x620 routing

JohnC3
New Contributor II
We currently have three school locations with X440-48p switches connected to their own firewall and Internet service. We recently ran fiber between the locations and purchased a X620-16x to act as an aggregate switch. Going forward we want to connect the three networks to the X620 and utilize one firewall and Internet service. I keep going around in circles with the routing commands on the X620 and changes needed on the existing switches. Any help would be appreciated.

Existing networks on the X620
A: 172.16.0.1/21 port 3
B: 172.17.0.1/21 port 2
C: 172.19.0.1/21 port 4

Port 1 is connected to the firewall with 172.21.0.1/24

FredrikB1
New Contributor
Do you need the X620 to route traffic between school locations? If no firewalling or even ACL protection is in place between them you make the network very vulnerable to lateral spread of viruses and the likes. I'd much rather have the client VLANs go to the firewall via the X620 just switched/bridged and not routed and then let the firewall decide what traffic to let through between the locations. Also, are there only clients on those VLANs? What about printers, servers, door lock systems, building control and so on? At the very least, put students in their own VLAN, staff in their own and "machines" in their own VLANs, one per location! It is not that difficult to setup firewall VLANs and policies to separate these groups. In your case that means 9 VLANs instead of 3.

Surely you can let the X620 route it all (it sure can handle it) but it wouldn't be very safe!

/Fredrik

Gabriel_G
Extreme Employee

Hi John,

Of course I'm not aware of your existing setup, but to turn your EXOS switch into a router, you would do something similar to the following:

0) Assumptions I'm making:

(There are multiple ways of doing this)

- Each Site has its own subnet/VLAN tagged to the x620
- The x620 would be the default gateway for all networks
- The x620 would have a point-to-point VLAN between it and the firewall
- The x620 has a default route to the firewall (via the point to point VLAN)
- The firewall has return routes for each Site/Subnet pointing to the x620 (via the point to point VLAN)

1) Create and tag relevant VLANs to the x620. Also create and add the point to point VLAN towards your firewall.

create vlan <VLAN> tag <#>

configure vlan <VLAN> [add | delete] port <#> [tagged | untagged]

2) Set IPs on each VLAN on the x620. These IPs will likely be the default gateway of your clients depending on your setup

configure vlan <VLAN> ipaddress <IP/MASK>

3) Configure a default route that points to your firewall

configure iproute add default <FW IP>

4) Enable routing for each VLAN that you want the switch to route, including the P2P vlan. When the switch is the default gateway for your client, it will receive client traffic and forward to the firewall based on the default route previously added.

enable ipforwarding vlan <VLAN>

5) On your firewall, you would need to create/configure the P2P vlan to the x620 and also add a 'return' route to each of the local subnets that points to the x620 on the P2P vlan.

Essentially, 'enable ipforwarding' allows the switch to route traffic between VLANs when the switch is used as a gateway. Hopefully this helps!
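The routed design from the reply above, applied to the subnets and ports from the original post, as an added example that is not from the thread or from Extreme: it checks that the subnets do not overlap, emits the EXOS commands for steps 1 to 4, and lists the firewall return routes for step 5. VLAN names and tags, the X620's own P2P address 172.21.0.2, and the tagged-trunk/untagged-P2P port choices are assumptions.

```python
import ipaddress

# Constructed from the thread's figures. VLAN names/tags, the X620's own P2P
# address 172.21.0.2 and tagged-trunk/untagged-P2P choices are assumptions.
SITES = {
    "SiteA": {"tag": 100, "port": 3, "gateway": "172.16.0.1/21"},
    "SiteB": {"tag": 200, "port": 2, "gateway": "172.17.0.1/21"},
    "SiteC": {"tag": 300, "port": 4, "gateway": "172.19.0.1/21"},
}
P2P = {"name": "FW_P2P", "tag": 999, "port": 1,
       "switch_ip": "172.21.0.2/24", "firewall_ip": "172.21.0.1"}

def validate(sites, p2p):
    """List problems: overlapping subnets, firewall address off the P2P subnet."""
    problems = []
    nets = [ipaddress.ip_interface(s["gateway"]).network for s in sites.values()]
    p2p_net = ipaddress.ip_interface(p2p["switch_ip"]).network
    nets.append(p2p_net)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"overlapping subnets: {a} and {b}")
    if ipaddress.ip_address(p2p["firewall_ip"]) not in p2p_net:
        problems.append("firewall address is not on the P2P subnet")
    return problems

def exos_commands(sites, p2p):
    """EXOS CLI for steps 1-4: VLANs, IPs, ipforwarding, default route to the FW.
    Site-to-site traffic is then routed on the X620 and bypasses the firewall."""
    problems = validate(sites, p2p)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = []
    for name, s in sites.items():
        cmds += [f"create vlan {name} tag {s['tag']}",
                 f"configure vlan {name} add port {s['port']} tagged",
                 f"configure vlan {name} ipaddress {s['gateway']}",
                 f"enable ipforwarding vlan {name}"]
    n = p2p["name"]
    cmds += [f"create vlan {n} tag {p2p['tag']}",
             f"configure vlan {n} add port {p2p['port']} untagged",
             f"configure vlan {n} ipaddress {p2p['switch_ip']}",
             f"enable ipforwarding vlan {n}",
             f"configure iproute add default {p2p['firewall_ip']}"]
    return cmds

def firewall_return_routes(sites, p2p):
    """Step 5: each site subnet on the firewall routes back via the X620's P2P IP."""
    next_hop = str(ipaddress.ip_interface(p2p["switch_ip"]).ip)
    return [(str(ipaddress.ip_interface(s["gateway"]).network), next_hop) for s in sites.values()]
```

Printing `exos_commands(SITES, P2P)` gives the switch side in paste-ready form; the firewall side is vendor-specific, so `firewall_return_routes` only lists the subnet and next-hop pairs to configure there.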
