5406zl/Firewall VLAN configuration
01-18-2010 09:26 PM
I started to configure IP addresses for the VLAN interfaces on the 5406 and did so using the web GUI so I could see what the default settings were as I muddled through the CLI, but I am confused as to the proper configuration. With IP routing not enabled the only default gateway is the one assigned to the default VLAN. I know that without IP routing enabled VLAN-to-VLAN communication will not occur, but will the other VLANs use this as the default gateway out to my firewall?
When I enable IP routing I notice that each VLAN can now be assigned a default gateway. What does the default gateway for each VLAN need to be? Is this the IP of an interface that is capable of passing traffic towards my WAN?
Since at the moment the only route to my firewall is through the default VLAN, do I need to create a new subnet just to pass traffic back and forth to the firewall, and would this be a port on the switch that is tagged with all available VLANs?
As it stands I have my E5500 configured with a physical interface that has VLAN subinterfaces, one for each VLAN I configured on the 5406. I assigned the first IP in a subnet to the 5406 VLAN interface and the next IP to the E5500 VLAN interface.
I guess my biggest confusion is how I route traffic to the E5500 from multiple VLANs and not do it using the mgmt VLAN.
Thanks,
David
01-19-2010 08:59 AM
If you want your switch to operate as an L3 routing switch, use the "ip routing" command to enable inter-VLAN routing. The command "ip default-gateway" is only applicable if you are using the switch in layer 2 mode. In your case you have to use the "ip route" command to point to your firewall. Best practice is to use a dedicated transfer VLAN (e.g. VLAN 60) with only two IPs: the firewall and the routing switch. On the switch you can route between VLANs 10-50 and then you have a static (default) route to the IP address of the firewall within VLAN 60. On the firewall you have to use static routes for the IP subnets of VLANs 10-50 in the opposite direction.
Hope this will help.
Cheers,
Michael
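The layout Michael describes, written out as an added ProCurve 5406zl configuration example. This is not a config posted in the thread by David or Michael. It assumes the transfer VLAN is VLAN 500 on the 10.200.5.0/29 that David lists later in the thread, that the firewall hangs off port A1, and that VLAN 10 and VLAN 20 are user and server VLANs on ports A2-A10 and A11-A20; the VLAN names, port assignments and hostname are assumptions. In ProCurve configuration files a line starting with `;` is a comment.

```text
; ProCurve 5406zl routing switch (added example; hostname, VLAN names and
; port assignments are assumptions, addresses follow the /29 and /26 plan
; given later in the thread)
hostname "Switch-1"

; Make the switch an L3 routing switch. Once this is on, the L2-only
; "ip default-gateway" setting no longer matters; "ip route" does.
ip routing

; Transfer VLAN: exactly two addresses in use, the firewall (.1) and the
; switch (.5). Only the firewall-facing port is a member; this VLAN is
; never tagged onto access ports or handed to hosts.
vlan 500
   name "FW-Transit"
   untagged A1
   ip address 10.200.5.5 255.255.255.248
   exit

; Routed user/server VLANs. The SVI address of each VLAN is the default
; gateway the hosts in that VLAN must use, not the firewall's address.
vlan 10
   name "Users"
   untagged A2-A10
   ip address 10.200.1.65 255.255.255.192
   exit

vlan 20
   name "Servers"
   untagged A11-A20
   ip address 10.200.2.1 255.255.255.192
   exit

; Default route: anything not directly connected goes to the firewall's
; transfer-VLAN address.
ip route 0.0.0.0 0.0.0.0 10.200.5.1

; Firewall side (vendor-neutral; not E5500 syntax): one static return
; route per switch-side subnet, next hop = the switch's transfer address.
;   10.200.1.64/26  ->  10.200.5.5
;   10.200.2.0/26   ->  10.200.5.5
```

After applying it, `show ip route` on the switch should list the default route via 10.200.5.1 plus one connected route per VLAN, and `show ip` should show the SVI addresses. Two things worth keeping in mind with this design: once the switch routes between VLANs 10-50 itself, traffic between those VLANs never passes through the firewall, so any policy you expect the firewall to enforce between internal VLANs has to be applied as an ACL on the switch instead (or those subnets have to be routed via the firewall); and the firewall's return routes point at a single switch address, so a second routing switch with its own SVIs in the same VLANs needs a shared gateway address (VRRP, as the thread later settles on) or the return path becomes asymmetric.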
01-19-2010 07:58 PM
Thank you for the information, it was a big help. I currently have the new vlan configured between the FW and my switch per your recommendation.
I turned on routing on the switch and I set the default route for the switch to be the IP of the FW interface that is within this new VLAN. I can ping the FW from the switch, ping a site on the Internet from the switch, and I can ping from the FW to the switch. I can also ping the IP of each VLAN interface.
However I am not able to ping a host assigned to a VLAN, nor is a host able to ping out of the VLAN (Internet or other VLAN). The host can't ping anything other than the IP assigned to the switch's VLAN interface for the VLAN it is part of.
Any ideas?
Thanks,
David
01-19-2010 09:01 PM
and check where the trace stops,
also I think he recommended that you use static routes on the FW pointing to the VLANs on the switch; have you done that?
Regards
01-19-2010 09:29 PM
My network is set up as such:
10.200.5.0/29 is the VLAN between my FW and my switch, VLAN 500 (actually there are two switches LACP trunked together via two 10Gb fiber links). IP 10.200.5.1 is assigned to my FW, 10.200.5.5 is assigned to switch 1, 10.200.5.6 is assigned to switch 2.
VLAN 1 (not using it but it's defined) has 10.200.1.0/26; switch 1 is assigned 10.200.1.1 and switch 2 is assigned 10.200.1.2.
VLAN 10 has 10.200.1.64/26; switch 1 is assigned 10.200.1.65 and switch 2 is assigned 10.200.1.66.
VLAN 20 has 10.200.2.0/26; switch 1 is assigned 10.200.2.1 and switch 2 is assigned 10.200.2.2.
VLAN 30 has 10.200.2.64/26; switch 1 is assigned 10.200.2.65 and switch 2 is assigned 10.200.2.66.
VLAN 40 has 10.200.3.0/26; switch 1 is assigned 10.200.3.2 and switch 2 is assigned 10.200.3.2.
VLAN 50 has 10.200.3.64/26; switch 1 is assigned 10.200.3.65 and switch 2 is assigned 10.200.3.66.
VLAN 60 has 10.200.4.0/24; switch 1 is assigned 10.200.4.1 and switch 2 is assigned 10.200.4.2.
I am offsite so I will have to wait to traceroute from a host.
This is what I have so far:
ping from a host to the VLAN interface IP of the VLAN the host is part of - successful
ping from a host to the VLAN interface IP of another VLAN - fail
ping from the firewall to all interface IPs of all vlans - successful
ping from the firewall to a host in a vlan - fail
ping from both switches to the firewall - pass
ping from the switches to the Internet - pass
David
01-19-2010 11:39 PM
01-20-2010 12:22 AM
If you are using 2 switches you are running VRRP between the switches, aren't you? Check whether all virtual IPs are sitting on the master (otherwise they are not pingable).
Best way is to check the MAC, ARP and routing tables of the involved hosts:
sh mac
sh arp
sh ip route
Also check the default GW of the PC.
Cheers,
Michael
01-20-2010 11:31 AM
Not having VRRP configured was my issue, and I see why now that you pointed it out: both switches were "competing" for the routing of packets.
So now I have all my VLANs defined, VRRP running, MSTP running and everything seems OK so far.
Thanks for all the help from everyone!!
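Michael's point (the virtual IPs have to be held by the VRRP master) and David's fix (run VRRP between the two switches), as an added ProCurve VRRP example that was not posted in the thread. It assumes switch 1 owns the shared gateway address and switch 2 is the backup, that the VRID equals the VLAN ID for VLAN 10 and is VRID 50 for VLAN 500 (VRIDs only go up to 255), and it uses the VLAN 10 and transfer-VLAN addresses from David's plan; the per-VLAN `ip address` lines for VLANs other than those shown are omitted.

```text
; ---- Switch 1 (owner): its real SVI address doubles as the virtual address ----
; Added example; VRID numbers and owner/backup roles are assumptions.
router vrrp

vlan 10
   ip address 10.200.1.65 255.255.255.192
   vrrp vrid 10
      owner
      virtual-ip-address 10.200.1.65 255.255.255.192
      enable
      exit
   exit

vlan 500
   ip address 10.200.5.5 255.255.255.248
   vrrp vrid 50
      owner
      virtual-ip-address 10.200.5.5 255.255.255.248
      enable
      exit
   exit

; ---- Switch 2 (backup): own real address, same virtual addresses ----
router vrrp

vlan 10
   ip address 10.200.1.66 255.255.255.192
   vrrp vrid 10
      backup
      virtual-ip-address 10.200.1.65 255.255.255.192
      priority 100
      enable
      exit
   exit

vlan 500
   ip address 10.200.5.6 255.255.255.248
   vrrp vrid 50
      backup
      virtual-ip-address 10.200.5.5 255.255.255.248
      priority 100
      enable
      exit
   exit

; Hosts in VLAN 10 use 10.200.1.65 (the virtual address) as default gateway.
; The firewall's return routes use 10.200.5.5 (the virtual address), not .6,
; so the return path follows the VRRP master after a failover.
```

`show vrrp` on each switch shows which one is master for each VRID; the virtual addresses answer ARP and ping only on the master, which is the behaviour Michael describes. Two caveats: the two switches must see each other's VRRP advertisements in every VLAN that carries a VRID, so the inter-switch LACP trunk has to carry those VLANs tagged; and VRRP advertisements (RFC 3768 / RFC 5798) carry no authentication, so any host that can send multicast on a VLAN can try to claim the master role and become the gateway for that VLAN. That is one more reason to keep the transfer VLAN limited to the firewall port and the inter-switch trunk, with no host ports in it.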
01-21-2010 03:28 PM