Original Message:
Sent: 2/12/2023 8:12:00 PM
From: manly009
Subject: RE: Configuring a 2930M switch with Palo Firewall
Hi David,
Yes, I removed Management VLAN 10. All good. By default, should I put the Native VLAN on the Management VLAN or just leave the Management VLAN empty? What would be the best practice?
Thanks
ML
Original Message:
Sent: Feb 10, 2023 02:23 AM
From: parnassus
Subject: Configuring a 2930M switch with Palo Firewall
Give this command a try first:
no management-vlan 10
because you should not want to use VLAN id 10 as the isolated Management VLAN (a Management VLAN doesn't participate in routing).
In your scenario indeed we suppose that VLAN 10 should act just like all the other VLANs you defined (VLAN 20 and 30). Isn't it?
Then be sure the hosts you use to test pings don't have an OS firewall blocking incoming ICMP... this happens quite often.
If:
1 - VLAN 10 has 192.168.0.254
2 - VLAN 20 has 10.32.0.1
3 - VLAN 30 has 10.33.0.1
4 - ip routing is enabled on the Switch
and hosts belonging to - say - VLAN 20 are correctly addressed on their
10.32.0.0/24 network segment (using proper GW 10.32.0.1 address) and all other hosts involved in your tests are correctly addressed into their respective VLAN too THEN you are good (I expect that the VLAN tagging membership - thus applying native VLAN aka untagging to ports where you connect your pc/servers - is correctly assigned to edge ports used by your various hosts).
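The isolation described in the reply above can be checked for mechanically. The Python script below is an added example, not part of this thread and not an Aruba tool: it parses a trimmed, constructed copy of the running configuration posted further down in the thread and flags a management-vlan that sits on an SVI while ip routing is enabled (the case here), plus two other settings from that same config that a security review would raise: an SNMP "public" community set to unrestricted, and a RADIUS host with an empty shared secret. The finding names are my own.

```python
"""Audit an ArubaOS-Switch (2930M) style running-config for the pitfalls
discussed in this thread.  Added example: not the switch's own tooling;
finding names are invented here."""
import re

# Constructed sample, trimmed from the configuration posted in this thread.
SAMPLE_CONFIG = """\
hostname "Larryswitch"
radius-server host 192.168.0.55 key ""
no telnet-server
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip routing
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   ip address dhcp-bootp
   exit
vlan 10
   name "management"
   untagged 3-10
   ip address 192.168.0.254 255.255.255.0
   exit
vlan 20
   name "Wifi"
   untagged 15-16,18
   ip address 10.32.0.1 255.255.255.0
   exit
management-vlan 10
"""


def parse_config(text):
    """Pull out the settings the audit needs: routing flag, SVIs per VLAN,
    the management VLAN, SNMP communities and RADIUS shared secrets."""
    cfg = {"ip_routing": False, "management_vlan": None,
           "vlans": {}, "snmp": [], "radius": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"vlan (\d+)$", line)
        if m:                                   # start of a "vlan N" block
            current = int(m.group(1))
            cfg["vlans"][current] = {"name": None, "ip": None}
            continue
        if line == "exit":
            current = None
            continue
        if current is not None:                 # inside a vlan block
            vlan = cfg["vlans"][current]
            if line.startswith("name "):
                vlan["name"] = line.split(" ", 1)[1].strip('"')
            elif line.startswith("ip address ") and line != "ip address dhcp-bootp":
                vlan["ip"] = line.split()[2]    # static SVI address
            continue
        if line == "ip routing":
            cfg["ip_routing"] = True
        elif line.startswith("management-vlan "):
            cfg["management_vlan"] = int(line.split()[1])
        elif line.startswith("snmp-server community "):
            m = re.match(r'snmp-server community "([^"]*)"(.*)', line)
            if m:
                cfg["snmp"].append((m.group(1), "unrestricted" in m.group(2)))
        elif line.startswith("radius-server host "):
            m = re.match(r'radius-server host (\S+) key "([^"]*)"', line)
            if m:
                cfg["radius"].append((m.group(1), m.group(2)))
    return cfg


def audit(text):
    """Return a list of finding codes for the given running-config text."""
    cfg = parse_config(text)
    findings = []
    mv = cfg["management_vlan"]
    if mv is not None and mv in cfg["vlans"]:
        # A management VLAN is isolated: the switch will not route between it
        # and the other VLANs even though both have SVIs and ip routing is on.
        others_routed = [v for v, d in cfg["vlans"].items() if d["ip"] and v != mv]
        if cfg["ip_routing"] and cfg["vlans"][mv]["ip"] and others_routed:
            findings.append(f"MGMT_VLAN_ISOLATED:{mv}")
    for name, unrestricted in cfg["snmp"]:
        if name in ("public", "private") and unrestricted:
            findings.append(f"SNMP_DEFAULT_COMMUNITY_RW:{name}")
    for host, key in cfg["radius"]:
        if key == "":
            findings.append(f"RADIUS_EMPTY_SECRET:{host}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

Applying the suggested `no management-vlan 10` removes the first finding; the other two stay until the SNMP community and the RADIUS secret are changed.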
Original Message:
Sent: 2/10/2023 12:24:00 AM
From: manly009
Subject: RE: Configuring a 2930M switch with Palo Firewall
Now I really cannot figure out what is going on with my core switch. I can ping anything from the core switch; I just cannot ping from 192.168.0.55 (DNS server) to any other ranges except the VLAN gateways. For example, once I have a machine on 10.32.0.10, the DNS server can ping 10.32.0.1, but cannot ping 10.32.0.10... From 10.32.0.10, I can ping 192.168.0.254 (gateway), but I cannot ping 192.168.0.55 or anything else...
PA trust interface: 192.168.0.1
Running configuration:
hostname "Larryswitch"
module 1 type jl320a
flexible-module A type JL083A
console idle-timeout 3600
console idle-timeout serial-usb 3600
radius-server host 192.168.0.55 key ""
radius-server host 192.168.0.55 dyn-authorization
radius-server host 192.168.0.55 time-window 0
no telnet-server
telnet-server listen data
web-management listen data
ip dns server-address priority 1 192.168.0.55
ip dns server-address priority 2 8.8.8.8
ip ssh filetransfer
ip ssh listen data
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip routing
ip source-interface radius vlan 10
key-chain ""
snmp-server community "public" unrestricted
snmp-server listen data
aaa authentication num-attempts 2
aaa authentication login privilege-mode
aaa authentication web login peap-mschapv2 local
aaa authentication web enable peap-mschapv2 local
aaa authentication ssh login peap-mschapv2 local
aaa authentication ssh enable peap-mschapv2 local
aaa authentication port-access chap-radius
aaa port-access authenticator 1 tx-period 10
aaa port-access authenticator 1 client-limit 2
aaa port-access authenticator active
oobm
disable
ip address dhcp-bootp
exit
vlan 1
name "DEFAULT_VLAN"
no untagged 3-10,13-16,18
untagged 1-2,11-12,17,19-24,A1-A4
ip address dhcp-bootp
exit
vlan 10
name "management"
untagged 3-10
ip address 192.168.0.254 255.255.255.0
exit
vlan 20
name "Wifi"
untagged 15-16,18
ip address 10.32.0.1 255.255.255.0
ip helper-address 192.168.0.55
exit
vlan 30
name "HomeUse"
untagged 13-14
ip address 10.30.0.1 255.255.255.0
ip helper-address 192.168.0.55
exit
management-vlan 10
no tftp client
no tftp server
tftp server listen data
password manager
password operator
Show IP:
 Internet (IP) Service

  IP Routing : Enabled

  Default TTL   : 64
  Arp Age       : 20
  Domain Suffix :
  DNS server    : 192.168.0.55

                       |                                         Proxy ARP
  VLAN                 | IP Config  IP Address      Subnet Mask     Std  Local
  -------------------- + ---------- --------------- --------------- ---- -----
  DEFAULT_VLAN         | DHCP/Bootp
  management           | Manual     192.168.0.254   255.255.255.0   No   No
  Wifi                 | Manual     10.32.0.1       255.255.255.0   No   No
  HomeUse              | Manual     10.30.0.1       255.255.255.0   No   No
Show vlan:
show vlan

 Status and Counters - VLAN Information

  Maximum VLANs to support : 256
  Primary VLAN : DEFAULT_VLAN
  Management VLAN : DEFAULT_VLAN

  VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  1       DEFAULT_VLAN                     | Port-based No    No
  10      management                       | Port-based No    No
  20      Wifi                             | Port-based No    No
  30      HomeUse                          | Port-based No    No
Any idea why?
Thanks,
ML
Original Message:
Sent: Feb 09, 2023 06:43 PM
From: parnassus
Subject: Configuring a 2930M switch with Palo Firewall
By enabling ip routing on your Aruba 2930M.
I suppose that each VLAN Id defined into (and used by) your Aruba 2930M will be configured with an IP address (SVI). Edge devices belonging to a particular VLAN shall use the relevant VLAN IP address (SVI) as their default gateway (indeed your Aruba 2930M is going to be the router for its VLANs and each VLAN will be tied to a particular network segment).
A discussion about how to make the Firewall and your routing switch interact with each other would also be possible (routing through a Transit VLAN between the two, or just letting - as it probably happens now - your Firewall have its LAN interface directly connected in Layer 2 with a particular VLAN Id of your Aruba 2930M?) but that is just the next step for a robust setup.
Original Message:
Sent: 2/9/2023 5:20:00 PM
From: manly009
Subject: RE: Configuring a 2930M switch with Palo Firewall
Hi parnassus,
Thanks for your help.
How can I get intra-VLAN reachability to each other without going through the Firewall (gateway)? Do not use the static route ip route 0.0.0.0 0.0.0.0 10.0.0.5?
Thanks
ML
Original Message:
Sent: Feb 09, 2023 06:34 AM
From: parnassus
Subject: Configuring a 2930M switch with Palo Firewall
Hi, correct.
When you configure the RoLR (Route of Last Resort) to a NHG (Next Hop Gateway) by issuing ip route 0.0.0.0 0.0.0.0 <NHG-IP-Address> you are saying that any destination net with any mask (excluding your directly connected networks) can be reached via the NHG IP Address.
If 10.0.5.0 and/or 172.31.0.0 are networks routed by (or reachable through) your Firewall - which is the NHG for any other network - the RoLR takes care of that.
Original Message:
Sent: Feb 08, 2023 11:29 PM
From: manly009
Subject: Configuring a 2930M switch with Palo Firewall
Also, is it unnecessary to run this:
ip route 0.0.0.0 0.0.0.0 10.0.0.5
ip route 10.0.5.0 255.255.255.0 10.0.0.5 name "VPN"
ip route 172.31.0.0 255.255.255.252 10.0.0.5 name "PaloAlto"
Since ip route 0.0.0.0 0.0.0.0 10.0.0.5 will include all subnet forwarding to 10.0.0.5?
Thanks
Original Message:
Sent: Feb 08, 2023 09:05 AM
From: Herman Robers
Subject: Configuring a 2930M switch with Palo Firewall
Do you want to route traffic between the VLANs 10,20,30 on the switch? Or on the firewall?
Also it looks like none of the ports in VLANs 20 and 30 (no port assigned in VLAN 20!; ports 1,3 in VLAN 30) are up, so you can't reach anything in those subnets.
And there is no default route (0.0.0.0/0), which normally would go to the firewall (and the internet with NAT after that). And the firewall should have a route back to VLANs 20 and 30. Note that a VLAN (and its interface) will be down/inaccessible if there is no interface up that is configured for that VLAN, which means you can't even ping the switch IP in those VLANs.
If you are not familiar with IP routing, this 'let's build a network' video series may get you started.
Personally, I would create the VLANs on the firewall and do the routing there so you can put firewall policies between server-mgmt-home; but if you don't need firewalling between those subnets you can do the IP forwarding on the switch as well, then make sure you have the return route on the firewall and a default route from the switch to the firewall.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
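To make the route-selection points in the replies above concrete (parnassus's point that the route of last resort already covers the specific static routes, and Herman's point that a VLAN's connected route disappears when the VLAN has no link-up port), here is an added Python example; it is not from the thread and not ArubaOS-Switch code. It performs a longest-prefix-match lookup over a constructed copy of the routing table in this thread, using the administrative distances connected = 0 and static = 1 that the Dist. column of show ip route reports. 10.0.0.5 and 192.168.0.1 are the next hops the poster used; the hosts 10.0.5.7, 172.31.0.2 and 10.32.0.10 are made-up test destinations.

```python
"""Longest-prefix-match route lookup with administrative distance, over a
constructed copy of the Aruba 2930M routing table discussed in this thread.
Added example, not ArubaOS-Switch code."""
import ipaddress

FIREWALL = "10.0.0.5"      # next hop the poster used in his static routes
PA_TRUST = "192.168.0.1"   # Palo Alto trust interface from the thread


def build_fib(specific_statics=True, vlan20_up=True, stale_static=False):
    """Constructed FIB. Entries are (prefix, next_hop, kind, distance);
    connected = 0, static = 1.  A connected route only exists while the VLAN
    has at least one link-up port, hence the vlan20_up switch."""
    routes = [
        ("192.168.0.0/24", None, "connected", 0),   # VLAN 10 SVI 192.168.0.254
        ("10.30.0.0/24", None, "connected", 0),     # VLAN 30 SVI 10.30.0.1
        ("0.0.0.0/0", FIREWALL, "static", 1),       # route of last resort
    ]
    if vlan20_up:
        routes.append(("10.32.0.0/24", None, "connected", 0))  # VLAN 20 SVI 10.32.0.1
    if specific_statics:   # the two routes the poster asked about
        routes.append(("10.0.5.0/24", FIREWALL, "static", 1))
        routes.append(("172.31.0.0/30", FIREWALL, "static", 1))
    if stale_static:       # "ip route 10.32.0.0 255.255.255.0 192.168.0.1" from the first post
        routes.append(("10.32.0.0/24", PA_TRUST, "static", 1))
    return [(ipaddress.ip_network(p), nh, kind, dist) for p, nh, kind, dist in routes]


def lookup(fib, dst):
    """Longest prefix wins; on equal prefix length the lower administrative
    distance wins.  Returns (prefix, next_hop, kind); next_hop None means the
    packet is delivered on the connected VLAN (the switch ARPs for the host)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh, kind, dist in fib:
        if addr in net:
            rank = (net.prefixlen, -dist)
            if best is None or rank > best[0]:
                best = (rank, net, nh, kind)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[1]), best[2], best[3]


def specific_statics_are_redundant(dsts=("10.0.5.7", "172.31.0.2")):
    """True when every destination resolves to the same next hop whether or
    not the specific static routes are installed."""
    with_, without = build_fib(True), build_fib(False)
    return all(lookup(with_, d)[1] == lookup(without, d)[1] for d in dsts)


if __name__ == "__main__":
    for d in ("10.0.5.7", "10.32.0.10", "8.8.8.8"):
        print(d, "->", lookup(build_fib(), d))
    print("specific statics redundant:", specific_statics_are_redundant())
    print("VLAN 20 down + stale static:",
          lookup(build_fib(vlan20_up=False, stale_static=True), "10.32.0.10"))
```

With VLAN 20 down and the first post's `ip route 10.32.0.0 255.255.255.0 192.168.0.1` still present, a packet for 10.32.0.10 is handed to the firewall instead of being ARPed for on VLAN 20; as soon as a port in VLAN 20 comes up, the connected route wins on distance and that static becomes dead weight, which is why it is better removed than left to mislead the next person reading show ip route.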
Original Message:
Sent: Feb 08, 2023 12:15 AM
From: manly009
Subject: Configuring a 2930M switch with Palo Firewall
Dear Friends,
I was trying to build a testing network at home with a Switch 2930M.
Now I have got all the basic things working. However, I cannot ping other VLAN interfaces. I logged in with SSH from my computer: 192.168.0.91. The Palo firewall is: 192.168.0.1
Seems everything with vlan 10 is working. However, I cannot ping anything else. I got the internet from PALO as well... Can you help me figure out why? I have attached show ip route as well. ...
here is my command:
hostname "Larryswitch"
module 1 type jl320a
flexible-module A type JL083A
console idle-timeout 3600
console idle-timeout serial-usb 3600
no telnet-server
ip dns server-address priority 1 192.168.0.55
ip dns server-address priority 2 10.8.0.1
ip route 10.8.0.0 255.255.255.0 192.168.0.1
ip route 10.32.0.0 255.255.255.0 192.168.0.1
ip route 192.168.0.0 255.255.255.0 192.168.0.1
ip routing
ip source-interface radius vlan 10
oobm
ip address dhcp-bootp
exit
vlan 1
name "DEFAULT_VLAN"
no untagged 1,3-10,13
untagged 2,11-12,14-24,A1-A4
ip address dhcp-bootp
exit
vlan 10
name "Server"
untagged 3-10
ip address 192.168.0.254 255.255.255.0
exit
vlan 20
name "Management"
ip address 10.32.0.1 255.255.255.0
exit
vlan 30
name "home"
untagged 1,13
ip address 10.8.0.254 255.255.255.0
exit
no tftp client
no tftp server
password manager
password operator
Larryswitch(config)# show ip route

                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  10.8.0.0/24        192.168.0.1     10   static               1          1
  10.32.0.0/24       192.168.0.1     10   static               1          1
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  192.168.0.0/24     Server          10   connected            1          0
Any idea please? Do I need to configure Palo's virtual router or NAT as well?
Thanks,
Nameless