Problems with VLAN Configuration between HP 2920-24G Switch and Firewall (1033 Views)
Occasional Contributor
Posts: 3
Registered: ‎12-19-2013
Message 1 of 3 (1,033 Views)

Problems with VLAN Configuration between HP 2920-24G Switch and Firewall

Hello there,


we've got some issues with the configuration of VLANs between an HP 2920-24G switch and a WatchGuard XTM330 Firewall.

We have configured 2 VLANs on the Switch. VLAN-21 and VLAN-24.

VLAN-21 Ports 3-12 untagged

VLAN-24 Ports 13-22 untagged


We enabled Routing and configured DHCP-Helper IP for DHCP-Server which is in VLAN-21 to work also in VLAN-24.


The Interface on the Firewall which is connected to Port1 of the Switch has the IP

In The Firewall Configuration this Interface is configured as TAGGED with VLAN-21 and VLAN-24.


Also Port1 (2, 23/24) on the Switch is TAGGED with both VLANs (VLAN-21 and VLAN-24).


If we now plug in a client in  VLAN-21 or VLAN-24 Port we cannot reach/ping the Firewall (

But clients/devices can communicate with each other from VLAN-21 to VLAN-24 and vice versa, that works.

And also the DHCP-Server in VLAN-21 can provide IP addresses to clients in the VLAN-24.


We did test several things but do not know why we cannot communicate with the firewall from the VLAN-21 or VLAN-24 on the Switch Side.

Even if we plug the firewall directly into a VLAN-21 or VLAN-24 Port, communication is not possible.


Did we miss something elementary? 

Would be great if you could provide us some input what we can do to solve this problem.


Here's the Config of the Switch:


; J9726A Configuration Editor; Created on release #WB.15.12.0010
; Ver #04:01.ff.35.0d:c2

hostname "HP-2920-24G"
module 1 type j9726a
ip default-gateway
ip routing
snmp-server community "public" unrestricted
snmp-server contact "XXX" location "YYY"
vlan 1
   name "VLAN_21"
   no untagged 13-22
   untagged 3-12,A1-A2,B1-B2
   tagged 1-2,23-24
   ip address
vlan 2
   name "VLAN_24"
   untagged 13-22
   tagged 1,23-24
   ip address
   ip helper-address
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager



Basically we want to achieve, that the Switch does the internal LAN routing, so that the Firewall Load isn't additionally getting stressed by doing LAN routing. Firewall should only do "WAN-Stuff". One Interface from the Firewall should be connected to Switch. And via this Interface both VLANs should exchange their Traffic.

Perhaps there's a better way or other approach to accomplish that!?


Any ideas and input are appreciated...

Esteemed Contributor
Ian Vaughan
Posts: 293
Registered: ‎07-24-2000
Message 2 of 3 (976 Views)

Re: Problems with VLAN Configuration between HP 2920-24G Switch and Firewall

Firstly fix the names of your VLANs to match their VLAN numbering to avoid confusion :-)
We could have a simple VLAN1 & VLAN2 for clients as and make the switch IP 192.168.x.1 in each subnet with a mask.
Or use .2 and .4, it really doesn't matter, but try and keep it as simple as possible.
Secondly your IP helper address in vlan 2 is pointing to the switch IP in vlan 1? It should be the IP of the DHCP serving server in 192.168.1.x not the switch L3 interface.
Create a third VLAN (say VLAN 99) and put the uplink port of the switch (to the firewall) in vlan99 as an untagged port.
You only need 2 IP addresses in this subnet but let's have some wriggle room just in case we need to do something else with it one day - with on the switch and on the firewall.
Create a static route
This sends any unknown traffic out towards the firewall / internet.

You should then be routing between VLANs 1 & 2 and routing via VLAN99 whenever you need to go elsewhere (via the firewall).

You don't need "tagged" ports in this design as you are routing between all your VLANs which are connected on the same switch.
What's yellow and dangerous - shark infested custard
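The design described in the reply above, written out as a constructed example in the same config-file form as the switch config posted in the thread (this is not Ian Vaughan's config or the poster's). The `;` lines are annotations, as in the posted config's header. All addresses are assumed: 192.168.1.0/24 for VLAN 1, 192.168.2.0/24 for VLAN 2, 192.168.99.0/24 as the transit VLAN, the switch as .1 in each, the firewall at 192.168.99.2 and the DHCP server at 192.168.1.10.

```text
; Constructed example of the transit-VLAN design: the switch routes
; between client VLANs, the firewall is reached over untagged VLAN 99.
hostname "HP-2920-24G"
ip routing
; the posted config has 'community "public" unrestricted'; use a
; non-default name with a restricted view instead (placeholder below)
snmp-server community "CHANGE_ME" operator restricted
vlan 1
   name "VLAN_1"
   untagged 3-12
   ip address 192.168.1.1 255.255.255.0
vlan 2
   name "VLAN_2"
   untagged 13-22
   ip address 192.168.2.1 255.255.255.0
   ; must point at the DHCP server itself, not the switch's VLAN 1 address
   ip helper-address 192.168.1.10
vlan 99
   name "TRANSIT"
   ; uplink to the firewall, untagged; port 1 is no longer tagged in
   ; VLAN 1 or VLAN 2, and the firewall interface carries no VLAN tags
   untagged 1
   ip address 192.168.99.1 255.255.255.0
; default route: anything outside VLANs 1/2/99 is sent to the firewall
ip route 0.0.0.0 0.0.0.0 192.168.99.2
; firewall side (assumed): interface 192.168.99.2/24 plus static routes
; for 192.168.1.0/24 and 192.168.2.0/24 via 192.168.99.1, otherwise
; return traffic from the firewall has no path back to the client VLANs
```

With this layout the firewall only ever sees traffic leaving or entering the site, and inter-VLAN traffic never reaches it, which is the load split the original post asks for.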
Occasional Contributor
Posts: 3
Registered: ‎12-19-2013
Message 3 of 3 (903 Views)

Re: Problems with VLAN Configuration between HP 2920-24G Switch and Firewall

We found the problem.

It was a mismatch of the VLAN name.

I did the switch configuration and my workmate did the firewall configuration.

For me it would be obvious to name the vlans identical on both sides (firewall and switch)

but my workmate thought only vlan id had to be identical.


So this problem is fixed.



