My name is Arun. I have one issue. Please help me with your valuable advice. I have one scenario.
We have two Cisco SG 300 switches and two Sophos UTM 230 firewalls. One firewall is the master and the other is the slave, for high availability. The firewall address is 126.96.36.199. All our communication is done through this firewall. Both switches are connected to the firewall like this:
Cisco switch 1 is connected to the slave firewall's E0 port.
Cisco switch 2 is connected to the master firewall's E0 port.
Both switches are cascaded.
Cisco switch 1: 188.8.131.52
Cisco switch 2: 184.108.40.206
Previously we had no VLANs on either switch; the switches had only the default VLAN, named VLAN 1.
Now we have created two VLANs on Cisco switch 1, named VLAN 20 and VLAN 30.
VLAN 20 IP: 172.16.1.1
VLAN 30 IP: 220.127.116.11
Each VLAN is connected to a host; their details are:
172.16.1.3 (VLAN 20 host)
18.104.22.168 (VLAN 30 host)
Now the newly created VLANs can communicate with each other. But these VLANs cannot communicate with the default VLAN or with our firewall (the firewall is located on the default VLAN). That means we can't communicate with our internal LAN. So kindly help me. Both switches are in L3 mode and inter-VLAN routing is enabled.
You need to make changes on your network. Based on what you said, that you originally had a flat network (no VLANs), I am guessing your default VLAN users have a default gateway pointing to the firewall.
The main problem is that your networks do not know each other, and your Sophos does not know those new networks and does NOT have a way to route to them.
You need to do the following to make your network work. PS: There are multiple ways; I'm presenting one.
1. Allocate a maintenance/downtime window, since your users will lose internet connection.
-The length of the maintenance window depends on how fast you can configure the settings below.
2. Create an L3 IP address on the default VLAN (I'm guessing it's the 22.214.171.124/24 network) on your Cisco switch 1.
So, at this point you have the following L3 VLANs on your Cisco switch 1/network: VLAN1: 126.96.36.199, VLAN20: 172.16.1.1, VLAN30: 188.8.131.52
2. Change the gateway setting of the users on VLAN1 (default VLAN) to point to 184.108.40.206.
-Once changed, your VLAN1, VLAN20 and VLAN30 users will be able to communicate, though they will not have internet access yet.
REMINDER:
-Please do not forget that the connection between switch 1 and switch 2 is trunked in both directions.
-Make sure IP routing is enabled on your Cisco switch 1, since it's handling the routing.
3. Configure routing on the Cisco switch 1 (since this is your L3 switch):
-Destination: 0.0.0.0/0 (defines all addresses/internet)
-Next hop: 220.127.116.11 (IP of Sophos)
-At this point, AND if allowed by your FW policy, all your users will be able to ping the Sophos inside IP.
4. Configure routing on your Sophos:
-Destination: 18.104.22.168/24, next hop: 22.214.171.124
-Destination: 126.96.36.199/24, next hop: 188.8.131.52
-Destination: 172.16.1.0/24, next hop: 184.108.40.206
5. Configure the appropriate policies, of course, to allow access to the internet/other services in your Sophos firewall. :))
RECOMMENDATION:
-Please avoid using 192.167, since that's in a public address range; replace it with 192.168. :))
-You might encounter websites that have a public address of 192.167.X.X and be unable to visit them, since you are using that range in your inside network.
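One way to express the switch side of the steps above (SVIs on the L3 switch, a trunk to switch 2, a default route to the firewall) as an SG300 CLI configuration. This is an added example, not configuration posted in the thread and not taken from Cisco or Sophos documentation; it assumes the switch already runs in router (L3) mode, reuses the 172.16.1.0/24 VLAN 20 subnet from the question, and marks every other address and port number as a placeholder to be replaced with your own.

```cisco
! Added example, not from the thread. Assumes the SG300 is already in
! router mode ("set system mode router" followed by a reload).
! <...> values are placeholders; gi1 and gi5 are assumed port numbers.
configure terminal
vlan database
 vlan 20,30
exit
! SVIs: the switch becomes the gateway for every VLAN, including VLAN 1,
! so the default-VLAN hosts must point their gateway at <SWITCH1_VLAN1_IP>
interface vlan 1
 ip address <SWITCH1_VLAN1_IP> 255.255.255.0
exit
interface vlan 20
 ip address 172.16.1.1 255.255.255.0
exit
interface vlan 30
 ip address <VLAN30_GATEWAY_IP> 255.255.255.0
exit
! Uplink to switch 2: trunk carrying VLAN 1 (native) plus 20 and 30
interface gi1
 switchport mode trunk
 switchport trunk allowed vlan add 20,30
exit
! Example access port for the VLAN 20 host
interface gi5
 switchport mode access
 switchport access vlan 20
exit
! Anything not in a directly connected VLAN goes to the Sophos inside IP
ip route 0.0.0.0 0.0.0.0 <SOPHOS_INSIDE_IP>
end
! Checks: "show ip route" should list the three connected subnets and
! the 0.0.0.0/0 entry; "show vlan" should show 20 and 30 on the trunk.
```

The firewall still needs the matching static routes for 172.16.1.0/24 and the VLAN 30 subnet pointing back at <SWITCH1_VLAN1_IP>, plus NAT and policy rules, exactly as steps 4 and 5 describe; without the return routes the switch can reach the Sophos but replies have nowhere to go.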
Thanks for your support. As per your reply, we created a default route in the switch and static routes in the firewall. But we created static routes only for VLAN 20 AND VLAN 30. Now we can ping and communicate between the new VLANs and the default VLAN. But now we can't access the internet from the new VLANs. Similarly, we can't join our domain from the new VLANs. Our AD is located in the default VLAN. But we can ping the domain from the new VLANs. What is the issue? Kindly help me.
1. That is already on the Sophos side; you need to configure NAT/PAT on your Sophos in order for your new VLAN to get access to the internet.
-Make sure the users on your NEW VLAN can reach the Sophos, of course.
2. If your users cannot join the domain, check your new users; their DNS should be the Active Directory IP address.
-You can verify this by, instead of ping <IP of AD>, running ping <domain>, e.g., ping yourdomain.local; it should resolve the IP address and return pings.
As per our discussion, our VLANs now communicate with each other. But in our scenario, our firewall syncs with AD and DNS. That means in our AD we have 3 groups:
1. internet low restriction
2. internet medium restriction
3. internet high restriction
All our users are in these groups, and our DNS has a forwarder to the firewall. As a result, anyone who is not in these 3 groups can't access the internet. Our existing users are in the default VLAN; they are part of these 3 groups and they can access the internet.
But our issue is that users in the new VLAN can't sync with AD and can't access the internet. We already made a NAT rule for the internet, but they can ping all websites successfully. When we open any site (for example google.com), one message appears. Please check the attachment. So kindly advise on any additional settings needed in the firewall.