cancel
Showing results for 
Search instead for 
Did you mean: 

Migrating to new firewall with VLANs

Migrating to new firewall with VLANs

RayR
New Contributor

Good Morning everyone,

 

We are running Extreme X690’s for our core.  This currently does our VLAN routing for us, with a default gateway to an old firewall that is not configured for VLANs (its being sent untagged packets).

 

We have a new firewall I am installing and it is now required to have the new firewall be passed the VLANs so we can handle any firewalling/routing between those VLANs.  I have configured the new firewall with appropriate VLAN interfaces, and trunked the appropriate VLANs to it from the core with TAGs.  Each VLAN interface on the firewall has its own IP (for example 10.165.8.254, 10.165.18.254, 10.165.22.84, etc).  In testing I can ping these IPs from the respective VLANS, so that looks OK from what I can tell.  So far, so good I hope.

 

Here comes the part where I admit I am NOT an network engineer.  🙂  How do I change the core so that each VLAN will report to its own gateway IP?  Currently the default gateway of the switches reports to 10.165.8.254, which I do not believe will work if we need to firewall between these VLANs.  Shouldn’t each VLAN report to its own gateway on the subnet?

 

Any help is appreciated.  Hopefully I’m on the right track.  The new firewall is not live yet, but I am hoping to figure this out ahead of time to save me a weekend of debugging trying to get this live in October.

Thanks in advance!

Ray

 

 

 

1 ACCEPTED SOLUTION

Stefan_K_
Valued Contributor

Yes, VRRP is in use because your Core-Switches are two standalone switches (and no stack/chassis/vsb...). The two X690 share the virtual ip address 10.165.18.1 - one of the two switches has a higher priority and is the Master. The Backup will become the master if the Master fails.

And yes, in your Case you can disable vrrp since your Core-Switches won’t route any more.

configure vrrp vlan CLIENTS vrid 118 delete 10.165.18.1

is the command to delete the virtual ip address. You can look up the current vrrp config by issuing

show configuration vrrp

To completely remove it, use these commands:

configure vrrp vlan CLIENTS vrid 118 delete 10.165.18.1
delete vrrp vlan CLIENTS vrid 118
disable vrrp

(deleting the vrrp might be enough, but I’m currently unsure if you can delete a vrrp on a vlan if there is still a virtual ip configured)

to remove the ip address and disable ip-forwarding:

unconfigure vlan CLIENTS ipaddress
disable ipforwarding vlan CLIENTS

If your new firewall is also a cluster it will most likely also use vrrp, although you probably won’t have to configure it. 🙂

View solution in original post

5 REPLIES 5

Stefan_K_
Valued Contributor

In the past I was monthly in Heilbronn. I don’t know about the future though, but I appreciate your offer! 🙂 

RayR
New Contributor

It sounds like I had better plan a good revert strategy for this one in case it goes poorly!  1e69b9cee527401b80157acbe3b7f960_1f600.png   

Thank you very much for your help!  I will let you know how the project went when it is complete.  And, if you are ever in the Heilbronn area, I will have Markus in our Heilbronn office buy you some bier!

Best regards Stefan!

Ray

Stefan_K_
Valued Contributor

Yes, VRRP is in use because your Core-Switches are two standalone switches (and no stack/chassis/vsb...). The two X690 share the virtual ip address 10.165.18.1 - one of the two switches has a higher priority and is the Master. The Backup will become the master if the Master fails.

And yes, in your Case you can disable vrrp since your Core-Switches won’t route any more.

configure vrrp vlan CLIENTS vrid 118 delete 10.165.18.1

is the command to delete the virtual ip address. You can look up the current vrrp config by issuing

show configuration vrrp

To completely remove it, use these commands:

configure vrrp vlan CLIENTS vrid 118 delete 10.165.18.1
delete vrrp vlan CLIENTS vrid 118
disable vrrp

(deleting the vrrp might be enough, but I’m currently unsure if you can delete a vrrp on a vlan if there is still a virtual ip configured)

to remove the ip address and disable ip-forwarding:

unconfigure vlan CLIENTS ipaddress
disable ipforwarding vlan CLIENTS

If your new firewall is also a cluster it will most likely also use vrrp, although you probably won’t have to configure it. 🙂

RayR
New Contributor

Stefan,

Thanks, that makes perfect sense!  I was starting to look at using static routes to get me there.

I’m looking in the config of the core switches, and see this on 2 of them for one of our VLANs I need to change.  Others are the same with IPs respective to their net… so Im assuming the same solution for all involved VLANs.

configure vrrp vlan CLIENTS vrid 118 add 10.165.18.1

This looks like its assigning an IP to a virtual router correct?  So, would I just be removing this IP and assigning the IP 10.165.18.1 on the firewall interface?  If so, would I just configure vrrp vlan CLIENTS vrid 118 delete 10.165.18.1?

If not, then maybe it didn’t make perfect sense to me after all!  e28474442316430f8aed3bbbe2259395_1f602.png

Thank you!

Ray

 

GTM-P2G8KFN