Procurve 2620 Config Problem
pfry1713 asked:
I am a managed switch newby.
We have an HP ProCurve 2620 switch configured by a third party to support a new phone system in our office. We are testing the switch before fully implementing it. The switch has 4 VLANs, only one of which is causing problems. One VLAN is connected to our router. The other 2 VLANs are connected to phone-related equipment. The 4th VLAN hosts the phones and workstations plugged into the phones. I will call this VLAN TROUBLE. Any phone plugged into a TROUBLE port works fine. Any computer plugged directly into a TROUBLE port or into a phone which is plugged into a TROUBLE port can access the Internet without problem, but no device plugged into a TROUBLE port can see any other device plugged into a TROUBLE port.
In other words, a device plugged into TROUBLE can access anything it needs except another device on TROUBLE.
I checked for ACLs (show access-list) and Port Filters (show filters). There are none configured. All devices on TROUBLE are in the same IP subnet.
What could be preventing traffic between the TROUBLE ports?
I have a call into the 3rd party, but am running out of time for an adequate response before the switch must go into action. Any help is appreciated.
Thanks for your input.
ASKER
Thanks for the info, but I don't understand your response.
The computers are all on the same VLAN, TROUBLE, which also happens to be the VLAN for the phones. Take the phones out of the equation for a moment. With or without phones plugged into the VLAN, the computers on TROUBLE can't access other devices, i.e. shared printers, other computers, etc., on TROUBLE.
BTW, the phones work fine sharing the VLAN with the computers. They are able to access the necessary phone devices (a proprietary phone device and a computer which works in conjunction with the phone device) which are in separate VLANS.
VLAN 1 ---> Router (Internet and ?)
VLAN 2 ---> Phone equipment
VLAN 3 ---> Phone equipment
VLAN 4 ---> All Workstations/phones ---> AKA Trouble
What is the gateway on the workstations?
x.x.4.x
Typically, when using a phone that also has a port for PCs, the switch is configured to pass the voice VLAN and the data VLAN.
So on the ports that have those phones, the config should look something like this:
vlan 2
name voice
tagged 13
vlan 17
name data
untagged 13
Where VLAN 2 is the voice VLAN and VLAN 17 is the data VLAN. Port 13 is the port which has the phone connected to it.
ASKER
The workstations are all in the 10.1.2.x subnet. The VLAN is assigned the IP address of 10.1.2.1. That is also the gateway on TROUBLE. The switch itself has an IP address of 172.16.10.1. The router on VLAN 1 has an IP address of 192.168.1.1
ASKER
Dan Johnston. Thanks for the reply.
All of the ports in TROUBLE are untagged for TROUBLE and tagged for the phone VLAN. I think this is what your example shows.
Just to reiterate, the problem is that the devices in TROUBLE can not see each other.
"All of the ports in TROUBLE are untagged for TROUBLE and tagged for the phone VLAN. I think this is what your example shows."
That is not correct. The "trouble" VLAN (since the switches only care about VLAN numbers, that is the preferred way to reference them) should be untagged on the switchport.
Is the netmask for 10.1.2.x everywhere = 255.255.255.0?
"..access anything it needs except another device.." , found by pinging IP or? (PC-firewall-status?)
Could you provide output from show running config?
Make sure nothing is blocked on PC - firewalls, antivirus etc
ASKER
Thanks to all.
DanJohnston - All ports in the VLAN I am concerned with are untagged as you suggest.
jburgaard - As far as I know, the netmask is 255.255.255.0, but I will check and get you an ipconfig printout. Computer IPs are handed out by DHCP.
fgasimzade - firewalls, etc. aren't the issue. One of the devices which cannot be contacted is a digital printer/copier.
You're going to have to post the config of the switch.
ASKER
Here is the output for show VLAN commands. VLAN 1 attaches to the router. No problem getting to Internet. VLAN 2 (TROUBLE) is the problematic VLAN. VLAN 30 has phone equipment.
show vlan 1
Status and Counters - VLAN Information - VLAN 1
VLAN ID : 1
Name : Internet
Status : Port-based
Voice : No
Jumbo : No
Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
25 Untagged Learn Down
26 Untagged Learn Up
27 Untagged Learn Down
28 Untagged Learn Down
Overridden Port VLAN configuration
Port Mode
---- ------------
show vlan 2
Status and Counters - VLAN Information - VLAN 2
VLAN ID : 2
Name : TROUBLE
Status : Port-based
Voice : No
Jumbo : No
Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
1 Untagged Learn Up
2 Untagged Learn Up
3 Untagged Learn Up
4 Untagged Learn Up
6 Untagged Learn Up
7 Untagged Learn Up
8 Untagged Learn Down
9 Untagged Learn Down
10 Untagged Learn Down
11 Untagged Learn Down
12 Untagged Learn Down
13 Untagged Learn Down
14 Untagged Learn Down
15 Untagged Learn Down
16 Untagged Learn Down
17 Untagged Learn Down
18 Untagged Learn Down
19 Untagged Learn Down
20 Untagged Learn Down
21 Untagged Learn Down
show vlan 30
Status and Counters - VLAN Information - VLAN 30
VLAN ID : 30
Name : VLAN 30
Status : Port-based
Voice : Yes
Jumbo : No
Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
1 Tagged Learn Up
2 Tagged Learn Up
3 Tagged Learn Up
4 Tagged Learn Up
5 Tagged Learn Up
6 Tagged Learn Up
7 Tagged Learn Up
8 Tagged Learn Down
9 Tagged Learn Down
10 Tagged Learn Down
11 Tagged Learn Down
12 Tagged Learn Down
13 Tagged Learn Down
14 Tagged Learn Down
15 Tagged Learn Down
16 Tagged Learn Down
17 Tagged Learn Down
18 Tagged Learn Down
19 Tagged Learn Down
20 Tagged Learn Down
21 Tagged Learn Down
22 Untagged Learn Up
23 Untagged Learn Up
24 Untagged Learn Down
Once again, the problem is that devices on VLAN 2 cannot see each other.
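A small audit of the show vlan output above, added here as an example and not part of the thread: it parses the per-VLAN port tables into a per-port membership map, flags the usual phone-port pattern (untagged in the data VLAN, tagged in the voice VLAN), and lists the link-up members of a VLAN, that is, the ports which should reach each other at layer 2 unless something applied per port (an ACL, a port filter) intervenes. The sample text is an abbreviated copy of the thread's output (ports 9-21 and 24 left out); VLAN numbers 2 and 30 are taken from it.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Abbreviated copy of the 'show vlan' output posted in the thread (ports 9-21 and 24 omitted).
SHOW_VLAN_OUTPUT = """\
show vlan 1
 Status and Counters - VLAN Information - VLAN 1
  VLAN ID : 1
  Name : Internet
  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  25               Untagged Learn        Down
  26               Untagged Learn        Up
show vlan 2
 Status and Counters - VLAN Information - VLAN 2
  VLAN ID : 2
  Name : TROUBLE
  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  1                Untagged Learn        Up
  2                Untagged Learn        Up
  3                Untagged Learn        Up
  4                Untagged Learn        Up
  6                Untagged Learn        Up
  7                Untagged Learn        Up
  8                Untagged Learn        Down
show vlan 30
 Status and Counters - VLAN Information - VLAN 30
  VLAN ID : 30
  Name : VLAN 30
  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  1                Tagged   Learn        Up
  2                Tagged   Learn        Up
  3                Tagged   Learn        Up
  4                Tagged   Learn        Up
  5                Tagged   Learn        Up
  6                Tagged   Learn        Up
  7                Tagged   Learn        Up
  8                Tagged   Learn        Down
  22               Untagged Learn        Up
  23               Untagged Learn        Up
"""

VLAN_ID_RE = re.compile(r"^\s*VLAN ID\s*:\s*(\d+)")
# port number, Untagged/Tagged, the 'Unknown VLAN' column (Learn), link status
PORT_RE = re.compile(r"^\s*(\d+)\s+(Untagged|Tagged)\s+\S+\s+(Up|Down)\s*$")


@dataclass
class PortInfo:
    vlans: dict[int, str] = field(default_factory=dict)  # vlan id -> "Untagged" | "Tagged"
    link: str = "Down"


def parse_show_vlan(text: str) -> dict[int, PortInfo]:
    """Build port -> membership from one or more concatenated 'show vlan <id>' outputs."""
    ports: dict[int, PortInfo] = {}
    vlan = None
    for line in text.splitlines():
        m = VLAN_ID_RE.match(line)
        if m:
            vlan = int(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m and vlan is not None:
            port, mode, link = int(m.group(1)), m.group(2), m.group(3)
            info = ports.setdefault(port, PortInfo())
            info.vlans[vlan] = mode
            info.link = link  # link state is per port, identical in every VLAN table
    return ports


def classify(ports: dict[int, PortInfo], data_vlan: int = 2, voice_vlan: int = 30) -> dict[int, str]:
    """Label each port by the data/voice pattern the thread discusses."""
    out = {}
    for port, info in sorted(ports.items()):
        data, voice = info.vlans.get(data_vlan), info.vlans.get(voice_vlan)
        if data == "Untagged" and voice == "Tagged":
            out[port] = "phone-port"   # PC untagged behind a phone that tags voice
        elif voice and not data:
            out[port] = "voice-only"
        elif data and not voice:
            out[port] = "data-only"
        else:
            out[port] = "other"
    return out


def untagged_conflicts(ports: dict[int, PortInfo]) -> list[int]:
    """Ports listed Untagged in more than one VLAN: the switch refuses that, so a hit means the output is mixed up."""
    return [p for p, i in sorted(ports.items())
            if sum(m == "Untagged" for m in i.vlans.values()) > 1]


def up_members(ports: dict[int, PortInfo], vlan: int) -> list[int]:
    """Link-up members of a VLAN: the L2 peers that should see each other unless a per-port ACL or filter intervenes."""
    return [p for p, i in sorted(ports.items()) if vlan in i.vlans and i.link == "Up"]


if __name__ == "__main__":
    ports = parse_show_vlan(SHOW_VLAN_OUTPUT)
    for port, label in classify(ports).items():
        print(f"port {port:2}: {label:10} {ports[port].vlans} link {ports[port].link}")
    print("untagged conflicts:", untagged_conflicts(ports))
    print("link-up members of VLAN 2:", up_members(ports, 2))
```

Run against the thread's output this reports ports 1-4, 6 and 7 as link-up members of VLAN 2 with the expected phone-port membership and no conflicts, so the VLAN table itself gives no reason for the ports to be isolated; whatever separates them has to be configured per port, which is why the later request for the full running config was the right call.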
Output looks right for phones that have host ports. I'm assuming the phones are connected to ports 1-7?
What manufacturer/model phones are these?
ASKER
Right now phones are only attached to 6 ports. Port 7 has a digital printer/copier/scanner attached. I will have to go onsite to get the phone model number.
The problem is that, with or without phones, devices on VLAN 2 cannot see each other. Every port on VLAN 2 seems to be isolated from every other port.
Try this:
make a couple ports members of VLAN2 only. Then see if they can communicate.
Also, as has been requested before, it would really help if you would post the config of the switch.
ASKER
I will do what you suggest.
I do not know how to get the entire switch configuration. Is there a show command I can use to get all of the info you want?
show run
ASKER
danjohnston,
Thanks so much for your help. The show run command made it obvious. A partial printout of the command is below. VLAN 2, aka TROUBLE, has addresses in the 10.1.2.x range. As you can see, the Basic-ACL prevents access to VLAN 2 ports. I think if I fix Basic-ACL, all will be well.
; J9624A Configuration Editor; Created on release #RA.15.05.0006
; Ver #01:01:00
hostname "HP1"
time timezone -420
time daylight-time-rule Continental-US-and-Canada
ip access-list extended "Basic-ACL"
10 permit ip 0.0.0.0 255.255.255.255 172.16.10.10 0.0.0.0 log
20 deny ip 0.0.0.0 255.255.255.255 10.1.0.0 0.0.255.255 log
30 deny ip 0.0.0.0 255.255.255.255 192.168.1.0 0.0.0.255 log
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
interface 1
ip access-group "Basic-ACL" in
exit
interface 2
ip access-group "Basic-ACL" in
exit
interface 3
ip access-group "Basic-ACL" in
exit
interface 4
ip access-group "Basic-ACL" in
exit
interface 5
ip access-group "Basic-ACL" in
exit
interface 6
ip access-group "Basic-ACL" in
exit
interface 7
ip access-group "Basic-ACL" in
exit
interface 8
ip access-group "Basic-ACL" in
exit
@donjohnston
In looking at this ACL wouldn't it be better to be coded like this:
ip access-list extended "Basic-ACL"
10 permit ip 0.0.0.0 255.255.255.255 172.16.10.10 0.0.0.0 log
20 permit ip 0.0.0.0 255.255.255.255 10.1.0.0 0.0.255.255 log
30 deny ip any any log
This would permit any ip traffic to the 172.16.10.10 address, any traffic to any 10.1.x.x device and block all other traffic?
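To make the effect of the two ACLs concrete, here is an added example (not code from the thread or from HP) that models ProCurve extended ACL evaluation: rules are tried top down, each address is compared under an ACL mask in which a 0 bit must match and a 1 bit is ignored, "any" stands for 0.0.0.0 255.255.255.255, and a packet matching nothing hits the implicit deny at the end of the list. It runs the Basic-ACL from the show run output above and the proposed replacement against constructed flows from a workstation on VLAN 2; the source 10.1.2.50 and the Internet address 203.0.113.10 are made up, and 172.16.10.10 is simply the host rule 10 permits, since the thread does not say what it is.

```python
from ipaddress import IPv4Address
from typing import NamedTuple

# Rules 10-40 exactly as posted from 'show run' in the thread.
BASIC_ACL = """\
ip access-list extended "Basic-ACL"
10 permit ip 0.0.0.0 255.255.255.255 172.16.10.10 0.0.0.0 log
20 deny ip 0.0.0.0 255.255.255.255 10.1.0.0 0.0.255.255 log
30 deny ip 0.0.0.0 255.255.255.255 192.168.1.0 0.0.0.255 log
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
"""

# The replacement proposed later in the thread.
PROPOSED_ACL = """\
ip access-list extended "Basic-ACL"
10 permit ip 0.0.0.0 255.255.255.255 172.16.10.10 0.0.0.0 log
20 permit ip 0.0.0.0 255.255.255.255 10.1.0.0 0.0.255.255 log
30 deny ip any any log
"""


class Rule(NamedTuple):
    seq: int
    action: str      # "permit" | "deny"
    src: str
    src_mask: str    # ACL mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_mask: str
    log: bool


def _expand(tokens):
    """Turn the 'any' keyword into the explicit 0.0.0.0 255.255.255.255 pair."""
    out = []
    while tokens:
        if tokens[0] == "any":
            out += ["0.0.0.0", "255.255.255.255"]
            tokens = tokens[1:]
        else:
            out += tokens[:2]
            tokens = tokens[2:]
    return out


def parse_acl(text):
    """Parse 'NN permit|deny ip SA SA-mask DA DA-mask [log]' lines; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[1] not in ("permit", "deny") or t[2] != "ip":
            continue  # list header, 'exit', comments
        log = t[-1] == "log"
        fields = _expand(t[3:-1] if log else t[3:])
        if len(fields) != 4:
            raise ValueError(f"unparsed rule: {line!r}")
        rules.append(Rule(int(t[0]), t[1], *fields, log))
    return rules


def matches(addr, base, acl_mask):
    """Compare only the bits the ACL mask marks as 'care' (mask bit 0)."""
    care = 0xFFFFFFFF ^ int(IPv4Address(acl_mask))
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


def evaluate(rules, src, dst):
    """First matching rule wins; return (action, sequence). No match falls to the implicit deny."""
    for r in rules:
        if matches(src, r.src, r.src_mask) and matches(dst, r.dst, r.dst_mask):
            return r.action, r.seq
    return "deny", None


# Constructed flows entering a VLAN 2 port, where the ACL is applied inbound.
FLOWS = [
    ("workstation -> printer on VLAN 2", "10.1.2.50", "10.1.2.7"),
    ("workstation -> 172.16.10.10", "10.1.2.50", "172.16.10.10"),
    ("workstation -> router 192.168.1.1", "10.1.2.50", "192.168.1.1"),
    ("workstation -> Internet host", "10.1.2.50", "203.0.113.10"),
]


def compare(flows=FLOWS):
    """Evaluate every flow under both lists: label -> ((action, seq) basic, (action, seq) proposed)."""
    basic, proposed = parse_acl(BASIC_ACL), parse_acl(PROPOSED_ACL)
    return {label: (evaluate(basic, s, d), evaluate(proposed, s, d)) for label, s, d in flows}


if __name__ == "__main__":
    for label, (b, p) in compare().items():
        print(f"{label:36} Basic-ACL: {b[0]:6} (seq {b[1]})   proposed: {p[0]:6} (seq {p[1]})")
```

Against Basic-ACL the workstation-to-printer flow is dropped by rule 20 while the Internet flow is permitted by rule 40, which is exactly the symptom reported: everything reachable except neighbours on the same VLAN. Against the proposed list the neighbour flow is permitted, but anything outside 10.1.0.0/16 and 172.16.10.10, routed Internet traffic included, falls to rule 30. Neither list can keep one VLAN 2 user away from another while still allowing the shared printer, because both match on addresses alone; that is why the thread ends up moving the shared devices to a VLAN of their own.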
ASKER CERTIFIED SOLUTION
ASKER
Thanks (is it Dan or Don?) I agree at least in part, but it wasn't my call. The original configuration was done by the guys who provided the phone system whom I was finally able to contact today. I had thought they had configured the switch so that anything on VLAN 2 would be accessible from any other VLAN, i.e. a shared device VLAN, so I was surprised when even computers on VLAN 2 could not see other computers and devices on VLAN 2. One operational parameter which I didn't provide above was that this is in an executive office suite where each user needs to be isolated from every other user. The ACL certainly does that. Unfortunately, the ACL also prevented the sharing of common devices.
We are going to continue using the same ACL with a modification for a separate VLAN accessible to all other VLANS. VLAN 2 will continue to be the VLAN most clients are using. That way we don't have to configure a new VLAN for each client.
BTW, I wasn't aware of the ACL until I issued the show run command so thanks for that, too.
ASKER
Thanks also pony10us. I thought your comment was from danjohnston.
pfry1713: the printer (and every other "common device" you have) is no different from any user. The switch basically has no way to distinguish between them. So you either must move your common devices to a separate VLAN (and allow others to contact it), or allow inter-node communication in your VLAN. It seems a design error here: either you have not told those guys that you have some common devices, or they ignored that info. :) And, from my POV, ACLs and a fat smart switch are a bit of overkill in this place :)
please disregard my comment ID 39185195
For example, we are using Cisco gear and the phone is on VLAN 100 and the computer on VLAN 400, so the port has to be in both VLANs.
The Cisco commands are:
switchport access vlan 400
switchport mode access
switchport nonegotiate
switchport voice vlan 100