Wired Intelligent Edge

Hi,

Just hoping someone could help with a problem we are having with our switch config.

Basically we have a stack of 4 3810m’s. Port 1/1 is connected to a Sophos firewall. Ports 1/2 and 2/2 are connected to ports 49 and 50 on a 2930f

The Sophos firewall has an ip of 172.16.98.2 and this can be pinged from the core stack. The core stack can also ping the outside world.

However the 2930f can’t ping the Sophos or the outside world.

The default gateway on the 2930f is set to 10.0.0.1 so any traffic outside the 10.0.0.0/24 subnet should route through the core and then the ip route setting on that switch should route basically everything through to the Sophos.

Below are the configs for the switches. Any ideas?

Running configuration:

; hpStack_KB Configuration Editor; Created on release #KB.16.07.0003

; Ver #14:01.4f.f8.1d.fb.7f.bf.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:4e

stacking

   member 1 type "JL075A" mac-address 9020c2-e28000

   member 2 type "JL075A" mac-address 9020c2-e1bc80

   member 3 type "JL075A" mac-address 9020c2-e2f880

   member 4 type "JL075A" mac-address 9020c2-e20600

   exit

hostname "CORE"

trunk 1/2,2/2 trk1 lacp

ip route 0.0.0.0 0.0.0.0 172.16.98.2

ip routing

snmp-server community "public" unrestricted

oobm

   ip address dhcp-bootp

   member 1

      ip address dhcp-bootp

      exit

   member 2

      ip address dhcp-bootp

      exit

   member 3

      ip address dhcp-bootp

      exit

   member 4

      ip address dhcp-bootp

      exit

   exit

vlan 1

   name "DEFAULT_VLAN"

   no untagged 1/1

   untagged 1/3-1/16,2/1,2/3-2/16,3/1-3/16,4/1-4/16,Trk1

   ip address dhcp-bootp

   ipv6 enable

   ipv6 address dhcp full

   exit

vlan 98

   name "VLAN98"

   untagged 1/1

   ip address 172.16.98.1 255.255.255.0

   exit

vlan 120

   name "TEMP"

   tagged Trk1

   ip address 10.0.0.1 255.255.255.0

   exit

spanning-tree Trk1 priority 4

Running configuration:

; JL256A Configuration Editor; Created on release #WC.16.07.0003

; Ver #14:01.4f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:02

hostname "Aruba-2930F-48G-PoEP-4SFPP"

module 1 type jl256a

trunk 49-50 trk1 lacp

ip default-gateway 10.0.0.1

no ip source-route

snmp-server community "public" unrestricted

vlan 1

   name "DEFAULT_VLAN"

   no untagged 1

   untagged 2-48,51-52,Trk1

   ip address dhcp-bootp

   ipv6 enable

   ipv6 address dhcp full

   exit

vlan 120

   name "TEMP"

   untagged 1

   tagged Trk1

   ip address 10.0.0.2 255.255.255.0

   exit

spanning-tree Trk1 priority 4

Hi!
Does the Sophos Firewall (172.16.98.2) know how to reach subnet 10.0.0.0/24? in other terms...on Sophos did you configure a static route to 10.0.0.0 255.255.255.0 net destination via 172.16.98.1 hop?

Considering that:

(1) the Aruba 2930F is just a Layer 2 extension (through aggregated logical interface tagged on VLAN 120 on both ends of the link) of your stacked Core for VLAN 120.
(2) the Aruba 2930F uses 172.16.98.2 as its Default Gateway (which is the VLAN SVI on the stacked Core for VLAN 120).
(3) your Stacked Core has Gateway of Last Resort properly set to point to Sophos Firewall (represented by the static route 0.0.0.0/0.0.0.0 to 172.16.98.2)

If your Sophos Firewall is then properly instructed on how to route back to routed nets defined on stacked Core it should work as you correctly expect.

Cheers for the answer Parnassus. It was a routing issue back from the Sophos. The static route was configured but another interface was configured on the same 10.0.0.0/24 subnet which messed the routing up. Removed that interface configuration and it all magically started working.

I'm glad that you solved!