Avatar of CHI-LTD
CHI-LTD

asked on

Routing DHCP IPs to a 2nd Vlan?

I'm stuck, from here: https://www.experts-exchange.com/questions/28232417/Creating-2x-vlans-on-a-16-subnet.html

Ideas how i can test a windows client PC (as i have no phone system yet) is picking up IPs on the 172.16 range on vlan20..

Thanks
Avatar of Mohammed Khawaja
Mohammed Khawaja

What you need to do is assign an IP helper address to the interface which your users will be connecting to.  As an example, below I have a VLAN100 for my users and I have created a sub-interface for this vlan called GigabitEthernet0/0.100.  What I need is the IP helper; below is the configuration for this interface, where the DHCP server address is 192.168.200.2:

interface GigabitEthernet0/0.100
description Users VLAN 100
encapsulation dot1Q 100
ip address 192.168.100.1 255.255.255.0
ip helper-address 192.168.200.2
ip flow ingress
ip flow egress
Avatar of CHI-LTD

ASKER

well i have a helper setup for the voice side of things (vlan20).  is this not enough?
The vlan01 (default) may be used for some machines and hasn't got a helper.  Does it need it?
Avatar of CHI-LTD

ASKER

Ok, i have now created another dhcp scope on a 2nd dhcp server (10.0.0.10-254 on 255.255.255.0) and also configured another vlan to test:


HP-E2910al-48G-PoE(config)# show config

Startup configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
interface 1
   name "HP1910"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
interface 3
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   exit
interface 8
   name "Shoretel SG90"
   exit
interface 9
   name "Shoretel SG90Bri"
   exit
interface 48
   name "vlan20 to Firewall"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT" location ""
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-19,23-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
vlan 30
   name "Voice "
   untagged 20-22
   ip address 10.0.0.1 255.255.255.0
   ip helper-address 172.19.10.18
   exit
no autorun
password manager

HP-E2910al-48G-PoE(config)#
You do not have to use a second dhcp server. Creating a dhcp scope for vlan20 on the existing dhcp server is enough.
Now connect any host that requests IP config to one of the ports associated to one of your vlans and check if it is getting an IP address in the right scope.
Note that I do not know if having 2 vlans with the same name (Voice) is a good idea. You could use "Voice 20" and "Voice 30"
Avatar of CHI-LTD

ASKER

It's not getting an ip from the scope..
i have also removed the other voice vlan, but it wasn't working before this vlan30 created anyway.
does the dhcp box have to be on the same switch as vlan01 and vlan20?
One DHCP server suffices and no, the DHCP does not need to be on the same VLAN (we are using DHCP at the Data Center for satellite sites).  All the configuration does is forward the client DHCP request to the DHCP server.
Avatar of CHI-LTD

ASKER

does it need to be on the same switch?
Nope, it depends how the switches are configured and how your routing is done. What needs to be done is that the clients connected to vlan 20 must be able to send and receive packets from the DHCP server.
Test:
Connect a client to a port belonging to vlan 20, set its IP address statically to be an address legit for this vlan and try to ping/traceroute the dhcp server. It must work.
If not, resolve the routing issue first (make sure the dhcp server answers to pings)
Avatar of CHI-LTD

ASKER

okay, machine connected to port 11 on vlan20.
set static ip to 172.16.105.101 sub: 255.255.0.0 that meets the dhcp range of the ip helper 172.19.10.17, range of dhcp- 172.16.105.100-200.
no gateway...

could ping vlan20 ip of 172.16.4.5
unable to ping vlan01 ip which is 172.19.4.5
tried tracert back to 172.19.10.17 - failed transmit error code 1231

guess the switch config is wrong somewhere..?
Avatar of CHI-LTD

ASKER

sticking gw of the vlan20 ip of 172.16.4.5 enabled me to ping both the 172.19.4.5 & 172.16.4.5
unable to ping anything else outside of the switch...
You need to configure the gateway on Machine 1 to be the IP address on the vlan 20 interface: 172.16.4.5
You need to make sure that inter-vlan routing is enabled
Missing default gateway will do it.  Add the default gateway and you should be okay.
To enable IP routing:
ProCurve Switch 5406zl# configure 
ProCurve Switch 5406zl(config)# ip routing 
ProCurve Switch 5406zl(config)# spanning-tree 
ProCurve Switch 5406zl(config)# spanning-tree priority 1

(the last two lines are for spanning tree protocol. I'll check later if this is how "portfast" should be enabled, since this is certainly what you will want)
Avatar of CHI-LTD

ASKER

it is set to the vlan20 ip 172.16.4.5
believe this is enabled too...

config:
Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.4.5
ip routing
interface 1
   name "HP1910"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
interface 3
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 48
   name "vlan20 to Firewall"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-19,23-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
vlan 30
   name "Voice2"
   untagged 20-22
   ip address 10.0.0.1 255.255.255.0
   ip helper-address 172.19.10.18
   exit
no autorun
password manager
Avatar of CHI-LTD

ASKER

The default gateway for our LAN overall should be 172.19.10.15 though..
Changed this and still not working.

Is spanning tree known as STP?  If so the comms provider says this should be disabled...
ip default gateway on your switch should NOT be changed.
It is on the client (Machine 1) that this must be (statically) set
STP=spanning tree protocol.
You should never disable it (but set it to portfast) unless you can be 100% certain there will never be loops in your wiring.
Avatar of CHI-LTD

ASKER

What should the GW be, genuine GW (firewall) or vlan01 or vlan20 ip??
Hmm, well the comms provider confirmed this should be disabled...

I'll enable now and test..
don't bother with STP for now
set the Machine1 GW to vlan20 interface
Avatar of CHI-LTD

ASKER

ok, disabled.
has been set.

can ping vlan20 and vlan01 IP's

is the 'no untagged 7-48' on the vlan01 an issue?
Avatar of CHI-LTD

ASKER

in the GUI i only have the option to enable or disable STP.
No option for port fast...

edit: for the above, i can't ping anything outside of the switch.  can't even ping the IP of the machine 2 on vlan01 on this switch (which is getting an ip from dhcp)..
Avatar of CHI-LTD

ASKER

Do i need trunks?
No, it is not.  All it means is that anything for those vlans is not allowed.
Avatar of CHI-LTD

ASKER

i'm lost..
Avatar of CHI-LTD

ASKER

Status : Port-based
  Voice : No
  Jumbo : No

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  1                Untagged Learn        Up
  2                Untagged Learn        Down
  3                Untagged Learn        Down
  4                Untagged Learn        Down
  5                Untagged Learn        Up
  6                Untagged Learn        Down

  Overridden Port VLAN configuration

  Port Mode
  ---- ------------


HP-E2910al-48G-PoE(config)# show spanning-tree

 Multiple Spanning Tree (MST) Information

  STP Enabled   : No

HP-E2910al-48G-PoE(config)# show vlan 20

 Status and Counters - VLAN Information - VLAN 20

  VLAN ID : 20
  Name : Voice
  Status : Port-based
  Voice : No
  Jumbo : No

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  7                Untagged Learn        Down
  8                Untagged Learn        Down
  9                Untagged Learn        Down
  10               Untagged Learn        Down
  11               Untagged Learn        Down
  12               Untagged Learn        Down
  13               Untagged Learn        Down
  14               Untagged Learn        Down
  15               Untagged Learn        Down
  16               Untagged Learn        Down
  17               Untagged Learn        Down
  18               Untagged Learn        Down
  19               Untagged Learn        Down
  23               Untagged Learn        Down
  24               Untagged Learn        Down
  25               Untagged Learn        Down
  26               Untagged Learn        Down
  27               Untagged Learn        Down
  28               Untagged Learn        Down
  29               Untagged Learn        Down
  30               Untagged Learn        Down
  31               Untagged Learn        Down
  32               Untagged Learn        Down
  33               Untagged Learn        Down
  34               Untagged Learn        Down
  35               Untagged Learn        Up
  36               Untagged Learn        Down
  37               Untagged Learn        Down
  38               Untagged Learn        Down
  39               Untagged Learn        Down
  40               Untagged Learn        Down
  41               Untagged Learn        Down
  42               Untagged Learn        Down
  43               Untagged Learn        Down
  44               Untagged Learn        Down
  45               Untagged Learn        Down
  46               Untagged Learn        Down
  47               Untagged Learn        Down
  48               Untagged Learn        Down


HP-E2910al-48G-PoE(config)#
You don't need trunk
Keep untagged vlans, no problem
On the DHCP server for vlan 20, make sure that in the vlan 20 scope you have set the default gateway to the IP address of vlan 20 interface on the switch : 172.16.4.5. In this scope, make sure that the subnet mask is set to 255.255.0.0. Check that the DNS servers in this scope are OK too.
Now, on machine 1, set the IP configuration to be "automatic" (set by DHCP). Connect it to a port belonging to vlan 20. You should now get a valid TCP/IP config by DHCP on vlan 20.
Avatar of CHI-LTD

ASKER

the dhcp server has the router (firewall) listed under server options.  i can't seem to change the router ip under the scope option within the vlan20 scope...
do i need to remove the server router option from server options and specifically add to the scopes?
Avatar of CHI-LTD

ASKER

Ok, managed to change the IP to 172.16.4.5 in the vlan20 scope.  the scope range is 172.16.105.100-200.
The vlan20 scope is using the dns 006, wins 044, domain 015 settings of the 172.19 range..
subnet is 255.255.0.0

still no ip, well a 169...
Avatar of CHI-LTD

ASKER

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
ip routing
interface 1
   name "HP1910"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
interface 3
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 48
   name "vlan20 to Firewall"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-19,23-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
vlan 30
   name "Voice2"
   untagged 20-22
   ip address 10.0.0.1 255.255.255.0
   ip helper-address 172.19.10.18
   exit
no autorun
password manager
Avatar of CHI-LTD

ASKER

Should the port on vlan01 connected to the port on the hp1910 switch be configured as tagged?
Avatar of CHI-LTD

ASKER

I have tried a different DHCP range of 172.19.4.100-200.  Still no joy.
Using untagged vlan is OK, as long as you have only one vlan per port on the switch.
Do you confirm that your DHCP server is bound to IP address 172.19.10.17 ?
Also do you confirm that you have the correct subnet masks for your networks?
They should be 255.255.0.0. Check the Scope properties on DHCP server.

Also, in your config, it seems that port 48 is assigned to vlan 20 and is named "vlan 20 to Firewall". You don't need an explicit connection to firewall from vlan 20, since your route should be the following:

vlan 20 <==> vlan 20gw <==> vlan 01 <==> vlan 01 gw <==> firewall.

Something else I had not seen before:
Can you explain why you have ports 7-48 as "no untagged" under vlan 01 and ports  7-19,23-48 untagged under vlan 20?
To make things easier for now, I suggest that you assign only one vlan per port on the switch.
As far as I can tell currently ports 7-19,23-48 are untagged for vlan 20 and tagged for vlan 01, which is kind of odd.

Anyway, if everything still fails, I recommend that you run a packet capture utility (MS Netmon or Wireshark) on the machine trying to do DHCP AND the DHCP server at the same time, filtering on UDP 67 and UDP 68, then post the results, along with the mac addresses on the dhcp server and the dhcp client. We should then understand better what is going on.
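The two-sided capture suggested above can be read mechanically. The following is an added example, not part of the original thread: it decodes DHCP payloads from UDP 67/68 and reports at which stage the exchange stops. The packets are constructed samples (MAC, transaction id and offered address are made up), and `parse_dhcp`, `diagnose` and `build` are hypothetical names; it relies on the relay writing its own VLAN address into the `giaddr` field, which the server uses to pick the scope and as the destination for its reply.

```python
import socket
import struct

# BOOTP fixed header (RFC 2131): op htype hlen hops xid secs flags
# ciaddr yiaddr siaddr giaddr chaddr sname file = 236 bytes, then the cookie.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload):
    """Decode the UDP payload of one port 67/68 packet into a small dict."""
    start = BOOTP.size + len(MAGIC)
    if len(payload) < start or payload[BOOTP.size:start] != MAGIC:
        raise ValueError("not a DHCP payload")
    f = BOOTP.unpack_from(payload)
    hlen, hops, xid = f[2], f[3], f[4]
    yiaddr, giaddr, chaddr = f[8], f[10], f[11]
    opts, i = {}, start
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    mtype = (opts.get(53) or b"\x00")[0]               # option 53 = message type
    router = opts.get(3, b"")                          # option 3 = default gateway
    return {
        "type": TYPES.get(mtype, "type-%d" % mtype),
        "xid": xid,
        "hops": hops,
        "mac": chaddr[:min(hlen, 16)].hex(":"),
        "giaddr": socket.inet_ntoa(giaddr),            # relay address, 0.0.0.0 if none
        "yiaddr": socket.inet_ntoa(yiaddr),            # address being offered
        "router": socket.inet_ntoa(router[:4]) if len(router) >= 4 else None,
    }


def diagnose(server_capture, client_capture, relay_ip):
    """Compare what the client and the DHCP server each saw for one exchange."""
    server = [parse_dhcp(p) for p in server_capture]
    client = [parse_dhcp(p) for p in client_capture]
    sent = {p["xid"] for p in client if p["type"] == "DISCOVER"}
    if not sent:
        return "client sent no DISCOVER"
    relayed = [p for p in server if p["type"] == "DISCOVER" and p["xid"] in sent]
    if not relayed:
        return "DISCOVER never reached the server"     # helper address or forward path
    if all(p["giaddr"] != relay_ip for p in relayed):
        return "DISCOVER arrived without the expected giaddr"
    if not any(p["type"] == "OFFER" and p["xid"] in sent for p in server):
        return "server made no OFFER"                  # no scope for the giaddr subnet
    if not any(p["type"] == "OFFER" and p["xid"] in sent for p in client):
        return "OFFER left the server but never reached the client"
    return "OFFER reached the client"


# --- constructed sample packets (not taken from the thread) ---
XID = 0x20130909
MAC = bytes.fromhex("020000000020")


def build(mtype, giaddr="0.0.0.0", yiaddr="0.0.0.0", hops=0, options=b""):
    zero = socket.inet_aton("0.0.0.0")
    header = BOOTP.pack(1 if mtype in (1, 3) else 2, 1, 6, hops, XID, 0, 0,
                        zero, socket.inet_aton(yiaddr), zero,
                        socket.inet_aton(giaddr), MAC, b"", b"")
    return header + MAGIC + bytes([53, 1, mtype]) + options + b"\xff"


SCOPE_OPTS = (bytes([1, 4]) + socket.inet_aton("255.255.0.0") +
              bytes([3, 4]) + socket.inet_aton("172.16.4.5"))
CLIENT_SIDE = [build(1)]                               # broadcast DISCOVER on vlan 20
SERVER_SIDE = [build(1, giaddr="172.16.4.5", hops=1),  # same DISCOVER after the relay
               build(2, giaddr="172.16.4.5", yiaddr="172.16.105.100",
                     hops=1, options=SCOPE_OPTS)]      # OFFER sent back to the relay

if __name__ == "__main__":
    for pkt in SERVER_SIDE:
        print(parse_dhcp(pkt))
    print(diagnose(SERVER_SIDE, CLIENT_SIDE, "172.16.4.5"))
```
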
Avatar of CHI-LTD

ASKER

Hi

2910: vlan01 on ports 1-6, vlan20 on ports 7-48
Yes, the DHCP is on 172.19.10.17 - a VM, connected to another switch (hp 1910).
Yes, all subnets are 255.255.0.0 for 172.19 and 172.16 networks..

Understood.  This is setup for when we move our hardware to another site.  we plan to dedicate and connect this port to a lan interface (vlan20) on the firewall that can handle routing (apparently).

to confirm: vlan20 ------------- 172.16.4.5 -------------- vlan01 --------------- 172.19.4.5 -------- firewall 172.19.10.15).  My default-gateway on the switch is set to 172.19.10.15 though...
Can i configure GW ips for each vlan?  Can't do this in the GUI.

I think the no untagged configured itself after i setup the vlan20 and ports 7-48.. I'll try and remove this then..
OK, thanks for the link...
I can't see any issue with your config then, I'll double check taking control on a remote site where I have procurves, vlans and a single dhcp...
I would NOT configure any port as tagged, especially the ports for vlan 01 which is the management vlan and that usually should not be tagged.
If routing from VLAN 20 to anything else works ok, you should be able to get a DHCP config from your DHCP server with the config I see you have.
Avatar of CHI-LTD

ASKER

Ok, none are tagged.
According to the GUI none of the vlans are management vlans..
Avatar of CHI-LTD

ASKER

Just noticed that the vlan01 on the 2910 is primary vlan...
Yes, primary, management. That should be the same (I am more used to cisco switches and terms)
Avatar of CHI-LTD

ASKER

made no difference..

shall i scrap the similar 172 range and try a 192?
Avatar of CHI-LTD

ASKER

sorry, which should be primary?
Nope, I don't think this would change a damn thing.
Let me check my working config...
Avatar of CHI-LTD

ASKER

ok, locally on the switch in the GUI i can ping both vlan ips 172.19.4.5 and 172.16.4.5..
But a client on the vlan01 (2910) cannot ping the vlan20 when using dhcp..
Setting a static 172.19.105.201 on 255.255.0.0 and GW of vlan01 IP of 172.19.4.5 results in pings to 172.19.4.5 and 172.16.4.5, but nothing outside of this switch..
With both machines on vlan01 and vlan20 with statics i can ping from vlan01 to vlan20 but not the other way...
No DNS setup.  Both using GW of vlan01 and vlan20 interface...
Avatar of CHI-LTD

ASKER

And in the GUI on the switch i can ping both client machines with the statics..
Avatar of CHI-LTD

ASKER

And i can ping the local gateway of our firewall and the dhcp server from the GUI on the switch!!!!!!!!
Avatar of CHI-LTD

ASKER

i can also ping the client machine with static 172.19.105.201 on the vlan01 from dhcp server 172.19.10.17..  but not the 172.16.105.210.
SOLUTION
Avatar of vivigatt
vivigatt
Avatar of CHI-LTD

ASKER

No i was just testing without the GW IP of 172.19.10.15 given by DHCP.  It picks up IP's ok.
Avatar of CHI-LTD

ASKER

and can ping everything on the vlan01, but just nothing on the vlan20, i assume because of the GW IP being in place...
nope. Because of your external gateway. You must configure somewhere a route that informs your clients on vlan 01 to use 172.19.4.5 as the gateway when they want to reach a node on vlan 20.
Maybe you can just set the default gateway for scope 172.19 to be 172.19.4.5.
Then, packets should be routed to default gateway from the switch and to vlan 20 from the switch too.
Ok, i get the picture better now.
My fault, I did not realize that nodes on vlan 01 used a default gw that was not your switch.
Just change the default gw on the dhcp server ip config to be 172.19.4.5. Check that it can now ping a host on vlan 20 that has a static ip. And that it can ping 8.8.8.8 too.
If that works, change default gateway for vlan 01 scope to be 172.19.4.5.

Another way around would be to add a static route to your current gateway so that when it receives a packet aimed at vlan 20, it knows it has to forward it to 172.19.4.5 for the switch to route it.
Avatar of CHI-LTD

ASKER

i can't see how this will work, and will stop users getting out of our lan...
Avatar of CHI-LTD

ASKER

I assume you mean change the GW on the 172.16 scope in dhcp not the 172.19 scope?

Not as simple as i was hoping.

Do you think this will work easier when we move sites and have a newly configured firewall with vlans01 and vlan20 configured on the lan ports on the firewall?

thanks
Avatar of CHI-LTD

ASKER

is the default ip of the switch 172.19.10.15 (our firewall) required or causing the problem?
Avatar of CHI-LTD

ASKER

attached is my current test setup (issues we are having now) and the future setup, for our new site.

Really worried i could come across the same sorts of problems when we configure this...
Current--test--vs-New-Setups.jpg
You have to understand better how routing works.  Try to set the gw for vlan 01 clients to be 172.19.4.5 and for vlan 20 to be 172.16.4.5. As long as the switch has 172.19.10.15 as its default gw, packets to the outside world will be correctly routed. And internal packets too.
The problem you have with dhcp and vlan 20 is that the dhcp server can't send dhcp replies to vlan 20 nodes because it sends all packets aimed at  vlan 20 to the default gw that does not know how to reach vlan 20...
Avatar of CHI-LTD

ASKER

ok, i can ping the client ip's and vlan ips between the clients fine.
i can also ping the true gw .15 from the statically ip'd machine on the 172.19 range.
but i can't ping the gw from the statically ip'd machine on the 172.16 range.

ideas?
Can you export the switch's routing table ?
Avatar of CHI-LTD

ASKER

config report?
Avatar of CHI-LTD

ASKER

do i need to configure an 'ip route'?
do i need to configure an 'ip-helper' for the default vlan01 (even though the client is picking up an ip from dhcp server)?

http://www.hp.com/rnd/support/config_examples/5300xl_dhcp_relay.pdf
No ip-helper for the vlan 01.
I can't remember right now the command to export the switch's routing table.
There are hidden commands:
http://evilrouters.net/2010/04/06/hidden-procurve-commands/
but I think it should not be hidden.
You may want to add a gateway for vlan 20, and this gateway would be vlan 01 interface IP address 172.19.4.5  
Something like:
vlan 20
   name "Voice"
   untagged 7-19,23-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   ip default gateway 172.19.4.5
   exit

( I am not 100% sure that this command will work, and I can't check it right now...)

If that still fails, can you run a traceroute from a client on vlan 20 to the default gw and to the DHCP server and see where it stops?
Avatar of CHI-LTD

ASKER

tracert is stopping at the machine. not going anywhere.
I don't get it.
Let's say that you have client20 and client01 on vlan 20 and vlan 01
You said that you could ping client 01 from client 20 and vice versa, right?
If so, the routing between vlan 01 and vlan 20 seems to be ok.
Can you confirm?
If that's true, you should get a traceroute from client 20 to client 01 that shows
client 20
vlan 20 gw (172.16.4.5)
vlan 01 gw (172.19.4.5)
client 01
Do you confirm?

Then, if you run a traceroute from client 20 to 172.16.4.5 it should work. The same goes for 172.19.4.5. So as far as I can imagine, a traceroute from client 20 to 172.19.10.17 and/or to 172.19.10.15 should at least reach 172.19.4.5

can you run a
route print
command on client 20 and paste it ?

I'll take a look at this dhcp option 82 and see if this could be useful
Avatar of CHI-LTD

ASKER

Sorry, trying to multitask..

So, by setting the 2x machines static IP's, the subnet and GW of the vlan switch, i can ping between the 2x clients and the IP of the vlans.

Tracert is fine also.
Avatar of CHI-LTD

ASKER

C:\Users\user>route print
===========================================================================
Interface List
 30...02 b0 7a e2 85 01 ......BlackBerry Virtual Private Network
 13...00 15 c5 03 3e 7f ......Broadcom NetXtreme 57xx Gigabit Controller
  1...........................Software Loopback Interface 1
 33...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 31...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 32...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.4.5   172.16.105.210    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link   169.254.168.162    261
  169.254.168.162  255.255.255.255         On-link   169.254.168.162    261
  169.254.255.255  255.255.255.255         On-link   169.254.168.162    261
       172.16.0.0      255.255.0.0         On-link    172.16.105.210    266
   172.16.105.210  255.255.255.255         On-link    172.16.105.210    266
   172.16.255.255  255.255.255.255         On-link    172.16.105.210    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    172.16.105.210    266
        224.0.0.0        240.0.0.0         On-link   169.254.168.162    261
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    172.16.105.210    266
  255.255.255.255  255.255.255.255         On-link   169.254.168.162    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       172.16.4.5  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 30    261 fd00::/8                 On-link
 30    261 fd19:41ac:a5c4:9821::/64 On-link
 30    261 fd19:41ac:a5c4:9821:f71:3243:e877:fa88/128
                                    On-link
 13    266 fe80::/64                On-link
 30    261 fe80::/64                On-link
 30    261 fe80::3d6a:103:cb0d:a8a2/128
                                    On-link
 13    266 fe80::808c:d9ee:db62:326b/128
                                    On-link
  1    306 ff00::/8                 On-link
 13    266 ff00::/8                 On-link
 30    261 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Users\user>
Avatar of CHI-LTD

ASKER

and when the clients are auto set on tcp ip, the vlan01 machine gets its ip from dhcp fine.
the vlan20 machine doesn't get its ip.

when pinging from the machine with vlan01 ip to the vlan20 machine i get reply from our external cisco 1841 router to say unreachable..
Avatar of CHI-LTD

ASKER

latest config:

HP-E2910al-48G-PoE# show running-config

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
ip routing
interface 1
   name "HP1910"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
interface 3
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 48
   name "vlan20 to Firewall"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
no autorun
password manager
SOLUTION
Avatar of CHI-LTD

ASKER

Do i need ip route 0.0.0.0 0.0.0.0 172.19.10.15 set?
Avatar of CHI-LTD

ASKER

Not sure if aware, but the DHCP server isn't on this switch, but an hp 1910 on default vlan01...
Yep, I know that the dhcp server is on an other host.
I need to see the routing for a vlan 01 client when IP configured by DHCP.
Have you set the default GW (in DHCP config) to 172.19.4.5?
If not, have you set a static route on the default router (172.19.10.15) to allow requests to 172.16.0.0 network to be sent to 172.19.4.5 interface?
Avatar of CHI-LTD

ASKER

running dhcp-relay in the config area returned no errors but also doesn't show it on the show config command..
not sure how to find where it is in gui and status of it!?

2. so set the GW for the 172.16 range to the 172.19.4.5 GW?  If so, already done.

3.
HP-E2910al-48G-PoE(config)#
HP-E2910al-48G-PoE(config)#
HP-E2910al-48G-PoE(config)# show ip route

                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  172.16.0.0/16      Voice           20   connected            1          0
  172.19.0.0/16      DEFAULT_VLAN    1    connected            1          0


HP-E2910al-48G-PoE(config)#
regarding the question about ip route 0.0.0.0 on the switch, it depends on the routing table for the switch. My understanding is that adding a default gw for that switch should set this route, but this has to be verified
Avatar of CHI-LTD

ASKER

GW for our clients on vlan01 is 172.19.10.15 - the firewall.

this will stop our machines going out onto the web..?

Will check the route on the firewall..
Regarding "2. so set the GW for the 172.16 range to the 172.19.4.5 GW?  If so, already done." this is not true (unless this is a typo).
GW for 172.16 range must be 172.16.4.5
GW for 172.19 range must be 172.19.4.5 OR 172.19.10.15 if a static routing to 172.16.0.0 network exists on 172.19.10.15
Regarding "GW for our clients on vlan01 is 172.19.10.15 - the firewall.

this will stop our machines going out onto the web..?

Will check the route on the firewall.. "

The answer is no !

Your vlan 01 clients will send their packets for "the web" to the switch (172.19.4.5) which will forward them to the firewall (172.19.10.15).

Your issues come from there ! your host on 172.19.0.0 must be able to reach hosts in 172.16.0.0 network. If you tell vlan 01 hosts that the "default gateway" is 172.19.10.15, then 172.19.10.15 must know how to reach vlan 20 hosts. If not, it will send the packets to the ISP (or discard them since 172.19 is not a public subnet). And this is particularly true for your dhcp server...
If you want to make a test, add a static route to 172.16.0.0 to your DHCP server routing table (route add 172.16.0.0 MASK 255.255.0.0 172.19.4.5 METRIC 2 IF <Interface Number>), but this is not a sustainable/clean solution.  Your network infrastructure must be aware of vlan 20 and how to route packets to it.

Now that I saw the routing table on your switch, yes, you need to add the route to 0.0.0.0 0.0.0.0 172.19.10.15 using the interface DEFAULT_VLAN and a metric of 2.
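The reply-path problem these answers describe (the relayed request reaches 172.19.10.17, but the server sends everything for 172.16.0.0 to 172.19.10.15, which has no route back to vlan 20) can be traced hop by hop. This is an added example, not part of the original thread: a small longest-prefix-match model using the addresses quoted in the posts. `Node`, `build_lan` and `trace` are hypothetical names, 203.0.113.1 is a constructed placeholder for the firewall's upstream next hop, and the switch is assumed to carry the default route recommended in the thread.

```python
import ipaddress


class Node:
    """A host or router: interface addresses plus static routes."""

    def __init__(self, name, addrs, routes=(), forwards=False):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in addrs]
        self.routes = [(ipaddress.ip_network(d), ipaddress.ip_address(g))
                       for d, g in routes]
        self.forwards = forwards          # True only for devices that route

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces)

    def next_hop(self, dst):
        """Longest-prefix match over connected networks and static routes."""
        found = [(i.network, dst) for i in self.ifaces if dst in i.network]
        found += [(net, gw) for net, gw in self.routes if dst in net]
        if not found:
            return None
        return max(found, key=lambda r: r[0].prefixlen)[1]


def build_lan(server_gw="172.19.10.15", server_routes=()):
    """Topology from the thread; server_gw/server_routes model the DHCP server."""
    nodes = [
        Node("switch", ["172.19.4.5/16", "172.16.4.5/16"],
             [("0.0.0.0/0", "172.19.10.15")], forwards=True),
        Node("firewall", ["172.19.10.15/16"],          # knows nothing of 172.16.0.0/16
             [("0.0.0.0/0", "203.0.113.1")], forwards=True),
        Node("dhcp", ["172.19.10.17/16"],
             [("0.0.0.0/0", server_gw)] + list(server_routes)),
        Node("client20", ["172.16.105.210/16"], [("0.0.0.0/0", "172.16.4.5")]),
    ]
    return {n.name: n for n in nodes}


def trace(nodes, src, dst, max_hops=8):
    """Follow a packet from node `src` to address `dst`.

    Returns (delivered, path_of_node_names, reason).
    """
    dst = ipaddress.ip_address(dst)
    node, path = nodes[src], [src]
    for _ in range(max_hops):
        if node.owns(dst):
            return True, path, "delivered"
        if node.name != src and not node.forwards:
            return False, path, "%s does not forward packets" % node.name
        hop = node.next_hop(dst)
        if hop is None:
            return False, path, "%s has no route to %s" % (node.name, dst)
        nxt = next((n for n in nodes.values() if n.owns(hop)), None)
        if nxt is None:
            return False, path, "%s sent it to %s, outside the LAN" % (node.name, hop)
        node = nxt
        path.append(node.name)
    return False, path, "hop limit reached (routing loop)"


if __name__ == "__main__":
    lan = build_lan()
    # Relayed request: switch (source 172.16.4.5) to the DHCP server.
    print("request:", trace(lan, "switch", "172.19.10.17"))
    # Reply: DHCP server back to the relay address on vlan 20.
    print("reply  :", trace(lan, "dhcp", "172.16.4.5"))
    # Test fix from the thread: static route for 172.16.0.0 on the server.
    fixed = build_lan(server_routes=[("172.16.0.0/16", "172.19.4.5")])
    print("fixed  :", trace(fixed, "dhcp", "172.16.4.5"))
    # Alternative: server uses the switch as default gateway; internet-bound
    # traffic still goes on to the firewall.
    via_switch = build_lan(server_gw="172.19.4.5")
    print("web    :", trace(via_switch, "dhcp", "8.8.8.8"))
```
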
Avatar of CHI-LTD

ASKER

Yes, i have set the GW ip in dhcp scope 172.19.0.0 to 172.16.4.5.
ok, will check out the route on the firewall.
You wrote:
"Yes, i have set the GW ip in dhcp scope 172.19.0.0 to 172.16.4.5."
This is not correct.
GW for 172.16 range must be 172.16.4.5
GW for 172.19 range must be 172.19.4.5 OR 172.19.10.15 if a static route to 172.16.0.0 network exists on 172.19.10.15
Avatar of CHI-LTD

ASKER

Sorry, my typo.
172.19.0.0 is GW 172.19.10.15
172.16.0.0 is GW 172.16.4.5
Avatar of CHI-LTD

ASKER

we have also disabled STP, ICMP redirects (as advised by the comms co)...
SOLUTION
Avatar of CHI-LTD

ASKER

'In all cases, make sure that the switch has a default route to 172.19.10.15.'
So would the default GW i have in place on the switch 172.19.10.15 be sufficient?

What you're saying is that i need to change the GW on the DHCP scope for 172.19.0.0 to 172.19.4.5?


With the present ASA setup we can only have one vlan due to the licences..
Avatar of jburgaard
jburgaard

Scope options should set DGW to IP of vlan , If it cannot be on ASA then on L3 switch

L3 switch should have:
IP ROUTE 0.0.0.0  0.0.0.0  172.19.10.15

ASA should have routes back to L3 switch
as far as I remember some 'routing internal' statement
Avatar of CHI-LTD

ASKER

ok, i have ran the command for IP route 0.0.0.0 0.0.0.0 172.19.10.15 - but doesnt show me this when telnetting into it or on the config report..
We cant change/add any routes or vlans on the asa due to only having one licence apparently..
So you need to use your L3 switch as your main router for all your vlans.
This means that in DHCP scopes and on all nodes that have static IP config, the default GW must be one of the ip addresses of the switch (in their own vlan).
for 172.16.0.0 subnet/scope, default GW must be 172.16.4.5
for 172.19.0.0 subnet/scope, default GW must be 172.19.4.5
The default route for the switch must be configured this way:
ip route 0.0.0.0/0 172.19.10.15
You have to save the configuration after modifying it, so that the route shows up when you enter the command
show ip route
on the switch, even after a reboot.
dhcp relay must also be enabled.
Avatar of CHI-LTD

ASKER

Does this mean then that the existing 1910 default switches that servers and machines are connected to are going to cause problems, or at least the vlan01 on the 2910 needs to be utilised/connected up for the clients/servers?
Avatar of CHI-LTD

ASKER

how can i confirm the ip route is configured correctly on the switch?
"Does this mean then that the existing 1910 default switches that servers and machines are connected to are going to cause problems, or at least the vlan01 on the 2910 needs to be utilised/connected up for the clients/servers?"

Not sure I get the question.
There should not be any problem if you change the default gateway for 172.19.x.x to be 172.19.4.5 on ALL nodes connected to 172.109.x.x network (except your firewall/router)

"how can i confirm the ip route is configured correctly on the switch?"
the command is
show ip route
and to make a test, then traceroute to 8.8.8.8 from a host on vlan01 and from a host on vlan20 (when the configuration is all set)
Avatar of CHI-LTD

ASKER

HP-E2910al-48G-PoE# show ip route

                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          172.19.10.15    1    static               1          1
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  172.19.0.0/16      DEFAULT_VLAN    1    connected            1          0


HP-E2910al-48G-PoE#

what is 8.8.8.8?
8.8.8.8 is a public DNS server provided by google

it is strange that the route to 172.16.0.0 is not shown. You should add it:

ip route 172.16.0.0/16 172.16.4.5
Avatar of CHI-LTD

ASKER

ok, will do.
Setting the static IP and GW of my client on vlan01 (Hp1910) to 172.19.4.5 allows me out onto the web still..
Avatar of CHI-LTD

ASKER

HP-E2910al-48G-PoE>
HP-E2910al-48G-PoE>
HP-E2910al-48G-PoE> enable
Username: admin
Password:
HP-E2910al-48G-PoE# ip route 172.16.0.0/16 172.16.4.5
Invalid input: ip
HP-E2910al-48G-PoE#
Avatar of CHI-LTD

ASKER

This?
ip route 0.0.0.0 0.0.0.0 172.16.4.5?
Avatar of CHI-LTD

ASKER

Or ip route 172.16.0.0 255.255.0.0 172.16.4.5
neither. The syntax is
ip route <network>/<SubnetMaskBits> <IPAddress>
You need:
ip route 172.16.0.0/16 172.16.4.5
You need to enter this command while in config context in the router
Avatar of CHI-LTD

ASKER

HP-E2910al-48G-PoE(config)# ip route 172.16.0.0/16 172.16.4.5
172.16.4.5 can not be switch IP address and route gateway at the same time.
HP-E2910al-48G-PoE(config)#
Right !
Normally, when adding a VLAN, with an interface and when routing is enabled, you don't have to add explicit routes. But I was surprised not to see a route to 172.16.0.0 in the routing table.

Let's do the following:

Without adding this route to 172.16.0.0, please check that vlan 20 clients can be pinged/tracerouted from (and can ping/traceroute to) 172.19.10.15, 172.19.10.17 (and to 8.8.8.8)
If that fails, the route to add is
172.16.0.0/16 172.19.4.5
Yet, one thing that worries me in your config, where you can't add a static route to your router/ASA, is that packets aimed at vlan 20 that comes "from the internet", thus via the router/ASA, will have no route to vlan 20...
One trick I can think of is to define on the ASA a gateway for subnet 172.16.0.0/12 (172.16.0.0 255.240.0.0), said gw being 172.19.4.5.
The IP config of the router should then be:
ip:172.19.10.15
subnet mask:255.240.0.0
gw: 172.19.4.5
I have to think a little more about this when I have some free brain cycles, since this is not a common situation for me (I usually use static routes on the router/firewall itself)
Avatar of CHI-LTD

ASKER

No i can't ping between vlan01 and vlan20 without setting static IPs and GW on the clients.

As mentioned, setting the static details on my machine (to 172.19.4.5) allows me to get out onto the web (i assume through 172.19.10.15 a tracert shows 172.19.4.5 only) and allows me to ping the vlan20 interface of 172.16.4.5

I will try and change the GW from 172.19.10.15 then to all my clients via the 172.19.0.0 scope on dhcp?
There may be a way to set the static route to 176.16.0.0 on each node. This is not clean but it should work (and if the topology does not change often, this should not be a problem).
On vlan 01 nodes with Static IP configuration (such as the DHCP server) use
route add 172.16.0.0 MASK 255.255.0.0 172.19.4.5 METRIC 2 IF <Interface ID, listed when you do a route print command>
On vlan 01 nodes whose addresses are set by DHCP, use DHCP option 33 or 249.
On ASA node, this is the same issue as previously
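What the DHCP server would put on the wire for the options mentioned above, as an added example that is not part of the original post. It encodes the thread's route (172.16.0.0/16 via 172.19.4.5) as option 33 (classful static routes, RFC 2132) and in the RFC 3442 classless layout that option 121 defines and Microsoft's option 249 shares; the function names are made up for this illustration.

```python
import ipaddress


def classful_prefixlen(address):
    """Prefix length implied by the address class (what option 33 assumes)."""
    first_octet = address.packed[0]
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{address} is not a class A/B/C address")


def encode_option33(routes):
    """RFC 2132 option 33: 8 bytes per route, destination then router, no mask."""
    out = bytearray()
    for prefix, router in routes:
        net = ipaddress.ip_network(prefix)
        if int(net.network_address) == 0:
            raise ValueError("0.0.0.0 is an illegal destination in option 33")
        if net.prefixlen != classful_prefixlen(net.network_address):
            raise ValueError(f"{net} is not classful; use the classless option")
        out += net.network_address.packed
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def encode_classless_routes(routes):
    """RFC 3442 layout: prefix length, significant destination octets, router."""
    out = bytearray()
    for prefix, router in routes:
        net = ipaddress.ip_network(prefix)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes; rejects truncated or invalid data."""
    routes, i = [], 0
    while i < len(data):
        prefixlen = data[i]
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen}")
        significant = (prefixlen + 7) // 8
        end = i + 1 + significant + 4
        if end > len(data):
            raise ValueError("truncated classless route option")
        dest = data[i + 1:i + 1 + significant] + bytes(4 - significant)
        router = data[i + 1 + significant:end]
        routes.append((f"{ipaddress.IPv4Address(dest)}/{prefixlen}",
                       str(ipaddress.IPv4Address(router))))
        i = end
    return routes


# The route from the thread: vlan 20 is reached through the switch's vlan 1 address.
THREAD_ROUTE = [("172.16.0.0/16", "172.19.4.5")]

if __name__ == "__main__":
    print("option 33 payload :", encode_option33(THREAD_ROUTE).hex(" "))
    print("classless payload :", encode_classless_routes(THREAD_ROUTE).hex(" "))
    # RFC 3442: a client that honours option 121 ignores the Router option (3),
    # so the default route has to be carried in the same option as well.
    with_default = THREAD_ROUTE + [("0.0.0.0/0", "172.19.10.15")]
    print("with default route:", encode_classless_routes(with_default).hex(" "))
```

Comparing these bytes with the option seen in a packet capture of the DHCP offer is a quick way to confirm the scope option was entered correctly.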
Avatar of CHI-LTD

ASKER

Ok:

No DNS set.

HP 2910al:
Static client on vlan01 - 172.19.105.200 255.255.0.0 172.19.4.5
Static client on vlan20 - 172.16.105.200 255.255.0.0 172.16.4.5

HP 1910:
Static DHCP Server/Helper - 172.19.10.17 255.255.0.0 172.19.10.15, Scope 172.19.0.0 still on GW 172.19.10.15

I can ping fine between the clients and the vlan interfaces.  I can ping from vlan01 to devices/server on vlan01.  I CANNOT ping the DHCP server from the client on vlan20.

I'm unable to get the ASA vlan20/172.16.0.0 added because of the licence issue.  I too found out the base licence should cover this.  This is why we are moving away from this ISP..

I assume until the firewall is sorted then we wont be able to route?

Thanks
add a permanent route on the DHCP server to 172.16:
route add 172.16.0.0 MASK 255.255.0.0 172.19.4.5 METRIC 2 IF <DHCPServerLAN_Interface_Number> -p

then vlan 20 and DHCP server should work OK together (ping/tracert between DHCP server and vlan 20 and thus DHCP Server should be able to assign IP addresses to vlan 20 too)
But while your ASA can't route packets to vlan 20, the nodes on vlan 20 will not be able to "go to the internet".
Avatar of CHI-LTD

ASKER

Is this a best practice?
Avatar of CHI-LTD

ASKER

If we change the scope 172.19.0.0 on the DHCP server to GW 172.19.4.5 then it should work though, as my client machine with static can ping both 172.16 172.19 and firewall and get on the web..
Can a NODE (client) in vlan 20 ping the DHCP server?
Pinging the Switch's interfaces is not enough to validate your routing scheme.
Can a node in vlan 20 ping the firewall?
Can it ping 8.8.8.8?
Avatar of CHI-LTD

ASKER

Sorry no it cant.  
No to the firewall.
No to 8.8.8.8
Can it ping the DHCP server?
Can it ping 172.19.4.5?
Avatar of CHI-LTD

ASKER

the client on 172.19.4.5 interface, vlan20 can only ping locally i.e. the 172.16.*.* addresses.
Avatar of CHI-LTD

ASKER

Sorry, the Vlan01 interface 172.19.4.5 can be pinged by the statically IP'd client, but nothing else on 172.16.0.0.
Is IP routing enabled on the switch?
Is the routing table still:
  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          172.19.10.15    1    static               1          1
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  172.19.0.0/16      DEFAULT_VLAN    1    connected            1          0

?

If so, try to add the route to 172.16 this way:
 ip route 172.16.0.0/16 Voice

Your routing table was once this one:
  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  172.16.0.0/16      Voice           20   connected            1          0
  172.19.0.0/16      DEFAULT_VLAN    1    connected            1          0

This is what you should have (and I don't understand how this route can have been deleted)...
Avatar of CHI-LTD

ASKER

HP-E2910al-48G-PoE(config)# show ip route

                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          172.19.10.15    1    static               1          1
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  172.16.0.0/16      Voice           20   connected            1          0
  172.19.0.0/16      DEFAULT_VLAN    1    connected            1          0


HP-E2910al-48G-PoE(config)#
Avatar of CHI-LTD

ASKER

odd eh?!
Check if ip routing is enabled
Check that the node on Vlan 20 has 172.16.4.5 as its gateway
Avatar of CHI-LTD

ASKER

HP-E2910al-48G-PoE(config)# show config

Startup configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
no ip icmp redirects
ip routing
interface 1
   name "to HP1910"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
interface 3
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 10
   name "Oaisys Port Mirror"
   exit
interface 48
   name "vlan20 to Firewall"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
no autorun
password manager

HP-E2910al-48G-PoE(config)#
Avatar of CHI-LTD

ASKER

should the subnets be changed to 255.240.0.0.
Avatar of CHI-LTD

ASKER

no, ignore, its multinetting.
Avatar of CHI-LTD

ASKER

does it need a trunk to the other switch/?
Avatar of CHI-LTD

ASKER

HP-E2910al-48G-PoE(vlan-20)# show run

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 172.19.10.15
ip routing
interface 1
   name "to HP1910"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
interface 3
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 10
   name "Oaisys Port Mirror"
   exit
interface 48
   name "vlan20 to Firewall"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
no autorun
password manager

HP-E2910al-48G-PoE(vlan-20)#
All seems OK to me.
What is the gateway for your client on vlan 20 ?
You don't need a trunk to "the other switch", but what is this "other switch" ? A switch connected to your port #1? If so, and if all the ports of this switch are untagged, this other switch will be set on vlan 1 (all the nodes attached to it will belong to vlan 1)
Avatar of CHI-LTD

ASKER

GW for the client is 172.16.4.5

The other switch is a hp 1910 on default vlan01.  Connected to another HP 1910 which is connected to the 2910al.
All ports untagged.

So are you saying that the other 1910s on vlan01 is the cause?

The cisco managed team are looking at creating an additional vlan20 interface on the asa...
Can you ping a host connected to one of the vlan 01 ports on the  2910al (with static IP config)?
What is the GW IP address of the host in vlan 01 that you tried to ping from the host in vlan 20?
Avatar of CHI-LTD

ASKER

okay, they can create another vlan20 which can forward traffic out onto the web.  They will create a static GW on the asa 172.16.10.15.  
I assume the 2910al will connect directly into this port.  The issue on the asa is still licensing and currently the vlan10 and vlan20 on the asa won't be able to route.

Still, our 2910al should be able to route between vlan01 and 20 regardless of the firewall?
Avatar of CHI-LTD

ASKER

no. i can only ping the interface on vlan01 from a machine on vlan20.
172.16.4.5
you DON'T need another vlan on the ASA, just a static route
Avatar of CHI-LTD

ASKER

CLient on vlan01 (static):

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . :
   Primary Dns Suffix  . . . . . . . : .local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : .local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controlle
r
   Physical Address. . . . . . . . . : 00-12-3F-CC-62-3F
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::441b:556:e976:66c5%15(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.19.105.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 172.19.4.5
   DHCPv6 IAID . . . . . . . . . . . : 301994559
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0C-46-62-04-00-12-3F-CC-62-3F

   DNS Servers . . . . . . . . . . . : 172.19.10.17
                                       172.19.10.18
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{B6434B7A-F04D-4159-9C7B-0BAE4D63F35C}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 18:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


Client 2 on vlan20 (static):

C:\Users\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . :
   Primary Dns Suffix  . . . . . . . : .local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : .local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controlle
r
   Physical Address. . . . . . . . . : 00-15-C5-03-3E-7F
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::808c:d9ee:db62:326b%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.16.105.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 172.16.4.5
   DHCPv6 IAID . . . . . . . . . . . : 402658757
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-40-87-3A-00-15-C5-03-3E-7F

   DNS Servers . . . . . . . . . . . : 172.19.10.17
                                       172.19.10.18
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{D6E142AC-5389-4CF0-8513-26909EDB65D8}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
What is the GW IP address of the host in vlan 01 that you tried to ping from the host in vlan 20?
Avatar of CHI-LTD

ASKER

172.19.4.5 which is the interface of vlan01 on the switch..
Have you enabled ICMP echo in Windows Firewall of clients on vlan 01 and vlan 20 so that they answer to pings and traceroute ?
http://technet.microsoft.com/en-us/library/cc749323%28v=ws.10%29.aspx
I have a comment to vivigatt paradox in https://www.experts-exchange.com/questions/28235451/Routing-DHCP-IPs-to-a-2nd-Vlan.html?anchorAnswerId=39509243#a39509243
My guess based on experiment with similar routing on a 2910al :
when no active host is connected to vlan20, the IP-interface does not come up and no routing takes place -not even to the switch's own vlan20-IP-address, I have seen this sort of behavior on CISCO's before (but I do not think my old Procurve5308 acted that way).
jburgaard, this seems not to be the case here since vlan 20 IP can be pinged
Avatar of CHI-LTD

ASKER

Hi, sorry i'm on a training course this week (ccna) :), so can test further.  Maybe i should have bought a cisco!

Is it a subnet or class issue?  Should i use a 10. for vlan20 or use 255.0.0.0?
nope, your setting SHOULD work fine as long as you have the 2910al set as the router for vlan 01 and vlan 20 clients. Just check that your hosts do respond to ping (firewall config). Also please use ping -4 in order to use IP v4 only, since we have not done anything for routing ipv6 (you may even disable ipv6 on the hosts for now)
We may use packet traces to find out what is going on, if the routing issue is confirmed.
Avatar of CHI-LTD

ASKER

I'm back.

The trainer believes we need a trunk between the 1910 and 2910 switches in order to send the DHCP traffic between the switches?
This is not true.
A trunk is a way for several VLANs (with maximum one untagged VLAN) to share a single port. This is not needed when you use the DHCP Relay feature that is implemented by ip-helper command.
Check that your hosts answer to pings in their own VLAN and tell us if this is the case
Avatar of CHI-LTD

ASKER

So how can i route or allow the DHCP traffic to travel across the 1910 switch to the 2910 switch on vlan20?

vlan1 on the 2910 works fine (with the 1910 and 2910 daisy chained via cat5 straight through cable) and picks up the IPs from DHCP on the 1910 switch.

Again, statics route fine between vlans.  DHCP clients cant..
Your DHCP-server is at 172.19.10.17
does it have L3-switch as DGW and same netmask as the vlan ?
Avatar of CHI-LTD

ASKER

To add to the above, i cant ping the 172.16.4.5 IP on vlan 20 when using DHCP on the client.

But i can talk to vlan 20 when setting the GW on the client to the vlan20 IP.  Is this the correct way?

Config:

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 172.19.10.15
ip routing
interface 1
   name "to HP1910"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
interface 3
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 10
   name "Oaisys Port Mirror"
   exit
interface 48
   name "vlan20 to Firewall"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
no autorun
password manager
Avatar of CHI-LTD

ASKER

Correct, its 172.19.10.17

No.  Its physically connected into the 1910 switch.  The GW on the DHCP box is the firewall (172.19.10.15) on vlan1 at present for the local VM NIC/TcpIP and the DHCP scope.
I think we are not making any progress because things are confused!
I asked you to make some tests WITHOUT USING DHCP!
So WITHOUT USING DHCP, with one client on vlan 1 set to use static IP and a GW of 172.19.4.5, and WITHOUT USING DHCP, with a client on vlan 20 using static IP address using a GW of 172.16.4.5, can both clients be pinged?
In the same config, can the client in vlan 20 ping the DHCP server?
Can the DHCP server ping the client in vlan 20?

Of course, you must first make sure that nodes do answer to ping in their own vlan (firewall config).
I asked you several times to set the DHCP server GW to 172.19.4.5 OR to set a static route on 172.19.10.15 for subnet 172.16.0.0 making it aware of using 172.19.4.5 as the gateway to 172.16 network OR to add a static route on the DHCP server so that it is aware that 172.16 subnet must be reached using 172.19.4.5 GW...

But first thing first:
Can the hosts in vlan 1 (including dhcp server) ping a host in vlan 20, when the host in vlan 1 uses a GW of 172.19.4.5?
Avatar of CHI-LTD

ASKER

Yes, with statics of the vlan interfaces as the clients DGW, the vlan1 and 20 routes fine between the 2x clients.
No, cant ping the DHCP server from Client on vlan20 and from server to client.

Think to do with firewall on vlan01 only..
OK, I realized that you never set your DHCP server to be in an environment where it knows how to route packets to vlan 20.
As mentioned several times earlier, you can do it 3 ways:
(Simpler) - Set the DHCP server IP config so that it uses 172.19.4.5 as its default GW. Then, it sends all the packets for hosts outside 172.19 to the 2910 switch, which knows to route packets to vlan 20. Note that the only hosts in vlan 1 which can communicate with hosts in vlan 20 will be the ones that have 172.19.4.5 as their default GW. Note as well that the packets "to the Internet" will be forwarded by the 2910 to the gateway on 172.19.10.15 and since it is routing and not natting, the original IP address of the host in vlan 1 will be preserved when reaching 172.19.10.15 and NAT will work just fine, meaning that your hosts will still be able to reach "the Internet".
OR
(Cleaner) - Create a static route to 172.16 on your router (the one on 172.19.10.15) so that packets to 172.16 subnet are sent to 172.16.4.5 (the 2910, which knows how to route packets to 172.16)
OR
Create a static route on the DHCP server to 172.16 using the command (let me find it again in a previous comment...):
route add 172.16.0.0 MASK 255.255.0.0 172.19.4.5 METRIC 2 IF <Interface Number> -P
(the "Interface Number" is the interface Id for the NIC in the DHCP server that has IP address 172.19.10.17 and that you can read using "route print" command on the dhcp server). This last method has a drawback: only the hosts in vlan 1 that do have this static route installed can communicate with hosts on vlan 20.
Avatar of CHI-LTD

ASKER

Can the hosts in vlan 1 (including dhcp server) ping a host in vlan 20, when the host in vlan 1 uses a GW of 172.19.4.5?

Static IP in vlan1 on 2910 = Yes
DHCP Client on vlan1 on 1910 = no, unable to ping vlan20 interface.
Check my previous comment. Your hosts in vlan 1 INCLUDING THE DHCP SERVER must be able to reach vlan 20 through 2910, so they MUST use one of the techniques I described.
Note that I have made a typo in bullet 2:

(Cleaner) - Create a static route to 172.16 on your router (the one on 172.19.10.15) so that packets to 172.16 subnet are sent to 172.19.4.5 (the 2910, which knows how to route packets to 172.16)
Avatar of CHI-LTD

ASKER

ok, as much as id like to get this working, i suspect that this config will need to change again soon.
we plan to use a new firewall and route the traffic between the local interfaces on the firewall.
OK, so I suggest that you add a route to your DHCP server to 172.16 subnet using 172.19.4.5 as the GW to 172.16, connect a host to vlan 20 (172.16 subnet), set this host to use DHCP addressing, and verify that it now gets an IP address from DHCP and works OK. Then close this question accepting one of my answers.
Thanks.
Avatar of CHI-LTD

ASKER

What is this bit:
<Interface Number> -P
Avatar of CHI-LTD

ASKER

and what is the command to remove it, should this not work?
Avatar of CHI-LTD

ASKER

route add 172.16.0.0 MASK 255.255.0.0 172.19.4.5 METRIC 2 IF (ip address of dhcp server?) -P
?
The Interface Number is the one next to the corresponding interface when you run route print command:

route print
===========================================================================
Interface List
 25...10 0b a9 ee ff cf ......Intel(R) Centrino(R) Advanced-N 6205 #2
 11...e4 11 5b ff 69 42 ......Intel(R) 82579LM Gigabit Network Connection
 
In that case, the interface number for Intel(R) 82579LM Gigabit Network Connection is 11

The command to delete a route is
route delete

if you want to remove the route to 172.16.0.0, it would be:

route delete 172.16.0.0
Nope.
If the NIC interface for your DHCP server is 11, then :
route add 172.16.0.0 MASK 255.255.0.0 172.19.4.5 METRIC 2 IF 11 -P
Avatar of CHI-LTD

ASKER

C:\Users\.>route print
===========================================================================
Interface List
 11...00 0c 29 b3 37 7c ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.19.10.15     172.19.10.17    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.19.0.0      255.255.0.0         On-link      172.19.10.17    261
     172.19.10.17  255.255.255.255         On-link      172.19.10.17    261
   172.19.255.255  255.255.255.255         On-link      172.19.10.17    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      172.19.10.17    261
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      172.19.10.17    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     172.19.10.15  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    261 fe80::/64                On-link
 11    261 fe80::fc34:9b9f:c5e8:572c/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    261 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Users\.>


Ok, thanks so:

route add 172.16.0.0 MASK 255.255.0.0 172.19.4.5 METRIC 2 IF 11 -P
Yes, that's right.
Now your DHCP server should be able to route packets to vlan 20...
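Why this one route makes the relayed DHCP exchange work, as an added example that is not code from the thread: a DHCP relay sets giaddr to the address of the interface that received the client's broadcast (here 172.16.4.5) and the server unicasts its reply to that address, so the reply follows the server's own routing table. The model below uses rows copied from the route print output and the switch's show ip route output above; the firewall's table, the 192.0.2.1 upstream address and the 172.19.105.50 host are assumptions made for the illustration.

```python
import ipaddress

# Subset of the IPv4 "Active Routes" rows from the DHCP server's route print above.
DHCP_SERVER_ROUTE_PRINT = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.19.10.15     172.19.10.17    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
       172.19.0.0      255.255.0.0         On-link      172.19.10.17    261
     172.19.10.17  255.255.255.255         On-link      172.19.10.17    261
"""


def route(prefix, gateway, metric=1):
    return (ipaddress.ip_network(prefix), gateway, metric)


def parse_route_print(text):
    """Turn route print rows into (network, gateway, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # header and blank lines
        dest, mask, gateway, _iface, metric = fields
        prefixlen = bin(int(ipaddress.IPv4Address(mask))).count("1")
        routes.append(route(f"{dest}/{prefixlen}", gateway, int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lower metric breaks ties; returns the gateway or None."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]


def build_network(server_routes):
    return {
        "dhcp-server": {"addrs": {"172.19.10.17"}, "routes": server_routes},
        # From the switch's show ip route output in the thread.
        "2910al": {"addrs": {"172.19.4.5", "172.16.4.5"},
                   "routes": [route("0.0.0.0/0", "172.19.10.15"),
                              route("172.16.0.0/16", "On-link"),
                              route("172.19.0.0/16", "On-link")]},
        # Assumption: no route to 172.16.0.0/16; 192.0.2.1 stands in for the ISP.
        "firewall": {"addrs": {"172.19.10.15"},
                     "routes": [route("0.0.0.0/0", "192.0.2.1"),
                                route("172.19.0.0/16", "On-link")]},
        "vlan20-client": {"addrs": {"172.16.105.100"},
                          "routes": [route("0.0.0.0/0", "172.16.4.5"),
                                     route("172.16.0.0/16", "On-link")]},
        # Constructed vlan 1 host that still uses the firewall as default gateway.
        "vlan1-host": {"addrs": {"172.19.105.50"},
                       "routes": [route("0.0.0.0/0", "172.19.10.15"),
                                  route("172.19.0.0/16", "On-link")]},
    }


def owner(net, ip):
    return next((name for name, dev in net.items() if ip in dev["addrs"]), None)


def trace(net, start, dst, max_hops=8):
    """Follow dst hop by hop from device start; return (path, delivered)."""
    path, here = [start], start
    for _ in range(max_hops):
        if dst in net[here]["addrs"]:
            return path, True
        gateway = lookup(net[here]["routes"], dst)
        if gateway is None:
            return path + ["no route"], False
        target = dst if gateway == "On-link" else gateway
        here = owner(net, target)
        if here is None:
            return path + [f"{target} (not modelled)"], False
        path.append(here)
    return path + ["loop"], False


BEFORE = parse_route_print(DHCP_SERVER_ROUTE_PRINT)
# Effect of: route add 172.16.0.0 MASK 255.255.0.0 172.19.4.5 METRIC 2 IF 11 -P
AFTER = BEFORE + [route("172.16.0.0/16", "172.19.4.5", 2)]
GIADDR = "172.16.4.5"  # relay agent address on vlan 20

if __name__ == "__main__":
    print("reply to relay, before:", trace(build_network(BEFORE), "dhcp-server", GIADDR))
    print("reply to relay, after: ", trace(build_network(AFTER), "dhcp-server", GIADDR))
    print("other vlan 1 host:     ", trace(build_network(AFTER), "vlan1-host", "172.16.105.100"))
```

The last trace shows that a vlan 1 host without the route still hands traffic for 172.16.0.0/16 to the firewall, so the per-host route only fixes the hosts it is installed on.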
Avatar of CHI-LTD

ASKER

Ok, perfect, you know your stuff.  I can now get an ip address to my client machine connected into vlan20 on 172.16.105.100 from dhcp server on vlan01...
Avatar of CHI-LTD

ASKER

Ok, but i can only ping the dhcp server, nothing else on 172.19.0.0....
Avatar of CHI-LTD

ASKER

I suspect I'll be logging more calls nearer the time we go live!