
L3 switch routing instead of Sophos UTM

Hey Guys,

I bought my first L3 switch and was hoping to use it for vlan routing rather than Sophos UTM.

This is pretty much my network and what I'm trying to achieve:

 

I have Sophos UTM in management vlan along with the L3 switch. Sophos UTM has 3 interfaces, 1 for WAN, 2 for LAN (management), 3 for DMZ

Both vlan 20 and vlan 30 are able to communicate with each other through the L3 switch; however, they are not able to go out to Sophos UTM in the management vlan or to the internet. Likewise, any other device in management or DMZ can't reach these 2 vlans on the L3 switch.

From the L3 switch I have a static route 0.0.0.0 0.0.0.0 192.168.7.254 (DMZ gateway). For some reason I can't use 192.168.1.254, which is the Sophos UTM IP in management. If I try to use 192.168.1.254 I get an error from the switch: "The next hop ip address cannot be in the same subnet as the service/network port". I guess either the switch or Sophos has to be in a different subnet, hence I'm using the DMZ gateway IP just for testing. On the firewall I have changed the any/any deny to any/any allow and put it on top, just for testing.

Sophos is connected to a trunk port. I tried creating a static route in Sophos to route vlan 10 as a gateway route, 192.168.10.0/24 > 192.168.10.254, but it doesn't help.


Can someone please help with this one?


Cheers
Mo



  • Your first try is OK.

    The def. Gateway must be placed within the same L3-network (Subnet) as the client.

    So the L3-Switch needs 192.168.1.254 as gateway within the "transfer-Subnet".

    Seems there is a configuration problem at the L3-Switch.

    Which device do you use? Can you post the L3-Switch configuration?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • This is what I'm unable to do from my L3. If I try to set 192.168.1.254 as the gateway on the switch I get an error, hence I used the DMZ IP as a gateway instead.

    I'm using an HPE 1920s switch which is managed through the GUI only. Here's the current config; I captured it from the startup config:

    !Current Configuration:
    !
    !System Description "HPE OfficeConnect Switch 1920S 8G PPoE+ (65W) JL383A, PD.02.11, Linux 3.6.5-375bd0e8, U-Boot 2012.10-00118-g3773021 (Oct 11 2016 - 15:39:54)"
    !System Software Version "PD.02.11"
    !System Up Time "0 days 3 hrs 46 mins 26 secs"
    !Additional Packages HPE QOS,HPE IPv6 Management,HPE Routing
    !Current SNTP Synchronized Time: Jan 4 16:39:02 2020 UTC
    !
    network protocol none
    network parms 192.168.1.253 255.255.255.0 192.168.1.254
    vlan database
    vlan 5-7
    vlan name 5 "Guest VLAN"
    vlan name 6 "CCTV VLAN"
    vlan name 7 "DMZ VLAN"
    vlan routing 6 1
    exit
    ip http session hard-timeout 168
    ip http session soft-timeout 60
    configure
    sntp client mode unicast
    sntp server "192.168.1.88"
    clock time-format 12
    !clock timezone 8 minutes 0
    clock timezone id 76
    time-range Schedule-1
    periodic weekdays 06:30 to 23:59
    periodic start 1 Jan 1970
    exit
    time-range Schedule-2
    exit
    ip routing
    no username guest
    line console
    exit
    line telnet
    exit
    line ssh
    exit
    snmp-server sysname "SUKAFUN-CORE"
    !
    snmp-server host 192.168.20.5 "public"
    interface 1
    description 'Uplink for SUKAFUN-SWITCH'
    green-mode energy-detect
    exit
    interface 2
    description 'SUKAFUN-AP'
    vlan participation include 5
    vlan tagging 5
    green-mode energy-detect
    exit
    interface 3
    description 'SUKAFUN-CAMERA3'
    green-mode energy-detect
    exit
    interface 4
    description 'SUKAFUN-CAMERA4'
    green-mode energy-detect
    exit
    interface 5
    description 'SUKAFUN-HYPERV'
    vlan participation include 5-7
    vlan tagging 5-7
    green-mode energy-detect
    exit
    interface 6
    description 'SUKAFUN-GATEWAY'
    green-mode energy-detect
    exit
    interface 7
    vlan participation include 6
    vlan tagging 6
    green-mode energy-detect
    exit
    interface 8
    vlan participation exclude 6
    green-mode energy-detect
    exit
    interface vlan 6
    bandwidth 10000
    routing
    ip address 192.168.6.254 255.255.255.0
    ip mtu 1500
    no ip unreachables
    no ip redirects
    exit
    ip default-gateway 192.168.7.254
    exit

  • I think your switch doesn't route if management and routing/next hop are within the same subnet.

    do you remember:

    "The next hop ip address cannot be in the same subnet as the service/network port"

    AND:

    "Sophos UTM is untagged on vlan10" .... within your picture Sophos is not directly connected to VLAN10 !!!


    Dirk


  • My native management vlan is vlan1 with subnet 192.168.1.0. The switch and Sophos are directly connected in this subnet.


    Vlan10 is routing through my switch and I want it to talk to the other vlans I have routing through Sophos, like 192.168.7.0.

    So what you are saying is I should use a different vlan for management in order for this to work?

  • ... or a different VLAN/Subnet as transfer network.


    Dirk


  • I spent all day working on this and realized that there's no way I can enable routing on a vlan on the switch and put the switch in the same subnet.

    For example, if I have vlan 10 whose subnet is 192.168.10.0/24, and I enable routing on this vlan and use 192.168.10.254 as the SVI, I'm then unable to re-IP the switch to be in this subnet. It comes up with a "conflict with subnet" error. My only choice is to not enable routing in the vlan/subnet the switch and Sophos are connected to.

  • ... how about putting the switch management outside the routing VLAN?

    - Connect 2 VLANs to Sophos SG

    - use one as def. GW

    - use one with management-IP


    Dirk


  • I have already tried putting switch management on a different vlan but it doesn't make any difference.

     

    I'll try the below tomorrow can you please correct it if wrong:

    I'll create a new vlan 99 to be subnet 192.168.99.0/24

    Tag Sophos UTM to vlan 99 and change its current IP to 192.168.99.254

    Change switch IP to 192.168.99.5 and set 192.168.99.254 as its GW

    Enable routing for vlan 10 & vlan 20 in the L3 switch

    Create default static route on the switch to be 0.0.0.0 0.0.0.0 192.168.99.254 and a static route for 192.168.7.0 255.255.255.0 192.168.99.254

    From Sophos UTM create static route 192.168.10.0 255.255.255.0 192.168.99.5 and 192.168.20.0 255.255.255.0 192.168.99.5

     

    Correct?

  • Looks ok, but you don't need:

    "default static route on the switch to be 0.0.0.0 0.0.0.0 192.168.99.254 and a static route for 192.168.7.0 255.255.255.0 192.168.99.254"

    as you configure the default gateway/default route already:

    "Change switch IP to 192.168.99.5 and set 192.168.99.254 as its GW"

    BTW: I hope you mean the switch ip for VLAN 99 but not the switch-management-IP here: "Change switch IP to 192.168.99.5" !!!

     


    Dirk


  • Awesome!!

    I was actually using the management IP rather than the SVI.

     

    My routing from UTM and L3 is now working together. What doesn't work is that the subnets on the switch are not getting to the internet. For example, subnet 192.168.10.0, which has a gateway (SVI) of 192.168.10.254, can reach Sophos and can reach the other subnet which is routing on Sophos, but not the internet.

    With the default static route on the switch 0.0.0.0 0.0.0.0 192.168.99.253 (Sophos), it's taking traffic from the switch to Sophos on the LAN interface that is directly connected to the switch. This interface has masquerading to WAN, so it should get to the internet then?

     

    Appreciate your help again. I'm sure other people viewing this post have benefited as well.

  • I think here is your current problem ...

    "This interface has masquerading to WAN so it should get to internet then?"

    There is no option to select "coming from a specific interface".

    I think you configured "interface network", but this means "the subnet connected to the interface (192.168.1.0/24)", not "subnets behind this subnet".

    I would try "Masq ANY as WAN" ... so all packets allowed to the internet are masqueraded as WAN.

     


    Dirk

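As an added example (not from the thread, HPE or Sophos), a small Python model of the transfer-VLAN design proposed earlier in the thread and the masquerading point above: it resolves routes on both devices with longest-prefix match, checks that a next hop sits in a directly connected routed subnet (the switch's "same subnet as the management port" rejection), finds switch-routed subnets the UTM would have no return route for, and shows why a masquerading rule scoped to "interface network" misses traffic from subnets behind the switch. Addresses are the thread's plan values; the WAN addresses and the host .10 probes are constructed.

```python
import ipaddress

# Constructed model of the final design: VLAN 99 as transfer network,
# VLANs 10/20 routed on the switch, VLAN 7 (DMZ) routed on the UTM.
SWITCH_SVIS = {"vlan10": "192.168.10.254/24", "vlan20": "192.168.20.254/24",
               "vlan99": "192.168.99.5/24"}
SWITCH_ROUTES = [("0.0.0.0/0", "192.168.99.254")]
UTM_IFACES = {"lan_vlan99": "192.168.99.254/24", "dmz": "192.168.7.254/24",
              "wan": "203.0.113.2/24"}              # WAN address is constructed
UTM_ROUTES = [("192.168.10.0/24", "192.168.99.5"),  # return routes to the switch
              ("192.168.20.0/24", "192.168.99.5"),
              ("0.0.0.0/0", "203.0.113.1")]         # constructed ISP gateway

def connected(ifaces):
    return {n: ipaddress.ip_interface(a) for n, a in ifaces.items()}

def lookup(dst, ifaces, routes):
    """Longest-prefix match over connected networks and static routes.
    Returns ('direct', iface_name), ('via', next_hop) or None."""
    dst, best = ipaddress.ip_address(dst), None
    for name, iface in connected(ifaces).items():
        if dst in iface.network and (best is None or iface.network.prefixlen > best[0]):
            best = (iface.network.prefixlen, ("direct", name))
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ("via", nh))
    return best[1] if best else None

def nexthop_reachable(nh, routed_ifaces):
    """A next hop is usable only if it lies in a directly connected routed
    subnet; the management subnet is not one, which is the thread's error."""
    return any(ipaddress.ip_address(nh) in i.network
               for i in connected(routed_ifaces).values())

def missing_return_routes(utm_routes=UTM_ROUTES):
    """Switch-routed subnets the UTM would send to its default route instead
    of back to the switch: an asymmetric-routing blackhole that also leaks
    private-range destinations toward the WAN."""
    missing = []
    for iface in connected(SWITCH_SVIS).values():
        r = lookup(str(iface.network[10]), UTM_IFACES, utm_routes)
        if r is None or r == ("via", "203.0.113.1"):
            missing.append(str(iface.network))
    return missing

def masq_applies(src, masq_source):
    """UTM masquerading matches on source network, not ingress interface;
    'interface network' covers only the directly attached subnet."""
    if masq_source == "ANY":
        return True
    return ipaddress.ip_address(src) in ipaddress.ip_network(masq_source)
```
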

  • Now I'm in the game of L3/core switching :)

     

    Thanks dirkkotte for your help and explanation!
