We have a HP Switch as our Core switch doing Layer 3 routing. A small percentage of our VLAN interfaces have ACL's and I'd like to move the security to our Firewall.
The IP Address for the port on the firewall that connect to the core switch is 10.255.254.254
The trunk port on the core switch is configured as this:#interface GigabitEthernet4/0/23port link-mode bridgedescription Trunk to Firewall LANport link-type trunkundo port trunk permit vlan 1port trunk permit vlan 210 4000port trunk pvid vlan 4000#
The VLAN Interface for VLAN 4000 is configured on the core switch as#interface Vlan-interface4000ip address 10.255.254.1 255.255.255.0#
For testing I created a new VLAN Interface as a sub-interface on the physical port connecting the firewall to the switch. The VLAN Interface is on the firewall as 10.1.210.1. On the firewall and I created firewall policies for that Interface that look like this:
Name From To Source Dest ServiceVLAN 210 - Out to LAN VLAN 210 LAN All All AllVLAN 210 - In from LAN LAN VLAN 210 All All All
I have two resources that are downstream off the Core switch on the new VLAN. The resources are on different distribution switches connected to the core switch and are all able to see each other.10.1.210.1010.1.210.75
From the console of the Core Switch I can ping 10.1.210.1
From the console of the Core switch I am unable to ping the two resources on the the new VLAN. Nor am I able to ping those resources from the firewall.
Any help is appreciated. Thank you
Does the Vlan exist on all the switches in-between and is the vlan allowed on all the trunk ports in-between?
Core side the uplink port's VLAN Membership:
port trunk permit vlan 210 4000port trunk pvid vlan 4000
means that your Core's physical interface 4/0/23 (used as uplink to your Firewall) is going to use the VLAN 4000 untagged (PVID) and the VLAN 210 tagged.
If the Core is able to ping both VLAN 4000 and VLAN 210 IP interfaces on the Firewall (respectively 10.255.254.254 and 10.1.210.1) then it means that Core - Firewall communication (which is happening without a Transit VLAN point-to-point but it is just a Layer 2 extension) is working as expected.
As written above, you should then ensure that VLAN 4000 and VLAN 210 are transported (allowed) along the whole chain of involved switches (Core - Distribution - Access) and that's to permit your testing resources to reach the Firewall's VLAN 210 IP interface (and eventually the Firewall's VLAN 4000 IP interface).
We are implying that both your two resources (hosts 10.1.210.10 and 10.1.210.75 belonging to VLAN 210) are connected to access ports untagged members of VLAN 210 and that VLAN 210 is transported - tagged or untagged (tagged as best practice I would say) - up to the Core where finally there is the uplink to your Firewall's LAN physical interface (and where routing of this new VLAN 210 happens). Double check that.
© Copyright 2023 Hewlett Packard Enterprise Development LPAll Rights Reserved.