Solved

HP v1910-xxG Switches Not Routing Between VLANs

Posted on 2014-02-07
Last Modified: 2014-11-26
I'm having a problem with a customer running several HP v1910 network switches connected together via fiber across several buildings.  The issue is that I can't seem to reach camera devices on VLAN 2 from computers and devices on VLAN 1.  The HP V1910 switches are capable of Layer 3 Static routing and I have defined one of the switches as a router for all VLANs / subnets.  There is also a Sonicwall NSA 2400 in the mix as the default gateway for all devices, which has static routes in it pointing traffic destined for the 192.168.2.x and 192.168.3.x subnets to the v1910 switch acting as the VLAN router.  For simplicity, I will limit the configuration example to three switches and the router, as I have drilled down to this layout for troubleshooting purposes onsite.  I have even taken the Sonicwall out of the mix during testing and used the v1910 as the default gateway, but have the same results.  There must be some basic error in my configuration of the ports / VLANs that I'm just overlooking.  Any help would be greatly appreciated!

Example Switch/Router Configuration:

Sonicwall NSA 2400

Port X0 - 192.168.1.1
Port X1 - Public Address block on Comcast

Static Routes - 192.168.2.x traffic routed to v1910 switch at 192.168.1.2
                        192.168.3.x traffic routed to v1910 switch at 192.168.1.2

Switch 1 - v1910-24G

VLAN 1  General
VLAN 2  Cameras
VLAN 3  Phones

VLAN Interface IPs

VLAN 1 - 192.168.1.2
VLAN 2 - 192.168.2.2
VLAN 3 - 192.168.3.2

IP V4 Routing

All ports untagged VLAN 1 with PVI VLAN 1, link type Access
Port 28 (fiber link to Switch 2) also tagged for VLAN 2 and VLAN 3, link type Hybrid

Switch 2 - v1910-24G

VLAN 1  General
VLAN 2  Cameras
VLAN 3  Phones

VLAN Interface IPs

VLAN 1 - 192.168.1.3

All ports untagged VLAN 1 with PVI VLAN 1, link type Access
Port 27 (fiber link to Switch 3) also tagged for VLAN 2 and VLAN 3, link type Hybrid
Port 28 (fiber link to Switch 1) also tagged for VLAN 2 and VLAN 3, link type Hybrid

Switch 3 - v1910-8G

VLAN 1  General
VLAN 2  Cameras
VLAN 3  Phones

VLAN Interface IPs

VLAN 1 - 192.168.1.4

All ports untagged VLAN 2 with PVI VLAN 2, link type Access
Port 9 (fiber link to Switch 2) also untagged for VLAN 1, tagged for VLAN 2 and VLAN 3, link type Hybrid

So, when I have a computer on any of the switches participating in the 192.168.1.x subnet with a default gateway of 192.168.1.1 (the Sonicwall), and it tries to ping a camera on Switch 3 (v1910-8G) at address 192.168.2.200, I get no reply.  If I try to ping the VLAN 2 interface at 192.168.2.2 on Switch 1, I get successful replies.  If I traceroute to 192.168.2.200, my first hop is Switch 1 at 192.168.1.2, then it loses its way.

All three switches show the MAC address in their tables for all cameras on Switch 3, as well as the MAC address of Switch 1 - all of which are assigned to VLAN 2.  I have even tried removing the Sonicwall as the default gateway on testing computers and reassigned it to Switch 1 as the default gateway, but still no ping to the cameras.  I have gone into the diagnostics section of Switch 1 and tried to ping the cameras, but no response.  The only time I get response to the cameras is when I'm pinging from devices on Switch 3 in the 192.168.2.x subnet.

So, what elemental error am I making with this configuration?  Do I need to specify interface IP addresses on Switch 2 and Switch 3 for proper routing?  Do I have the ports tagged/untagged incorrectly?  I've run this configuration with other HP 2000 level Procurve switches and never had a problem - maybe because they incorporate routing protocols vs. static routing.  Assistance please!  Thanks!
0
Question by:rgmckenz
18 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39842132
The default gateway for pc's in vlan 1 should be the vlan 1 interface of the switch 1. 192.168.1.2.

Switch 1 should have a default route pointing to the FW 192.168.1.1.
0
 

Author Comment

by:rgmckenz
ID: 39842280
Thanks for the quick response.  During recent testing, I had changed the Default Gateway for several computers in VLAN1 to 192.168.1.2 - the address on the routing Switch 1.  The default gateway for Switch 1 is 192.168.1.1 - the Sonicwall Internet firewall/router.  The cameras each have an address in the 192.168.2.x network with a gateway of 192.168.2.2, as well as being in VLAN2.  The routing table for Switch 1 looks like this:

0.0.0.0           0.0.0.0                  Static   60 192.168.1.1    Vlan-interface1
127.0.0.0       255.0.0.0              Direct  0   127.0.0.1        InLoopBack0
127.0.0.1       255.255.255.255  Direct  0   127.0.0.1        InLoopBack0
192.168.1.0   255.255.255.0      Direct  0   192.168.1.2    Vlan-interface1
192.168.1.2   255.255.255.255  Direct  0   127.0.0.1        InLoopBack0
192.168.2.0   255.255.255.0      Direct  0   192.168.2.2    Vlan-interface2
192.168.2.2   255.255.255.255  Direct  0   127.0.0.1        InLoopBack0
192.168.3.0   255.255.255.0      Direct  0   192.168.3.2    Vlan-interface3
192.168.3.2   255.255.255.255  Direct  0   127.0.0.1        InLoopBack0

Do I have something wrong with my VLAN configuration?  If, for example, ICMP packets are received at Switch 1 destined for a device with a 192.168.2.x address on a Switch 3 untagged VLAN2 port, and all three switches are connected by fiber lines with ports tagged in VLAN2, shouldn't Switch 1 be able to forward those packets to the device on Switch 3, especially if all three switches have that device in their MAC/ARP tables?  Am I getting routing and switching mixed up here?
0
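Added example (not part of the original thread and not HP's code): a longest-prefix-match lookup over the Switch 1 routing table posted above. It shows that 192.168.2.x already resolves to a Direct route on Vlan-interface2, so delivery to a camera depends on ARP and VLAN 2 membership along the fiber links, not on an extra static route. The function names are illustrative.

```python
import ipaddress

# Switch 1 table from the post above: dest, mask, protocol, preference, next hop, interface
SWITCH1_TABLE = """\
0.0.0.0 0.0.0.0 Static 60 192.168.1.1 Vlan-interface1
127.0.0.0 255.0.0.0 Direct 0 127.0.0.1 InLoopBack0
127.0.0.1 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
192.168.1.0 255.255.255.0 Direct 0 192.168.1.2 Vlan-interface1
192.168.1.2 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
192.168.2.0 255.255.255.0 Direct 0 192.168.2.2 Vlan-interface2
192.168.2.2 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
192.168.3.0 255.255.255.0 Direct 0 192.168.3.2 Vlan-interface3
192.168.3.2 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
"""

def parse_routes(text):
    """Turn the table text into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed rows
        dest, mask, proto, pref, nexthop, iface = fields
        net = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append(dict(net=net, proto=proto, pref=int(pref),
                           nexthop=nexthop, iface=iface))
    return routes

def lookup(routes, addr):
    """Longest prefix wins; on a tie the lower preference value wins."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r["net"]]
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["pref"])) if hits else None

def describe(routes, addr):
    """Say what the switch does with a packet addressed to addr."""
    r = lookup(routes, addr)
    if r is None:
        return "no route: drop"
    if r["iface"].startswith("InLoopBack"):
        return "local address on the switch"
    if r["proto"] == "Direct":
        return f"connected on {r['iface']}: ARP for {addr} in that VLAN"
    return f"forward to {r['nexthop']} via {r['iface']}"

ROUTES = parse_routes(SWITCH1_TABLE)
if __name__ == "__main__":
    for target in ("192.168.2.202", "192.168.2.2", "192.168.1.1", "8.8.8.8"):
        print(f"{target:15} -> {describe(ROUTES, target)}")
```
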
 
LVL 26

Expert Comment

by:Soulja
ID: 39842573
When you state "PVI" what are you saying?
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39842652
Why are you doing routing at the Sonicwall and the HP switch?  Do you need to provide firewalling between each VLAN?

You should probably look at creating a point-to-point link between the main HP switch and the Sonicwall purely for internet routing.  VLAN1 devices would use the HP switch as their gateway, as would VLAN2 and VLAN3 devices.  Basically everything uses the main switch as the gateway.

The main HP switch would have one route which is a default route pointing to the Sonicwall, and the Sonicwall would have a static route pointing all 192.168.x.y traffic to the HP switch.
0
 

Author Comment

by:rgmckenz
ID: 39842782
Thank you both for the quick responses.  The original network was not nearly as complex - a single default VLAN - so all devices, servers, printers, etc., were using the Sonicwall as the default gateway.  The network is currently in flux, as the company is adding buildings to the campus, some of which have been completed.  The end goal is to configure the network exactly as you have both described - with the HP L3 switch doing the routing and all devices using it as their default gateway (or another more centrally located switch), and the Sonicwall acting as the default gateway for the L3 switch.  That's worked fine in the past.

What I described in my first posting is the "transition state" of the network (sorry, didn't mention that).  My concern is that when I have the workstations, switches and Sonicwall configured as you described, I still can't route packets to the appropriate camera across Switch 1 that routes between the VLANs.  Before I commit all of the gateway changes on the devices, I want to make sure my design and configurations are sound.  I could put a true Cisco router in as the central router in place of the switch, but the client would rather I not do that.

I will go ahead and start readdressing devices with the appropriate gateway address.  It won't harm the routing to my default VLAN 1 devices and it is the end game anyway.

Soulja, I left off the D at the end of PVI ..... that was PVID, defined as the following:

"A Port VLAN ID (pvid) is a default VLAN ID that is assigned to an access port to designate the virtual LAN segment to which this port is connected. The pvid places the port into the set of ports that are connected under the designated VLAN ID. Also, if a trunk port has not been configured with any VLAN memberships, the virtual switch's Port VLAN ID (pvid) becomes the default VLAN ID for the ports connection."
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39842800
Okay, have you tried tagging vlan 1 also on the trunk between the switches? It sounds like currently you have it set as a native vlan.

To confirm, you stated you already tested the vlan 1 clients using the switch as their default gateway, correct? You should leave them that way. Don't switch them to use the FW as their default gateway.  Also for the future, keep the switch as the VLAN routing entity, not a Cisco router.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39842815
Ok so we need to leave all devices on VLAN 1 using the Sonicwall as the default gateway.  That's fine.

If you want PCs on VLAN1 to be able to see the devices on VLANs 2 and 3 the easiest thing to do is use a static route on the PCs in VLAN1 which points to the HP switch.

So, if PC 192.168.1.10 wants to ping 192.168.2.10 you'd need a route like this on the PC...

route -p add 192.168.2.0 mask 255.255.255.0 192.168.1.2

You could script that quite easily using login script, etc.
0
 

Author Comment

by:rgmckenz
ID: 39842816
I just changed a Remote Desktop server default gateway on the 1.x network to 192.168.1.2 (Switch 1 address).  I can get to the Internet, as Switch 1 has the Sonicwall as its Default Gateway and traceroute proves that out.  However, I still cannot ping a camera device at 192.168.2.202 from there as described in my configuration above.  When I try to traceroute from the Remote Desktop server to the camera at 192.168.2.202, it lists Switch 1 (192.168.1.2) as the first hop, then I get "request timed out" for the rest of the attempts.  To me, that has to be a configuration error on one or more of the HPs.  Would you agree?  And thanks again - hope I'm not being dense.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39842821
Do you have the ip routing command configured on the HP switch?

Can you post its config?
0

 
LVL 26

Expert Comment

by:Soulja
ID: 39842866
Lol, yeah Craig it could be that simple. Can anything on vlan 2 access the internet? Try putting a laptop/computer on vlan 2 and test to vlan 1 or the internet?
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39842874
Also, leaving the sonic as the default gateway is fine, routing wise, since it has static routes back to switch1, but the routing path isn't optimal and unnecessarily uses resources on the sonicwall.
0
 

Author Comment

by:rgmckenz
ID: 39842907
Agreed with both your comments above.  Hmmmm, that's something I didn't think about!  IP  Routing turned on.  That's something I'm used to with 2000 level HP Procurves.  However, here's the thing - I can't drop to a command line on this switch.  There is an option called "IP V4 Routing" on the Networking Menu which displays the Active Routes as shown above, so I assumed the switch is supposed to be static routing, based on the VLAN interface IPs and subnets.

To that end, I found some kind of a backdoor into the command line through Telnet that opens up all of the commands.  I displayed the configuration and it doesn't explicitly show "IP ROUTING", but it does show this command:

ip route-static 0.0.0.0  0.0.0.0  Vlan-interface1 192.168.1.1


I guess this makes sense since the switch is only Layer 3 static switch.  That's the only route I can see, even though it has a routing table as displayed above.  So, did HP just eliminate that from their configuration and the software assumes it will be routing the VLANs based on the VLAN interface IP addresses?  I guess with the entries that I see in the routing table, it should know where the 192.168.2.x network is, right - the gateway on the switch is 192.168.2.2.  And, since the switch has a port tagged for VLAN2 that connects with other switches on those ports, shouldn't it be able to find the 192.168.2.202 address?  All of the switches have the MAC address for 192.168.2.202 listed in their tables.  What am I doing wrong?

FYI:  I tagged VLAN1 on those same ports to no effect.  Here's one thing - when I tagged VLANs on those ports, it changed the link type from Access to Hybrid.  You can force it to be a link type of Trunk.  However, I'm not linking several ports together - going port to port on the switches.  Ugh - gives me a headache.  :-)
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39843146
I am not referring to the access ports. I'm talking about tagging vlan one on the hybrid port. The ports connecting each switch to one another.
0
 

Author Comment

by:rgmckenz
ID: 39843207
Sorry - I'm not too clear in my explanations today.  I tagged VLAN1 on all of the Hybrid ports.  Still the same results.  This one has got me stumped.  I haven't worked with the V1910 switches before - just the prior model in the series.  Other thoughts?
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39843279
Doesn't make sense.  It's not a complex design.  At this point I think we need to see configs. Not saying I don't take your word but a second pair of eyes is always beneficial.
0
 

Author Comment

by:rgmckenz
ID: 39843310
I agree - I'll jump into that command line and get the configs for the switches in question.  I'll have to do this tomorrow, as the customer is closed now, but I'll post them all here.  Thank you once again.
0
 
LVL 1

Accepted Solution

by:Ignacio Garcia (earned 500 total points)
ID: 40172108
Hi rgmckenz!

We are having the exact same problem with this same switch model. Maybe we can help each other :).

If you want to use SSH/Telnet you have to go, through the web interface, to Network > Service > and enable the corresponding service.

Once done, if you SSH/telnet to your device's IP, you will be asked to login. After you get to the first prompt enter the following:

"_cmdline-mode on"

Answer Yes and input "512900" as the password.

You will then have full access to the CLI. If you type "system-view" you enter config mode. To see the running config type "display current-configuration". To negate a command you have to enter "undo" before it.

Hope this helps you!!

About routing problem, we also tried an older firmware (we found in some forum someone that managed to have inter VLAN routing working with it), 1910_5.20.R1111P02, also tried the last one 1910_5.20.R1513P85 and had no luck.

I also wasn't able to find any command to "enable" IP routing like in Cisco world...odd...

Ideas are welcome!!

Thanks and regards.

Nachol.
0
 

Author Closing Comment

by:rgmckenz
ID: 40467460
Appreciate the help and apologize for taking so long to get back to you.  Later firmware upgrades helped, but there are still issues overall with the VLAN routing.  I'll post additional info during implementation in December, 2014.
0
