VLAN issue

ARUN.A · ‎08-23-2016

Hai team,

My name is arun . I have one issue. Please help me using your valuable advice. I have one Scenario .

We have two cisco switches sg 300 and two firewall Sophos UTM 230. One fire wall is master and other is slave for high availability. The firewall a dress is 192.167.1.1. Our all communication done through this firewall. Both switch are connected to firewall like that

Cisco switch 1 is connected with slave firewall E0 port

cisco switch 2 is connected with master firewall E0 port

both switch are cascaded.

Cisco switch 1: 192.167.1.30

Cisco switch 2: 192.167.1.31

previously we have no vlan in both switch and switch have default vlan named as vlan1

now we created two vlan in Cisco switch 1 named as VLAN 20 and VLAN 30.

Vlan 20 IP : 172.16.1.1

Vlan 30 IP : 192.167.2.1

Each Vlan are connected with host and their details are

172.16.1.3( VLAN 20 HOST)

255.255.255.0

172.16.1.1

192.167.2.3( VLAN 30 host)

255.255.255.0

192.167.2.1

Now we can communicate newly created vlan vice versa. But this vlan not communicate with default vlan or our firewall( firewall located on default vlan).that means we can't communicate with our internal lan. So kindly help me . both switch are L3 mode and inter vlan routing enabled.

LJ Gabrillo · ‎08-24-2016

You need to make changes on your network
Based on what you said that you are originally a flat network(no vlan's) then I am guessing your default VLAN users have a default gateway going to the firewall.

The main problem is that your networks do not know each other, as well as your Sophos does not know those new networks and do NOT have a way to route to them.

You need to do the ff to make your network work:
-PS: There are multiple ways, im presenting one

1. Allocate a maintenance/downtime window since your users will lose internet connection
-Maintenance window depends on how fast you can configure the settings below:

2. Create an L3 IP address on the default VLAN (im guessing its te 192.167.1.0/24 network) on your Cisco Switch 1

-EX: 192.167.1.254

So, at this point you have the ff. L3 VLANs on your Cisco switch 1/Network
VLAN1: 192.167.1.254
VLAN20: 172.16.1.1
VLAN30: 192.167.2.1

2. Change the gateway setting on users on VLAN1(default VLAN) pointing to 192.167.1.254
-Once change, your VLAN1, VLAN20 and VLAN30 users will be able to communicate though they will not have internet access yet

REMINDER:
-Please do not forget that your switch1 to and fro switch 2 connection is trunked
-Make sure ip routing is enabled on your Cisco switch 1 since its handling routing

3. Configure routing on the Cisco Switch 1 (since this is your L3 switch)
-Destination: 0.0.0.0/0 -Defines all addresses/internet
-Next-Hop: 192.167.1.1 -IP of Sophos

-At this point AND if allowed by your FW policy, all your users will be able to Ping Sophos inside IP

4. Configure routing on your Sophos
-Destination: 192.167.1.0/24 next-hop: 192.167.1.254
-Destination: 192.167.2.0/24 next-hop: 192.167.1.254
-Destination: 172.16.1.0/24 next-hop: 192.167.1.254

5. Configure appropriate policies of course to allow access to internet/other services in your Sophos firewall :))

RECOMMENDATION:
-Please avoid using 192.167 since that's on a public address range, replace that with 192.168. :))
-You might encounter websites that have a public address of 192.167.X.X and unable to visit them since you are using it in your inside network

Don't forget to rate helpful post :)

ARUN.A · ‎08-24-2016

Dear sir,

Thanks for your support. As per your query we created default route in switch and static route in firewall. But we created static route for VLAN 20 AND VLAN 30. Now we can ping or communicate from new vlan and default vlan . But now we cant access the internet from new vlan.similarly we cant join in our domain from new vlan. our AD located in default vlan . But we can ping from new vlan to domain. what was the issue.Kindly help me.

LJ Gabrillo · ‎08-24-2016

1. That is already on the Sophos side, you need to configure NAT/PAT on your Sophos in order for your new VLAN to get access to the internet

-Make sure the users on your NEW VLAN can reach the Sophos of course

2. f your user cannot join the domain, check your new users, their DNS should be the Active-Directory IP Address
-You can verify this by instead of ping <IP of AD>, ping <domain> e.g., ping yourdomain.local, it should resolve the IP address and return pings

ARUN.A · ‎08-25-2016

Dear sir,

As per our discussion OUr vlan are communicate with each other.But in our scenario our firewall sync with AD and DNS. That means in our AD we have 3 group.

1. internet low restriction

2. internet medium restriction

3. internet high restriction

our all users are these group and our dns have a forwarder to firewall. As a result any one is not in these 3 group they cant access internet. our existing users in default vlan and they are the part of these 3 group and they can access internet.

But our issue is users in new vlan cant sync with AD and they cant access internet. We already make nat rule for Internet.But they can ping all website success fully. When we open any site ( for example google.com) one message is coming. Please check attachment. So kindly provide any additional settings need in firewall.

LJ Gabrillo · ‎08-25-2016

Dude, that's not the switch issue
That's a block message from your firewall

That's on the firewall side already, not the LAN side
LAN wise, your all set based on the behavior you just said

Sadly, we can't help you with the Sophos side, that's more on the web-filtering/application-control setting on your firewall
Get help on the Sophos side

If there's nothing else, we would appreciate you mark or rate post so that this thread will be closed

ARUN.A · ‎08-25-2016

Dear sir,

Thanks for your support.

LJ Gabrillo · ‎08-25-2016

I would suggest creating a temporary policy in your firewall just to allow internet access to those users