Keith Smith - My Blog

Procurve inter-vlan routing with cisco asa firewall's

Wednesday, July 9, 2014 - by Keith A. Smith

Long-winded network post ahead! You have been warned. 

As part of my network overhaul, I wanted to transform our current semi-flat network in to a multi-teared, access controlled, dynamic network that could grow with the company. Our existing network has been plagued with broadcast storms caused by the rouge engineering DHCP server being accidentily connected to the office network. To do this I purchased new switch gear that supports L3 routing and VLANs. This new gear allows me to seperate our large broadcase domain in to smaller, department based broadast domains using VLANs and Inter-vlan routing. The existing network gear, while functional, lacked the capability of Inter-vlan routing and strugged under our daily office load with only two VLANs. I can't say I will miss the old Netgear switches, but they were barely able to support the traffic when we were a 30 person company and are unstable with the 70+ now.

Wanting to keep a fairly tight budget, I ended up choosing HP Procurve 2510 and 2520 POE switches for distribution and a 5406zl loaded with 1Gb modules for my core. The 2510/2520 are layer 2 gigabit switches and the 5406 is layer 3. If I had a larger budget, EDU discount, or was purchasing a huge lot of gear, I would probably have gone Cisco 3750G/2960G. The HP gear is very competitive, offering a lifetime warranty, lifetime support, and the cheapest 10G-baseT I could find. I have worked with HP in the past and have found it very simmilar to manage. The menu based cmd line interface makes it a breeze for the novice, but I still prefer the straight old cmd line.

My firewalls were a tough choice. I wanted something that could support 250+ VPN SSL vpn connections, a Gigabit Metro-E line, a 100Mb EDI line, and have enough throughoput to handle all of this. After looking at Forigate, Juniper, and Cisco, I ended up choosing four Cisco ASA 5515-x's. Each site will have two, setup in Active/Active serving up a maximum of 500 SSL VPN connections per site. I sacrificed the ability to load balance across two or more internet connections, but our EDI line makes up for that. These, at least for now should be able to handle everything we throw at them.

In the last few weeks, I setup all of the HP switch gear in a test enviroment, along with a ESXi host with multiple quad port nics. I wanted to simmulate having multiple machines across multiple switches to ensure my configs would work. Starting out, I got everything up and working. I could ping between Vlans, but I did not have a DHCP server to test ip helper-addresses or a internet connection. This week I added a Server 2008 R2 box and setup DHCP/AD/DNS and connected a spare Cisco ASA 5505 running 8.4. After a few hours of research through somewhat helpful posts, I came up with the following basics to using Inter-vlan routing on HP Procure switches with a Cisco ASA.

Helpful tips:
1) Your core must be a Layer 3 switch. In my lab it is the hp2910al-24g. It is not possible to do this without a L3 switch.
2) On the core, there should be no default gateway. I have seen this far to often as the problem in my research.
3) Enable ip routing on the core switch.
hp2910al-24g:# ip routing

4) Once you create additional VLAN's, only use the default VLAN for switch management if possible.
               hp2910al-24g:# config
               hp2910al-24g:# vlan 10
               hp2910al-24g:(Vlan 10)#

5) Assign IP addresses to each VLAN- only on the core!
               hp2910al-24g:(Vlan 10)# ip address 10.1.0.1/24

6) Assign a ip helper-address for your DHCP server to each VLAN on the core switch (except the one it natively lives on) and add each scope to the DHCP server.
               hp2910al-24g:(Vlan 20)# ip helper-address 10.1.0.2
              
              
7) Be sure to TAG (tagged) the VLANS on your trunks (trk 1-24) to the distribution switches, and on the distribution back to the core. Otherwise only local traffic on the untagged ports will flow on the core.
                hp2910al-24g:(Vlan 10)# tagged Trk1

8) Set a static route to your routers IP, (Replacing 10.1.0.1 with your routers IP.)
                hp2910al-24g:#ip route 0.0.0.0 0.0.0.0 10.1.0.1

9) Set a static route on the ASA back to your core switch: (Where 10.0.0.0 255.0.0.0 is your inside subnet and 10.1.0.254 is the core switch. My router is plugged in to VLAN 10, which is 10.1.0.0- this must match! Your routers interal IP must be on the same subnet as the core switches VLAN IP.)
                ciscoasa5505:#route Inside 10.0.0.0 255.0.0.0 10.1.0.254

10) ALWAYS use the IP of the VLAN as the DHCP default gateway- otherwise nothing will work!
                Example: Vlan 20- IP 10.1.1.254
                                 xptestbox:# ipconfig -a
                                                     IP:10.1.1.100
                                                     Subnet: 255.255.255.0
                                                     Gateway: 10.1.1.254
                                                     DNS:10.1.0.2
11) Restart everything once the configs are made and SAVED.
                 hp2910al-24g:#wr mem
12) Enjoy your working network!

Example configs:

2910al-24g:

; J9145A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-24G"
module 1 type j9145a
trunk 23-24 trk1 trunk
ip route 0.0.0.0 0.0.0.0 10.1.0.1
ip routing
snmp-server community "public" unrestricted
spanning-tree Trk1 priority 4
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-22
   tagged Trk1
   ip address 10.0.0.254 255.255.255.0
   exit
vlan 10
   name "VLAN10"
   untagged 1-10
   tagged Trk1
   ip address 10.1.0.254 255.255.255.0
   exit
vlan 20
   name "VLAN20"
   untagged 11-20
   tagged Trk1
   ip address 10.1.1.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit
vlan 30
   name "Vlan30"
   tagged Trk1
   ip address 10.20.30.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit
vlan 99
   name "VLAN99"
   untagged 21-22
   tagged Trk1
   ip address 10.1.99.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit

2510G-24:
hostname "00005- 2510-24g"
trunk 23-24 Trk1 Trunk
ip default-gateway 10.0.0.254
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   ip address 10.0.0.253 255.255.255.0
   tagged Trk1
   no untagged 1-22
   exit
vlan 10
   name "VLAN 10"
   tagged Trk1
   exit
vlan 20
   name "VLAN 20"
   tagged Trk1
   exit
vlan 99
   name "Vlan 99"
   tagged Trk1
   exit
vlan 30
   name "VLAN 30"
   untagged 1-22
   tagged Trk1
   exit
spanning-tree Trk1 priority 4

Cisco ASA 5505:

route 10.0.0.0 255.0.0.0 10.1.0.254
  Share Post   

View Comments Comments


Leave a Comment