• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4223

Routing issues across VLANs on HP ProCurve switches

We are installing a new wireless system, and at the same time we are setting up the VLANs.

We have an HP ProCurve 5412zl at the core and HP ProCurve 2810-48G switches on the edges.

So for each 2810, we have a separate VLAN created.
Now the wireless APs will be on a wireless VLAN of their own, spread across all the switches; they then assign one VLAN for access, another for guests and another for BYO.

I have set up:
5412zl as the core: 192.168.10.79
2810 as an outlying switch: 192.168.10.25

vlan 1: default
vlan 7: outlying switch VLAN for physical desktops etc.
vlan 11: wireless infrastructure
vlan 12: wifi access

So we want the 10.25 to be on the default vlan 1, wifi APs on vlan 11, etc.

There is an untagged port for vlan 1 on both switches, then the same port is tagged for vlan 7, 11, 12 etc.

Then the ports for the APs are untagged to vlan 11 and tagged to vlan 1, 12.


I hope this makes sense, sorry if not.

Our issue is that a test machine on vlan 11 gets a DHCP address from the DHCP server in the right range, but cannot directly access our firewall at 10.1.
The switches 10.25 and 10.79 can both ping the firewall as they are on the same VLAN.

I'm not sure why the test machine cannot ping the firewall directly.
The switch 10.25 has a default gateway of 10.79; the 10.79 has an IP route 0.0.0.0/0 192.168.10.1.

Basically our APs need access to the net directly to communicate back to a central management system.
So at the moment, the APs are turning up in DHCP and have an address which is pingable, but they do not have internet access to talk back to the management system.

Below is the config (trimmed a bit) from the 5412zl:
HP-E5412zl# show config

Startup configuration: 2

; J8698A Configuration Editor; Created on release #K.15.06.0006
; Ver #01:0d:0c

hostname "HP-E5412zl"
no qos dscp-map 000000
no qos dscp-map 001000
no qos dscp-map 010000
no qos dscp-map 011000
no qos dscp-map 100000
no qos dscp-map 101000
no qos dscp-map 110000
no qos dscp-map 111000
module 1 type J8702A
module 2 type J8705A
module 3 type J8702A
module 4 type J8705A
module 5 type J8702A
module 6 type J8705A
module 7 type J8702A
module 8 type J8705A
module 9 type J8702A
module 10 type J8705A
module 11 type J8702A
module 12 type J8702A
ip routing
ip directed-broadcast
ip arp-age 1
ip udp-bcast-forward
vlan 1
   name "DEFAULT_VLAN"
   untagged A13-A24,B1-B24,C1-C3,C7-C12,D1-D24,E1-E12,F1-F24,G1-G12,H1,H4-H24,I1-I12,K1-K24
   ip address 192.168.10.79 255.255.254.0
   tagged C4-C6,C13-C24,E13-E24,G13-G24,H2-H3,I13-I24,J1-J24,L1-L24
   no untagged A1-A12
   ip local-proxy-arp
   exit
vlan 11
   name "vlan11_WL_IN"
   untagged H2-H3
   ip helper-address 192.168.10.3
   ip helper-address 192.168.10.4
   ip helper-address 192.168.10.6
   ip helper-address 192.168.10.108
   ip helper-address 192.168.10.2
   ip helper-address 192.168.10.7
   ip helper-address 192.168.10.98
   ip helper-address 192.168.10.60
   ip address 192.168.110.1 255.255.254.0
   tagged C4-C6,H1,H17-H20,K12
   ip proxy-arp
   exit
no dhcp-relay hop-count-increment
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-hdx sensitivity high
fault-finder duplex-mismatch-fdx sensitivity high
power-over-ethernet pre-std-detect
ip route 0.0.0.0 0.0.0.0 192.168.10.1

HP-E5412zl# show ip

 Internet (IP) Service

  IP Routing : Enabled


  Default TTL     : 64
  Arp Age         : 1
  Domain Suffix   :
  DNS server      :

                       |                                            Proxy ARP
  VLAN                 | IP Config  IP Address      Subnet Mask     Std  Local
  -------------------- + ---------- --------------- --------------- ----------
  DEFAULT_VLAN         | Manual     192.168.10.79   255.255.254.0    No   Yes
  vlan2_infra          | Manual     192.168.20.1    255.255.254.0    No    No
  vlan7_infant         | Manual     192.168.70.1    255.255.254.0    No    No
  vlan11_WL_IN         | Manual     192.168.110.1   255.255.254.0   Yes    No
  vlan12_WL_GU         | Manual     192.168.120.1   255.255.254.0    No    No
  vlan13_WL_AC         | Manual     192.168.130.1   255.255.254.0    No    No
  vlan14_WL_BY         | Manual     192.168.140.1   255.255.254.0    No    No



Config for the outlying 2810-48G:
show config

Startup configuration:

; J9022A Configuration Editor; Created on release #N.11.25

hostname "HP 2810-48G J9022A"

max-vlans 10
time timezone 600
ip default-gateway 192.168.10.79
vlan 1
   name "DEFAULT_VLAN"
   untagged 2-4,6-11,13-48
   ip address 192.168.10.25 255.255.254.0
   tagged 1,5,12
   ip proxy-arp
   exit
vlan 2
   name "vlan2_infra"
   ip address 192.168.20.1 255.255.254.0
   tagged 47
   exit
vlan 7
   name "vlan7_"
   ip address 192.168.70.1 255.255.254.0
   tagged 1,5,47
   exit
vlan 11
   name "vlan11_WL_IN"
   untagged 1,5,12
   ip address 192.168.110.1 255.255.254.0
   tagged 47
   ip proxy-arp
   exit
vlan 12
   name "vlan12_WL_GU"
   ip address 192.168.120.1 255.255.254.0
   tagged 1,5,12,47
   exit
vlan 13
   name "vlan13_WL_AC"
   ip address 192.168.130.1 255.255.254.0
   tagged 1,5,12,47
   exit
vlan 14
   name "vlan14_WL_BY"
   ip address 192.168.140.1 255.255.254.0
   tagged 1,5,12,47
   exit
spanning-tree

Infants HP 2810-48G J9022A# show ip

 Internet (IP) Service


  Default Gateway : 192.168.10.79
  Default TTL     : 64
  Arp Age         : 20

  VLAN         | IP Config  IP Address      Subnet Mask     Proxy ARP
  ------------ + ---------- --------------- --------------- ---------
  DEFAULT_VLAN | Manual     192.168.10.25   255.255.254.0   Yes
  vlan2_infra  | Manual     192.168.20.1    255.255.254.0   No
  vlan7        | Manual     192.168.70.1    255.255.254.0   No
  vlan11_WL_IN | Manual     192.168.110.1   255.255.254.0   Yes
  vlan12_WL_GU | Manual     192.168.120.1   255.255.254.0   No
  vlan13_WL_AC | Manual     192.168.130.1   255.255.254.0   No
  vlan14_WL_BY | Manual     192.168.140.1   255.255.254.0   No



Any ideas?
Asked by jcmurphy777
4 Solutions
schaps commented:
It's late and a lot to look through, but right off the bat I'd disable the proxy ARP. That may be messing this up. It can be tricky, and I don't think it should be necessary in your setup. Anyway, that's easy to try, and see if the problem resolves.
jcmurphy777 (Author) commented:
Thanks all the same, I appreciate the post.

No change.

The test machine has network settings of:
IP: 192.168.110.42
sub: 255.255.254.0
GW: 192.168.110.1
(all set through DHCP)

I can ping 10.79 (5412zl)
but not 10.1 (firewall)

From the outlying switch, 10.25, I can ping the 10.79 and 10.1,
but cannot ping the test machine 110.42.
jcmurphy777 (Author) commented:
Sorry, please note the 5412zl is a layer 3 switch, and the 2810-48G is layer 2.
jcmurphy777 (Author) commented:
Oh, I also tried to add the firewall onto the 5412zl as an ip helper-address.
jcmurphy777 (Author) commented:
OK, I am thinking I made a mistake in assigning the VLAN on 10.25 an IP address.

I have removed the IP 192.168.110.1 from 10.25 and left it on the 10.79 (a bit obvious when looking back).

I can now ping the test machine from the outlying switch, where I couldn't before.
schaps commented:
I admit I am a little over my head here, or at least up to my ears, but can you run "show ip route" on the 5412zl? I really think this is a routing issue at the core.
schaps commented:
Never mind, I neglected to check whether you'd posted an update before posting mine. Glad you got it figured out. I hadn't even gone through the 10.25 config closely yet.
jcmurphy777 (Author) commented:
Hey,

No, haven't got it sorted out....
I still have no connection to the firewall through the VLAN.
I just sorted out the fact I couldn't ping the test machine from the 5412zl.

So I have still got to get the test machine to access the internet straight through the firewall at 10.1.

If I route it through the proxy server, then all works fine, because the test machine is using the proxy as a... proxy....

I am wondering if it's to do with the firewall not having the 5412zl as a default gateway.
Every other machine and switch has a gateway of 10.79, then the 5412zl has an ip route which points to 10.1.

So in theory the machines should work.... but I know I've missed something... obviously, because it doesn't work...
greg ward (Systems Engineer) commented:
vlan 11 has the same IP on both devices, 192.168.110.1.
I would change one to .2

Greg
jcmurphy777 (Author) commented:
Hey depdraw.

Please note I already found that and just disabled the vlan 11 IP address on the outlying switch.

Or do I need an IP assigned to that as well?

Everything else is working fine with the IP address disabled...

Just still cannot ping 10.1 or have internet access.
greg ward (Systems Engineer) commented:
Where is the NATting to vlan12 to the internet?
Is there a router in the picture too?

Greg
jcmurphy777 (Author) commented:
The main core switch, the 5412zl, does all the routing.
There is a firewall attached to the system, which connects directly to the ADSL router.
jcmurphy777 (Author) commented:
Sorry Greg,

The NATting is done at the firewall.

I have sorted it out.
It seems the firewall needed a setting changed inside to allow the other VLANs through.

I spoke to our firewall software mob and it seems the manual is a little bit out, and I needed to define the VLAN subnets on the firewall as well.

Thank you both for your time though!!!
jcmurphy777 (Author) commented:
Hi guys, thanks for your input.

I have divided the points for your time and efforts.
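As an added example (not code from the thread, from HP, or from any of the posters), the following Python script parses the `vlan` blocks of the two posted configs and reports the things this thread eventually turned up: the same 192.168.110.1 configured on both switches, proxy ARP enabled on several VLANs, VLAN addresses carried by the layer-2 2810, and the subnets the firewall at 192.168.10.1 must have routes back to via the core's 192.168.10.79. The two config strings are constructed, trimmed copies of the posted ones; the parser understands only the handful of ProCurve keywords it needs, treats `ip local-proxy-arp` the same as `ip proxy-arp` for flagging, and the return-route check assumes the firewall sits on VLAN 1, as the thread states.

```python
"""Cross-check two HP ProCurve configs for the issues found in this thread.

Added example, not from the thread: parses the `vlan` blocks of two
ProCurve-style configs and reports duplicate SVI addresses across switches,
proxy-ARP enabled on a VLAN, VLAN addresses on a non-routing switch, and the
subnets a firewall on VLAN 1 needs a return route for via the core.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed, trimmed versions of the two configs posted in the thread.
CORE_CFG = """\
hostname "HP-E5412zl"
ip routing
vlan 1
   name "DEFAULT_VLAN"
   ip address 192.168.10.79 255.255.254.0
   ip local-proxy-arp
   exit
vlan 11
   name "vlan11_WL_IN"
   ip address 192.168.110.1 255.255.254.0
   ip proxy-arp
   exit
ip route 0.0.0.0 0.0.0.0 192.168.10.1
"""

EDGE_CFG = """\
hostname "HP 2810-48G J9022A"
ip default-gateway 192.168.10.79
vlan 1
   name "DEFAULT_VLAN"
   ip address 192.168.10.25 255.255.254.0
   ip proxy-arp
   exit
vlan 11
   name "vlan11_WL_IN"
   ip address 192.168.110.1 255.255.254.0
   ip proxy-arp
   exit
vlan 12
   name "vlan12_WL_GU"
   ip address 192.168.120.1 255.255.254.0
   exit
"""


def parse_procurve(text):
    """Parse the global lines and `vlan` blocks of a ProCurve config."""
    cfg = {"hostname": None, "routing": False, "gateway": None, "vlans": {}}
    cur = None  # VLAN id of the block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or editor comment
        if cur is None:
            if m := re.fullmatch(r'hostname "(.*)"', line):
                cfg["hostname"] = m.group(1)
            elif line == "ip routing":
                cfg["routing"] = True
            elif m := re.fullmatch(r"ip default-gateway (\S+)", line):
                cfg["gateway"] = m.group(1)
            elif m := re.fullmatch(r"vlan (\d+)", line):
                cur = int(m.group(1))
                cfg["vlans"][cur] = {"name": None, "ip": None, "proxy_arp": False}
            continue  # other global lines (ip route, qos, modules) are ignored
        v = cfg["vlans"][cur]
        if line == "exit":
            cur = None
        elif m := re.fullmatch(r'name "(.*)"', line):
            v["name"] = m.group(1)
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            # ip_interface accepts a dotted netmask after the slash
            v["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif line in ("ip proxy-arp", "ip local-proxy-arp"):
            v["proxy_arp"] = True
    return cfg


def audit(configs):
    """Return findings across several parsed configs, in a stable order."""
    findings = []
    owners = defaultdict(list)  # SVI address -> hostnames that carry it
    for cfg in configs:
        host = cfg["hostname"]
        for vid, v in sorted(cfg["vlans"].items()):
            if v["ip"] is not None:
                owners[v["ip"].ip].append(host)
                if not cfg["routing"] and vid != 1:
                    findings.append(f"{host}: vlan {vid} carries {v['ip'].ip} "
                                    "but the switch is not routing; review")
            if v["proxy_arp"]:
                findings.append(f"{host}: vlan {vid} has proxy-arp enabled")
    for ip, hosts in owners.items():
        if len(hosts) > 1:
            findings.append(f"duplicate address {ip} on {', '.join(hosts)}")
    return findings


def firewall_return_routes(core, firewall_vlan=1):
    """Subnets a firewall on `firewall_vlan` must route back via the core."""
    via = str(core["vlans"][firewall_vlan]["ip"].ip)
    return {str(v["ip"].network): via
            for vid, v in core["vlans"].items()
            if vid != firewall_vlan and v["ip"] is not None}


if __name__ == "__main__":
    core, edge = parse_procurve(CORE_CFG), parse_procurve(EDGE_CFG)
    for finding in audit([core, edge]):
        print(finding)
    for net, gw in firewall_return_routes(core).items():
        print(f"firewall needs a route to {net} via {gw}")
```

Run against the two constructed configs it prints the duplicate 192.168.110.1, the proxy-ARP entries on both switches, the VLAN 11 and 12 addresses on the non-routing 2810, and `192.168.110.0/23 via 192.168.10.79` as the route the firewall had to learn before the test machine's replies could come back. The "not routing; review" finding is only a prompt: a layer-2 ProCurve may legitimately carry a management address on one VLAN, but it must not reuse an address the core is routing for.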