Ran into routing problems setting up VLANs today
I'm hoping that someone can help me figure out what I did wrong today when I was trying to move our VLAN routing from a Cisco switch to a Firebox.
Old setup: Mix of Cisco and Adtran switches. Catalyst 2960s (172.16.1.1) handling our VLAN routing. About 10 different VLANs on the network. All of the switches have 172.16.1.1 as their default gateway. Firebox M470 (172.16.1.5) handling firewall and VPN duties and is connected to the LAN on int 2.
Today I decided to move our VLAN routing to the Firebox. I changed the interface type for int 5 to VLAN, created the VLANs, set up DHCP relay on each to point to our MS DHCP server, unplugged the Catalyst 2960s from the network, and changed the IP of the LAN interface on the Firebox to 172.16.1.1.
Nothing was working as I'd expected. I couldn't ping 172.16.1.1 from the other VLANs and had no internet access. So, I moved the LAN cable from int 2 to 5, and then I was able to hit the gateway for each VLAN and get to the internet. I still couldn't ping 172.16.1.1 from other devices on the same VLAN (our other switches are 172.16.1.10-172.16.1.43), so I changed the IP of int 2 and then created VLAN 1 and assigned it 172.16.1.1. That didn't work either. Internet access was also super slow, so I think I had multiple issues going on.
I finally just put the previous config back on the Firebox, moved the cable from int 5 to int 2, and plugged the 2960s back in. Can anyone tell me where I went wrong? I was confused as to whether I needed to plug the LAN into the interface configured as VLAN or leave it in the interface configured as LAN.
Comments
The default gateways for each VLAN device need to change from 172.16.1.1 to 172.16.1.5 for this to work, since you want the firewall to do the routing now.
Sorry - ignore my prior post.
What type have you set for the uplink from your switch stack to the firewall?
Normally these should be tagged VLANs, and the link should be Trunk.
Many devices will not pick up the fact that a new device has the IP addr that a previous device had - that the MAC addr has changed for that IP addr.
Often, for a Windows device, one needs to do an "arp -d" in a CMD box, or a reboot, for this change to be noticed by the device.
For Windows, an "arp -a" should show the MAC addr of the gateway device.
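An added check for the stale-ARP situation described above (not from the thread or from WatchGuard): it parses captured `arp -a` output (Windows dash form or Linux colon form), pulls the MAC cached for the gateway IP, and flags a host that still holds the old switch's MAC after 172.16.1.1 has moved to the Firebox. The `arp -a` text and both MAC addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: detect a stale ARP entry for the gateway after its IP
# (172.16.1.1) has moved from the Catalyst 2960 to the Firebox.
# The MAC addresses and the arp -a capture below are constructed, not real.

# Constructed Windows 'arp -a' output from a host that still remembers the
# old switch MAC for 172.16.1.1 (the Firebox is assumed to be aa-bb-cc-dd-ee-ff).
SAMPLE_ARP='Interface: 172.16.1.50 --- 0xb
  Internet Address      Physical Address      Type
  172.16.1.1            00-11-22-33-44-55     dynamic
  172.16.1.5            aa-bb-cc-dd-ee-ff     dynamic'

# gateway_mac ARP_OUTPUT IP -> prints the MAC cached for IP, normalised to
# lower-case colon form so Windows (dash) and Linux (colon) output compare equal.
gateway_mac() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        {
            for (i = 1; i <= NF; i++) {
                f = $i; gsub(/[()]/, "", f)      # Linux arp -a wraps the IP in ()
                if (f == ip) {
                    for (j = i + 1; j <= NF; j++)
                        if (length($j) == 17 &&
                            $j ~ /^[0-9A-Fa-f][0-9A-Fa-f]([-:][0-9A-Fa-f][0-9A-Fa-f])+$/) {
                            m = tolower($j); gsub(/-/, ":", m); print m; exit
                        }
                }
            }
        }'
}

# arp_is_stale ARP_OUTPUT IP EXPECTED_MAC -> returns 0 when the cached MAC is not
# the expected one (host still points at the old device), 1 when it matches,
# 2 when there is no entry for IP at all.
arp_is_stale() {
    seen=$(gateway_mac "$1" "$2")
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f' | tr '-' ':')
    [ -z "$seen" ] && return 2
    [ "$seen" != "$expected" ]
}

if arp_is_stale "$SAMPLE_ARP" 172.16.1.1 "AA-BB-CC-DD-EE-FF"; then
    echo "stale ARP entry for 172.16.1.1: clear it with 'arp -d 172.16.1.1' on this host"
fi
```

On a real host, replace SAMPLE_ARP with the output of `arp -a` and the expected MAC with the one shown on the Firebox's VLAN interface.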
The uplink from the switch to the firewall is trunked. I didn't clear the arp cache. Good suggestion, I'll try that next time.
How about the question about which port to use to connect the switch to the firewall? Do I connect to the port that I designate as VLAN or the one that is designated as LAN?
Yes you do need to connect to the VLAN interface on the firewall.
Also, have you added Network -> Routes for the VLAN subnets behind the Catalyst 2960s?
If so, then these need to be removed when you try the switch over.
I did have routes for each of the Catalyst 2960s VLANs. Initially, I left them in place but then I deleted them for VLANs 1 and 5, the two that I was testing.