Solved

Procurve 2620 Config Problem

Posted on 2013-05-17
Last Modified: 2013-05-21
I am a managed switch newbie.

We have an HP ProCurve 2620 switch configured by a third party to support a new phone system in our office. We are testing the switch before fully implementing it. The switch has 4 VLANs, only one of which is causing problems. 1 VLAN is connected to our router. The other 2 VLANs are connected to phone related equipment. The 4th VLAN hosts the phones and workstations plugged into the phones. I will call this VLAN TROUBLE. Any phone plugged into a TROUBLE port works fine. Any computer plugged directly into a TROUBLE port or into a phone which is plugged into a TROUBLE port can access the Internet without problem, but no device plugged into a TROUBLE port can see any other device plugged into a TROUBLE port.

In other words, a device plugged into TROUBLE can access anything it needs except another device on TROUBLE.

I checked for ACL's (show access-list) and Port Filters (show filters). There are none configured. All devices on TROUBLE are in the same IP subnet.

What could be preventing traffic between the TROUBLE ports?

I have a call into the 3rd party, but am running out of time for an adequate response before the switch must go into action. Any help is appreciated.

Thanks for your input.
Question by:pfry1713
24 Comments
 
LVL 26

Expert Comment

by:pony10us
Normally you would assign the ports that will have the phones in them to both VLAN's if they are also going to have the computer in the same port.

For example we are using Cisco gear and the phone is VLAN 100 and the computer is VLAN 400 so the port has to be in both VLAN's

The Cisco commands are:

switchport access vlan 400
switchport mode access
switchport nonegotiate
switchport voice vlan 100
0
 

Author Comment

by:pfry1713
Thanks for the info, but I don't understand your response.

The computers are all on the same VLAN, TROUBLE, which also happens to be the VLAN for the phones. Take the phones out of the equation for a moment. With or without phones plugged into the VLAN, the computers on TROUBLE can't access other devices, i.e. shared printers, other computers, etc., on TROUBLE.

BTW, the phones work fine sharing the VLAN with the computers. They are able to access the necessary phone devices (a proprietary phone device and a computer which works in conjunction with the phone device) which are in separate VLANs.
0
 
LVL 26

Expert Comment

by:pony10us
VLAN 1 --->   Router (Internet and ?)
VLAN 2 --->   Phone equipment
VLAN 3 --->   Phone equipment
VLAN 4 --->   All Workstations/phones  --->  AKA Trouble

What is the gateway on the workstations?

x.x.4.x
0
 
LVL 50

Expert Comment

by:Don Johnston
Typically, when using a phone that also has a port for PCs, the switch is configured to pass the voice VLAN and the data VLAN.

So on the ports that have those phones, the config should look something like this:

vlan 2
 name voice
 tagged 13
vlan 17
 name data
 untagged 13

Where VLAN 2 is the voice VLAN and VLAN 17 is the data VLAN. Port 13 is the port which has the phone connected to it.
0
 

Author Comment

by:pfry1713
The workstations are all in the 10.1.2.x subnet. The VLAN is assigned the IP address of 10.1.2.1. That is also the gateway on TROUBLE. The switch itself has an IP address of 172.16.10.1. The router on VLAN 1 has an IP address of 192.168.1.1
0
 

Author Comment

by:pfry1713
Dan Johnston. Thanks for the reply.

All of the ports in TROUBLE are untagged for TROUBLE and tagged for the phone VLAN. I think this is what your example shows.

Just to reiterate, the problem is that the devices in TROUBLE cannot see each other.
0
 
LVL 50

Expert Comment

by:Don Johnston
All of the ports in TROUBLE are untagged for TROUBLE and tagged for the phone VLAN. I think this is what your example shows.
That is not correct. The "trouble" VLAN (since the switches only care about VLAN numbers, that is the preferred way to reference them) should be untagged on the switchport.
0
 
LVL 17

Expert Comment

by:jburgaard
Is the netmask for 10.1.2.x everywhere = 255.255.255.0?

"..access anything it needs except another device.." , found by pinging IP or? (PC-firewall-status?)

Could you provide output from show running config?
0
 
LVL 18

Expert Comment

by:fgasimzade
Make sure nothing is blocked on the PC - firewalls, antivirus, etc.
0
 

Author Comment

by:pfry1713
Thanks to all.

DanJohnston - All ports in the VLAN I am concerned with are untagged as you suggest.

jburgaard - As far as I know, netmask is 255.255.255.0, but I will check and get you an ipconfig printout. Computer IP's are handed out by DHCP.

fgasimzade - firewalls, etc. aren't the issue. One of the devices which cannot be contacted is a digital printer/copier.
0
 
LVL 50

Expert Comment

by:Don Johnston
You're going to have to post the config of the switch.
0
 

Author Comment

by:pfry1713
Here is the output for show VLAN commands. VLAN 1 attaches to the router. No problem getting to Internet. VLAN 2 (TROUBLE) is the problematic VLAN. VLAN 30 has phone equipment.

show vlan 1

 Status and Counters - VLAN Information - VLAN 1

  VLAN ID : 1
  Name : Internet
  Status : Port-based
  Voice : No
  Jumbo : No

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  25               Untagged Learn        Down
  26               Untagged Learn        Up
  27               Untagged Learn        Down
  28               Untagged Learn        Down

  Overridden Port VLAN configuration

  Port Mode
  ---- ------------



 show vlan 2

 Status and Counters - VLAN Information - VLAN 2

  VLAN ID : 2
  Name : TROUBLE
  Status : Port-based
  Voice : No
  Jumbo : No

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  1                Untagged Learn        Up
  2                Untagged Learn        Up
  3                Untagged Learn        Up
  4                Untagged Learn        Up
  6                Untagged Learn        Up
  7                Untagged Learn        Up
  8                Untagged Learn        Down
  9                Untagged Learn        Down
  10               Untagged Learn        Down
  11               Untagged Learn        Down
  12               Untagged Learn        Down
  13               Untagged Learn        Down
  14               Untagged Learn        Down
  15               Untagged Learn        Down
  16               Untagged Learn        Down
  17               Untagged Learn        Down
  18               Untagged Learn        Down
  19               Untagged Learn        Down
  20               Untagged Learn        Down
  21               Untagged Learn        Down

show vlan 30

 Status and Counters - VLAN Information - VLAN 30

  VLAN ID : 30
  Name : VLAN 30
  Status : Port-based
  Voice : Yes
  Jumbo : No

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  1                Tagged   Learn        Up
  2                Tagged   Learn        Up
  3                Tagged   Learn        Up
  4                Tagged   Learn        Up
  5                Tagged   Learn        Up
  6                Tagged   Learn        Up
  7                Tagged   Learn        Up
  8                Tagged   Learn        Down
  9                Tagged   Learn        Down
  10               Tagged   Learn        Down
  11               Tagged   Learn        Down
  12               Tagged   Learn        Down
  13               Tagged   Learn        Down
  14               Tagged   Learn        Down
  15               Tagged   Learn        Down
  16               Tagged   Learn        Down
  17               Tagged   Learn        Down
  18               Tagged   Learn        Down
  19               Tagged   Learn        Down
  20               Tagged   Learn        Down
  21               Tagged   Learn        Down
  22               Untagged Learn        Up
  23               Untagged Learn        Up
  24               Untagged Learn        Down

Once again, the problem is that devices on VLAN 2 cannot see each other.
0
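Don Johnston's earlier post describes the membership pattern for a port with a phone and a PC behind it: the data VLAN untagged, the voice VLAN tagged. The following is an added Python example, not code from the thread or from HP, that parses the `show vlan` output pfry1713 posted and inverts it into per-port membership so that pattern can be checked for every port at once. The embedded text is an abridged copy of the posted output (most Down ports trimmed); in it, port 5 is tagged in VLAN 30 but is untagged in none of the three posted VLANs, which the audit reports simply as a port whose untagged VLAN is not in the output shown, since the posted outputs need not cover every VLAN on the switch.

```python
"""Parse ProCurve 'show vlan <id>' output and audit per-port VLAN membership."""
import re
from typing import Dict, Optional, Set

# Abridged copy of the three 'show vlan' outputs posted in the thread.
SHOW_VLAN_OUTPUT = """
 Status and Counters - VLAN Information - VLAN 1

  VLAN ID : 1
  Name : Internet
  Status : Port-based

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  25               Untagged Learn        Down
  26               Untagged Learn        Up

 Status and Counters - VLAN Information - VLAN 2

  VLAN ID : 2
  Name : TROUBLE
  Status : Port-based

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  1                Untagged Learn        Up
  2                Untagged Learn        Up
  6                Untagged Learn        Up
  7                Untagged Learn        Up

 Status and Counters - VLAN Information - VLAN 30

  VLAN ID : 30
  Name : VLAN 30
  Status : Port-based
  Voice : Yes

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  1                Tagged   Learn        Up
  2                Tagged   Learn        Up
  5                Tagged   Learn        Up
  6                Tagged   Learn        Up
  7                Tagged   Learn        Up
  22               Untagged Learn        Up
  23               Untagged Learn        Up
"""

VLAN_ID_RE = re.compile(r"^\s*VLAN ID\s*:\s*(\d+)\s*$")
PORT_RE = re.compile(r"^\s*(\d+)\s+(Untagged|Tagged)\s+\S+\s+(Up|Down)\s*$")


def parse_show_vlan(text: str) -> Dict[int, Dict[int, str]]:
    """Return {vlan_id: {port: 'Untagged'|'Tagged'}} from concatenated show-vlan blocks."""
    vlans: Dict[int, Dict[int, str]] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        m = VLAN_ID_RE.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            vlans[current][int(m.group(1))] = m.group(2)
    return vlans


def port_membership(vlans: Dict[int, Dict[int, str]]) -> Dict[int, dict]:
    """Invert to {port: {'untagged': vlan-or-None, 'tagged': set-of-vlans}}.
    A ProCurve port can be untagged in at most one VLAN, so two untagged hits is an error."""
    ports: Dict[int, dict] = {}
    for vid, members in vlans.items():
        for port, mode in members.items():
            entry = ports.setdefault(port, {"untagged": None, "tagged": set()})
            if mode == "Untagged":
                if entry["untagged"] is not None:
                    raise ValueError(f"port {port} is untagged in VLANs {entry['untagged']} and {vid}")
                entry["untagged"] = vid
            else:
                entry["tagged"].add(vid)
    return ports


def audit_phone_ports(ports: Dict[int, dict], data_vlan: int, voice_vlan: int) -> Dict[int, dict]:
    """Report ports that touch the data or voice VLAN without the full
    'untagged data + tagged voice' pattern."""
    problems = {}
    for port, m in sorted(ports.items()):
        has_data = m["untagged"] == data_vlan
        has_voice = voice_vlan in m["tagged"]
        if (has_data or has_voice) and not (has_data and has_voice):
            problems[port] = m
    return problems


if __name__ == "__main__":
    membership = port_membership(parse_show_vlan(SHOW_VLAN_OUTPUT))
    for port, m in sorted(membership.items()):
        print(f"port {port:>2}: untagged={m['untagged']} tagged={sorted(m['tagged'])}")
    print("ports off the pattern:", sorted(audit_phone_ports(membership, 2, 30)))
```

Feed it the full output of `show vlan` for every VLAN on the switch and the audit becomes a complete membership check; with only a subset, a port flagged with `untagged=None` may simply belong to a VLAN that was not included.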
 
LVL 50

Expert Comment

by:Don Johnston
Output looks right for phones that have host ports. I'm assuming the phones are connected to ports 1-7?

What manufacturer/model phones are these?
0
 

Author Comment

by:pfry1713
Right now phones are only attached to 6 ports. Port 7 has a digital printer/copier/scanner attached. I will have to go onsite to get the phone model number.

The problem is that, with or without phones, devices on VLAN 2 cannot see each other. Every port on VLAN 2 seems to be isolated from every other port.
0
 
LVL 50

Expert Comment

by:Don Johnston
Try this:

make a couple ports members of VLAN2 only. Then see if they can communicate.

Also, as has been requested before, it would really help if you would post the config of the switch.
0
 

Author Comment

by:pfry1713
I will do what you suggest.

I do not know how to get the entire switch configuration. Is there a show command I can use to get all of the info you want?
0
 
LVL 50

Expert Comment

by:Don Johnston
show run
0
 

Author Comment

by:pfry1713
danjohnston,

Thanks so much for your help. The show run command made it obvious. A partial printout of the command is below. VLAN 2, aka TROUBLE, has addresses in the 10.1.2.x range. As you can see, the Basic-ACL prevents access to VLAN 2 ports. I think if I fix Basic-ACL, all will be well.

; J9624A Configuration Editor; Created on release #RA.15.05.0006
; Ver #01:01:00

hostname "HP1"
time timezone -420
time daylight-time-rule Continental-US-and-Canada
ip access-list extended "Basic-ACL"
   10 permit ip 0.0.0.0 255.255.255.255 172.16.10.10 0.0.0.0 log
   20 deny ip 0.0.0.0 255.255.255.255 10.1.0.0 0.0.255.255 log
   30 deny ip 0.0.0.0 255.255.255.255 192.168.1.0 0.0.0.255 log
   40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
interface 1
   ip access-group "Basic-ACL" in
exit
interface 2
   ip access-group "Basic-ACL" in
exit
interface 3
   ip access-group "Basic-ACL" in
exit
interface 4
   ip access-group "Basic-ACL" in
exit
interface 5
   ip access-group "Basic-ACL" in
exit
interface 6
   ip access-group "Basic-ACL" in
exit
interface 7
   ip access-group "Basic-ACL" in
exit
interface 8
   ip access-group "Basic-ACL" in
exit
0
 
LVL 26

Expert Comment

by:pony10us
@donjohnston

In looking at this ACL wouldn't it be better to be coded like this:

 ip access-list extended "Basic-ACL"
   10 permit ip 0.0.0.0 255.255.255.255 172.16.10.10 0.0.0.0 log
   20 permit ip 0.0.0.0 255.255.255.255 10.1.0.0 0.0.255.255 log
   30 deny ip any any log

This would permit any ip traffic to the 172.16.10.10 address, any traffic to any 10.1.x.x device and block all other traffic?
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
That's one of the most... interesting applications of an ACL I've seen in a while. :-)

Quickest fix would be to insert a line 15 into the ACL.

  15 permit ip 0.0.0.0 255.255.255.255 10.1.2.0 0.0.0.255

BTW, this is why we ask for configs. The problem would have been solved the minute we saw that config.
0
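The accepted answer relies on two properties of a ProCurve extended ACL: rules are tried in sequence-number order and the first match wins, and a packet matching no rule falls through to an implicit deny. The following is an added Python example, not from the thread or from HP, that models exactly that evaluation with Cisco-style wildcard masks and runs a constructed VLAN 2 workstation address (10.1.2.50) against the three rule sets in the thread: the Basic-ACL from `show run`, the same ACL with Don Johnston's line 15 added, and pony10us's permit-list variant. The printer (10.1.2.20) and Internet host (203.0.113.10) addresses are constructed; 172.16.10.10 and 192.168.1.1 come from the posted config and thread.

```python
"""Evaluate ProCurve-style extended IP ACLs with first-match semantics."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' = address 0.0.0.0 with an all-ones wildcard


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str          # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    keep = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & keep) == (_ip(base) & keep)


def _take_addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    if tok[i] == "any":
        return ANY, i + 1
    return (tok[i], tok[i + 1]), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse numbered 'permit|deny ip <src> <wild> <dst> <wild> [log]' lines.
    Rules are ordered by sequence number, so '15 permit ...' appended at the end of
    the text still lands between 10 and 20, as it does on the switch."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[1] not in ("permit", "deny") or tok[2] != "ip":
            continue  # access-list header, 'exit', blank and non-IP lines are skipped
        (src, sw), i = _take_addr(tok, 3)
        (dst, dw), _ = _take_addr(tok, i)
        rules.append(Rule(int(tok[0]), tok[1], src, sw, dst, dw))
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match means the implicit deny at the end."""
    for r in rules:
        if wildcard_match(src, r.src, r.src_wild) and wildcard_match(dst, r.dst, r.dst_wild):
            return r.action, r.seq
    return "deny", None


# Basic-ACL exactly as posted from 'show run'.
ORIGINAL_ACL = """
ip access-list extended "Basic-ACL"
   10 permit ip 0.0.0.0 255.255.255.255 172.16.10.10 0.0.0.0 log
   20 deny ip 0.0.0.0 255.255.255.255 10.1.0.0 0.0.255.255 log
   30 deny ip 0.0.0.0 255.255.255.255 192.168.1.0 0.0.0.255 log
   40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
"""
# The accepted fix: line 15 permits the VLAN 2 subnet before line 20 can deny it.
FIXED_ACL = ORIGINAL_ACL + "   15 permit ip 0.0.0.0 255.255.255.255 10.1.2.0 0.0.0.255\n"
# pony10us's permit-list variant.
PONY_ACL = """
ip access-list extended "Basic-ACL"
   10 permit ip 0.0.0.0 255.255.255.255 172.16.10.10 0.0.0.0 log
   20 permit ip 0.0.0.0 255.255.255.255 10.1.0.0 0.0.255.255 log
   30 deny ip any any log
"""

WORKSTATION = "10.1.2.50"  # constructed address in the VLAN 2 range
DESTINATIONS = {
    "printer on VLAN 2": "10.1.2.20",        # constructed
    "host 172.16.10.10": "172.16.10.10",     # ACL line 10
    "router on VLAN 1": "192.168.1.1",       # from the thread
    "Internet host": "203.0.113.10",         # constructed (documentation range)
}


def verdicts(acl_text: str, src: str = WORKSTATION) -> Dict[str, Tuple[str, Optional[int]]]:
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, src, dst) for name, dst in DESTINATIONS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("with line 15", FIXED_ACL), ("permit-list", PONY_ACL)):
        print(f"== {label} ==")
        for name, (action, seq) in verdicts(acl).items():
            print(f"  {name:<20} {action:<6} (line {seq})")
```

Running it shows why the posted ACL produced the symptom: the intra-VLAN packet hits line 20 before anything permits it, while Internet-bound traffic slips past lines 20 and 30 to the permit on line 40. With line 15 in place the same packet is permitted at 15 and nothing else changes; the permit-list variant ends every non-10.1.x.x, non-172.16.10.10 destination at its final deny.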
 

Author Comment

by:pfry1713
Thanks (is it Dan or Don?) I agree at least in part, but it wasn't my call. The original configuration was done by the guys who provided the phone system whom I was finally able to contact today. I had thought they had configured the switch so that anything on VLAN 2 would be accessible from any other VLAN, i.e. a shared device VLAN, so I was surprised when even computers on VLAN 2 could not see other computers and devices on VLAN 2. One operational parameter which I didn't provide above was that this is in an executive office suite where each user needs to be isolated from every other user. The ACL certainly does that. Unfortunately, the ACL also prevented the sharing of common devices.

We are going to continue using the same ACL with a modification for a separate VLAN accessible to all other VLANS. VLAN 2 will continue to be the VLAN most clients are using. That way we don't have to configure a new VLAN for each client.

BTW, I wasn't aware of the ACL until I issued the show run command so thanks for that, too.
0
 

Author Comment

by:pfry1713
Thanks also pony10us. I thought your comment was from danjohnston.
0
 
LVL 3

Expert Comment

by:corower
pfry1713: printer (and every other "common device" you have) is no different from any user. switch basically has no way to distinguish between them. so, you either must move your common devices to a separate vlan (and allow others to contact it), or allow inter-node communication in your vlan. it seems a design error here - either you have not told those guys, that you have some common devices, or they ignored that info. :) and, from my POV, ACLs and fat smartswitch are a bit of an overkill in this place :)
0
 
LVL 17

Expert Comment

by:jburgaard
please disregard my comment ID 39185195
0
