topic Re: Migrating to new firewall with VLANs in ExtremeSwitching (EXOS/Switch Engine)

Migrating to new firewall with VLANs

RayR — Mon, 21 Sep 2020 22:18:54 GMT

Good Morning everyone,

We are running Extreme X690’s for our core. This currently does our VLAN routing for us, with a default gateway to an old firewall that is not configured for VLANs (its being sent untagged packets).

We have a new firewall I am installing and it is now required to have the new firewall be passed the VLANs so we can handle any firewalling/routing between those VLANs. I have configured the new firewall with appropriate VLAN interfaces, and trunked the appropriate VLANs to it from the core with TAGs. Each VLAN interface on the firewall has its own IP (for example 10.165.8.254, 10.165.18.254, 10.165.22.84, etc). In testing I can ping these IPs from the respective VLANS, so that looks OK from what I can tell. So far, so good I hope.

Here comes the part where I admit I am NOT an network engineer. 🙂 How do I change the core so that each VLAN will report to its own gateway IP? Currently the default gateway of the switches reports to 10.165.8.254, which I do not believe will work if we need to firewall between these VLANs. Shouldn’t each VLAN report to its own gateway on the subnet?

Any help is appreciated. Hopefully I’m on the right track. The new firewall is not live yet, but I am hoping to figure this out ahead of time to save me a weekend of debugging trying to get this live in October.

Thanks in advance!

Ray

Re: Migrating to new firewall with VLANs

Stefan_K_ — Mon, 21 Sep 2020 22:49:03 GMT

Hello,

the things you said make sense, so I don’t really understand what your problems are.

the firewall has the same IP-Addresses on its VLAN-interfaces as the X690? Then you just have to unconfigure the IP-Addresses from the X690. The X690 will switch the tagged packets to firewall. The firewall will be the new gateway for the vlans and handle all the traffic/routing.

You only might need to configure a new IP-Interface on the X690 for the management of the switch itself (after you have unconfigured all IP-addresses.)

Simple example:
You have VLANs 10,20,30. VLAN30 is used for Switch/Network-Mgmt.
Firewall is connected to Port 1 of the X690, Edge-Switches are connected to Port 2-9.
You tag VLAN 10,20 and 30 on Port 1 to 9.
Firewall has 1 physical interfaces (connected to Port 1 of the X690) which has 3 VLAN interfaces: VLAN10, 20 and 30. The IP-Addresses of these VLANs are the old IP-Addresses of the X690 (so you don’t have to change DHCP-Settings or static configurations on some devices)
You unconfigure all IP-Addresses of the X690.
The firewall-interfaces are now reachable from the VLANs.
Configure a new IP-Address on VLAN30 on the X690. Default Gateway of the X690 is the IP-Address of the firewall (on VLAN30). X690 is now manageable again.

I hope my text is not too confusing… If you have any questions, feel free to ask.

Best regards
Stefan

Re: Migrating to new firewall with VLANs

RayR — Tue, 22 Sep 2020 00:17:59 GMT

Stefan,

Thanks, that makes perfect sense! I was starting to look at using static routes to get me there.

I’m looking in the config of the core switches, and see this on 2 of them for one of our VLANs I need to change. Others are the same with IPs respective to their net… so Im assuming the same solution for all involved VLANs.

configure vrrp vlan CLIENTS vrid 118 add 10.165.18.1

This looks like its assigning an IP to a virtual router correct? So, would I just be removing this IP and assigning the IP 10.165.18.1 on the firewall interface? If so, would I just configure vrrp vlan CLIENTS vrid 118 delete 10.165.18.1?

If not, then maybe it didn’t make perfect sense to me after all!

Thank you!

Ray

Re: Migrating to new firewall with VLANs

Stefan_K_ — Tue, 22 Sep 2020 02:11:52 GMT

Yes, VRRP is in use because your Core-Switches are two standalone switches (and no stack/chassis/vsb...). The two X690 share the virtual ip address 10.165.18.1 - one of the two switches has a higher priority and is the Master. The Backup will become the master if the Master fails.

And yes, in your Case you can disable vrrp since your Core-Switches won’t route any more.

configure vrrp vlan CLIENTS vrid 118 delete 10.165.18.1

is the command to delete the virtual ip address. You can look up the current vrrp config by issuing

show configuration vrrp

To completely remove it, use these commands:

configure vrrp vlan CLIENTS vrid 118 delete 10.165.18.1
delete vrrp vlan CLIENTS vrid 118
disable vrrp

(deleting the vrrp might be enough, but I’m currently unsure if you can delete a vrrp on a vlan if there is still a virtual ip configured)

to remove the ip address and disable ip-forwarding:

unconfigure vlan CLIENTS ipaddress
disable ipforwarding vlan CLIENTS

If your new firewall is also a cluster it will most likely also use vrrp, although you probably won’t have to configure it. 🙂

Re: Migrating to new firewall with VLANs

RayR — Tue, 22 Sep 2020 02:35:33 GMT

It sounds like I had better plan a good revert strategy for this one in case it goes poorly!

Thank you very much for your help! I will let you know how the project went when it is complete. And, if you are ever in the Heilbronn area, I will have Markus in our Heilbronn office buy you some bier!

Best regards Stefan!

Ray

Re: Migrating to new firewall with VLANs

Stefan_K_ — Tue, 22 Sep 2020 03:39:42 GMT

In the past I was monthly in Heilbronn. I don’t know about the future though, but I appreciate your offer! 🙂