Wired Intelligent Edge

How do I create a new VLAN within my core?

  • 1.  How do I create a new VLAN within my core?

    Posted Jan 27, 2023 02:53 PM
    I am a relatively new network manager, and I am trying to create a new VLAN, but I can't seem to find any documentation that applies to my network. I have a core switch (a 6400) which I can log into in the web interface and see all of the VLANs, and there is a '+' control at the top of the window, but I can't find any documentation anywhere that tells me how to use the interface and I'm leery of just blundering around! I'm fine with the CLI, too, but I don't know how to find the commands.

    Here's the task: Our food service company has their own firewall and switch in our dining hall. It's located in the student union IDF closet and is a simple setup. Their firewall is plugged into a port on my switch, and that port is native to our campus' VLAN 3, which is basically just an unobstructed path out to the internet. That firewall then leads to their managed switch and all of this is bolted into one rack. Then they have various jacks throughout the building, and then on the patch panel the jacks that go on their network are patched to their switch.

    This works great, except that they run two coffee shops in two other campus buildings, and they need to be able to reach their switch from those jacks which are far away.

    I know how this should work, because I've got other similar use cases on campus. Those were set up before my time, though!

    What I need is to set up another VLAN in my core, which I want to call VLAN 810*

    Once I have the VLAN, I need three 810-native ports on three of my switches. The first of these will be another port in my building switch where their firewall is already connected to that native VLAN 3 port. The 810 port will be hooked into one of the ports on their switch that's behind their firewall. I'm a visual person, here's a picture:
    In the campus switch, port 10 is native VLAN 3, and I want to make port 20 be the native to my newly created VLAN 810. Then I hook one of the ports in their switch (I used 17 in the picture) to my port 20. (In this picture the port 10 to firewall to Aramark switch is showing what's already hooked up. What I'm adding is the connection back.)

    Then in the other 2 buildings, I put 810 on one port in each of the 2 building switches, patch the cash registers into those ports, and voila! those two cash registers are connected to the Aramark switch which is behind the Aramark firewall and under their control.

    As I understand this, I need to 
    1. create VLAN 810 in the core, which is 10.10.x.1
    2. figure out what core ports go to each of my 3 building switches, which are 10.10.x.79, x.11, x.24 and add VLAN 810 to their trunks (Does that happen at the core or at the settings of the uplink port on each building switch?)
    3. make port 20 in 10.10.x.79 be native VLAN 810 -- I know how to do this
    4. choose a port on 10.10.x.11 and 10.10.x.24 and make those native VLAN 810 -- I know how to do this
    BUT at the same time, I do NOT need to set up routing for the VLAN, because that needs to be controlled by their switch. (I'm not even sure what their router is -- I know it's 192.168.something.something...)

    Can somebody point me to some step-by-step instructions on the core (first choice CLI, second choice web interface)?
    And then any instructions on the building switches beyond changing a port to be native to a VLAN, as I know how to do that. (two are Alcatel-Lucent OS6850E, one is an HPE1920)? 

    I'm hoping that some detailed step-by-step instructions might help some future searching netadmin, too!

    *(My VLAN that is upstream to their firewall is VLAN 3. Our food service is Aramark. This is a link from VLAN 3 to Aramark. As in "3-2-A". The hex number 0x32a is 810 in decimal.)

  • 2.  RE: How do I create a new VLAN within my core?

    Posted Jan 27, 2023 04:10 PM
    To start to answer my own question...

    I have identified the interfaces on my core switch that I need ('show arp' is your friend!)

    1/3/17 is the physical port on the core where the "campus switch" in my picture lives

    1/4/18 & 1/3/11 are the physical ports for the other two remote buildings.

    So, what do I need to do?
    1. create VLAN 810 on my core switch
    2. put 1/3/17, 1/4/18, 1/3/11 on as associated with VLAN 810

    I believe that what I need from VLAN 810 is called a "layer 2 only vlan"

    Learning is a great thing!

  • 3.  RE: How do I create a new VLAN within my core?

    Posted Jan 27, 2023 06:01 PM
    Hi! Personally I think that providing a "communication path" through (for a VLAN that you expressly don't want to be routed by) your Core to a VLAN segment which belongs to (and is routed by) another Switch behind a Firewall is...something...very strange.

    In other terms you're forced to create the VLAN 810 on your Core because it is the same VLAN Id that is present on the Switch behind the Firewall (this, I believe, is a prerequisite to let VLAN 810 flow from the Firewall through its Switch up to your Core and then to other Switches up to, finally, the required edge devices...which need to speak with your Firewall...not your Core)...and you're forced to do so due to cabling limitations. Isn't it?

    I believe that, if you have no alternative approach, at least do not create a VLAN interface for VLAN 810 on the Core (and on any Core connected) portion of your network...so that VLAN 810 will not participate in Core routing...the VLAN 810 will remain a L2 object traversing all your Core side network.

    But the central point to me is...why the hell is a Firewall used (which provides physical separation of networks and security policies) if then you're going to reinject logically (L2) and physically (through uplink to your Core) one of its protected networks into the network zone the Firewall is protecting its networks against?

    Commands aren't your main issue here.

    P.S. if forced - if I were you - I would at least try to work with a "network path" where all involved ports (uplinks) between all involved switches are all tagged (native = untagged, only the counter intuitive native tag = tagged on a port operating indifferently in access or trunk mode)...and go untagged (native) only at arrival edge port(s). The idea of going untagged really end-to-end is not something I like so much.
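An added configuration example (not from either poster) covering the two steps listed in reply 2 and the tagged-uplink advice in reply 3, while keeping VLAN 810 layer 2 only as the original question asks. It assumes the 6400 core runs AOS-CX and uses the core port numbers given in reply 2; the VLAN name is a constructed placeholder.

```text
! Added example for an AOS-CX core (HPE Aruba 6400). Port IDs are the ones
! identified in reply 2; the VLAN name is constructed for this example.
configure terminal

! Step 1: create VLAN 810 as a Layer 2 object only. Do NOT add
! "interface vlan 810": without an SVI the core has no address in 810
! and can never route it, which is the whole point of this design.
vlan 810
    name ARAMARK_L2_0x32A
    exit

! Step 2: carry 810 tagged on the three core ports facing the building
! switches. Per reply 3, leave the native (untagged) VLAN on the uplinks
! unchanged and go untagged only on the edge ports in each building.
! Caveat: "no routing" is only appropriate if these ports already carry
! VLANs as L2 trunks (which "add 810 to their trunks" implies). If a port
! is instead a routed port with its own IP address, stop here: "no routing"
! would remove that address and this design does not fit that uplink.
interface 1/3/17
    no routing
    vlan trunk allowed 810
    exit
interface 1/4/18
    no routing
    vlan trunk allowed 810
    exit
interface 1/3/11
    no routing
    vlan trunk allowed 810
    exit
end

! Step 3: verify. The three ports should appear as members of 810,
! the previously allowed VLANs must still be present on each uplink,
! and no vlan810 interface may show up in the IP interface list.
show vlan 810
show running-config interface 1/3/17
show ip interface brief
write memory
```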

  • 4.  RE: How do I create a new VLAN within my core?

    Posted Jan 28, 2023 12:12 AM
    I'm not really sure that I'm following what you are saying. We already have multiple vlans which are physically routing through our wired and wireless infrastructure while isolated from each other, and managing that seems to be the core's main job.

    Our food service contractors need to have their cash registers and their company PCs that are in the dining hall behind a firewall. We do that by plugging their firewall into a port on our switch which is native to our vlan 3, and then they have a 24-port switch behind that firewall and they plug their dining hall cash registers and office PCs into the various ports on their switch. Their firewall and switch know nothing about vlan 3 because the port on our switch is vlan 3 native and so our switch adds tags in one direction and removes them in the other and the tags are never on their side of the port. That is pretty simple and straightforward and works by the simple physical paths. Of course that one vlan 3 native port is just one port out of 96 ports on a busy 2-switch stack, and we've got four other vlans with various uses for other clients on other ports. (A port tag is pretty rare in my network, as virtually every port that has a client plugged into it is native in a particular vlan.)

    The fun part is that they have one cash register in the library coffee shop. They need for the cash register to look like it's plugged into their switch which is behind their firewall, when that switch and firewall are across campus in the dining hall. Directly plugging that in would be a very expensive cable run! Right now the way they connect that one cash register to the internet is that they have a cell phone modem (at $25/month) and then another Fortinet firewall plugged into the modem, and then their cash register is the sole device on the LAN side of that firewall. This is not just stupid, it's a very expensive stupid! Not as stupid and not as expensive as pulling a cable across campus, but certainly dumb enough, LOL! And they have another coffee shop in another academic building across campus in the other direction, so it's not just $25/month-and-a-second-firewall stupid, it's actually $50/month-and-two-extra-firewalls stupid!

    Now this was all set up before I got here, and fixing the stupidity has become personal. Yes, I know I could fix the $50/month cell phone problem by plugging the Fortinet that's in front of each solo cash register into a vlan 3 native port in the remote building, but that only fixes those two isolated cash registers. Another single cash register in another building means another firewall, and sometimes it would be pretty convenient to pop up a cash register in a remote location for a short time. For example if you have a fire in the dining hall and the students are eating off paper plates in a temporary location across campus for four months... (Our dining hall fire happened 4 months ago, which is when I found out about the cell phone modems.)

    We want to simulate those cable runs by creating a layer 2 only vlan, 810. It will be native to one port on my switch in the dining hall (a different port in the same switch stack from my vlan 3 port on the front side of their firewall.) Then on my switch stacks in the two buildings with lone cash registers, we give them one port for their cash register on that building's switch, and we make that one port vlan 810 native.

    Late this afternoon my boss realized that he had notes describing how to program the core to do the vlan, and we created it and associated it with the core switch port for the dining hall switch. We made another port on our dining hall switch vlan 810 native, but when we try to patch the 810 port to a port on the food service switch, the lights on the food service switch port flicker once very briefly, so I'm thinking that they have port security enabled on their switch. It's now late Friday, so we will have to deal with their infrastructure team on Monday.

  • 5.  RE: How do I create a new VLAN within my core?

    Posted Jan 28, 2023 11:09 AM
    Hi Cathy

    "We already have multiple vlans which are physically routing through our wired and wireless infrastructure while isolated from each other, and managing that seems to be the core's main job."

    Well, I'm not sure I understand the above sentence correctly: if you mean that a Core's main job is to switch and to route (particularly route) its directly connected VLANs (and having routes to any "external" network which is non-directly connected <- through one or more next-hop-gateways) I'm with you...if the above sentence means instead that one (not the main) of the Core's duties is to also switch (not route) one or more Layer 2 VLANs along with its Layer 3 ones...I'm less prone to agree (even if it's an admitted scenario).

    As a side note, once a Core routes its internal Layer 3 VLANs (VLANs with IP addresses) then the issue of segregating them will arise (generally that is done by applying ACLs at/on the Core level), so in a mixed scenario (Layer 3 VLANs routed by the Core along with Layer 2 VLANs switched by the same Core) you will end up with ACLs applied to routed VLANs while the others, since they don't participate in the Core's routing, are free Layer 2 objects trespassing your Core (and consequently all the Switches along the way moving far from the Core up to the place they are required to be)...I agree with you that the latter VLANs (L2) are logically separated from all the others but, regardless of that, I dislike having such a mix inside a Core network (OK, often disliking will "cost us more" than liking because disliking requires that things are made in a particular way and that way requires adaptations to network architectures born differently).

    My objection is that this "asymmetry" is not elegant, but I agree with you that, sometimes, it is necessary.

    What makes it so strange to me is to see (as per your drawing) a physical Firewall placed - let me use the term "internal" - inside your "internal" network zone (at least that seems its position/role from the standpoint of your Core, so not a Firewall used to connect any other "external" network) to clearly physically separate (indeed it has its dedicated switch forming its network) your "Cash Registers" network from your "internal" network (the one managed by your Core)...at the point that one could ask: why this clear physical and logical separation was made if then the very network protected by that Firewall is (at least logically) re-injected back into the Core's network?

    My above question arises with the assumption that the Cash Registers' Firewall has one or more networks just behind it and it protects them allowing or disallowing communications with your Core...and it was placed exactly to protect them (the assumption works also with just one network too)...so again...one could then ask: is it really necessary? Why not create a dedicated VLAN Id for Cash Registers directly on the Core and apply to it a specific ACL to protect its hosts? You will save (a) a physical Firewall, you will enhance (b) the control over that network segment and its hosted devices by protecting them via (c) a properly configured ACL, getting rid of a VLAN Id traversing your Core infrastructure in Layer 2 and having all and only Layer 3 VLANs (that new VLAN will clearly be transported where it needs to be, as happens today with your VLAN 810).

    Hope to have clarified my point of view. It's not a problem of CLI commands, it's a matter of (re-)thinking your network architecture to be more flexible and more secure.

    I could be totally wrong because - maybe - there are other requirements/restrictions operating in your network...but, pardon me, I can't exactly imagine all of them...so I'm just "speculating" a simple scenario (to be clear: I'm dealing with the same issues, but if a contractor expressly requires that its devices are protected by a physical Firewall then I require it to have its physical infrastructure totally separated from my Core one; otherwise - if that requirement is not so hard - I will manage things directly, getting rid of unrequired devices [*]).

    Just my two cents.

    [*] and also supposing a particular VLAN (network segment) requires specific routing to the Internet (via a dedicated ISP) then, after ACLs, there is also PBR (Policy Based Routing) to help overcome such a requirement.