Solved

Routing between VLANs on HP Procurve switches

Posted on 2014-08-01
Last Modified: 2015-03-18
Hi,

We have a number of HP Procurve switches installed.  There is 1x 3500YL core switch, and a number of layer 2 2600 series switches.  We have 5 VLANs within the switches, and trunk ports between each of the switches.
VLAN 100, 110, 120, 130 and VLAN 1.

If I connect a device to any switch in one of the VLANs, let's say 110 for example, I can happily communicate with this device from any other switch within VLAN 110.  Exactly as I want it.

The issue arises when I want to talk between VLANs.  So, if I connect the same device at one of the switches with VLAN 110, I cannot connect to any device within VLAN 120.  However, if the device in VLAN 120 happens to be connected to the Core switch, it is OK.

Here is the core switch configuration:
hostname "1-3500YL"
module 1 type J86xxA
trunk 22 Trk1 Trunk
trunk 23 Trk2 Trunk
trunk 24 Trk3 Trunk
trunk 19 Trk4 Trunk
trunk 21 Trk5 Trunk
ip default-gateway 192.168.100.1
ip routing
vlan 1
   name "DEFAULT_VLAN"
   untagged 3
   ip address 192.168.100.1 255.255.255.0
   tagged Trk1-Trk5
   no untagged 1-2,4-18,20
   ip igmp
   exit
vlan 100
   name "100"
   untagged 1-2,4-11,14-16,18,20
   ip address 172.22.28.1 255.255.255.0
   tagged Trk1-Trk5
   ip igmp
   exit
vlan 110
   name "110"
   untagged 12-13,17
   ip address 172.22.22.254 255.255.255.0
   tagged Trk1-Trk5
   exit
vlan 120
   name "120"
   ip address 172.22.23.1 255.255.255.0
   tagged Trk1-Trk5
   exit
vlan 130
   name "130"
   ip address 172.22.24.1 255.255.255.0
   tagged Trk1-Trk5
   exit

And this is from one of the other switches (they are all the same, except the port VLAN memberships)

hostname "2620-48-1"
trunk 49 trk1 trunk
snmp-server community "public" unrestricted
spanning-tree
spanning-tree Trk1 priority 4
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-48
   untagged 50-52
   tagged Trk1
   ip address 192.168.100.5 255.255.255.0
   exit
vlan 100
   name "100"
   tagged Trk1
   no ip address
   ip igmp
   exit
vlan 110
   name "110"
   untagged 47-48
   tagged Trk1
   no ip address
   exit
vlan 120
   name "120"
   untagged 1-46
   tagged Trk1
   no ip address
   exit
vlan 130
   name "130"
   tagged Trk1
   no ip address
   exit

Any help, greatly appreciated!
0
Question by:Samantha Smith
24 Comments
 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40233791
It sounds like there is an IP routing issue somewhere. I'm assuming that routing for your VLANs is being handled by your Core? Are you able to ping the VLAN IP addresses on your Core Switch from your Access switches, or does that fail as well?
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233802
Hi Daniel,
The core switch is the router, and there is no other router connected.  There are no internet connections.  So the VLANs are the extent of the entire setup.

I CANNOT ping those interfaces from any other switch unless I am in the correct VLAN.  I cannot ping any of the interfaces if I am at the switch's CLI.

Thank you.
0
 
LVL 6

Expert Comment

by:LHT_ST
ID: 40233807
Can you provide the output from the command "show ip route"
0
 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40233808
Does pinging through the devices work with VLAN1? Connect 2 devices on 2 switches on VLAN to see if that works

Do a sh ip route as well please
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233830
Hi, yes, ping through VLAN1 is good.  I can also connect to all the switches via telnet etc. using the VLAN1 addresses.

destination        gw      vlan  type       subtype  metric  dist.

127.0.0.0/8        reject        static              0       0
127.0.0.1/32       lo0           connected           1       0
172.22.22.0/24     110     110   connected           1       0
172.22.23.0/24     120     120   connected           1       0
172.22.24.0/24     130     130   connected           1       0
172.22.28.0/25     100     100   connected           1       0
192.168.100.0/24           1     connected           1       0

Thank you.
0
 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40233834
Is that an ip route from your core? Can you do the same for 1 of the access switches as well please?
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233849
That is indeed from the Core.  Access switch as follows, much smaller.....

127.0.0.0/8       reject        static     0  0
127.0.0.1/32      lo0           connected  1  0
192.168.100.0/24  DEFAULT_VLAN  connected  1  0
0
 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40233851
On the access switches do ip default-gateway 192.168.100.1 then try to ping the core's from the access switches' CLI again.

With the client devices, I assume you are changing the IP addresses to match the VLANs' subnets? Can you show an ipconfig from a device in say VLAN 120 on an access switch?
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233857
I will test that line in a moment.  Thank you.
The client devices are each configured with an IP address and mask from the associated subnet, and use the interface addresses from that VLAN as the default gateway.
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233882
Hi Daniel,
From within the CLI of an edge switch, if I add the ip default-gateway 192.168.100.1 line you suggested, each of those interfaces from the Core switch becomes reachable.
0
 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40233884
Well, at least we're moving forward :)

Can you show an IPconfig from one of the devices in VLAN 120?

Thanks
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233902
These are not Windows devices (they are not actually computers at all).  But a device in VLAN 120 shows as follows:

IP Address:      172.22.23.56
Subnet Mask:  255.255.255.0
Def G/W:          172.22.23.1
DNS 1:              not specified
DNS 2:              not specified
0
 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40233952
Can you try to give one of the access switches an IP address for VLAN 120 then try to ping that from the Core?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40233971
Can a host on VLAN 120 ping the 172.22.23.1 address?

If so, can that host ping 172.22.22.1? Or 172.22.24.1?
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233974
Hi Don,
Can a host on VLAN 120 ping 172.22.23.1 - Yes
Can that host ping 172.22.22.1 or 172.22.24.1 - Only if connected directly to the Core switch!!
Thanks
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40233983
But the VLAN 120 host can ping 172.22.23.1 from any switch?
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40234011
Hi Don, yes, that is correct.
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40234013
Daniel, we have added the address to VLAN 120 on an edge switch and we can ping this from the core switch.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40234014
That makes no sense at all. :-(
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40234028
Don, I am so pleased!  We have reached the same conclusion - no sense whatsoever.
0
 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40234063
Can you do some trace route equivalents from the devices to the core switch when they are plugged into an access switch?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40234114
"Don, I am so pleased!"
Well, as long as you're happy. ;-)

Are the VLAN interface configs you posted complete?  Are there any ACLs applied to any of the VLANs?
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40234373
No ACLs; configs are complete.  Tracert to follow.
0
 
LVL 17

Accepted Solution

by:jburgaard (earned 500 total points)
ID: 40235453
I cannot see the purpose, or the harm for that matter, of the Trunk statements.
So I would try, at both ends of a link, reverting to the simpler
no trunk 49 trk1 trunk
and, for all the VLANs, instead of 'Tag trk1'
tag 49
- and as part of this experiment also make the same type of change on the uplink port (tagging the port directly instead of tagging a trunk of one port)

Hope this makes some sense
0
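
A configuration check for the access-switch config posted in the question, added here as an example; it is not part of the thread and not HP tooling. It parses the `trunk`, `vlan` and `snmp-server community` lines, reports trunk groups with a single member port (the construct the accepted solution suggests removing) together with the VLANs tagged on them, and flags the `public` community set to `unrestricted`, which on ProCurve grants SNMP write access. The function names are assumptions made for illustration, and SAMPLE is abridged from the question.

```python
import re

# Access-switch configuration from the question, abridged to two VLANs.
SAMPLE = """hostname "2620-48-1"
trunk 49 trk1 trunk
snmp-server community "public" unrestricted
vlan 1
   tagged Trk1
   exit
vlan 120
   untagged 1-46
   tagged Trk1
   exit
"""

def expand(spec):
    """Expand a port list such as '1-2,4' or 'Trk1-Trk5' into port names."""
    ports = []
    for part in spec.lower().split(","):
        lo, _, hi = part.partition("-")
        prefix, first = re.fullmatch(r"([a-z]*)(\d+)", lo).groups()
        last = re.search(r"\d+$", hi).group() if hi else first
        ports += [f"{prefix}{n}" for n in range(int(first), int(last) + 1)]
    return ports

def parse(config):
    """Return trunk groups, per-VLAN port membership and SNMP communities."""
    trunks, vlans, snmp, vid = {}, {}, [], None
    for w in filter(None, (line.split() for line in config.splitlines())):
        if w[0] == "trunk" and len(w) >= 3:  # trunk <ports> <group> <type>
            trunks.setdefault(w[2].lower(), []).extend(expand(w[1]))
        elif w[:2] == ["snmp-server", "community"] and len(w) >= 4:
            snmp.append((w[2].strip('"'), w[-1]))
        elif w[0] == "vlan" and len(w) == 2:
            vid = int(w[1])
            vlans[vid] = {"tagged": set(), "untagged": set()}
        elif w[0] in ("tagged", "untagged") and vid is not None and len(w) == 2:
            vlans[vid][w[0]].update(expand(w[1]))
    return trunks, vlans, snmp

def audit(config):
    """Flag single-port trunk groups and write-enabled SNMP communities."""
    trunks, vlans, snmp = parse(config)
    found = [f"trunk {t} has one member port ({m[0]}); VLANs tagged on it: "
             f"{sorted(v for v in vlans if t in vlans[v]['tagged'])}"
             for t, m in trunks.items() if len(m) == 1]
    found += [f"SNMP community {c!r} is unrestricted (read/write)"
              for c, mode in snmp if mode == "unrestricted"]
    return found
```

Calling `audit()` on the configuration from each end of an uplink and comparing the tagged-VLAN lists shows whether both sides carry the same VLANs on that link.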
