
L3 switch routing instead of Sophos UTM

Hey Guys,

I bought my first L3 switch and was hoping to use it for VLAN routing rather than Sophos UTM.

This is pretty much my network and what I'm trying to achieve:

 

I have Sophos UTM in the management VLAN along with the L3 switch. Sophos UTM has 3 interfaces: 1 for WAN, 2 for LAN (management), 3 for DMZ.

Both VLAN 20 and VLAN 30 are able to communicate with each other through the L3 switch; however, they are not able to get out to Sophos UTM in the management VLAN or to the internet. Likewise, any other device in management or DMZ can't reach these 2 VLANs on the L3 switch.

From the L3 switch I have a static route 0.0.0.0 0.0.0.0 192.168.7.254 (DMZ gateway). For some reason I can't use 192.168.1.254, which is the Sophos UTM IP in management. If I try to use 192.168.1.254 I get an error from the switch: "The next hop ip address cannot be in the same subnet as the service/network port". I guess either the switch or Sophos has to be in a different subnet, hence I'm using the DMZ gateway IP just for testing. On the firewall I have changed the any-any deny to any-any allow and put it on top, just for testing.

I'm using a trunk port that Sophos is connected to. I tried creating a static route in Sophos to route VLAN 10 as a gateway route, 192.168.10.0/24 > 192.168.10.254, but it doesn't help.


Can someone please help with this one?


Cheers
Mo



  • Your first try is OK.

    The default gateway must be placed within the same L3 network (subnet) as the client.

    So the L3 switch needs 192.168.1.254 as gateway within the "transfer subnet".

    Seems there is a configuration problem at the L3 switch.

    Which device do you use? Can you post the L3 switch configuration?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • This is what I'm unable to do from my L3 switch. If I try to set 192.168.1.254 as the gateway on the switch I get an error, hence I used the DMZ IP as the gateway instead.

    I'm using an HPE 1920S switch, which is managed through the GUI only. Here's the current config; I captured it from the startup config:

    !Current Configuration:
    !
    !System Description "HPE OfficeConnect Switch 1920S 8G PPoE+ (65W) JL383A, PD.02.11, Linux 3.6.5-375bd0e8, U-Boot 2012.10-00118-g3773021 (Oct 11 2016 - 15:39:54)"
    !System Software Version "PD.02.11"
    !System Up Time "0 days 3 hrs 46 mins 26 secs"
    !Additional Packages HPE QOS,HPE IPv6 Management,HPE Routing
    !Current SNTP Synchronized Time: Jan 4 16:39:02 2020 UTC
    !
    network protocol none
    network parms 192.168.1.253 255.255.255.0 192.168.1.254
    vlan database
    vlan 5-7
    vlan name 5 "Guest VLAN"
    vlan name 6 "CCTV VLAN"
    vlan name 7 "DMZ VLAN"
    vlan routing 6 1
    exit
    ip http session hard-timeout 168
    ip http session soft-timeout 60
    configure
    sntp client mode unicast
    sntp server "192.168.1.88"
    clock time-format 12
    !clock timezone 8 minutes 0
    clock timezone id 76
    time-range Schedule-1
    periodic weekdays 06:30 to 23:59
    periodic start 1 Jan 1970
    exit
    time-range Schedule-2
    exit
    ip routing
    no username guest
    line console
    exit
    line telnet
    exit
    line ssh
    exit
    snmp-server sysname "SUKAFUN-CORE"
    !
    snmp-server host 192.168.20.5 "public"
    interface 1
    description 'Uplink for SUKAFUN-SWITCH'
    green-mode energy-detect
    exit
    interface 2
    description 'SUKAFUN-AP'
    vlan participation include 5
    vlan tagging 5
    green-mode energy-detect
    exit
    interface 3
    description 'SUKAFUN-CAMERA3'
    green-mode energy-detect
    exit
    interface 4
    description 'SUKAFUN-CAMERA4'
    green-mode energy-detect
    exit
    interface 5
    description 'SUKAFUN-HYPERV'
    vlan participation include 5-7
    vlan tagging 5-7
    green-mode energy-detect
    exit
    interface 6
    description 'SUKAFUN-GATEWAY'
    green-mode energy-detect
    exit
    interface 7
    vlan participation include 6
    vlan tagging 6
    green-mode energy-detect
    exit
    interface 8
    vlan participation exclude 6
    green-mode energy-detect
    exit
    interface vlan 6
    bandwidth 10000
    routing
    ip address 192.168.6.254 255.255.255.0
    ip mtu 1500
    no ip unreachables
    no ip redirects
    exit
    ip default-gateway 192.168.7.254
    exit

  • OK, I think I understand...

    The HP uses an internal "management IP". Here you bound IP and gateway FOR MANAGEMENT ONLY: "network parms 192.168.1.253 255.255.255.0 192.168.1.254"

    If you try to use the "management default gateway" for routing, you get a message meaning you cannot use the same IP/gateway for routing as for the management function:

    "The next hop ip address cannot be in the same subnet as the service/network port"

    I think you have to configure a separate routing transfer VLAN with a different IP range and use this as the default GW.


    Dirk


  • I agree too that I can't use 192.168.1.254 as the default GW, as it's on the same subnet as the switch. But why then doesn't it work when I use 192.168.7.254 as the default GW for the switch?

    192.168.7.254 is another interface on Sophos that I use for the DMZ network, and currently my firewall rules allow any-any.

  • To reach the default GW, it must exist within a directly connected subnet of the switch.

    An IP device must "see" the next hop directly... it can't exist around the next corner.


    Dirk


  • OK. Turns out there's a bug in the GUI in this series of HPE switches. However, I managed to find a way to create the default GW on the same subnet. Current default static route: 0.0.0.0 0.0.0.0 192.168.1.254.

    And from Sophos I created

    But I still can't reach anything from the 192.168.10.0 network to other networks routed through Sophos. Same for the other networks on Sophos: they can't reach the 192.168.10.0 network.

    What's wrong?

  • Your gateway to reach 192.168.10.0/24 is 192.168.1.253.

    (The router... here the Sophos firewall... must see the next-hop gateway directly.)


    Dirk

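The two rules Dirk gives in his replies above (a next hop must be on a subnet the device is directly connected to, and the UTM needs a return route for 192.168.10.0/24 pointing at the switch's 192.168.1.253) can be checked mechanically. The block below is an added example, not code from the thread, from HPE or from Sophos: a small Python model of the thread's topology that applies both rules, traces a packet from VLAN 10 to the DMZ and back, and shows why the default route via the DMZ gateway fails, why the default route via the UTM works in one direction only until the UTM has a static route, and which configuration passes in both directions. The 192.168.1.0/24, 192.168.10.0/24 and 192.168.7.0/24 addresses are the thread's; the WAN addresses (203.0.113.0/30, upstream 203.0.113.1) are an assumption.

```python
"""Added example (not from the thread): model the two routing rules Dirk
states and check a topology built from the thread's addresses against them.

Rule 1: a static route's next hop must be in a directly connected subnet.
Rule 2: the firewall needs a return route for every subnet the L3 switch
        routes, otherwise replies follow the firewall's default route.
Assumed (not in the thread): WAN 203.0.113.2/30, upstream 203.0.113.1."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    interfaces: dict                             # interface name -> "ip/prefix"
    routes: list = field(default_factory=list)   # [("dest/prefix", "next_hop"), ...]

    def connected(self):
        return [ipaddress.ip_interface(a).network for a in self.interfaces.values()]

    def owns(self, ip):
        ip = ipaddress.ip_address(ip)
        return any(ipaddress.ip_interface(a).ip == ip for a in self.interfaces.values())

    def is_adjacent(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.connected())

    def invalid_next_hops(self):
        """Rule 1: static routes whose next hop is not directly connected."""
        return [(dest, nh) for dest, nh in self.routes if not self.is_adjacent(nh)]

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes.
        Returns ("connected", None), ("static", next_hop) or None."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net in self.connected():
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, "connected", None)
        for dest, nh in self.routes:
            net = ipaddress.ip_network(dest)
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, "static", nh)
        return None if best is None else best[1:]


def trace(devices, src, dst, max_hops=8):
    """Follow a packet src -> dst hop by hop. Returns (delivered, path)."""
    cur = next((d for d in devices if d.is_adjacent(src)), None)
    if cur is None:
        return False, ["source subnet is not on any device"]
    path = []
    for _ in range(max_hops):
        path.append(cur.name)
        route = cur.lookup(dst)
        if route is None:
            return False, path + ["no route"]
        kind, nh = route
        if kind == "connected":
            return True, path
        if not cur.is_adjacent(nh):           # Rule 1 violated: nothing can ARP for it
            return False, path + [f"next hop {nh} is not directly connected"]
        cur = next((d for d in devices if d.owns(nh)), None)
        if cur is None:                       # e.g. the WAN upstream: traffic leaves
            return False, path + [f"next hop {nh} belongs to no device (traffic leaves)"]
    return False, path + ["hop limit reached"]


def both_ways(devices, a, b):
    """Rule 2 in practice: a path is only usable if replies can get back."""
    return trace(devices, a, b)[0] and trace(devices, b, a)[0]


def build(switch_default_nh, utm_return_route):
    """Thread topology: HPE 1920S routing VLAN 10, Sophos UTM on VLAN 1 and DMZ."""
    switch = Device("HPE-1920S",
                    {"vlan1": "192.168.1.253/24", "vlan10": "192.168.10.254/24"},
                    [("0.0.0.0/0", switch_default_nh)])
    utm_routes = [("0.0.0.0/0", "203.0.113.1")]        # assumed WAN upstream
    if utm_return_route:                               # the route Dirk asks for
        utm_routes.append(("192.168.10.0/24", "192.168.1.253"))
    utm = Device("Sophos-UTM",
                 {"lan": "192.168.1.254/24", "dmz": "192.168.7.254/24",
                  "wan": "203.0.113.2/30"}, utm_routes)
    return [switch, utm]


if __name__ == "__main__":
    host, dmz = "192.168.10.5", "192.168.7.10"
    for label, nh, ret in [("default via DMZ gateway", "192.168.7.254", False),
                           ("default via UTM, no return route", "192.168.1.254", False),
                           ("default via UTM + UTM static route", "192.168.1.254", True)]:
        devs = build(nh, ret)
        print(label, "| bad next hops:", devs[0].invalid_next_hops())
        print("  ->", trace(devs, host, dmz))
        print("  <-", trace(devs, dmz, host))
        print("  usable:", both_ways(devs, host, dmz))
```

The middle scenario is the one that is easy to miss with an any-any firewall rule: the switch forwards VLAN 10 traffic to the UTM, the UTM delivers it to the DMZ, but the reply to 192.168.10.x matches only the UTM's default route and is sent towards the WAN, so the connection never completes. Only the UTM static route 192.168.10.0/24 via 192.168.1.253 makes both traces succeed.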

  • Thanks Dirk for your help so far; it has started to make sense to me now. I configured it as you said: the two devices connected in the same network, the L3 switch using a default static route to Sophos, and the UTM using static routes for any networks routed through the L3 switch, pointing to the L3 switch's IP address.
    However, it still isn't working for me, no idea why :/
    I'm using Sophos UTM as a VM, which shouldn't really matter. Sophos UTM is untagged on VLAN 10.

    And as I said before, I've configured my firewall policy to allow any-any.

    I also tried one thing which didn't work either: I configured routing on VLAN 1 and gave it the IP address 192.168.1.254, and changed my Sophos IP to 192.168.1.253. Since all my devices have a default gateway of 192.168.1.254, it's easier this way. I then configured static routes as above, but still can't reach other VLANs or the internet now.
  • I think your switch doesn't route if management and routing/next hop are within the same subnet.

    Do you remember:

    "The next hop ip address cannot be in the same subnet as the service/network port"

    AND:

    "Sophos UTM is untagged on VLAN 10"... within your picture Sophos is not directly connected to VLAN 10!!!


    Dirk


  • My native management VLAN is VLAN 1 with subnet 192.168.1.0. The switch and Sophos are directly connected in this subnet.


    VLAN 10 is routed through my switch and I want it to talk to other VLANs I have routed through Sophos, like 192.168.7.0.

    So what you are saying is I should use a different VLAN for management in order for this to work?