RLComputing

HP Procurve J9310A - 3 VLANs with Access List

Hi Experts,

I have an HP Procurve switch with 3 VLANs as follows:

VLAN20 - 172.20.20.0/24 (Data)
VLAN21 - 172.20.21.0/24 (Voice)
VLAN192 - 192.168.3.248 - Fiber connection to a layer 2 switch on another network

All three vlans are trunked over the fiber connection. Our end devices in the network have a default gateway of 172.20.20.2 (Layer 3 Switch). However, when I do a tracert to 192.168.3.250 (device on other network) it gets stuck on the 172.20.20.2 device and times out.

I believe I need to make an access list on the HP Procurve. I would like to be able to tell the Procurve that any request for the 192.168.3.0/24 network needs to go out VLAN192. I am not familiar with HP Access Lists so I am unsure of the commands.

Thanks!
Soulja

This is a routing issue, not an access list issue. When you state that you tracert to the .250 device, from where are you tracing?

Can you post the config of the L3 and the switch on the other end of the fiber?
RLComputing

ASKER

Here you go:

Layer 3 Switch

hostname "Core-POE.2"
time timezone -300
time daylight-time-rule Continental-US-and-Canada
ip access-list extended "PLATE"
   10 permit ip 172.20.20.0 0.0.1.255 172.20.20.0 0.0.1.255
   20 permit ip 172.20.20.0 0.0.1.255 192.168.3.249 0.0.0.0
   30 deny ip 172.20.20.0 0.0.1.255 10.0.0.0 0.255.255.255
   40 deny ip 172.20.20.0 0.0.1.255 172.16.0.0 0.0.15.255
   50 deny ip 172.20.20.0 0.0.1.255 192.168.0.0 0.0.255.255
   60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
ip access-list extended "PRECISION"
   10 permit ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
   15 permit tcp 192.168.3.0 0.0.0.255 172.20.20.0 0.0.1.255 eq 139
   20 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
   30 deny ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.15.255
   40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
module 1 type J93xxA
stack commander "Switch-Stack"
stack member 1 mac-address B439D655BC00
stack member 2 mac-address B439D6558980
stack member 3 mac-address B439D65610C0
stack member 4 mac-address 0014C2F00880
stack member 5 mac-address 000E7F505D00
stack member 6 mac-address 9C8E99972FC0
interface 1
   name "Internet Port to Sonicwall"
exit
interface 2
   name "Mitel 3300 Phone Gear"
exit
interface 3
   name "Cisco WAP"
exit
interface 5
   name "PRE003DC1"
exit
interface 6
   name "PRE003SQL1"
exit
interface 21
   name "Copper Uplink to ServerRoom.11 Switch"
exit
interface 22
   name "Copper Uplink to ServerRoom-POE Switch"
exit
interface 23
   name "Fiber Uplink to Precision"
exit
interface 24
   name "Fiber Uplink to Plant-POE Switch"
exit
ip routing
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-24
   no ip address
   exit
vlan 20
   name "CorporateData"
   untagged 3-20
   ip address 172.20.20.2 255.255.255.0
   tagged 21-24
   exit
vlan 222
   name "Mgmt"
   no ip address
   exit
vlan 21
   name "CorporateVoice"
   untagged 2
   ip address 172.20.21.1 255.255.255.128
   tagged 4,6-24
   exit
vlan 23
   name "Guest"
   untagged 1
   ip helper-address 172.20.23.1
   ip address 172.20.23.1 255.255.255.128
   tagged 3,21-24
   exit
vlan 223
   name "Internet"
   tagged 21-24
   no ip address
   exit
vlan 192
   name "PRECISION"
   ip address 192.168.3.248 255.255.255.0
   tagged 23
   exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-hdx sensitivity high
fault-finder duplex-mismatch-fdx sensitivity high
fault-finder link-flap sensitivity high
sntp server priority 1 172.20.20.32
ip route 0.0.0.0 0.0.0.0 172.20.20.1
snmp-server community "snmpadmin" operator unrestricted
snmp-server contact "Bill Bundy" location "Server Room"
spanning-tree
spanning-tree force-version rstp-operation
primary-vlan 20
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager

Tracert from device 172.20.20.32 [default gateway of 172.20.20.2]
D:\Program Files\Support Tools>tracert 192.168.3.250
Tracing route to 192.168.3.250 over a maximum of 30 hops
1 1 ms 1 ms 1 ms core-poe.pre003.preciousplate.com [172.20.20.2]
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 ^C


The other end of the fiber is connected to a Layer 2 switch. All three VLANs (VLAN20, VLAN20, VLAN192) are trunked on the fiber uplink.

It's a weird situation here. I am the IT Vendor on the 192.168.3.0 network. The fiber connection runs from my building underground to the building next door [172.20.20.0 and 172.20.21.0 network]

From my network, I can ping and tracert everything on the network next door after I made the proper routing changes on our Cisco ASA device.

The Layer3 switch is managed by another IT vendor. They are also the ones with the tracert failing. I finally got them to send me the config for the Layer3 switch. They keep telling me it's my problem that packets sent from their network are reaching my network :)

Judging by the Layer3 switch config, here are the routes I believe needed to be added:

ip route 192.168.3.0 255.255.255.0 192.168.3.248

Any help/recommendations on setup is appreciated!
>Our end devices in the network have a default gateway of 172.20.20.2 (Layer 3 Switch)<
If you are on 192.168.3.0 network, then you should have 192.168.3.248 (IP of vlan) as dgw
the route command would not be accepted
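
An added example, not part of the original thread: a first-match evaluation of the posted "PLATE" ACL and a longest-prefix route lookup for the traced flow from 172.20.20.32. The posted config does not show whether either ACL is applied to a VLAN, so the ACL result only describes what the list would do if it were applied; the route table is derived here from the VLAN interface addresses and the static default route, and the function names are hypothetical.

```python
import ipaddress

# ACL "PLATE" as posted: (seq, action, src, src_wildcard, dst, dst_wildcard)
PLATE = [
    (10, "permit", "172.20.20.0", "0.0.1.255", "172.20.20.0", "0.0.1.255"),
    (20, "permit", "172.20.20.0", "0.0.1.255", "192.168.3.249", "0.0.0.0"),
    (30, "deny", "172.20.20.0", "0.0.1.255", "10.0.0.0", "0.255.255.255"),
    (40, "deny", "172.20.20.0", "0.0.1.255", "172.16.0.0", "0.0.15.255"),
    (50, "deny", "172.20.20.0", "0.0.1.255", "192.168.0.0", "0.0.255.255"),
    (60, "permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Assumption: routes derived from the posted VLAN addresses and "ip route" line
ROUTES = [
    ("172.20.20.0/24", "connected vlan 20"),
    ("172.20.21.0/25", "connected vlan 21"),
    ("172.20.23.0/25", "connected vlan 23"),
    ("192.168.3.0/24", "connected vlan 192"),
    ("0.0.0.0/0", "via 172.20.20.1"),
]

def wild_match(addr, base, wildcard):
    """Wildcard-mask match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_decision(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for seq, action, s, sw, d, dw in acl:
        if wild_match(src, s, sw) and wild_match(dst, d, dw):
            return seq, action
    return None, "deny"

def route_lookup(dst):
    """Longest-prefix match over ROUTES (the default route always matches)."""
    ip = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in ROUTES]
    return max((n for n in nets if ip in n[0]), key=lambda n: n[0].prefixlen)[1]

if __name__ == "__main__":
    # 172.16.200.1 is outside 172.16.0.0 0.0.15.255 (172.16.0.0-172.16.15.255)
    for dst in ("192.168.3.249", "192.168.3.250", "172.16.200.1", "8.8.8.8"):
        print(dst, route_lookup(dst), acl_decision(PLATE, "172.20.20.32", dst))
```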
ASKER CERTIFIED SOLUTION
RLComputing

The problem turned out to be something different the config on the HP Switch