAN 100 at 10.7.3.2. I will attach a diagram as well.
I think if you make your default route on SW2 the VLAN 100 IP on SW1 you will start sending internet-bound traffic across the MPLS link.
My static routes...
SW1 (Main)
ip route 0.0.0.0 0.0.0.0 10.7.1.1 (10.7.1.1 is my FW)
ip route 172.18.0.0 255.255.0.0 10.7.3.2
ip route 172.19.0.0 255.255.192.0 10.7.3.2
SW2 (Remote)
ip route 0.0.0.0 0.0.0.0 10.7.3.1 (10.7.3.1 is my VLAN 100)
ip route 10.10.7.0 255.255.255.0 10.7.3.1
ip route 172.16.0.0 255.255.0.0 10.7.3.1
ip route 172.17.1.0 255.255.255.0 10.7.3.1
VLAN 100 is untagged on my ports that connect both switches. So on SW1 port 1 VLAN 100 is untagged and on SW2 port 1 VLAN 100 is untagged.
I created a VLAN for my FW, VLAN 5, and untagged port 2 on this VLAN: 10.7.1.10. All internet traffic is routed here because my 0.0.0.0 route sends it to the FW at 10.7.1.1.
I hope this helps.
06-11-2013 10:16 AM
Re: firewall vlan access from mpls *edited*
Ok, I don't get it. I can ping from PC#2 to PC#1, I can ping from PC#1 to the firewall, but cannot ping from PC#2 to the firewall. (See attached.)
SW#1 ports are:
G0/1 is untagged none, tagged vlan 104, type hybrid, PVID 104.
G0/3 untagged none, tagged vlan 104, type hybrid, PVID 104.
G0/24 Untagged vlan 1, tagged 104, type hybrid, PVID 1
SW#2 ports are:
G0/1 untagged none, tagged VLAN 104, type hybrid, PVID 104.
G0/24 untagged VLAN 1, tagged VLAN 104, type hybrid, PVID 1.
No matter what I change SW#1 port 3 to (trunk, or PVID 1, or untagged) I lose ping from PC#1 to the firewall. I'm about to go crazy with this!!!
06-11-2013 11:15 AM
Re: firewall vlan access from mpls *edited*
Can you ping the FW from SW2 CLI? If you can this means you need to create a path for the VLAN that PC2 is on to the FW. If you cannot then you need a route added that provisions traffic from SW2 to FW.
06-11-2013 12:09 PM
Re: firewall vlan access from mpls *edited*
I can ping the firewall from SW#2 CLI. I ran a packet monitor on the SonicWall when I pinged from SW#2 and it actually sees it, but doesn't respond back to the ping.
I'm thinking I have something wrong or backwards with my tag/untag methods.
I'm still kinda new to VLANs and tagging.
06-12-2013 05:37 AM
Re: firewall vlan access from mpls *edited*
You may be on to something, but unfortunately I am not familiar with "hybrid" ports. I came from an Avaya/Cisco shop to this new HP shop. The HP manual "Advanced Traffic Management" does a good job of explaining VLANs and tagging.
06-12-2013 04:49 PM
Re: firewall vlan access from mpls *edited*
Before even looking at the VLAN tagging, the first thing that leaps out is that your default route is wrong on SW#2.
0.0.0.0 0.0.0.0 should be pointing at 10.11.0.254 on SW#2.
06-12-2013 05:07 PM
Re: firewall vlan access from mpls *edited*
I'm going to ignore your second comment, as you have inexplicably introduced a VLAN 104 and "hybrid" port type in that comment.
From your original post, I am not clear on what you think you are doing. You appear to be making 3 mistakes:
- trying to extend VLANs over your WAN link,
- not using VLANs to separate PCs from phones,
- extending subnets past their gateway layer-3 hop on your switches.
Where is VLAN 100 used? I can see it is configured on the trunk to the MPLS routers (which is incorrect - they are routers, you don't extend VLANs across a layer-3 boundary), but I can't see it used anywhere on your switches.
I have a sneaking suspicion your PCs are sitting on VLAN 102, along with your phones, but using a different subnet. Your diagram leaves a lot out, it has no information about VLAN 102, for example.
Your switch ports should be both configured like this:
ports 1-22: type trunk. VLAN 100 untagged. VLAN 102 tagged.
port 24: type access. VLAN 99.
Then switch #1 has:
VLAN 100 - IP 10.10.0.253
VLAN 102 - IP 10.10.2.253
VLAN 99 - 10.10.99.253
MPLS router # 1 has 10.10.99.254 facing you
Switch #2 has:
VLAN 100 - IP 10.11.0.253
VLAN 102 - IP 10.11.2.253
VLAN 99 - 10.11.99.253
MPLS router # 2 has 10.11.99.254 facing you
Then Switch #2 needs a default route: 0.0.0.0 0.0.0.0 --> 10.11.99.254
Then you configure:
Switch #1:
port 23: Access port in VLAN 90.
VLAN 90 - IP 10.10.90.253
and a default route: 0.0.0.0 0.0.0.0 pointing at 10.10.90.254
Then you need to readdress your FW "inside" to 10.10.90.254.
Your firewall needs routes for:
10.10.0.0 --> 10.10.90.253
10.11.0.0 --> 10.10.90.253
0.0.0.0 --> ISP
I've ignored the 192.168.0.0 network because it appears irrelevant to the problem.
06-13-2013 03:17 AM - edited 06-13-2013 03:18 AM
Re: firewall vlan access from mpls *edited*
I really am grateful for your reply. However, I was trying to separate the phone VLAN (102) from the data VLAN (100). I set up ports 1-12 for data (access port, untagged VLAN 100) and ports 13-22 for phones (access port, untagged VLAN 102). (This is the same for all the switches at all the locations.)
Port 23 was going to the firewall and port 24 was going to the MPLS router.
The biggest surprise in your reply was that I couldn't move VLANs across routers! (No one told me that...)
Was I correct in my assumption about setting up the VLAN ports like above?
Again, thanks in advance.
06-13-2013 04:47 PM
Re: firewall vlan access from mpls *edited*
A VLAN is a layer-2 segment. Think of it as a cloud that has no routers inside it, but routers on the edge of the cloud wherever it intersects with another Layer-2 segment.
So, each of your subnets is a cloud, anchored by that subnet's "default GW" to a router. (The router is a layer-3 switch, or a router, as applicable).
Some WAN providers provide a layer-2 VPLS service, but it is at the very least debatable whether it is desirable to extend a VLAN over a WAN service to a Branch office.
Even if you call your Data VLAN, "100" on *both* sites (that's what I always do), those are two entirely separate VLANs that are not connected or related to each other in any way.
If your design calls for PCs on ports 1-12 VLAN 100 untagged and phones on ports 13-22 VLAN 102 untagged, and as long as the phones do not have 802.1q enabled, then that is perfectly fine, (although it's a waste of cabling).
06-14-2013 10:10 AM
Re: firewall vlan access from mpls *edited*
AARRRGGGG! This is infuriating! I still cannot ping from PC#2 to anything past its router. I can ping PC#2 just fine from the firewall, or PC#1. I can ping SW#2 from the firewall, and ping the firewall from SW#2.
This is what I can ping:
from 10.10.0.17 to 10.11.0.17 --- yes
from 10.11.0.17 to 10.10.0.17 --- NO
from 10.11.0.17 to 10.11.0.253 --- yes
from 10.11.0.17 to 10.11.0.254 --- yes
from 10.10.0.253 to 10.11.0.254 --- yes
from 10.11.0.253 to 10.10.0.253 --- yes
from 10.11.0.253 to 10.10.0.17 --- yes
from 10.11.0.17 to 10.10.0.254 --- NO
from 10.11.0.17 to (anything outside of 10.11.0.254) --- NO
Routing tables are basically the same between the two switches. The MPLS routers are ROAS because I have to utilize a VLAN tag to get out anywhere.
SW#1
0.0.0.0 0.0.0.0 Static 60 10.10.0.1 Vlan-interface100
10.10.0.0 255.255.255.0 Direct 0 10.10.0.253 Vlan-interface100
10.10.0.253 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
10.10.2.0 255.255.255.0 Direct 0 10.10.2.253 Vlan-interface102
10.10.2.253 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
10.11.0.0 255.255.255.0 Static 60 10.10.0.254 Vlan-interface100
10.11.2.0 255.255.255.0 Static 60 10.10.2.254 Vlan-interface102
127.0.0.0 255.0.0.0 Direct 0 127.0.0.1 InLoopBack0
127.0.0.1 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
192.168.1.0 255.255.255.0 Direct 0 192.168.1.1 Vlan-interface1
192.168.1.1 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
SW#2
10.11.0.0 255.255.255.0 Direct 0 10.11.0.253 Vlan-interface100
10.11.0.253 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
10.11.2.0 255.255.255.0 Direct 0 10.11.2.253 Vlan-interface102
10.11.2.253 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
10.10.0.0 255.255.255.0 Static 60 10.11.0.254 Vlan-interface100
10.11.0.0 255.255.255.0 Static 60 10.11.2.254 Vlan-interface102
127.0.0.0 255.0.0.0 Direct 0 127.0.0.1 InLoopBack0
127.0.0.1 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
192.168.2.0 255.255.255.0 Direct 0 192.168.2.1 Vlan-interface1
192.168.2.1 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
I cannot change anything about my MPLS routers. It is baffling why I can ping one way but not the other. (See attachment.)
06-16-2013 03:11 PM
Re: firewall vlan access from mpls *edited*
One thing to watch out for is the asymmetric routing resulting from your addressing scheme on the MPLS routers: your PC sends traffic to its default GW on the switch, the switch routes on to the router, but return traffic will be passed from the router directly to the PC. Who knows what might get upset by this? It's poor design that should be avoided.
You should really not use the same subnet between your layer-3 devices as you have all your hosts on. Either re-address the MPLS router, re-address the hosts, or disable IP routing on the switch and change the hosts' default GW to the .254 address.
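To make the two points the replies raise concrete (the SW#2 default route in the original post pointing at the switch's own 192.168.1.254 address, and the hairpin through the host subnet that gives the asymmetric return path described above), here is an added Python example that is not from the thread. It parses the switch routing-table format quoted in the posts, does a longest-prefix lookup the way the switch would, and flags both conditions; the embedded table is constructed from the original post's SW#2 output.

```python
import ipaddress

# SW#2 routes as quoted in the original post (Comware "display ip routing-table"
# columns: destination, mask, protocol, preference, next hop, interface), trimmed to
# the entries that matter here. Constructed sample data, not live switch output.
SW2_TABLE = """\
0.0.0.0 0.0.0.0 Static 60 192.168.1.254 Vlan-interface1
10.11.0.0 255.255.255.0 Direct 0 10.11.0.253 Vlan-interface100
10.11.0.253 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
10.11.2.0 255.255.255.0 Direct 0 10.11.2.253 Vlan-interface102
10.10.0.0 255.255.255.0 Static 60 10.11.0.254 Vlan-interface100
192.168.1.0 255.255.255.0 Direct 0 192.168.1.254 Vlan-interface1
192.168.1.254 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
"""

def parse_table(text):
    """Parse one route per line into (network, protocol, preference, next_hop, iface)."""
    routes = []
    for line in text.splitlines():
        dest, mask, proto, pref, nh, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, proto, int(pref), ipaddress.ip_address(nh), iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lower preference wins."""
    dst = ipaddress.ip_address(dst)
    cands = [r for r in routes if dst in r[0]]
    return max(cands, key=lambda r: (r[0].prefixlen, -r[2]), default=None)

def forward(routes, src, dst):
    """Describe how the switch forwards src -> dst and flag a default route aimed at
    the switch's own address, or a hairpin whose return path skips the switch."""
    src = ipaddress.ip_address(src)
    r = lookup(routes, dst)
    if r is None:
        return {"route": None, "next_hop": None, "iface": None, "issue": "no route"}
    net, proto, _, nh, iface = r
    # /32 routes to InLoopBack0 are the switch's own interface addresses.
    local = {x[0].network_address for x in routes
             if x[4] == "InLoopBack0" and x[0].prefixlen == 32}
    connected = [x[0] for x in routes if x[1] == "Direct"]
    issue = None
    if proto == "Direct":
        nh = None  # delivered on-link; the switch itself is the gateway
    elif nh in local:
        issue = "next hop is the switch's own address"
    elif any(src in c and nh in c for c in connected):
        issue = "hairpin: next hop is on the host's subnet, return traffic bypasses the switch"
    return {"route": str(net), "next_hop": None if nh is None else str(nh),
            "iface": iface, "issue": issue}
```

Running forward(parse_table(SW2_TABLE), "10.11.0.17", "10.10.0.17") reports the hairpin via 10.11.0.254, and any destination outside the static routes lands on the 0.0.0.0/0 entry whose next hop is the switch's own address.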
06-17-2013 03:55 PM
Re: firewall vlan access from mpls *edited*
I can't change anything about the routers, but I can change the hosts to anything. I will try that. Thanks.