Need help with handling VLANS and DHCP across multiple interfaces

Hey Kevin

I'm having trouble understanding your scenario. Walk me though it so I can try to help you.

Are you running Sophos UTM as a VM on this Hyper-V host? If so, A take it that:

Interface 1 is a virtual switch bound to a physical interface connected to your ISP modem. Let's call it virtual switch 1.

Interface 2 is a virtual switch bound to a physical interface connected to your Meraki switch. Let's call it virtual switch 2.

Interface 3: is this a virtual switch bound to a physical interface or is this an internal virtual switch? Let's call it virtual switch 3.

Assuming your Sophos UTM is a VM on this host, I take it you have three interfaces on it:

WAN, which is bound to virtual switch 1

LAN 1, which is bound to virtual switch 2 with an IP on subnet 192.168.1.0/24. 

LAN 2, which is bound to virtual switch 3 with an IP on subnet 192.168.2.0/24. 

Is this right so far?

Regards,

Giovani

Yes this is all correct.

Interface 3 is an internal virtual switch. It currently handles traffic from all of the VMs on the Hyper-V host.

OK, so this will never work. A internal virtual switch will never communicate with anything outside the hypervisor. My suggestion is:

- Bind your VMs to virtual switch 2 and tag it with VLAN 20, as the example below. The VLAN on the screenshot is different, but the concept is the same:

- Change the switch port on which interface 2 is connected to mode trunk, which would allow tagged and untagged traffic through, and allow tagged VLAN 20 traffic though this port.

- Change the switch port on which the other physical server is connected to untagged VLAN 20.

You don't need to tag the VLANs inside the VMs, as you are doing it on the hypervisor, so keep your UTM interface for LAN 192.168.2.0/24 as a default, non VLAN, interface.

That way your default VLAN would handle 192.168.1.0/24 and tagged VLAN 20 would handle 192.168.2.0/24. For any new devices you wish to add to your LAB subnet you just set it to use VLAN 20, either by tagging the VLAN on Hyper-V interface for virtual devices or on the switch port for physical devices.

Regards,

Giovani

since interface 3 on sophos is connected to the internal virtual switch I am able to route traffic to the 192.168.2.0/24 network. I currently have a policy that allows all traffic between the two interfaces and it is working.

Are you saying that there is no way to route a VLAN from the physical to the internal interface?

How does what you are suggesting affect bandwidth? my internal switch is 10G wouldn't binding to the 1G interface limit me to 1Gbps?

Would vm to vm traffic go across the interface and back instead of just staying inside the hyper-V host and never hitting a physical interface?

I attached some screenshots not sure if they help clarify anything.

Thanks for your help so far.

For what I understand what you are trying to achieve is have your virtual and physical servers on the same network. That's layer 2 and can only be achieved with all servers connecting to the same switch. As you already noticed, you can have your physical server on another network and be able to reach your virtual servers by routing the communication through UTM. But that puts extra burden on your UTM as it would have to do all the routing between your servers. Also, you cannot have DHCP packets traversing a router, so DHCP is a no-no under this scenario. Even if you were able to get DHCP working it would be useless for what you are trying to achieve, as the 192.168.2.0/24 is a isolated subnet since you are using an internal switch. AFAIK, the only way to achieve what you are asking is putting your server on the same VLAN through a physical interface, as I suggested.

To answer your questions:

"How does what you are suggesting affect bandwidth? my internal switch is 10G wouldn't binding to the 1G interface limit me to 1Gbps?"

No, the virtual interface should still report and use the full speed of the virtual switch. No traffic should leave the virtual switch for communications between VMs. 

"Would vm to vm traffic go across the interface and back instead of just staying inside the hyper-V host and never hitting a physical interface?"

No traffic should leave the virtual switch for communications between VMs. 

Regards,

Giovani

Thanks for the explanation. This helps a lot. I will try out what you suggested and see how it works.

I am trying to make this work and not sure if I know what you mean here: "so keep your UTM interface for LAN 192.168.2.0/24 as a default, non VLAN, interface."

Wouldn't I need to create a vlan interface so that i can have dhcp assign IP addresses in the 192.168.2.0/24 range to machines in VLAN 20?

Also what would I need to do to route traffic between the two VLANs? I have routes set up and a firewall rule in place, but I can't RDP from 192.168.1.0/24 to 192.168.2.0/24.

Thanks for the help.

"Wouldn't I need to create a vlan interface so that i can have dhcp assign IP addresses in the 192.168.2.0/24 range to machines in VLAN 20?"

Not if you are tagging the VLAN on the virtual network adapter at the hypervisor, as I suggested. When you do that all traffic passing in that virtual interface will be tagged. If you want to tag the VLAN inside the guest, you need to allow VLAN tags to pass though the virtual switch by using Set-VMNetworkAdapterVlan in Powershell. But it only makes sense if you plan on passing more than one VLAN from inside the guest. Here is some interesting reading on the subject.

"Also what would I need to do to route traffic between the two VLANs?  I have routes set up and a firewall rule in place, but I can't RDP from 192.168.1.0/24 to 192.168.2.0/24."

It changes nothing. You previously said that you had a policy allowing both subnets to communicate and it was working. It should still be working, as long as your UTM is able to communicate with your virtual and physical servers in VLAN 20. Check if your physical and virtual servers can reach the UTM first.

Regards,

Giovani