Solved

How to configure multiple vlans to go through a layer 3 firewall interface

Posted on 2014-09-04
1,433 Views
Last Modified: 2015-05-22
Hi there,
I am currently in the process of breaking one big corporate vlan into 3 smaller ones and am having issues with internet connectivity in my lab.

I am using an HP Layer 3 core that will support the 3 corporate vlans as follows:

vlan 10: Building 1 - vlan-interface10 - 172.19.0.1/16 (current)
vlan 20: Building 2 - vlan-interface20 - 172.20.0.1/16 (future)
vlan 30: Building 3 - vlan-interface30 - 172.30.0.1/16 (future)

The core has a Palo Alto firewall off of a vlan 10 access port that all internet traffic currently passes through.
Its address is 172.19.0.10. The DHCP server is also on vlan 10 and has scopes for all 3 vlans (which are working).

All the LAN routing on the core is simple direct attach routes as everything comes back to the core's vlan-interfaces.

I can't seem to get vlan 20 or 30 to connect to the internet after adding a static 0.0.0.0/0 next-hop 172.19.0.10 route. VLAN 10 works fine.

If I am routing all internet traffic through 172.19.0.10, will it get NATed properly going through a VLAN 10 access port to the firewall's LAN (trust) interface?

Another thing is that I can ping the firewall LAN interface from vlan 10 but not from the other vlans, but I'm not sure if that is just a security rule.

I've read about using sub-interfaces, or using a physical interface on the Palo Alto for each vlan, and putting them all in the same security zone.

Any ideas of how i should do this?

Question by:Graycon
10 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40305200
So if you want the layer 3 interface of a vlan to be the PAN instead of your core router, then you need to do sub-interfaces on the PAN and tag the sub-interfaces for those vlans. This approach would separate your 3 vlans by the firewall, so they would have to go through the firewall to get to each other.

Do you want to separate your 3 segments by the firewall, or just have 3 separate vlans?

Also, do you have IP routing enabled on your core switch?
 

Author Comment

by:Graycon
ID: 40305208
Right now my 3 vlans can ping each other (and hosts) through layer 3 routing using vlan-interfaces. Basically I am just hanging the firewall off of one of the layer 2 VLAN 10 access ports. The firewall port itself has an ip address in the same subnet as the vlan 10 network.

I was hoping that by adding the static default route to the core that directs all internet traffic to the firewall IP, it would work. No luck. All addresses coming from that firewall port out the external WAN port are supposed to be NATed, but because the source IP is in a different subnet than that firewall port's subnet, maybe it doesn't work.

I'd like to keep my core doing the routing between vlans, and I think the HP switches are enabled for routing already.
 
LVL 3

Accepted Solution

by:MIRSYS (earned 250 total points)
ID: 40305366
You need to add routes to the firewall as well.
When the FW receives the vlan 20 and 30 packets, it doesn't know where to send the reply.
 
LVL 3

Expert Comment

by:MIRSYS
ID: 40305367
Also you would need to tell the firewall that vlans 20 and 30 are trusted ranges as well.
And the ping not working is probably a security rule, or because the FW does not know where to route the reply.
 
LVL 10

Assisted Solution

by:Schuyler Dorsey (earned 250 total points)
ID: 40305688
As MIRSYS says, try these things:

1. In the virtual router of the PAN, add two more static routes. Example
Destination 172.20.0.1/16 next hop *switch vlan 10 ip*

2. Create a security rule which allows a ping from the internal zone TO the internal zone (same zone as an explicit deny causes it to block intra-zone traffic).

3. If you want to ping the internal interface of the PAN, it needs a mgmt profile which allows ping attached to the internal interface.

 

Author Comment

by:Graycon
ID: 40306058
Thanks guys, I'll give the static routes a try.
 
LVL 11

Expert Comment

by:Bryant Schaper
ID: 40306335
A diagram may help too. We use a PAN for our network, and behind it we have probably 100 subnets; we use static routes as well to get back, and the internal router handles the next hop over learned BGP routes.
 
LVL 18

Expert Comment

by:Akinsd
ID: 40306649
Check that all the addresses are included in the translations.
Some engineers use object-network for NAT translations, some use the interface, some use access list (though uncommon). If you are using object-network, confirm that the 20 and 30 networks are included. Interface includes everything going through it.

Confirm that return routes exist on the firewall, as mentioned above (by MIRSYS).
a route to 172.0.0.0 0 through 172.19.0.1 should do the trick

Run a tracert from a PC to the internet (e.g. 4.2.2.2) to determine if the path is routed as desired.

Check the NAT translations to confirm the addresses are translated correctly.
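The three steps in Schuyler Dorsey's comment (return routes on the PAN virtual router, an explicit trust-to-trust rule, a management profile that answers ping) and the NAT coverage check in Akinsd's comment, written out as PAN-OS CLI configuration. This is an added example, not configuration posted in the thread. It assumes a virtual router named "default", the trust interface ethernet1/2 holding 172.19.0.10/16, the untrust (WAN) interface ethernet1/1, zones named "trust" and "untrust", and rule and profile names (to-vlan20, outbound-pat, allow-ping, and so on) chosen here. The static-route destinations are written as network prefixes (172.20.0.0/16, 172.30.0.0/16) with the core's VLAN 10 address 172.19.0.1 as next hop.

```text
# Added example, not from the original thread. Assumed names: virtual router "default",
# trust interface ethernet1/2 (172.19.0.10/16), untrust interface ethernet1/1,
# zones "trust"/"untrust". Run from the PAN-OS CLI.
configure

# 1. Return routes. Packets from 172.20.x.x and 172.30.x.x arrive on ethernet1/2 via the
#    core, but without these routes the reply only matches 0.0.0.0/0 and is sent out the
#    untrust interface instead of back to the core at 172.19.0.1.
set network virtual-router default routing-table ip static-route to-vlan20 destination 172.20.0.0/16
set network virtual-router default routing-table ip static-route to-vlan20 interface ethernet1/2
set network virtual-router default routing-table ip static-route to-vlan20 nexthop ip-address 172.19.0.1
set network virtual-router default routing-table ip static-route to-vlan30 destination 172.30.0.0/16
set network virtual-router default routing-table ip static-route to-vlan30 interface ethernet1/2
set network virtual-router default routing-table ip static-route to-vlan30 nexthop ip-address 172.19.0.1

# 2. Outbound source NAT that covers all three internal networks. A NAT rule whose source
#    is only 172.19.0.0/16 would silently skip VLAN 20/30 traffic, which then leaves the
#    WAN interface with an un-translated RFC 1918 source address.
set rulebase nat rules outbound-pat from trust to untrust source [ 172.19.0.0/16 172.20.0.0/16 172.30.0.0/16 ] destination any
set rulebase nat rules outbound-pat source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# 3. Security policy. trust -> untrust for the same three networks (not "any", so a
#    subnet that was never meant to reach the internet cannot ride along) ...
set rulebase security rules allow-internet-out from trust to untrust source [ 172.19.0.0/16 172.20.0.0/16 172.30.0.0/16 ] destination any application any service application-default action allow
#    ... and an explicit trust -> trust rule so ping between the VLANs through the
#    firewall, and to the firewall's trust address, is not caught by a broader deny.
set rulebase security rules allow-trust-intrazone from trust to trust source any destination any application ping service application-default action allow

# 4. Management profile: without it the trust interface itself never answers ICMP,
#    regardless of the security policy, so "ping 172.19.0.10" from VLAN 20 fails.
set network profiles interface-management-profile allow-ping ping yes
set network interface ethernet ethernet1/2 layer3 interface-management-profile allow-ping

commit
exit

# Verification (operational mode): the FIB lookup for a VLAN 20 host must now resolve to
# ethernet1/2 via 172.19.0.1, and a session from that host must show a translated source.
show routing route
test routing fib-lookup virtual-router default ip 172.20.0.50
show running nat-policy
show session all filter source 172.20.0.50
```

Order the security rules with allow-trust-intrazone above any catch-all deny; rules are evaluated top down and the first match wins. On PAN-OS 6.1 and later the predefined intrazone-default rule already allows trust-to-trust traffic, so the explicit rule matters only when an earlier rule denies it. The routes and NAT rule are independent of firewall software version: any firewall that does not know a return path for a source network will either drop the reply or send it to its default gateway.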
 

Author Closing Comment

by:Graycon
ID: 40319692
Thanks guys. The static routes on the PAN worked!
 

Expert Comment

by:SteveMartens
ID: 40792234
This just solved my problem as well, thanks for the solutions!