Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor I

Multiple VLAN's with one internet connections

Hello people!

I'm setting up a network for a WeWork kind of scenario, where a bunch of different businesses share a common infrastructure. I have a bunch of 2930F switches and a Check Point 790 Firewall/Router that connects to the Internet. I want to assign every business a dedicated VLAN and subnet to segregate them, so they cannot see each other, but can still get Internet connectivity and DHCP from the router for each subnet.

 

A good guide would be much appreciated!

Guru Elite

Re: Multiple VLAN's with one internet connections

You did not mention what Aruba equipment you have in your possession.  That could dictate the design.

 

EDIT:  Yes you did.  I apologize.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor I

Re: Multiple VLAN's with one internet connections

I have 3 2930F switches. The gateway/firewall/router is a Check Point 790, which I know very well. It has 16 LAN ports that I can configure in every way I want, even as separate virtual switches.

MVP Expert

Re: Multiple VLAN's with one internet connections

What does "a bunch of different businesses" mean exactly?

3 Businesses for 3 Aruba 2930F (where each Business uses one specific assigned Aruba 2930F) OR a lot more Businesses (dynamically, from the short/mid/long term time standpoint) sharing 3 Aruba 2930F?

Deployment scenarios would vary with regard to the given answer.

If each Business uses its assigned Aruba 2930F specifically and statically...you could use each one as a (physically) isolated switched network connected to a specific Firewall's LAN interface, Firewall will apply all required NAT/Access policies to grant each Business its slice of WAN connectivity, this for each LAN downlink to each Aruba 2930F (that's "total separation"...the Firewall does all and it is SPoF, no IP Routing on Switches is necessary since each Switch will manage basically one VLAN/Subnet...at least until you start eventually to want VLANs on each Switch to do sub-separation...and that less simple scenario could/couldn't imply enabling IP Routing - and ACL? - at Switches level for convenience and rethinking the role of your Firewall)...if, instead, the scenario is "all Businesses share all the whole switching infrastructure" then VLANs deployment shall become a mandatory requirement even if NAT/Access policies should be still performed at Firewall level...but downlink(s) to entire switching infrastructure can be simplified (or not) transporting all necessary VLANs IDs over a single uplink (or over an aggregated one) to one (multiple) Firewall LAN interface(s) (so there will still be a logical separation of Businesses subnets), VLANs IP interfaces would be defined on the Firewall (where, as first case, you will continue to provide DHCP services) and, each one of them, would be the gateway for its subnet...clearly Firewall will do all IP Routing to Internet and, as written, it will provide all NAT/Access required features for each VLAN.

In this latter case maybe you can create, switching infrastructure side, a Virtual Switch by using Aruba VSF...and, to enhance resiliency, use an LACP aggregated group of ports (three) as uplinks to your Firewall...if it supports IEEE 802.3ad on its LAN interfaces.

There are, for sure, many other possible solutions or variants...
Occasional Contributor I

Re: Multiple VLAN's with one internet connections

Thank you for your reply. I'm talking about the second scenario, where all the businesses use all the switching infrastructure, so VLANs are necessary.

MVP Expert

Re: Multiple VLAN's with one internet connections


@David_Fainshtein wrote:

Thank you for your reply. I'm talking about the second scenario, where all the businesses use all the switching infrastructure, so VLANs are necessary.


That's OK, so now you should know what other requirements you need to fulfill (or what other questions you should ask yourself) while deploying this scenario...it's a matter of selecting which device shall be responsible for providing IP routing and (if necessary) ACLs between the various VLANs operated at access level by your three Aruba 2930F.

Re: Multiple VLAN's with one internet connections

This sounds pretty straight forward unless I'm missing a requirement.

 

As you mentioned, each 'business' gets its own VLAN on the switch infrastructure. The Checkpoint firewall should be the router interface for each VLAN, so it needs to have a trunk interface to the switching core. The Checkpoint then can be the DHCP server for each subnet, as well as provide the filtered access to the Internet and any inter-business communications that need to happen.


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor I

Re: Multiple VLAN's with one internet connections

Hi!

That's exactly the idea, but unfortunately this is my first experience of setting up such infrastructure, so a guide will be much appreciated. There is a lot of info on the web regarding setting up Cisco stuff but not a lot about HPE/Aruba.

The only decent tutorial I found is this one: https://www.youtube.com/watch?v=YvYXoc8xVpk&list=PLsYGHuNuBZcZuXwRU4JXMDa-Lm_YIrkBg

 

At the beginning I started with Aruba 2350's, but then I realized that since they are not layer 3 switches, they cannot do routing, so I replaced them with 2930F's... But somehow it looks more complicated than I thought (or it's just that I'm stupid...) :-(

Re: Multiple VLAN's with one internet connections


@David_Fainshtein wrote:

Hi!

That's exactly the idea, but unfortunately this is my first experience of setting up such infrastructure, so a guide will be much appreciated. There is a lot of info on the web regarding setting up Cisco stuff but not a lot about HPE/Aruba.

The only decent tutorial I found is this one: https://www.youtube.com/watch?v=YvYXoc8xVpk&list=PLsYGHuNuBZcZuXwRU4JXMDa-Lm_YIrkBg

 

At the beginning I started with Aruba 2350's, but then I realized that since they are not layer 3 switches, they cannot do routing, so I replaced them with 2930F's... But somehow it looks more complicated than I thought (or it's just that I'm stupid...) :-(


For the scenario you described, you would want the switches to be layer 2 so that the layer 3 connection is maintained at the Checkpoint firewall. If doing layer 3 at the switch interface, the switches would also need to add filters to prevent inter-VLAN routing from taking place. These filters would not be required if the Checkpoint is the router interface.

 

Are there further requirements that necessitate users being able to communicate across VLANs without traversing the firewall?


Charlie Clemmer
Aruba Customer Engineering
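The design Charlie describes in his two replies (one VLAN per business, switches kept at layer 2, a tagged trunk up to the Check Point which owns every subnet's gateway and DHCP), combined with the LACP uplink suggested earlier in the thread, looks like the following on one 2930F. This is an added example written for this thread, not configuration posted by any participant or taken from Aruba documentation; the VLAN IDs, VLAN names, port ranges and the trunk name are assumptions chosen for illustration.

```text
; Added example: ArubaOS-Switch configuration for one 2930F acting as a
; pure layer-2 access switch. VLAN IDs, names and port ranges are assumed.

; Ports 23-24 form an LACP aggregate (trk1) towards the Check Point LAN
; interfaces. The firewall side must support IEEE 802.3ad for this.
trunk 23-24 trk1 lacp

; One VLAN per tenant business. Tenant ports are untagged members of
; their own VLAN only; the uplink aggregate carries every tenant VLAN
; tagged, so the firewall sees each business as a separate sub-interface.
vlan 10
   name "BusinessA"
   untagged 1-8
   tagged trk1
   exit
vlan 20
   name "BusinessB"
   untagged 9-16
   tagged trk1
   exit
vlan 30
   name "BusinessC"
   untagged 17-22
   tagged trk1
   exit

; Keep the switch at layer 2: no IP address on any tenant VLAN and no
; IP routing. With no IP interface in VLANs 10/20/30 there is nothing on
; the switch that can forward between them, so every inter-tenant packet
; must cross the firewall and its access policy. "no ip routing" is the
; ArubaOS-Switch default; it is written out here to make the intent explicit.
no ip routing
```

The security-relevant check is the absence of layer-3 state on the switch: after applying this, `show ip` should list no address on VLANs 10, 20 or 30 and `show ip route` should show no routes between them, while `show vlans ports trk1 detail` should list all three VLANs as tagged on the aggregate and `show lacp` should show trk1 up. The contrast Charlie draws is what happens if `ip routing` plus `vlan 10 ip address ...` (and the same for the other VLANs) is configured instead: the 2930F then routes between tenants itself, bypassing the Check Point, and per-VLAN ACLs on the switch become mandatory to restore the separation. On the Check Point side, a matching VLAN sub-interface with the subnet's gateway address and a DHCP scope is needed per VLAN on the LAN port (or bond) facing trk1; DHCP broadcasts from tenant ports reach it directly over the tagged uplink, so no DHCP relay is required on the switch.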
Occasional Contributor I

Re: Multiple VLAN's with one internet connections

Thank you for the reply.

At this point we don't know what requirements may arise in the future.
