jfreckeltom

asked on

Routing issue with VLANs on Procurve 2650

I am trying to implement VLANs using an HP Procurve 2650 but cannot get the default route working properly. My test setup is as follows:

2650 with VLAN 2 (primary), VLAN 3 & VLAN 4.
v2 IP 192.168.11.254
v3 IP 192.168.6.254
v4 IP 192.168.7.254

DEFAULT VLAN not used and IP is disabled for that VLAN.

IP routing is enabled. GVRP disabled.

I have added the Default Route 0.0.0.0 0.0.0.0 192.168.11.1 (interface of the Sonicwall 4060 firewall to which the switch is connected, which is also configured with VLAN support (virtual interfaces v2: 192.168.11.1, v3: 192.168.6.1 & v4: 192.168.7.1)).

2650 is connected to SW port with single CAT5, port in trunk LACP mode and tagged for all VLANs.

I can get all clients happily talking across the VLANs by setting their D/Gs as the IP of the switch on the respective VLAN (e.g. 192.168.6.254 for a client on an untagged port in VLAN3 with an IP of 192.168.6.100). However with this setup, the clients cannot see the firewall or anything beyond it, despite the default route pointing to the firewall primary interface. But I can ping the firewall from the switch CLI okay. I can also ping the clients and all VLAN IPs from the Sonicwall.

If I then change the D/G of each client to be the Sonicwall virtual interface IP (e.g. 192.168.6.1 in the example from the previous paragraph) then the client can ping all VLAN clients (so long as their D/Gs also point to the Sonicwall) and can ping everything external okay. BUT this is not workable in a production environment because all inter-VLAN traffic is now going via the Sonicwall's miserly 100MB port and no longer via the 2650's backplane with built-in routing, which is obviously much faster.

I plan to implement 3x HP 2650s with an HP 4104 core all linked with GB trunks (as the production system is now, albeit with just the default VLAN working as a standard switch) so there is no way I can leave all traffic passing through a 100mb port, the network would just collapse.

Everything I have read states that the VLAN clients MUST have their D/G as the respective VLAN IP on the switch, which makes sense as it then utilises the internal routing capabilities. But no matter what I try I cannot get that setup to route to the firewall or beyond ......

I must be missing a basic step but I cannot work out what it is.

Please help, it's driving me mad!! Thanks.
ASKER CERTIFIED SOLUTION
mikebernhardt
This solution is only available to members.
jfreckeltom

ASKER

Thanks Mike. I opted for the second solution. I had stupidly followed a Sonicwall technote that said it would work!! I have now dropped the VLAN settings on the SW and instead created address objects for each VLAN subnet and created routes to those via the SW trunked port using the primary IP of the switch as the gateway. Now works perfectly!!!

Thank you so much, you're a life saver!! :-)
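The thread never spells out why the first layout failed, but the fix the asker describes (drop the firewall's VLAN sub-interfaces, add static routes to each VLAN subnet via the switch's VLAN 2 address) is the classic cure for an asymmetric path: the switch forwards a client's packet to the firewall on VLAN 2, yet the firewall's directly connected sub-interface sends the reply straight back into VLAN 3, so request and reply use different firewall interfaces and a reverse-path / anti-spoof check on the firewall sees the request as arriving on the "wrong" interface. The Python model below is an added example, not code from the thread or from HP or SonicWall; it builds both firewall forwarding tables and traces one client packet out and back with longest-prefix matching. The switch, firewall and VLAN addresses are those in the post; the interface names (X0, X0.v2, X1), the WAN next hop 203.0.113.1 and the destination 198.51.100.10 are assumed, and the reverse-path check is a generic strict uRPF rule rather than a statement about any specific SonicOS release.

```python
import ipaddress

# Added example, not from the thread. Addresses for the switch, firewall and
# VLANs come from the post; interface names, the WAN next hop and the test
# destination are assumed.

SWITCH_V2 = "192.168.11.254"   # ProCurve 2650 IP on VLAN 2 (from the post)
WAN_GW = "203.0.113.1"         # assumed upstream gateway (TEST-NET-3)

# (prefix, next_hop, out_interface); next_hop None means directly connected.
ROUTES_BEFORE = [              # firewall has a virtual sub-interface in every VLAN
    ("192.168.11.0/24", None, "X0.v2"),
    ("192.168.6.0/24",  None, "X0.v3"),
    ("192.168.7.0/24",  None, "X0.v4"),
    ("0.0.0.0/0",       WAN_GW, "X1"),
]
ROUTES_AFTER = [               # sub-interfaces dropped; static routes via the switch
    ("192.168.11.0/24", None, "X0"),
    ("192.168.6.0/24",  SWITCH_V2, "X0"),
    ("192.168.7.0/24",  SWITCH_V2, "X0"),
    ("0.0.0.0/0",       WAN_GW, "X1"),
]


def lookup(routes, dst):
    """Longest-prefix match over the table; returns (next_hop, out_interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def trace(routes, client, arrived_on, dst):
    """Trace a client packet that reached the firewall on `arrived_on` (the
    switch forwarded it there via its default route), then trace the reply.
    rpf_ok is False when the route back to the client leaves on a different
    interface than the request arrived on: an asymmetric path that a strict
    reverse-path / anti-spoof check would discard."""
    fwd_nh, fwd_out = lookup(routes, dst)
    rev_nh, rev_out = lookup(routes, client)
    return {
        "forward_next_hop": fwd_nh,
        "forward_out": fwd_out,
        "reply_next_hop": rev_nh or client,   # connected: firewall ARPs for the client itself
        "reply_out": rev_out,
        "rpf_ok": rev_out == arrived_on,
    }


def compare(client="192.168.6.100", dst="198.51.100.10"):
    """Run the same VLAN 3 client packet through both tables. In both layouts the
    switch's 0.0.0.0/0 via 192.168.11.1 delivers it on the firewall's VLAN 2 side."""
    before = trace(ROUTES_BEFORE, client, "X0.v2", dst)
    after = trace(ROUTES_AFTER, client, "X0", dst)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), compare()):
        print(label, result)
```

In the "before" table the reply to 192.168.6.100 goes out X0.v3 directly to the client while the request came in on X0.v2, so `rpf_ok` is False; in the "after" table the reply is routed to 192.168.11.254 on X0, the same interface the request used, and the switch carries it the rest of the way. That is exactly the configuration the asker ended up with, and it also keeps inter-VLAN traffic on the 2650 rather than on the firewall's 100 Mb port.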