Wired Intelligent Edge

Hello people!

I'm setting up a network for a WeWork kind of scenario, when a bunch of different businesses share a common infrastructure. I have a bunch of 2930F switches and a Check Point 790 Firewall/Router that connects to the Internet. I want to assign every business a dedicated VLAN and subnet to segregate them, so they cannot see each other, but they could get Internet connectivity and DHCP from the router for each subnet.

 

A good guide would be much appreciated!

You did not mention what Aruba equipment you have in your possession.  That could dictate the design.

 

EDIT:  Yes you did.  I apologize.

I have 3 2930F swithces. the gateway/firewall/router is a Check Point 790 which I know very well. It has 16 LAN ports that I can configure in every way I want, even as separated virtual switches.

What "a bunch of different businesses" means exactly?

3 Businesses for 3 Aruba 2930F (where each Business uses one specific assigned Aruba 2930F) OR a lot more Businesses (dynamically, from the short/mid/long term time standpoint) sharing 3 Aruba 2930F?

Deploynent scenarios would vary with regards to given answer.

If each Business uses its assigned Aruba 2930F specifically and statically...you could use each one as a (physically) isolated switched network connected to a specific Firewall's LAN interface, Firewall will apply all required NAT/Access policies to grant each Business its slice of WAN connectivity, this for each LAN downlink to each Aruba 2930F (that's "total separation"...the Firewall does all and it is SPoF, no IP Routing on Switches is necessary since each Switch will manage basically one VLAN/Subnet...at least until you start eventually to want VLANs on each Switch to do sub-separation...and that less simple scenario could/couldn't imply enabling IP Routing - and ACL? - at Switches level for convenience and rethinking the role of your Firewall)...if, instead, the scenario is "all Businesses share all the whole switching infrastructure" then VLANs deployment shall become a mandatory requirement even if NAT/Access policies should be still performed at Firewall level...but downlink(s) to entire switching infrastructure can be simplified (or not) transporting all necessary VLANs IDs over a single uplink (or over an aggregated one) to one (multiple) Firewall LAN interface(s) (so there will still be a logical separation of Businesses subnets), VLANs IP interfaces would be defined on the Firewall (where, as first case, you will continue to provide DHCP services) and, each one of them, would be the gateway for its subnet...clearly Firewall will do all IP Routing to Internet and, as written, it will provide all NAT/Access required features for each VLAN.

In this latter case maybe you can create, switching infrastructure side, a Virtual Switch by using Aruba VSF...and, to enhance resiliency, use a LACP aggregated group of ports (three) as uplinks to your Firewall...if it supports IEEE 802.3ad on its LAN interfaces.

There are, for sure, many other possible solutions or variants...

Thank you for your reply. I'm talking about the second scenario, when all the businesses using all the switching infrastructure, so VLAN's are necessary.

---

@David_Fainshtein wrote:

Thank you for your reply. I'm talking about the second scenario, when all the businesses using all the switching infrastructure, so VLAN's are necessary.

---

That's OK so now you should know what other requirements you need to fullfill (or what other questions you should ask yourself) while deploying this scenario...it's a matter of selecting which device shall be responsible for providing IP routing and (if necessary) ACL between various VLANs operated at access level by your three Aruba 2930F.

This sounds pretty straight forward unless I'm missing a requirement.

 

As you mentioned, each 'business' gets it's own VLAN on the switch infrastructure. The Checkpoint firewall should be the router interface for each VLAN, so it needs to have a trunk interface to the switching core. The Checkpoint then can be the DHCP server for each subnet, as well as provide the filtered access to the Internet and any inter-business communications that needs to happen.

Hi!

That's exactly the idea, but unfortunately this is my first experience of setting up such infrastructure, so guide will be much appreciated. There is a lot of info on the web regarding setting up a Cisco staff but not a lot about HPE/Aruba.

The only decent tutorial I found is this one: https://www.youtube.com/watch?v=YvYXoc8xVpk&list=PLsYGHuNuBZcZuXwRU4JXMDa-Lm_YIrkBg

 

At the beginning I started with Aruba 2350's but the I realized that since they are not layer 3 switches, they cannot do routing, so I replaced them with 2930F's... But somehow it looks more complicated then I thought (or it's just that I'm stupid...) :-(

---

@David_Fainshtein wrote:

Hi!

That's exactly the idea, but unfortunately this is my first experience of setting up such infrastructure, so guide will be much appreciated. There is a lot of info on the web regarding setting up a Cisco staff but not a lot about HPE/Aruba.

The only decent tutorial I found is this one: https://www.youtube.com/watch?v=YvYXoc8xVpk&list=PLsYGHuNuBZcZuXwRU4JXMDa-Lm_YIrkBg

 

At the beginning I started with Aruba 2350's but the I realized that since they are not layer 3 switches, they cannot do routing, so I replaced them with 2930F's... But somehow it looks more complicated then I thought (or it's just that I'm stupid...) :-(

---

For the scenario you described, you would want the switches to be layer 2 so that the layer 3 connection is maintained at the Checkpoint firewall. If doing layer 3 at the switch interface, the switches would also need to add filters to prevent inter-vlan routing from taking place. These filters would not be required if the Checkpoint is the router interface. 

 

Are there further requirements that necesitate users being able to communicate across VLANs without traversing the firewall?

Thank you for the reply.

At this point we don't know what requirements may arise in the future.

---

@David_Fainshtein wrote:

Thank you for the reply.

At this point we don't know what requirements may arise in the future.

---

All the more reason to not over-complicate the solution for now. From the executive offices I've worked in, the main goal is to block intra-device communication and force everything to the Internet. If you are doing unique VLANs per company, you're already providing more flexibility than most shared office spaces.