Member_2_2473503 asked:
Dual LAN, Dual WAN, procurve routing

I have an interesting network setup here and, due to cost sharing issues among other things, I cannot change the physical or logical layout of the network, so I need to get this working as shown here.

There are 2 LANs
1) HRI 192.168.45.0 /24
2) DEED 192.168.124.0 /24

There are two WANs (IPs are fake)
1) 1.1.1.1 / 1.1.1.2 (VSAT)
2) 2.1.1.1 (MICROWAVE)

There are two ASA
1) ASA 5510 (ON HRI LAN)
2) ASA 5505 (ON DEED LAN)

The HRI ASA is using the 2.1.1.1 internet connection with a fail over to 1.1.1.2 (this works no problem)

The DEED network must use the 1.1.1.1 public IP for internet, this is configured and working
The HRI network must use the 2.1.1.1 or 1.1.1.2 public IP for internet, again this is configured and working

I have a ProCurve 2910al-24G switch connected to each LAN
VLAN1 192.168.45.254 (can be pinged from HRI LAN)
VLAN2 192.168.124.254 (can be pinged from DEED LAN)

I want to do the routing between the VLANS on the 2910 but I can move it to the two ASAs if needed

I will accept either guidance on what needs to be done or exact configuration commands.

eb
HRI-Network.bmp
Member_2_2473503 (ASKER):
Just wanted to let everyone know I figured out one way to do it by creating a VPN between the outside int on the 5505 and the failover int on the 5510.

I will leave this open for the next week to see if anyone else has any other ideas on the matter that may work better. Otherwise I will ask to accept this as the answer or delete the question.

eb
bbao:
hi ebjers

i do not quite understand what you illustrated in the diagram, as the descriptive text seems inconsistent with the labels in the diagram, e.g. eth4 and two public IPs do not exist in the diagram, 2910's IP for VLAN2 is not valid for VLAN2's IP subnet, etc.

however, i reckon i can know your basic requirement: to enable routing between VLAN1 and VLAN2. am i right?

> I want to do the routing between the VLANS on the 2910
> but I can move it to the two ASAs if needed

"VLANS" is for VLANs connecting to 2910al-24G switch? additionally, the switch may be moved to connect ASA5505 and ASA5510 and you hope the configuration can be kept or reused. am i right?

i assume:

1. the 2910al-24G switch has been configured to support routing between VLAN1 and VLAN2.
2. the default gateway of client computers on VLAN1 is ASA5505, say 192.168.124.1.
3. the default gateway for VLAN2 is ASA5510, say 192.168.45.1.

OK, if the answers are all YES, then basically there are TWO approaches for you.

1. the FIREWALL based solution

add one more static routing item on ASA5505 to send all traffic for VLAN2 to 2910, it looks like this:

192.168.45.0 255.255.255.0 192.168.124.254 metric 1

add one more static routing item on ASA5510 to send all traffic for VLAN1 to 2910, it looks like this:

192.168.124.0 255.255.255.0 192.168.45.254 metric 1

as the result, all hosts on VLAN1 and VLAN2 can PING each other through the ProCurve switch via the two ASAs (of course, the computers' firewall should allow PING). the inter-VLAN traffic does not go through any external network (such as 1.1.1.0 subnet).

this approach also allows you to transparently move the ProCurve switch to directly connect the two ASAs. the clients won't be aware of this change. in this case, you need to define two more subnets for each ASA connecting to the ProCurve switch. the routing table should be updated as well but still similar to the above.

NOTE: if you don't have any security policy applied on 2910al-24G, and only use it as a L3 routing switch for ONLY two subnets, why don't you connect the two ASAs by a single cross-over cable?

2. the CLIENT based solution

if for some reason you can't change the routing table of the two ASAs, and you have a DHCP server for each VLAN, you may add one more DHCP option on each DHCP server. the DHCP option is for routing, which adds one more gateway to the client's routing table. it should look like this:

for VLAN1:

192.168.45.0 255.255.255.0 192.168.124.254 metric 1

for VLAN2:

192.168.124.0 255.255.255.0 192.168.45.254 metric 1

in this approach, all client computers use DHCP to obtain their IPs and the routing table, so they will know where to send their packets to the other internal VLAN. therefore, they don't need any help from the default (central) gateway.

due to the limitation of this approach, you need to update the DHCP options if you move the 2910 to the middle of the two ASAs.

does it make sense?

hope it helps
bbao

Member_2_2473503 (ASKER):
bbao,

Thanks for the input, I see where I made the mistakes on my diagram that had you a little confused.
First, I removed the actual public IP addresses to keep them private, but I guess I forgot to change the gateway addresses I showed in the text, and Eth4 should have been Eth3. Anyway, I have corrected and reattached the diagram.

Please note that the public IPs shown are not real but at least now everything should be consistent in the diagram.


1. the 2910al-24G switch has been configured to support routing between VLAN1 and VLAN2.
A) The 2910's primary function is on VLAN2, though it has a connection to both VLANs. As of right now, nothing other than creating the VLANs and setting the IPs for the VLANs has been done; no other configuration has been done.

2. the default gateway of client computers on VLAN1 is ASA5505, say 192.168.124.1.
A) Yes

3. the default gateway for VLAN2 is ASA5510, say 192.168.45.1.
A) Yes

In option 1, where you ask why I don't just connect the two ASAs with a crossover cable: I am assuming that to do this I would need to have an interface for one of the VLANs on each ASA. The 5505 is not a Sec+ so I cannot do it on this one; I guess I could use the management port on the 5510 and put it on VLAN1 (.124) then configure routing here.

Option 2
I was not aware that I could assign multiple routes in DHCP.  I think if I get the routing configured correctly on the 2910 this will be the best option as it will keep the load off the ASAs and on the switch where it belongs.

eb
ASKER CERTIFIED SOLUTION by bbao (members-only; not shown)

Member_2_2473503 (ASKER):
I will post the diagram again; I may have accidentally uploaded the same one, not the edited version.

The VPN solution was done to get things running right away so I could work. I will change DHCP in the morning and try routing this way.

Eb
Here it is again, this time it is the updated diagram.

eb
HRI-Network-2.bmp
I got it working but I used option 249 and not option 33.  Option 33 only lets me set gateway addresses for /32 devices (a single computer) but with option 249 I could create a route to the network.  This plus using ROUTE ADD to add persistent routes to my servers that use static IP and the routing was set.

After that all I had to do was enable IP routing on the 2910 and all was good and now my ping response is >1ms and not 15 - 30ms like it was with the VPN solution.

Thanks again for the assistance.

eb
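The asker ended up distributing bbao's client-based routes (approach 2) with DHCP option 249 rather than option 33. As an added example that is not part of this thread, the following code encodes and decodes the classless static route payload used by option 249 (the Microsoft option, which carries the same RFC 3442 format as standard option 121) for the two routes in the thread, and shows why option 33 could only express host routes: its wire format has no mask field at all. The sample routes and addresses are the thread's; the function names are my own.

```python
"""DHCP classless static route (RFC 3442, option 121 / Microsoft option 249)
encoder and decoder, plus the legacy option 33 format for comparison."""
import ipaddress


def encode_classless_routes(routes):
    """routes: list of (destination CIDR, router IP) -> option 121/249 payload.
    Each entry is: prefix length (1 byte), only the significant octets of the
    destination, then the 4-byte router address."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # rejects host bits set
        sig = (net.prefixlen + 7) // 8                     # /24 -> 3 octets
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes; raises ValueError on a malformed
    payload (bad prefix length or a truncated entry)."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length %d out of range" % plen)
        sig = (plen + 7) // 8
        if i + sig + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = ipaddress.IPv4Address(data[i:i + sig] + b"\x00" * (4 - sig))
        i += sig
        router = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        routes.append(("%s/%d" % (dest, plen), str(router)))
    return routes


def encode_option33(routes):
    """Legacy 'static route' option 33: destination/router pairs with no mask,
    so each destination can only be a single host (a /32), as the asker found."""
    out = bytearray()
    for dest, router in routes:
        out += ipaddress.IPv4Address(dest).packed + ipaddress.IPv4Address(router).packed
    return bytes(out)


def build_option(code, payload):
    """Wrap a payload as a DHCP option TLV: code, length, data (max 255 bytes)."""
    if len(payload) > 255:
        raise ValueError("option payload too long for a single option")
    return bytes([code, len(payload)]) + payload
```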
bbao:
glad to help. :-)
and thanks for correcting me regarding the DHCP option number.