Comware

 View Only
last person joined: yesterday 

Back to discussions
Expand all | Collapse all

Problems with VLAN Configuration between HP 2920-24G Switch and Firewall

This thread has been viewed 1 times

  • 1.  Problems with VLAN Configuration between HP 2920-24G Switch and Firewall

    Posted Jan 16, 2014 09:34 AM

    Hello there,

     

    we've got some issues with the configuration of vlans between a HP 2920-24G switch and a WatchGuard XTM330 Firewall.

    We have configured 2 VLANs on the Switch. VLAN-21 and VLAN-24.

    VLAN-21 192.168.2.1 Ports 3-12 untagged

    VLAN-24 192.168.4.1 Ports 13-22 untagged

     

    We enabled Routing and configured DHCP-Helper IP for DHCP-Server which is in VLAN-21 to work also in VLAN-24.

     

    The Interface on the Firewall which is connected to Port1 of the Switch has the IP 192.168.1.254.

    In The Firewall Configuration this Interface is configured as TAGGED with VLAN-21 and VLAN-24.

     

    Also Port1 (2, 23/24) on the Switch is TAGGED with both VLANs (VLAN-21 and VLAN-24).

     

    If we now plug in a client in  VLAN-21 or VLAN-24 Port we cannot reach/ping the Firewall (192.168.1.254).

    But clients/devices can communicate with each other from VLAN-21 to VLAN-24 and vice versa, that works.

    And also the DHCP-Server in VLAN-21 can provide IP-Adresses to clients in the VLAN-24.

     

    We did test several things but do not know why we cannot communicate with the firewall from the VLAN-21 or VLAN-24 on the Switch Side.

    Even if we plug the firewall directy to a VLAN-21 or VLAN-24 Port communication is not possibly.

     

    Did we miss something elementary? 

    Would be great if you could provide us some input what we can do to solve this problem.

     

    Here's the Config of the Switch:

    ------------------------------------------------------------------------

    ; J9726A Configuration Editor; Created on release #WB.15.12.0010
    ; Ver #04:01.ff.35.0d:c2

    hostname "HP-2920-24G"
    module 1 type j9726a
    ip default-gateway 192.168.0.254
    ip routing
    snmp-server community "public" unrestricted
    snmp-server contact "XXX" location "YYY"
    vlan 1
       name "VLAN_21"
       no untagged 13-22
       untagged 3-12,A1-A2,B1-B2
       tagged 1-2,23-24
       ip address 192.168.1.1 255.255.255.0
       exit
    vlan 2
       name "VLAN_24"
       untagged 13-22
       tagged 1,23-24
       ip address 192.168.4.1 255.255.255.0
       ip helper-address 192.168.1.1
       exit
    no autorun
    no dhcp config-file-update
    no dhcp image-file-update
    password manager

    ---------------------------------------------

     

    Basically we want to achieve, that the Switch does the internal LAN routing, so that the Firewall Load isn't additionally getting stressed by doing LAN routing. Firewall should only do "WAN-Stuff". One Interface from the Firewall should be connected to Switch. And via this Interface both VLANs should exchange their Traffic.

    Perhaps there's a better way or other approach to accomplish that!?

     

    Any Ideas and inout is appreciated...



  • 2.  RE: Problems with VLAN Configuration between HP 2920-24G Switch and Firewall

    EMPLOYEE
    Posted Feb 03, 2014 08:03 PM
    Howdy,
    Firstly fix the names of your VLANs to match their VLAN numbering to avoid confusion :-)
    We could have a simple VLAN1 & VLAN2 for clients as 192.168.1.0/24 and 192.168.2.0/24 make the switch IP 192.168.x.1 in each subnet with a 255.255.255.0 mask.
    Or use .2 and .4 it really doesn't matter but tr yand keep it as simple as possible.
    Secondly your IP helper address in vlan 2 is pointing to the switch IP in vlan 1? It should be the IP of the DHCP serving server in 192.168.1.x not the switch L3 interface.
    Then...
    Create a third VLAN (say VLAN 99) and put the uplink port of the switch (to the firewall) in vlan99 as an untagged port.
    You only need 2 IP addresses in this subnet but lets have some wriggle room just in case we need to do something else with it one day - with 192.168.99.1 255.255.255.248 on the switch and 192.168.99.2 255.255.255.248 on the firewall.
    Create a static route 0.0.0.0 0.0.0.0 192.168.99.2
    This sends any unknown traffic out towards the firewall / internet.

    You should then be routing between VLANs 1& 2 and routing via VLAN99 whenever you need to go elsewhere (via the firewall).

    You don't need "tagged" ports in this design as you are routing between all your VLANs which are connected on the same switch.
    HTH
    Ian
    #transit-vlan
    #static-route
    #default-gateway
    #2920
    #VLAN


  • 3.  RE: Problems with VLAN Configuration between HP 2920-24G Switch and Firewall

    Posted Mar 05, 2014 09:00 AM

    We found the problem.

    It was a missmatch of the vlan name.

    I did the switch configuration and my workmate did the firewall configuration.

    For me it would be obvious to name the vlans identical on both sides (firewall and switch)

    but my workmate thought only vlan id had to be identical.

     

    So this problem is fixed.

     

     

     



  • 4.  RE: Problems with VLAN Configuration between HP 2920-24G Switch and Firewall

    Posted Aug 07, 2014 03:37 PM

    In the solution offerred what do you put in the default gateway in the switch IP address? I set up as you suggested. I have 5 VLANs one for the firewall and remote clients, the rest for VoIP phones, wireless, clients, and servers. The fw is on 192.168.244.1/24 but if I set that as the default gateway on the switch (via the GUI) it didn't route. Do I have to reboot the switch to see the affect. The old default route was on the server vlan and has been working that way for a long time. I wanted to get the firewall traffice off the server network.

     

    Much thx