• Status: Solved
  • Priority: Medium
  • Security: Public

Is a "Router-On-A-Stick" my only option?

We have a Procurve 3500yl switch.  The switch is split into 2 VLANs, one for VOIP and the default VLAN.  Some ports are set up as "access" ports (called "Untagged" in HP Procurve speak), some are "trunk" ports (called "Tagged" or "Auto" in HP Procurve speak).  Currently the Sonicwall NSA 240 firewall is set on one of the switch's Untagged ports in VLAN 1.  The server that needs internet access in the VOIP VLAN (VLAN 50) can ping everything else on the default VLAN (as the Procurve is an L3 switch and has routing enabled) except for the LAN interface of the NSA 240.  The NSA 240 from its diagnostic screen, however, CAN ping this exact same server.  To me this proves (although I certainly could be wrong) that there is nothing wrong with the VLANs or L3 routing.  I think it must be a security setting on the NSA 240.  BTW, both the VOIP VLAN server and the NSA 240 are untagged in their respective VLANs.  Packet captures from other hosts getting pinged by this server successfully show everything functioning as normal.  Any ideas?
Asked by ChocolateRain

GuruChiu commented:
Can other hosts in VLAN 1 ping the NSA 240?

atlas_shuddered (Sr. Network Engineer) commented:
If you have the procurve and the sonicwall linked via a layer 3 interface on the procurve, make sure that the following items are correct:
1.  The default gateway is set correctly on the server
2.  Routing is defined correctly on the procurve
3.  You don't have a rule on the sonicwall blocking traffic from the server and/or its subnet

pwindell commented:
Nothing wrong with anything that I can see.

Firewalls, typically by default, cannot be "pinged" in order to defend against ICMP based attacks.  Leave it alone.

If the Hosts on the LAN are able to get to the Internet via the Firewall then it is fine... leave it alone.

BTW - Don't get carried away with Tagging.  Tagging is potentially a bad thing, not a good thing.  Tagging means you are running multiple subnets over the same physical cable, which flies in the face of the logic of dividing the LAN into segments in the first place to gain performance.  The benefit of multiple segments is to break up broadcast domains and reduce the traffic on a single cable... tagging just puts it right back on the same cable again.

Rick_O_Shay commented:
With any firewall you need to have a route to the server's subnet and the rules to allow the traffic to/from it. If the FW can ping the server it sounds like you have the correct routing in place, so it is most likely a security setting on the FW. Either a rule someone added, an implied rule, or not allowing pings as mentioned above.

ChocolateRain (Author) commented:
More info:  The Procurve has 2 VLANs, each with their own subnet (VLAN 1 = 10.10.0.0/19 & VLAN 50 (VOIP) = 10.10.0.32/19).  Each VLAN has an IP address on the Procurve (VLAN 1 = 10.10.0.1 & VLAN 50 = 10.10.32.1).  Each of those IP addresses is the default gateway of all clients in that respective VLAN.  The Procurve's DG is the SonicWall NSA240, which is off of an untagged VLAN 1 port (there is no "TRUNK" between the NSA and the Procurve).  Question: if I set up a Trunk between the NSA and the Procurve, will inter-VLAN routing occur on the NSA or the Procurve?  Because if it is the NSA that will not work, as it will overload the NSA.  If it will occur on the Procurve that would work great and my problem should be as good as fixed, as setting up a trunk should be easy.


GuruChiu asked: "can other hosts in VLAN1 ping NSA 240?"
-Yes all hosts on VLAN 1 can ping the LAN interface of the NSA240 and have access to the internet.

1.  The default gateway is set correctly on the server
-It is set to the ProCurve's IP address of VLAN 50.  This is pointing to the Procurve because I want inter-VLAN routing to take place on the Procurve 3500yl, it would overload the NSA if the routing was taking place on there.  It routes just fine from all devices on VLAN 50 to VLAN 1 EXCEPT for the LAN interface of the NSA240.

2.  Routing is defined correctly on the Procurve
-This is done with an "ip routing" command.  It was run on the switch, if this isn't done it wouldn't route between the VLANs.

3.  You don't have a rule on the SonicWall blocking traffic from the server and/or its subnet
-I wish I knew where a rule like this might be configured.  I've browsed around everywhere I can think of and I don't find anything blocking this traffic, although there is no LAN interface on the NSA that is setup in the same subnet as the VOIP subnet.  When the Procurve routes between VLAN 50 to VLAN 1 it simply changes the MAC address to the MAC address of its VLAN 1 and passes it along with the same IP address as any other router would.  I’m concerned that this subnet might have to be added to the NSA in some fashion but I don’t know where.
Ping is enabled on the LAN interface of the NSA.
We are using tagging on more interfaces than you normally would see due to the fact that we are running VOIP and the normal network traffic all over the same copper wiring.  It is an old building and running lines was too expensive so all the phones use Tagging as a way to stay on the same VLAN.


noci (Software Engineer) commented:
Some things to verify:
The server is in VLAN 50, and the default gateway of the server is pointing to the VLAN 50 address of the ProCurve switch?
What does a traceroute tell you (it should first return the default gateway of your own VLAN)...
Even if PING doesn't work you can try to ping it and then check the ARP table to see if there is a MAC address. That would be the MAC address of the switch.
Have you tried pinging google, e.g.?
ping 66.102.13.147

Note: Tagging is not a "bad" thing as has been suggested before.
Please check the specs of IEEE 802.1q on that.
Every network frame gets 4 bytes extra to allow it to carry a VLAN number.
On interfaces where you WANT multiple VLANs to go into a machine that supports DOT1q (802.1q) and handles traffic for multiple VLANs natively,
it's perfectly safe to allow the right VLANs to that port. (Filter mechanisms do exist to limit the traffic.)
If it doesn't support DOT1q tagging then you can't send it traffic, as all ethernet frames are badly formatted for such a port (they violate length assumptions as well, because of the four bytes extra when the packet exceeds 1500 bytes).

It is a technical measure for a purpose; it should be taken with the design of the network, not used randomly. Otherwise it would be to the same extent as trying to force token ring equipment onto an ethernet infrastructure just because you want it like that... (it really doesn't work out, physics does win).
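The 4-byte tag, the port that does and does not understand it, and the per-port VLAN filter described in the post above, shown as an added worked example (this is not code from the thread or from HP; the MAC addresses and payload are constructed, and classify_ingress is a simplified model of Procurve-style untagged/tagged port membership):

```python
import struct

# IEEE 802.1Q: a tagged frame carries the TPID 0x8100 where the EtherType would be,
# followed by 2 bytes of Tag Control Information (3 bits PCP, 1 bit DEI, 12 bits VID)
# and then the real EtherType. That tag is exactly the 4 extra bytes noci mentions.
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses, not taken from the thread.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build an Ethernet II frame (FCS omitted); insert an 802.1Q tag when vlan_id is given."""
    if vlan_id is not None and not (0 <= vlan_id <= 4095 and 0 <= priority <= 7):
        raise ValueError("VID must be 0..4095 and PCP 0..7")
    frame = dst + src
    if vlan_id is not None:
        tci = (priority << 13) | vlan_id          # DEI bit left clear
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame, understands_tags=True):
    """Parse an Ethernet II frame.

    understands_tags=True models a DOT1q-aware port: the tag is decoded and stripped.
    understands_tags=False models a legacy port: the frame is read as plain Ethernet,
    the EtherType comes back as 0x8100 and the tag is left inside the payload, which
    is why such a port cannot make sense of tagged traffic.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    parsed = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan_id": None, "priority": None}
    offset = 14
    if understands_tags and ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        parsed["priority"] = tci >> 13
        parsed["vlan_id"] = tci & 0x0FFF
        offset = 18
    parsed["ethertype"] = ethertype
    parsed["payload"] = frame[offset:]
    return parsed


def classify_ingress(frame, untagged_vlan, tagged_vlans):
    """Simplified Procurve-style port membership rule (the "filter mechanism" noci refers to).

    An untagged frame lands in the port's untagged VLAN; a tagged frame is forwarded
    only if its VID is in the port's tagged set; any other tagged frame is dropped.
    Returns (action, vlan_id).
    """
    parsed = parse_frame(frame)
    if parsed["vlan_id"] is None:
        return ("forward", untagged_vlan)
    if parsed["vlan_id"] in tagged_vlans:
        return ("forward", parsed["vlan_id"])
    return ("drop", parsed["vlan_id"])


if __name__ == "__main__":
    payload = bytes(1500)                          # a full-size IP packet
    plain = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, payload)
    tagged = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, payload, vlan_id=50, priority=5)
    print("untagged:", len(plain), "bytes, tagged:", len(tagged), "bytes (before the 4-byte FCS)")
    print("dot1q port sees VID", parse_frame(tagged)["vlan_id"], "EtherType", hex(parse_frame(tagged)["ethertype"]))
    print("legacy port sees EtherType", hex(parse_frame(tagged, understands_tags=False)["ethertype"]))
    print("port tagged in VLAN 50:", classify_ingress(tagged, untagged_vlan=1, tagged_vlans={50}))
    print("port untagged in VLAN 1 only:", classify_ingress(tagged, untagged_vlan=1, tagged_vlans=set()))
```

Running it shows the 1514-byte untagged frame growing to 1518 bytes once tagged (1518 and 1522 with the FCS, which is where the "exceeds 1500 bytes" length problem on a non-DOT1q port comes from), and the same tagged frame being forwarded on a port that is tagged in VLAN 50 but dropped on a port that is only untagged in VLAN 1.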

noci (Software Engineer) commented:
Ah forgot one:
or traceroute to google?

Syed Mutahir Ali (Technology Consultant) commented:
Can you create a separate VLAN named "internet" and connect your firewall's trusted interface to that switch port which is a member of VLAN internet?

Set up a route on your HP Procurve (ip route 0.0.0.0 > LAN interface of your firewall), or make the switch default gateway the IP address of that interface.

Question: if I set up a Trunk between the NSA and the Procurve will inter-VLAN routing occur on the NSA or the Procurve?  Because if it is the NSA that will not work as it will overload the NSA.  If it will occur on the Procurve that would work great and my problem should be as good as fixed as setting up a trunk should be easy

Yes, if you set up a trunk and your firewall supports VLAN 802.1q etc. then your firewall will do the inter-VLAN routing.

I would suggest: create a VLAN (for internet); members would be the firewall LAN port and one of your switch ports; make the switch default gateway this internet VLAN IP and set up a static route too.

Hope this helps

mikecr commented:
I see a lot of good information going around but I don't completely understand what you're trying to accomplish. Are you just trying to get the VoIP server to have access to the internet?

ChocolateRain (Author) commented:
Yes, I just want to clarify that all I'm trying to do is to have the VOIP server have access to the internet but still have all the inter-VLAN routing occur on the switch.  That's it.

So I tried a few things on this thread.  I tried to set up this port on another VLAN (a different VLAN from either the default VLAN or the VOIP VLAN), but that just made it so it didn't have access to either the VOIP VLAN or the default, and neither VLAN could get internet.  So that didn't work.

Btw, I set up multiple default gateways, one per VLAN, on the Procurve and that only caused routing problems where I had to undo that configuration.


pwindell commented:
We've just been through VoIP Hell here (and are still there).

You're making it way too overcomplicated.

The VoIP Server has a WAN Port and a LAN Port (neither of which is the same port that the actual Voice Phone Line comes into).  Plug the LAN Port into whatever VLAN it is supposed to be in.  Plug the WAN Port directly into the Internet with its own Public IP#.  If you have to purchase a cheap dedicated Internet Account just for it then do it... but if you have multiple Public IP#s then go with that.

These VoIP Servers are perfectly capable of being their own Firewall... they don't need to be behind a "firewall."

ChocolateRain (Author) commented:
To clarify, we have a ShoreTel server and a bunch of ShoreGear switches.  This "VOIP Server" I'm talking about is the ShoreTel server that hosts voicemail, the web-interface and a few other things.  This server has no WAN port and shouldn't have firewall-free access to the Internet.

pwindell commented:
Ok,..well then I guess it is not as capable as the others that are out there.

ChocolateRain (Author) commented:
The server connects to the other appliances that actually do the interfacing with the PSTN.  We have 2 T1 switches, and 2 120/20s, but there isn't any problem with their operation at the moment as they only interface with the VOIP VLAN and the PSTN, not the internet.

mikecr commented:
Is the VoIP server on a different Vlan than the clients on your network, and if so, do you have that subnet natted on your firewall to get to the internet?

ChocolateRain (Author) commented:
Yes our VOIP server is on a different VLAN and subnet than the clients on our network.  We do not have it natted because the L3 switch is routing the packets between VLANs.  If you were to watch the process in a packet capture it would be changing the MAC address as it routes the frame to the destination (just like a router does) and leaves the source and destination IPs untouched; it can route between any device on the VOIP VLAN to the Default VLAN EXCEPT the LAN port of the firewall.

I've attached a Visio drawing of a summary of how our network looks.

VLAN-setup.vsd

noci (Software Engineer) commented:
I don't have Visio so.....
from your description:

VLAN 50 domain          VLAN 1 domain
                    +---------+
--------------------+         |
                    |   Pro   |        +----------+
                    |   Cur   +--------+ Firewall +---------- Internet...
                    |   ve    |        +----------+
--------------------+         |
                    +---------+

The procurve switch + router routes packets from VLAN 50 -> Vlan 1. (and back).

The ports in VLAN 50 are all part of VLAN 50 as an untagged port.
The firewall is in VLAN 1 on an untagged port. (Tagging is not used on any of those ports).

OK so far?

noci (Software Engineer) commented:
You would need a route on the firewall pointing to VLAN 50, handing off traffic to the Procurve's address in VLAN 1.

Does something along the lines of "route add 10.10.32.0/19 gw 10.10.0.1" (Linux syntax; it might need netmask 255.255.224.0 instead of /19) exist on your firewall?

Is your server in VLAN 50 the only one that CANNOT ping/traceroute to the internet?
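Why the missing return route breaks the ping even though the Procurve forwards the request correctly, shown as an added example that is not part of the thread: a longest-prefix-match lookup over the firewall's routing table, before and after the static route suggested above. The VLAN subnets and the Procurve's 10.10.0.1 address come from the thread; the firewall's WAN next hop (203.0.113.1) and the VOIP server address (10.10.32.10) are assumed sample values, and this models a generic router, not SonicWall's actual implementation.

```python
from ipaddress import ip_address, ip_network

# From the thread: VLAN 1 = 10.10.0.0/19 with the Procurve at 10.10.0.1,
# VLAN 50 (VOIP) = 10.10.32.0/19 with the Procurve at 10.10.32.1.
VLAN1_NET = ip_network("10.10.0.0/19")
VLAN50_NET = ip_network("10.10.32.0/19")
PROCURVE_VLAN1_IP = ip_address("10.10.0.1")

# Assumed values, not from the thread: the firewall's WAN next hop (a TEST-NET-3
# documentation address) and a sample server address in the VOIP VLAN.
WAN_GATEWAY = ip_address("203.0.113.1")
VOIP_SERVER = ip_address("10.10.32.10")
DEFAULT_ROUTE = ip_network("0.0.0.0/0")


def lookup(routes, dst):
    """Longest-prefix-match lookup.

    routes is a list of (network, next_hop, interface); next_hop None means the
    network is directly connected. Returns (interface, next_hop), where next_hop is
    the destination itself for a connected network, or None if nothing matches.
    """
    dst = ip_address(str(dst))
    best = None
    for net, next_hop, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return None
    net, next_hop, iface = best
    return (iface, next_hop if next_hop is not None else dst)


def firewall_routes(with_voip_route):
    """The firewall's table as the thread describes it: LAN directly connected, default
    route to the WAN, and optionally the static route noci suggests
    ("route add 10.10.32.0/19 gw 10.10.0.1")."""
    routes = [
        (VLAN1_NET, None, "LAN"),
        (DEFAULT_ROUTE, WAN_GATEWAY, "WAN"),
    ]
    if with_voip_route:
        # 255.255.224.0 is the dotted form of /19; ipaddress accepts either spelling.
        routes.append((ip_network("10.10.32.0/255.255.224.0"), PROCURVE_VLAN1_IP, "LAN"))
    return routes


def reply_path(with_voip_route, dst=VOIP_SERVER):
    """Where the firewall sends its reply to a VLAN 50 host, with or without the static route."""
    return lookup(firewall_routes(with_voip_route), dst)


if __name__ == "__main__":
    print("VLAN subnets overlap:", VLAN1_NET.overlaps(VLAN50_NET))
    print("/19 == 255.255.224.0:", ip_network("10.10.32.0/255.255.224.0") == VLAN50_NET)
    print("reply without route:", reply_path(False))   # out the WAN; never reaches VLAN 50
    print("reply with route:   ", reply_path(True))    # handed to the Procurve at 10.10.0.1
```

Without the route, the echo request from 10.10.32.10 arrives on the LAN interface fine, but the reply matches only 0.0.0.0/0 and leaves via the WAN, so the server never sees it; with the route, the reply goes back to the Procurve, which delivers it into VLAN 50. As Rick_O_Shay notes earlier in the thread, the firewall's access rules must also permit the 10.10.32.0/19 subnet; the route alone only fixes the forwarding decision.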




ChocolateRain (Author) commented:
http://www.microsoft.com/downloads/details.aspx?FamilyID=3fb3bd5c-fed1-46cf-bd53-da23635ab2df&displaylang=en

That is the link for the Visio 2003 viewer.  When you say "The Procurve switch + router routes packets from VLAN 50 -> Vlan 1. (and back)." I'm not exactly sure we are on the same page as the Procurve itself is performing all the interVLAN routing, there is no external router performing this function.  That means if a

The ports in VLAN 50 are all part of VLAN 50 as an untagged port.
-All ports in question are untagged either in the VLAN 1 or VLAN 50 ports.  The server in question is untagged in VLAN 50 and the port to the firewall LAN interface is untagged in VLAN 1.

The firewall is in VLAN 1 on an untagged port. (Tagging is not used on any of those ports).

You would need a route from the firewall pointing to VLAN 50 handing off traffic to the procurve's address in VLAN 1
-  This sounds like it might work.  I'll try this tonight after our business is closed.

Is your server in VLAN 50 the only one that CANNOT ping/traceroute to the internet?
-No, all other devices in VLAN 50 CANNOT ping the LAN interface of the firewall.  Making me think it is the firewall and not the Procurve.

I'll try your suggestion tonight and get back to you.

noci (Software Engineer) commented:
It is slightly worse w.r.t. Visio, I have a Linux system... no Windows nearby (except for the ones of glass in wooden frames ;).

ChocolateRain (Author) commented:
Thanks very much, this did it!