HP Procurve 2524 VLAN with Sonicwall firewall and Cisco router 1


cswift001 (MIS), US, Mar 10, 2011
Got 3 HP Procurve 2524 switches, all under the default vlan. I want to create a vlan with 1 port that only has internet access so that I can plug in a WIFI access point for guests to use. I understand that these switches are layer 2 devices. My problem is where and how do I do the routing, on my Sonicwall 2040 with standard software or do I need to go into my cisco 2600 router? Or both?
 
Hey there,

I see nobody else has answered your question. I am not an expert in this, but I share a similar network to yours! We have:

5 x Procurve switches (layer 2 and 3)
Sonicwall 2040
Cisco 1800 router

My advice would be to get a layer 3 switch for this. I don't think the Sonicwall 2040 even supports VLANs. Personally I would not get the router to do this, not sure why, I just would not. FYI we are about to upgrade our 2040 to a NSA3500 (which does support VLANs and has some nice fancy features).
 
Sorry for the delay in responding. I would love nothing more than to get a layer 3 switch, but my company is a non-profit and I need to do with what I was given. I was wondering if creating a logical port on the cisco router was something that I needed to look into.

And you are correct, the sonicwall 2040 running standard OS does not seem to support VLANs, so I was hoping that there was a workaround.
 
Well, excuse me if I sound sarcastic. I'm probably going to state the obvious but I just want to lay it out for you. T1 comes in to wan port on cisco 2600, ethernet port on cisco 2600 goes to sonicwall 2040 X0 port and the X1 port on the 2040 goes to port on HP procurve. Private IP is 192.168.0.1 255.255.255.0 (small company).

The router has a basic config. I didn't set it up so I haven't logged into it, but since it appears that I can't do anything from either the sonicwall or HP switches (layer 2).

Hope this helps.
 
How many Ethernet ports are on your router? You did not provide the exact model, just the series, and some models only come with one ethernet interface.

If you had 2 FastEthernet interfaces (and had access to the router), then you could do what is termed "router on a stick" (google it for more info), where you create subinterfaces off the non internet connected interface that have the same ID as the VLANs you will or have created on the HPs, "trunk" (Cisco term) that down to a port on one of the 2524's where that port is tagged (HP's term for trunk) for the same created vlans you just created on your Cisco. Each sub-interface you created on the Cisco will get an IP address for that corresponding VLAN. Your next hop from your Cisco will be the Sonicwall's X1 IP address.

I have not done this in quite some time and I'm not sure about what caveats the standard version of the Sonicwall might cause, as you will have to create routes on your Sonicwall defining the Cisco's IP address (whichever subinterface IP address is in the same subnet as your Sonicwall) to get to those other subnets. There also might be something to address with the Cisco's IOS version, as well as ACLs needed to block traffic from one interface to the other.

I know you said you had to work with what you had, but there is a chance that it might not work. I have seen HP Procurve 2624 which will do light L3 routing online for around $200.00

Good Luck.
 
cajuntank, I greatly appreciate your response. Unfortunately for me, my Cisco 2600 is one with only one ethernet port. I tell ya, we are CHEAP. I could have sworn that I read something along the lines of a "logical" port that I could have created on the one and only port that the cisco router has. I'll try to find that article and hopefully post here to see if any of ya can help me out with it.

Again, thanks @cajuntank for your info. You get a STAR.
 
That article was what router on a stick config is done on the router side. I thought about it a little more and even though you have the one interface, you probably could do the same as what I was talking about with just the one interface on the router: creating multiple sub-interfaces to match VLAN IDs on your switch and using one of those VLANs as your "Internet" VLAN. Again, there's going to be some ACLs involved and there might be some issue I'm not thinking of right now... we are talking about looping traffic around on one interface, but it might be worth a try.
 
Yeah, but the problem with that is that the router is the other side of the firewall to the multiple VLANs, so this would only work if the firewall can trunk VLANs, and if it wasn't terminating the LAN subnets.
 
What my thoughts were was to create subinterfaces on that router port and say have an ID of 10 (your Internet side VLAN). Then create a corresponding VLAN on the switch with ID of 10. The connection from the router to the switch would of course be tagged/trunked to allow the multiple VLAN ID tags to pass. Then create an untagged port, say right next to it, for VLAN 10. Plug the Sonicwall's X0 into that port. The port next to that would be for one of your "internal" VLANs and then you plug your Sonicwall's X1 port into it. These "internal" VLANs would of course match sub-interfaces created on that Cisco FastEthernet interface so the VLANs could route between each other. Now here's the tricky part... you have inter-vlan routing going on, so those "internal" VLANs will by default be able to talk to the "Internet" VLAN without going through the Sonicwall, so there will have to be some ACL(s) created to block that traffic unless it comes from the Sonicwall's X0 ip address range. The Cisco will have a default route to the Sonicwall. The Sonicwall will have to be able to create back routes to the router via the X1 interface if there is more than one internal VLAN subnet defined. Again, what I'm discussing sounds good in theory, but there might be caveats in practice.
 
There are two problems with that:

1. The router will have a default route to the internet, OR to the firewall - it can't have both.

The traffic going from the LAN is
dest: *.*.*.*
and you want it going to the firewall, so you have
ip route *.*.*.* --> FW
The firewall will route it back to the router.

Now, if your firewall is NATing (which I guess it will) then your 2600 router can route based on *source* address to overcome this problem.

Which brings me to the second problem: how complex is this solution and who is going to support it?
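As an added example, not a configuration posted by anyone in this thread, here is what the router side of cajuntank's design (dot1Q sub-interfaces matching the switch VLAN IDs, plus ACLs so inter-VLAN routing cannot bypass the firewall) could look like on a Cisco IOS router with a single Ethernet port, combined with the source-based routing the reply above suggests to get around the "one default route" problem. Everything specific here is assumed for illustration: the interface names FastEthernet0/0 and Serial0/0, VLAN IDs 10/20/30, and the 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24 subnets (the thread's own LAN is 192.168.0.0/24). It also assumes the router's port is a FastEthernet interface that supports 802.1Q sub-interfaces and an IOS feature set that includes policy routing, neither of which the thread confirms for this particular 2600.

```cisco
! Added example (hypothetical names/addresses), not from the thread.
! VLAN 10 = "Internet" VLAN: router Fa0/0.10 and the Sonicwall X0 (WAN) port
! VLAN 20 = internal LAN:    router Fa0/0.20 and the Sonicwall X1 (LAN) port
! VLAN 30 = guest Wi-Fi:     router Fa0/0.30 and the access point's port
!
! The single physical port carries all three VLANs as 802.1Q tags
! ("router on a stick"); it gets no IP address of its own.
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 description Internet-side VLAN; Sonicwall X0 assumed to be 192.168.10.2
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 description Internal LAN; Sonicwall X1 assumed to be 192.168.20.2
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group INTERNAL-IN in
 ip policy route-map VIA-FIREWALL
 no ip redirects
!
interface FastEthernet0/0.30
 description Guest Wi-Fi; Internet only
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group GUEST-IN in
 ip policy route-map VIA-FIREWALL
 no ip redirects
!
! The T1 remains the router's only default route. Traffic the Sonicwall has
! already NATed (source = its X0 address) arrives on Fa0/0.10 and follows it.
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! Inter-VLAN routing would otherwise let the internal and guest VLANs reach
! the Internet VLAN directly, and the guest VLAN reach the internal LAN.
! Block those paths; everything else (Internet destinations) passes the ACL
! and is then handled by the policy route below.
ip access-list extended INTERNAL-IN
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
!
ip access-list extended GUEST-IN
 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
!
! Source-based (policy) routing: packets sourced from the private LAN
! subnets are handed to the Sonicwall's X1 so they are filtered and NATed
! there instead of leaving the T1 unfiltered. Packets that do not match the
! route-map fall through to the normal routing table.
ip access-list extended LAN-SOURCES
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
!
route-map VIA-FIREWALL permit 10
 match ip address LAN-SOURCES
 set ip next-hop 192.168.20.2
```

On the switch side this assumes the 2524 port facing the router is tagged for VLANs 10, 20 and 30, the port for the Sonicwall X0 is untagged in VLAN 10, the port for X1 is untagged in VLAN 20, and the access point's port is untagged in VLAN 30. The Sonicwall then needs the "back route" cajuntank mentioned (192.168.30.0/24 via 192.168.20.1 on X1) and a firewall rule permitting the guest subnet out, so guest traffic is NATed and logged at the firewall like everything else rather than leaving the T1 directly.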
 