flat switch

dave dave
Level 1

hi! Because of downsizing we are migrating from a leased line to an internet VPN, and there's the possibility of going for a flat network, because we do not want to mix the network segment between the leased line/MPLS and the internet VPN site-to-site IP range.

In order to have a progressive migration to move the existing equipment to the flat network, we will be using either a new or existing VLAN to connect to the VPN box. The IP address range used for the VPN is in a different IP/network range from the leased line connection and from the network range used in the HSRP configuration on the 2x interconnected L3 switches.

During the migration, both the VPN box and the leased line will be running concurrently, so that we can coordinate getting the equipment's IPs moved to the flat network slowly. My question would be: can I use my existing Mgt/VLAN in the L3 switch as the potential future flat network range by changing the mgt IP in the HSRP gateway to the VPN IP range? With that change, I will also start with the IP renumbering for the L2 switches' management IP & ip default-gateway in the L2 switches.

Do you think that would be a better option, or should I start with a new VLAN for the new VPN network in the L3 switch, and subsequently change the native VLAN trunking between all the switches?

Eventually, I will have 2 interconnected L3 switches running only a single VLAN with HSRP, with a default route through the VPN box. Do you think this will work?

Thanks.

12 Replies

dave dave
Level 1

hi! Any advice on the questions above? Thanks.

hi! Any advice on the question in my initial post?

In addition to that, I would also like to know: with the VPN network segment in the L3 switch, does the existing default route or any static route (not for the 192.168.x.x destination of the VPN segment) in the L3 switch have an impact on the VPN network segment/VLAN? (With the default route configured in the VPN FW to route the 192.168.1.1 VPN segment.)

The ip default-gateway command in the L2 switches: is it just to enable management/connectivity to manage the port, or will it impact the connectivity of the other VLANs with the L3 GW?

Thanks.

Jon Marshall
Hall of Fame

Do you think that would be a better option, or should I start with a new VLAN for the new VPN network in the L3 switch, and subsequently change the native VLAN trunking between all the switches?

I would use a new subnet for the VPN. I'm not sure why you want a flat network, i.e. the management VLAN should not be the same VLAN as the user/client VLAN even in your new setup. Unless you really only need one VLAN and do not want to set up inter-VLAN routing, in which case you could use one VLAN for all devices including management of the switches.

Do you not have any servers? If you do, it is recommended to put these in their own VLAN as well.

In addition to that, I would also like to know: with the VPN network segment in the L3 switch, does the existing default route or any static route (not for the 192.168.x.x destination of the VPN segment) in the L3 switch have an impact on the VPN network segment/VLAN?

Yes, if the L3 switch is doing inter-VLAN routing. But if you only have a default route pointing to the firewall then it makes no difference, i.e. you end up at the same device anyway.

The ip default-gateway command in the L2 switches: is it just to enable management/connectivity to manage the port, or will it impact the connectivity of the other VLANs with the L3 GW?

On an L2 switch the ip default-gateway command is only relevant to the switch itself, so that you can access the switch for managing it from a remote subnet. It has no effect on client traffic.

Jon

Hi! Yes, eventually it will be a flat network. Most of the servers will be moved out. The reason for having the VPN and the leased line at the same time is to allow a slow migration to the simple VPN network, which involves proprietary equipment, and eventually using only the VPN.

For the existing default route at the L3 switches: it's pointing to the leased line currently. If that's the case, what is required here to allow the 192.168.1.x traffic to go through the VPN and the existing VLANs to go through the leased line?

If I'm assigning the GW (FW internal LAN) to the clients through DHCP instead of the HSRP GW in the L3 switches, will that resolve the issue?

Thanks.

Jon Marshall
Hall of Fame

Can you draw a quick topology diagram, i.e. how the network looks now and where the VPN box is going to be placed and connected up?

Also, what traffic is going to go down the VPN link, i.e. source and destination IPs?

Jon

hi! I've attached the draft diagram at the bottom of the page. The VPN box will be connected to VLAN 100 on a switch port in one of the L3 switches.

If I'm assigning the GW (FW internal LAN) to the clients through DHCP instead of the HSRP GW in the L3 switches (probably the HSRP interface for VLAN 100 might not be required in this case?), will that resolve the issue?

Here is the existing config extracted from the L3 switches (without the VLAN 100 192.168.1.x/24 HSRP GW yet). Please advise. Thanks.

SiteA_Core1
----------------------------
interface GigabitEthernet6/1
 no switchport
 ip address 10.10.31.241 255.255.255.252
!
interface Vlan26
 description VLAN 26 Management
 ip address 10.10.26.2 255.255.255.0
 standby 1 ip 10.10.26.1
 standby 1 priority 120
 standby 1 preempt
!
interface Vlan29
 description VLAN 29 Data
 ip address 10.10.29.2 255.255.255.0
 standby 1 ip 10.10.29.1
 standby 1 priority 120
 standby 1 preempt
!
interface Vlan30
 description VLAN 29 Data1
 ip address 10.10.30.2 255.255.255.0
 standby 1 ip 10.10.30.1
 standby 1 priority 80
 standby 1 preempt
!
interface Vlan31
 description VLAN 311 svr
 ip address 10.10.31.130 255.255.255.240
 standby 1 ip 10.10.31.129
 standby 1 priority 120
 standby 1 preempt
!
interface Vlan32
 description VLAN 312 security
 ip address 10.10.31.226 255.255.255.240
 standby 1 ip 10.10.31.225
 standby 1 priority 80
 standby 1 preempt
!
router ospf 100
 log-adjacency-changes
 redistribute static subnets
 network 10.10.31.241 0.0.0.0 area 0
 network 10.10.26.0 0.0.15.255 area 0
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet6/1 10.10.31.242
ip route 0.0.0.0 0.0.0.0 GigabitEthernet6/1 10.10.31.246 250
ip route 10.0.0.0 255.0.0.0 GigabitEthernet6/1 10.10.31.242 250

SiteA_Core2
------------------------------------
interface GigabitEthernet6/1
 no switchport
 ip address 10.10.31.245 255.255.255.252
!
interface Vlan26
 description VLAN 26 Management
 ip address 10.10.26.3 255.255.255.0
 standby 1 ip 10.10.26.1
 standby 1 priority 120
 standby 1 preempt
!
interface Vlan29
 description VLAN 29 Data
 ip address 10.10.29.3 255.255.255.0
 standby 1 ip 10.10.29.1
 standby 1 priority 120
 standby 1 preempt
!
interface Vlan30
 description VLAN 30 Data1
 ip address 10.10.30.3 255.255.255.0
 standby 1 ip 10.10.30.1
 standby 1 priority 120
 standby 1 preempt
!
interface Vlan31
 description VLAN 311 svr
 ip address 10.10.31.131 255.255.255.240
 ip helper-address 10.10.9.4
 standby 1 ip 10.10.31.129
 standby 1 priority 80
 standby 1 preempt
!
interface Vlan32
 description VLAN 312 security
 ip address 10.10.31.227 255.255.255.240
 ip helper-address 10.10.9.4
 standby 1 ip 10.10.31.225
 standby 1 priority 120
 standby 1 preempt
!
router ospf 100
 log-adjacency-changes
 redistribute static subnets
 network 10.10.31.245 0.0.0.0 area 0
 network 10.10.26.0 0.0.15.255 area 0
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet6/1 10.10.31.242
ip route 0.0.0.0 0.0.0.0 GigabitEthernet6/1 10.10.31.246 250
ip route 10.0.0.0 255.0.0.0 GigabitEthernet6/1 10.10.31.246 250

SiteA_Router 1
----------------
interface FastEthernet0/1/0
 description Connection to Core1
 ip address 10.10.31.242 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1/1
 description connection to core2
 ip address 10.10.31.246 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description Connection to router1
 ip address 10.10.25.122 255.255.255.252
 duplex auto
 speed auto
!
router ospf 8
 network 10.10.25.122 0.0.0.0 area 0
 network 10.10.31.242 0.0.0.0 area 0
 network 10.10.31.246 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 10.10.25.121

I'm not entirely clear on what the leased line is used for, i.e. is it just to get to site B or is it for internet as well?

Can you answer the following:

1) The VLANs on the L3 switches (not VLAN 100): do they still need to get to site B via the leased line?

2) Does VLAN 100 need to communicate with the other VLANs on the L3 switches?

3) Is the VPN box only going to be used for site A to site B traffic for VLAN 100?

4) Where is general internet access, i.e. which device, and does VLAN 100 need to use this as well as the VPN box?

Jon

hi! The leased line is to connect site A to site B (which has an MPLS connection to HQ). The leased line is used for both internet (eventually exiting through site B) and the enterprise network.

Here are the answers to your questions:

1) Yes, until we move all the equipment to VLAN 100 (used for the VPN and the only VLAN used eventually).

2) Good to have. The equipment should all be moved to VLAN 100 within a week. What would be the difference in config if that's not required?

3) The VPN box will connect to HQ directly; the traffic will no longer be required to go through site B to get to HQ.

4) This VPN box is used for site-to-site VPN. Thus the internet traffic will go through HQ.

2) Basically the config becomes more complicated if you need VLAN 100 to talk to the other VLANs. If you didn't need this then the easiest solution is, as you say, to assign the VPN box internal IP as the default gateway for VLAN 100.

If VLAN 100 needs to talk to other VLANs on the L3 switch we would have to use PBR (Policy Based Routing) for VLAN 100 traffic, so that when it wants to go to site B it goes via the VPN box.

Jon

hi! So in short, there's no need to create the HSRP gateway for VLAN 100. I just need to make sure that the FW internal GW is used as the GW when I issue IP addresses through DHCP. The existing default route will have no impact on VLAN 100.

And in order to enable VLAN 100's traffic to use one default route and another one for the existing L3 VLANs, I will need to configure 2 default routes in the L3 routing table with policy-based routing.

I can use VLAN 100 eventually (without HSRP gateway) with the FW internal interface IP address as the GW for the ip default-gateway command (in all the switches, APs) + VLAN 100 has to be changed to be the native VLAN.

Is my understanding above correct?

Thanks.

And in order to enable VLAN 100's traffic to use one default route and another one for the existing L3 VLANs, I will need to configure 2 default routes in the L3 routing table with policy-based routing.

That's not exactly what I meant.

If you want VLAN 100 to be able to talk to the other VLANs then you would configure HSRP for VLAN 100, use the HSRP virtual IP as the default gateway and then use PBR for traffic from VLAN 100 to the HQ subnets to send that traffic to the VPN box.

The alternative is to make the VPN box the default gateway and then bounce traffic back to the L3 switch for the other VLANs, but firewalls don't generally like doing this. It depends on the firewall in use.

The native VLAN has nothing to do with any of this. You can leave it alone or you can change it to VLAN 100 in the end; it's up to you.

When you keep referring to the firewall I'm assuming you mean the VPN box, is that correct?

Jon
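The HSRP-plus-PBR option described in the two replies above, written out for SiteA_Core1 as an added example (this is not config from the thread or from any of the posters). The VPN box internal IP 192.168.1.254, the HQ range 10.20.0.0/16 and the VLAN 100 HSRP VIP 192.168.1.1 are assumptions; only traffic arriving from VLAN 100 and destined for HQ is policy-routed, everything else (other local VLANs, site B via the leased line) still follows the normal routing table.

```ios
! --- Added example, SiteA_Core1 (SiteA_Core2 mirrors it with .3 and priority 80) ---
! Assumed values (not on the page): HQ range 10.20.0.0/16,
! VPN box internal IP 192.168.1.254, HSRP VIP 192.168.1.1.

! Match only VLAN 100 sources going to HQ. Keep this ACL narrow: a broad
! "permit ip any any" here would also send VLAN 100 -> local VLAN traffic
! to the VPN box, which is exactly the bounce-back case firewalls dislike.
ip access-list extended VLAN100-TO-HQ
 permit ip 192.168.1.0 0.0.0.255 10.20.0.0 0.0.255.255
!
! Packets matching the ACL get next-hop 192.168.1.254 (the VPN box) instead
! of the routing-table default via the leased line. Non-matching packets
! fall through and are routed normally (no "deny" entry needed for that).
route-map VLAN100-VIA-VPN permit 10
 match ip address VLAN100-TO-HQ
 set ip next-hop 192.168.1.254
!
! SVI for VLAN 100: HSRP like the existing VLANs, with the policy applied
! inbound so it only affects traffic sourced from VLAN 100 hosts.
interface Vlan100
 description VLAN 100 VPN
 ip address 192.168.1.2 255.255.255.0
 ip policy route-map VLAN100-VIA-VPN
 standby 1 ip 192.168.1.1
 standby 1 priority 120
 standby 1 preempt
!
! DHCP for VLAN 100 hands out the VIP 192.168.1.1 as default gateway.
! The VPN box still needs routes for the other site A VLANs (the 10.10.26.0/20
! range advertised in OSPF) pointing at 192.168.1.1 so return traffic from HQ
! reaches them through the L3 switches.
```

Verify with `show route-map VLAN100-VIA-VPN` that the policy match counter increments only for HQ-bound flows; if traffic to the other local VLANs also counts, the ACL is too broad and is diverting it to the VPN box.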

hi! We are using Checkpoint Edge, so I would have the L3 VLANs' summary address as the destination from the FW through VLAN 100? Do I need to add VLAN 100 into the L3 OSPF? Just for my info; I don't think we are going to do that.

We would just have VLAN 100 created + DHCP to assign the GW (FW internal interface).

I think I should change the native VLAN and the management IP of the switches, right? Otherwise, once the leased line is removed, I will not be able to manage them through the existing IP address... or I can just use a loopback address of 192.168.x.x in the L2 switches for management purposes, without changing the existing mgt IP or default-gateway in those L2 devices.

Yes, the FW I'm referring to is the VPN box.

Thx.
