
MULTIPLE VLANS ON A SINGLE 2930f SWITCH

  • 1.  MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted May 10, 2019 01:34 AM

    Hello Guys

     

    I am very new to this networking business but I have a project that I have spent countless sleepless nights trying to solve, to no avail. I am trying to connect multiple clients in the same building sharing an internet connection from an ISP (leased line), and since most of the clients will be their own firewall I am trying to avoid the use of a router if possible. I am using a single 2930f switch and wouldn't mind adding a 2nd switch if that will help. I have gone as far as creating the VLANs and the switch issuing the DHCP addresses on the defined scope, which is what I want, but unfortunately the clients cannot ping their own defined default gateway but can ping their defined DHCP address, even if I enable ip routing. Issue no. 2 is how to configure the uplink for the internet connection. I have a /28 public address from the ISP. Any help will be greatly appreciated. Thank you Joe

    Attachment: Testing.txt (6 KB)


  • 2.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted May 10, 2019 04:03 AM

    Hello Joe,


    @Joeyorke12 wrote: ... and since most of the clients will be their own firewall I am trying to avoid the use of a router if possible.

    What do you mean with "their own firewall"? ...at OS level?

     


    @Joeyorke12 wrote: have a /28 public address from the ISP.

    Aruba 2930F is a switch with (some/limited) Layer 3 capabilities/features...AFAIK NAT - and routed physical/logical interface too...just to say - is not among them...so, as a Layer 2/Layer 3 Switch, it can be efficiently deployed (e.g. with IP Routing enabled) to act as the router (gateway) for your internal VLANs (Subnets) but, generally speaking, a gateway to your ISP - performing NAT to your public /28 IP addressing - should be necessary.



  • 3.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted May 10, 2019 06:18 AM

    Hello Parnassus,

     

    Thanks for getting back to me. What I meant by that is some of them will be using their own Cisco router as their firewall but a branch off from the switch network, and others will just use their Windows firewall

     

    Thanks

    Joe



  • 4.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted May 11, 2019 01:36 AM

    missing a "default route" on your configuration



  • 5.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted May 20, 2019 05:33 AM

    Following up from here, I have decided to introduce a router and went for a Cisco 1941, something that I know best. I have configured the router, enabled ip routing and added route 0.0.0.0 0.0.0.0 10.200.58.49 (router's LAN interface) to the switch, but the issue I am having is I cannot ping anything which is not directly connected, i.e. the end devices get their IP addresses as they should from their relevant subnet and can ping their default gateway but they cannot ping the router's LAN, although I can ping that from the switch. Is there anything that I am missing in the config, please? Any help will be gladly appreciated. Thanks

    Attachment: Testing.txt (6 KB)


  • 6.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted May 20, 2019 05:48 AM

    Have you set a route back from the router to the switch?



  • 7.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted May 20, 2019 06:35 AM

    Hello Willem Bargeman

     

    Thanks for getting back to me.

    Yes that has been done

     

    Regards

     

    Joe



  • 8.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted May 20, 2019 08:18 AM

    The Cisco 1941 - your router/gateway - is directly connected to your Aruba 2930F...I presume the Cisco is downlinked to your Switch through interface 48 on the Aruba 2930F...isn't it?

     

    This means that interface 48 should be assigned as tagged member of all your (routed) VLANs...and this was already done.

     

    Since 10.200.58.49 is an IP Address which belongs to a Subnet which is not known to your Switch (VLAN 200 hasn't any IP...nor do other VLANs belong to 10.200.58.49's Subnet)...how can this work?

     

    IMHO you should add a VLAN IP Address for VLAN 200...a free IP Address that will belong to the same Subnet as your Cisco's LAN interface (10.200.58.49), treating the VLAN 200 as a "transport" VLAN; by participating in your Switch IP Routing it should then work.



  • 9.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted May 20, 2019 11:10 AM

    Thank you parnassus

     

    I will go through the config again once I get back in later this evening

     

    Regards

     

    Joe

     

     



  • 10.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted May 20, 2019 12:11 PM
    Forgot (now I see) to say that IF your Aruba is doing IP Routing for all your LAN's Subnets THEN you just need the uplink port to be tagged on just one (transport) VLAN, which in your case is VLAN 200...and you need an IP Address for that VLAN in order to communicate with the Cisco.

    IF INSTEAD routing is in charge to your Cisco then it is correct to tag the uplink port with all required VLANs BUT, at that point, it is non essential to give each of them an IP identity on the Switch SINCE gateway IP addresses will be on the router and the router will route to/from your devices.


  • 11.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted May 21, 2019 11:53 PM

    Thank you Parnassus,

     

    The Aruba 2930f is the one doing all the routing. I have tried both suggestions but they did not work, but if I disconnect the switch and assign an IP in the range of the router's LAN to my laptop, I can surf the net without any issues. I also tried with no config on the switch, i.e. the default switch config and the router, and that also works. This appears to be something to do with the switch config that I am missing. I will configure a Cisco SG500, which I know what I am doing with, and if that works, then maybe I'll have to switch to the Cisco



  • 12.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted May 22, 2019 01:49 AM
    On which VLAN did you test your laptop directly connected to your router's LAN interface?


  • 13.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted May 22, 2019 12:05 PM

    Yes Parnassus

     

    2 separate tests carried out

     

    1. Laptop assigned a static IP from the router's LAN subnet and that works (can surf the net)
    2. Laptop and switch both assigned a static IP from the router's LAN subnet, switch connected to the router, then laptop connected to the switch, switch has the original config (default IP) and that also works. NB. IP for the switch was assigned to the default VLAN (VLAN 1)

    Thank you

     

    Joe



  • 14.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH
    Best Answer

    Posted May 22, 2019 07:07 PM

    So in my head, case 2 you tested through the Aruba 2930F, the scenario would require:

     

    1. VLAN 200 with IP Address assigned (belonging to the same subnet to which the Palo Alto's LAN IP Address belongs...as example 10.200.58.50 considering a 10.200.58.0/24 subnet so a /24 subnet mask) <-- VLAN 200 participates in the Aruba 2930F routing.
    2. Port 48 used as uplink to the Palo Alto firewall.
    3. Port 48 should be set to be just (and only) an untagged member of the VLAN 200 (VLAN 200 is used as a "transport" VLAN...even if generally this is really true for subnets like /30 or /31).
    4. VLAN 200 on the Palo Alto firewall is untagged on its LAN port.
    5. no other VLANs are tagged on the uplink (Aruba 2930F port 48 <--> Palo Alto firewall LAN designated port).
    6. IP routing enabled on Aruba 2930F (as is yet per your attached testing.txt).
    7. Palo Alto firewall should have the defined routes to forward back traffic for Aruba 2930F's VLANs subnets (e.g. to reach back the VLAN 4 "CLIENT1" on the Aruba 2930F a route to 10.1.4.0/24 via 10.200.58.50 through Palo Alto's LAN should be defined).
    8. Palo Alto firewall should have IPv4 Access Rules to let traffic from/to Aruba 2930F's VLANs subnets and your other networks (Rest of the World = Internet) via required NATs (if any/if required).
    9. Clients (e.g. clients of CLIENT1 VLAN connected to Aruba 2930F ports 16-17) should have the 10.1.4.1 IP Address as their Default Gateway (Firewall OS disabled...DNS OK) and so IP Addressing on the related subnet 10.1.4.0/24 <-- that should be OK if the authoritative DHCP provides them correct IP assignments yet.

    Once 1-9 are satisfied...your issue goes away or not (provided Palo Alto firewall side is OK)?
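
The two routing conditions raised in posts 8 and 14 (the default route's next hop must sit on a subnet the switch has an IP in, and the gateway needs a return route for every routed VLAN) can be checked mechanically. The following is an added example, not part of the original posts; the addresses come from the thread, the /24 mask on the transport subnet is the one post 14 assumes, and the function names and data layout are hypothetical.

```python
import ipaddress

def connected_vlan(switch_ifaces, ip):
    """Name of the switch VLAN interface whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in switch_ifaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None

def audit(switch_ifaces, default_next_hop, gateway_lan, gateway_routes):
    """Return a list of problems in a 'switch routes, gateway NATs' design."""
    problems = []
    # Post 8: a static route is unusable unless its next hop is on a connected subnet.
    if connected_vlan(switch_ifaces, default_next_hop) is None:
        problems.append(f"next hop {default_next_hop} is on no switch VLAN subnet")
    gw_net = ipaddress.ip_interface(gateway_lan).network
    switch_ips = {ipaddress.ip_interface(c).ip for c in switch_ifaces.values()}
    for name, cidr in switch_ifaces.items():
        net = ipaddress.ip_interface(cidr).network
        if net == gw_net:
            continue  # transport subnet: directly connected on the gateway
        # Post 14, item 7: the gateway needs a route back via the switch's transport IP.
        covered = any(
            net.subnet_of(ipaddress.ip_network(prefix))
            and ipaddress.ip_address(hop) in switch_ips
            and ipaddress.ip_address(hop) in gw_net
            for prefix, hop in gateway_routes
        )
        if not covered:
            problems.append(f"gateway has no return route for {name} ({net})")
    return problems

# Addresses taken from the thread; the dictionary layout is constructed.
# BEFORE: VLAN 200 has no IP on the switch and the gateway has no return routes.
BEFORE = audit({"vlan4": "10.1.4.1/24"}, "10.200.58.49", "10.200.58.49/24", [])
# AFTER: VLAN 200 carries 10.200.58.50/24 and the gateway routes 10.1.4.0/24 back.
AFTER = audit({"vlan4": "10.1.4.1/24", "vlan200": "10.200.58.50/24"},
              "10.200.58.49", "10.200.58.49/24",
              [("10.1.4.0/24", "10.200.58.50")])

if __name__ == "__main__":
    for label, result in (("before", BEFORE), ("after", AFTER)):
        print(label, result or "OK")
```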



  • 15.  RE: MULTIPLE VLANS ON A SINGLE 2930f SWITCH

    Posted Jun 15, 2019 11:21 AM

    Thank you Parnassus

     

    Apologies about my late response, been on holiday so just back to the project

    Your solution worked perfectly. Your support is greatly appreciated.

    One last question: I am all OK on the Cisco router's configuration but I am wondering, if I want to assign one of my public IP addresses to the client's own router but still going through the switch, if the switch supports that, how to go about it. E.g. CLIENT1 VLAN connected to Aruba 2930F ports 16-17 will be assigned one of the ISP's addresses instead of a 10.1.4.1 IP Address. If I bypass the switch, this works, but I can't seem to get that to work via the switch.

    Any help will be greatly appreciated.

     

    Thank you

     

    Regards

     

    Ray