Adding a physical device in a virtual design?

DAVIDsTEA_Inc
Level 1

Hi Guys,

I'm having an issue figuring out how to plug a physical device in a virtual design.  I'm trying to plug a webfilter inline between my switch and firewall so it can filter traffic transparently.  The problem is that my firewall is virtual running on a vmware infrastructure with multiple hosts so I can't simply put it in between.  Here is an example of my physical/virtual design:

http://i.imgur.com/4rFQj7E.jpg

I was thinking about creating an untagged port on my VLAN 666 and assigning the VLAN 666 IP to another port and plugging the webfilter in between, but I don't think the traffic would actually flow through the cable.

Anyone have an idea?

Thanks.

23 Replies

This sounds like an interesting idea, Paul.  I have a bit of difficulty understanding how the two VLANs will act as one since I've never heard of anything like this before, but I'll give it a shot.  I'll see if I can get this running sometime this week in a "test setup" with a cloned firewall.

Hi -

At the risk of sounding old, this is the methodology that was used to set up the Cisco 4200 IPS sensors in VLAN Pair mode. See here.

You really need to understand that 802.1q VLAN tagging at L2 has nothing to do with IP at L3 and you need to disconnect those ideas in your head.

In this case we are merging (2) L2 networks for the purposes of enforcing a particular traffic flow for L3.  To get from Point A (SVI) to Point B (FW) we can only get there via the link we provide.

PSC

Hi Paul,

So I'm in the process of trying this out but I'm stuck so perhaps you can help?  

I haven't plugged the Barracuda device in yet because I want to try the VLAN bridging before I do.  

I'm in a test environment with the following:

vlan 222
vlan 333
int vlan 222
 ip address 192.168.254.2 255.255.255.248
int range gi1/0/10 - 14
 description ESXi hosts
 switch mode trunk

I plugged a test FIREWALL(FW) LAN facing port into VLAN 333 and it has the IP address of 192.168.254.1 255.255.255.248.  The FW and Switch cannot ping each other and if I do a "sh arp" on my switch, the FW IP doesn't show up.  Is it possible that it needs something physically plugged into the VLANs for this to occur or am I missing something?

Hi -

Yes.  You need a physical connection to bridge the VLANs, which is what the Barracuda is going to do.  Here's a sample view:

Assuming these are the physical connections, the switch-side configuration follows as:

int vlan 222
 ip address 192.168.254.2 255.255.255.248
!
! ESXi trunks carry everything except the SVI-side VLAN, so the only path
! from the firewall (VLAN 333) to the SVI (VLAN 222) is the bridge link
int range gi1/0/1, gi1/0/3
 desc ESXi Host
 switch mode trunk
 switch trunk allow vlan remove 222
 spanning-tree portfast trunk
!
! the two ends of the physical bridge link; BPDUs are filtered on both
int gi1/0/10
 desc To Barracuda Inside (or self on Gi1/0/16)
 switch mode access
 switch access vlan 222
 spanning-tree bpdufilter enable
int gi1/0/16
 desc To Barracuda Outside (or self on Gi1/0/10)
 switch mode access
 switch acc vlan 333
 spanning-tree bpdufilter enable

The firewall gets attached to VLAN 133 in ESX.

PSC

That's what I had just figured out, but I can't actually plug in the Barracuda yet, so I basically looped a cable from one switch port to another.  So here is what I have, but I still don't see the FW appearing in the switch's ARP or the switch appearing in the FW's ARP.  

FYI, my tests are being done on an HP 5500 switch, not Cisco.  The final configuration will be on a Cisco, but I don't think it should make a difference?  Here's my actual configuration:

vlan 222
name "WEBFILTER BRIDGE TEST 222"
#
vlan 333
name "WEBFILTER BRIDGE TEST 333"
#

interface Vlan-interface222
ip address 192.168.254.2 255.255.255.248
arp send-gratuitous-arp interval 2000
#
interface Vlan-interface333
arp send-gratuitous-arp interval 2000
#

interface range Gi1/0/10 to Gi1/0/14
port link-mode bridge
description ESXi HOSTS
port link-type hybrid
port hybrid vlan 333 tagged
port hybrid vlan 1 untagged
#

interface GigabitEthernet2/0/17
port link-mode bridge
port access vlan 222
#
interface GigabitEthernet2/0/18
port link-mode bridge
port access vlan 333
#

I tested that my VLANs are working by plugging my laptop into an access port in 222 and then 333 with the IP of 192.168.254.3, and it's able to communicate with the switch and FW while within the respective VLAN, but not both.

Maybe it's a HP thing?

Hi -

The key to the configuration I presented is BPDU filtering.  Allowing BPDUs across the VLAN bridge link is likely to cause the port(s) to go into STP blocking due to inconsistent VLANs on both sides.

You will need to apply the equivalent for the HP switch.

PSC
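To make the "enforced traffic flow" above checkable rather than a matter of eyeballing the config, here is an added example (not code from the thread, from Cisco, or from any vendor tool) that lints a Cisco IOS switch config for the properties this VLAN-pair design relies on: an SVI on only one VLAN of the pair, BPDU filtering on both bridge endpoints (the STP discarding problem that surfaces later on the HP), and no trunk still carrying the SVI-side VLAN, since such a trunk would let the virtual firewall reach the SVI without crossing the inline device. The sample configs are constructed for the example (modelled on the working config posted above), and the checks themselves are this example's own assumptions about what the design needs.

```python
"""Lint a Cisco IOS config for the VLAN-pair bridge design in this thread: SVI in one
VLAN, firewall in the other, and the only L2 path between them a cable through the
inline device. Added example, not code from the thread or any vendor; the checks and
the sample configs are this example's own assumptions about what the design needs."""
import re

SVI_VLAN, FW_VLAN = 222, 333  # the pair used in the thread

def expand_names(spec):
    """'gi1/0/1, gi1/0/3' -> two names; 'gi1/0/10 - 14' -> five names."""
    names = []
    for part in (p.strip().lower() for p in spec.split(",")):
        if m := re.match(r"^(\S+?)(\d+)\s*-\s*(\d+)$", part):
            names += [f"{m[1]}{n}" for n in range(int(m[2]), int(m[3]) + 1)]
        else:
            names.append(part)
    return names

def vlan_set(spec):
    """'1,10-12' -> {1, 10, 11, 12}."""
    out = set()
    for lo, _, hi in (p.partition("-") for p in spec.replace(" ", "").split(",")):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_ios(text):
    """Return {interface: settings}; abbreviated IOS keywords are accepted."""
    ifaces, current = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"^int(?:erface)?\s+(?:range\s+)?(.+)$", line, re.I):
            current = expand_names(m[1])  # sub-commands below apply to all of these
            for n in current:
                ifaces.setdefault(n, {"mode": None, "access": None, "allowed": None,
                                      "removed": set(), "bpdufilter": False, "ip": None})
            continue
        for s in (ifaces[n] for n in current):
            if re.match(r"^ip\s+add", line):
                s["ip"] = line.split()[2]
            elif m := re.match(r"^switch(?:port)?\s+mode\s+(access|trunk)", line):
                s["mode"] = m[1]
            elif m := re.match(r"^switch(?:port)?\s+acc(?:ess)?\s+vlan\s+(\d+)", line):
                s["access"] = int(m[1])
            elif m := re.match(r"^switch(?:port)?\s+trunk\s+allow(?:ed)?\s+vlan\s+remove\s+(.+)", line):
                s["removed"] |= vlan_set(m[1])
            elif m := re.match(r"^switch(?:port)?\s+trunk\s+allow(?:ed)?\s+vlan\s+([\d,\s-]+)$", line):
                s["allowed"] = vlan_set(m[1])
            elif re.match(r"^spanning-tree\s+bpdufilter\s+enable", line):
                s["bpdufilter"] = True
    return ifaces

def audit(text, svi_vlan=SVI_VLAN, fw_vlan=FW_VLAN):
    """Return a list of findings; an empty list means the design holds."""
    ifaces, findings = parse_ios(text), []
    # An SVI on the firewall-side VLAN lets the switch route around the bridge link.
    if ifaces.get(f"vlan {fw_vlan}", {}).get("ip"):
        findings.append(f"vlan {fw_vlan} has an SVI: switch routes around the bridge")
    if not ifaces.get(f"vlan {svi_vlan}", {}).get("ip"):
        findings.append(f"vlan {svi_vlan} has no SVI: nothing routes on the inside")
    for name, s in sorted(ifaces.items()):
        # Bridge endpoints must drop BPDUs, or STP sees the same bridge via both
        # VLANs and puts one port into discarding (the symptom seen on the HP).
        if s["access"] in (svi_vlan, fw_vlan) and not s["bpdufilter"]:
            findings.append(f"{name}: access vlan {s['access']} without bpdufilter")
        # A trunk that still carries the SVI-side VLAN is a bypass: a host behind
        # it (e.g. the virtual firewall) reaches the SVI without crossing the device.
        carries = (s["allowed"] is None or svi_vlan in s["allowed"]) and svi_vlan not in s["removed"]
        if s["mode"] == "trunk" and carries:
            findings.append(f"{name}: trunk carries vlan {svi_vlan} (bypass path)")
    return findings

# Constructed sample, modelled on the working switch config posted in the thread.
GOOD_CONFIG = """\
int vlan 222
 ip address 192.168.254.2 255.255.255.248
int range gi1/0/1, gi1/0/3
 switch mode trunk
 switch trunk allow vlan remove 222
int gi1/0/10
 switch mode access
 switch access vlan 222
 spanning-tree bpdufilter enable
int gi1/0/16
 switch mode access
 switch acc vlan 333
 spanning-tree bpdufilter enable
"""
# Same config with two defects: the ESXi trunks still carry VLAN 222, and the
# outside bridge port (owner of the last bpdufilter line) has no BPDU filter.
BAD_CONFIG = "".join(GOOD_CONFIG.replace(" switch trunk allow vlan remove 222\n", "")
                     .rsplit(" spanning-tree bpdufilter enable\n", 1))

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Run it as-is and the good config reports nothing while the defective one flags both ESXi trunks as a bypass path and the outside bridge port as missing its BPDU filter. The trunk check is the one worth keeping in a change-review pipeline: `remove 222` is a single line that anyone "fixing" VLAN connectivity on the ESXi uplinks can drop, and once VLAN 222 is on that trunk the inline device is silently out of the path.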

Makes sense.  Port 2/0/18 shows as discarding...

0 GigabitEthernet2/0/17 DESI FORWARDING NONE
0 GigabitEthernet2/0/18 BACK DISCARDING NONE

These HP/3COM switches are so complicated vs. Cisco.  I'm not quite sure how to get the BPDU filter working.

Guess I'll rifle through google.

Thanks a million Paul.  This bridge worked perfectly and we're running with our Physical Device in-line right now!

The 3Com OS commands were hard to find, because in Cisco it's an "enable" and in 3Com it's a "drop":

bpdu-drop any

:)

Hope this thread helps others in the same situation.

It took me some time to find the command, which is ...

bpdu-drop any

Now ports are no longer discarding and I can see the devices in the ARP Tables.

I'll give the barracuda a try soon.

You're a superstar Paul! :)
