I just implemented a VLAN to segregate my users from the servers in my network, using my HP Procurve Layer 3 switch (running trunk lines to my Layer 2 switches).  Ever since then, servers in my DMZ cannot "see" the IP addresses of machines that reside in this new VLAN.  Furthermore, machines in this new VLAN seem to be having trouble accessing Active Directory; if I attempt to add a user's AD account into the local Administrators group of said machine, there is a very long delay.

With these symptoms, any idea what I missed in my VLAN configuration?
Asked by esphelpdesk

Ironmannen commented:
Hello
This could be due to many reasons:
How is the network designed? Separated by firewalls?
Do you have a layer 3 interface for all VLANs, and are all hosts using these as their default gateway?
Can you provide configs for the switches (layer 2 and 3)?
Regards
atrevido commented:
Please post your switch configs and maybe some info with IP addresses or a drawing.
esphelpdesk (author) commented:
My core switch config is attached.  
esphelpdesk (author) commented:
Attachment got stripped.  I'll just paste text...

hostname "5406-01"
snmp-server contact "IT Helpdesk"
snmp-server location "Data Center"
time timezone -300
time daylight-time-rule Continental-US-and-Canada
no web-management
web-management ssl
no telnet-server
module 1 type J8702A
module 2 type J8705A
module 3 type J8702A
module 4 type J8702A
module 5 type J8702A
module 6 type J8702A
interface B21
   name "Uplink to First Floor Switch"
exit
interface B22
   name "Uplink to Basement"
exit
interface E21
   lacp Passive
exit
trunk E2 Trk2 Trunk
trunk E7 Trk3 Trunk
trunk E8 Trk4 Trunk
trunk E9 Trk5 Trunk
trunk E10 Trk6 Trunk
trunk E11 Trk7 Trunk
trunk E12 Trk8 Trunk
trunk E13 Trk9 Trunk
trunk E14 Trk10 Trunk
trunk E15 Trk11 Trunk
trunk E16 Trk12 Trunk
trunk E17 Trk13 Trunk
trunk E18 Trk14 Trunk
trunk E19 Trk15 Trunk
trunk E20 Trk16 Trunk
trunk B22 Trk36 Trunk
trunk B21 Trk35 Trunk
trunk B23 Trk37 Trunk
trunk B24 Trk38 Trunk
ip default-gateway 10.1.1.1
ip routing
timesync sntp
sntp unicast
sntp 600
snmp-server community "snmppublic" Operator
vlan 1
   name "10.1.1.x"
   untagged A1-A4,A6-A16,B1-B20,C1-C24,E1,E3-E6,E21-E24,F13-F20,Trk2-Trk16,Trk35-Trk38
   ip address 10.1.1.4 255.255.255.0
   no untagged A5,A17-A24,D1-D24,F1-F12,F21-F24
   exit
vlan 2
   name "10.1.2.x"
   untagged D1-D24
   tagged Trk2-Trk16
   no ip address
   exit
vlan 3
   name "10.1.3.x"
   ip helper-address 10.1.1.12
   ip address 10.1.3.1 255.255.255.0
   tagged Trk35-Trk38
   exit
vlan 4
   name "10.1.4.x"
   ip helper-address 10.1.1.12
   ip address 10.1.4.1 255.255.255.0
   exit
vlan 5
   name "192.168.254.x"
   untagged A5,A17-A24,F1-F12
   tagged Trk2-Trk16
   no ip address
   exit
vlan 6
   name "172.16.64.x"
   untagged F21-F24
   no ip address
   exit
vlan 7
   name "iSCSI"
   ip address 192.168.3.1 255.255.255.0
   tagged Trk2-Trk16
   exit
vlan 8
   name "vMotion"
   ip address 192.168.4.1 255.255.255.0
   tagged Trk2-Trk16
   exit
vlan 9
   name "FT"
   ip address 192.168.5.1 255.255.255.0
   tagged Trk2-Trk16
   exit
mirror 1 port B19
mirror 2 port D23
sntp server priority 1 10.1.1.27
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 10.254.0.0 255.255.255.0 10.1.1.1
ip route 172.8.0.0 255.255.248.0 10.1.1.1
ip route 172.16.0.0 255.255.248.0 10.1.1.1
ip route 192.168.254.0 255.255.255.0 10.1.1.1
spanning-tree
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
spanning-tree Trk4 priority 4
spanning-tree Trk5 priority 4
spanning-tree Trk6 priority 4
spanning-tree Trk7 priority 4
spanning-tree Trk8 priority 4
spanning-tree Trk9 priority 4
spanning-tree Trk10 priority 4
spanning-tree Trk11 priority 4
spanning-tree Trk12 priority 4
spanning-tree Trk13 priority 4
spanning-tree Trk14 priority 4
spanning-tree Trk15 priority 4
spanning-tree Trk16 priority 4
spanning-tree Trk35 priority 4
spanning-tree Trk36 priority 4
spanning-tree Trk37 priority 4
spanning-tree Trk38 priority 4
vlan 1
   monitor all Both mirror 1
   exit
vlan 2
   monitor all Both mirror 2
   exit
arp-protect
password manager
password operator
jburgaard commented:
The routing:
IF the routing between these VLANs is meant to take place in this L3 switch, I would only have one IP ROUTE to the dgw:
ip route 0.0.0.0 0.0.0.0 10.1.1.1
but
no ip route 10.254.0.0 255.255.255.0 10.1.1.1
no ip route 172.8.0.0 255.255.248.0 10.1.1.1
no ip route 172.16.0.0 255.255.248.0 10.1.1.1
no ip route 192.168.254.0 255.255.255.0 10.1.1.1

However, in the 10.1.1.1 router there should be routes back to the relevant networks:
ip route 10.254.0.0 mask 255.255.255.0  gw  10.1.1.4
ip route 172.8.0.0 mask 255.255.248.0  gw 10.1.1.4
.. etc
And as mentioned by Ironmannen, each client should have a network setup matching its VLAN, with the same netmask and the VLAN's IP as dgw.
I think routing is the main thing here.

For a particular link, the tagging/untagging of VLANs should closely match at both ends.

Mirror ports can be fine for temporary troubleshooting but are said to burden ordinary operation.

HTH
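
As an added example (not code from the thread, from HP, or from any of the posters), a small Python audit that parses a constructed excerpt of the config posted above and flags the points the replies raise: VLANs with no IP interface on the L3 switch (hosts there cannot use it as their gateway), VLANs with no member ports, and static routes that only repeat the default route. The parser handles just the vlan / tagged / untagged / ip address / ip route lines used here.

```python
# Constructed excerpt of the config posted in the thread: VLAN and route lines only.
CONFIG = """\
vlan 1
   untagged A1-A4,Trk2-Trk16,Trk35-Trk38
   ip address 10.1.1.4 255.255.255.0
   exit
vlan 2
   tagged Trk2-Trk16
   no ip address
   exit
vlan 3
   ip address 10.1.3.1 255.255.255.0
   tagged Trk35-Trk38
   exit
vlan 4
   ip address 10.1.4.1 255.255.255.0
   exit
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 10.254.0.0 255.255.255.0 10.1.1.1
"""

def parse(text):
    """Return ({vlan_id: {'ip': (addr, mask) or None, 'ports': [...]}}, [(dest, mask, gw), ...])."""
    vlans, routes, cur = {}, [], None
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "vlan":
            vlans[(cur := int(tok[1]))] = {"ip": None, "ports": []}
        elif tok[0] == "exit":
            cur = None
        elif cur is not None and tok[0] in ("tagged", "untagged"):
            vlans[cur]["ports"] += tok[1].split(",")
        elif cur is not None and tok[:2] == ["ip", "address"]:
            vlans[cur]["ip"] = (tok[2], tok[3])
        elif tok[:2] == ["ip", "route"]:
            routes.append((tok[2], tok[3], tok[4]))
    return vlans, routes

def audit(vlans, routes):
    """Flag VLANs with no IP interface or no ports, and static routes that only repeat the default route."""
    findings = []
    for vid, v in sorted(vlans.items()):
        if v["ip"] is None:
            findings.append(f"vlan {vid}: no IP interface, hosts cannot use this switch as gateway")
        if not v["ports"]:
            findings.append(f"vlan {vid}: no member ports")
    default = next((gw for d, m, gw in routes if d == m == "0.0.0.0"), None)
    for d, m, gw in routes:
        if d != "0.0.0.0" and gw == default:
            findings.append(f"route {d} {m} via {gw} duplicates the default route")
    return findings
```

Running `audit(*parse(CONFIG))` on the excerpt reports vlan 2 (no IP interface), vlan 4 (no member ports) and the 10.254.0.0 route as redundant; the firewall NAT that actually caused the poster's problem sits outside this config and cannot be seen from the switch side.
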
esphelpdesk (author) commented:
I was able to fix this issue... apparently my Firewall was NATing the traffic from this VLAN on its way to my DMZ, so I created an exclusion rule.  Thanks for your help!
esphelpdesk (author) commented:
Thank you for spending time on this.