Solved

Routing between VLANs on HP ProCurve switches

Posted on 2014-08-01
Last Modified: 2015-03-18
Hi,

We have a number of HP ProCurve switches installed.  There is 1x 3500YL core switch, and a number of layer 2 2600 series switches.  We have 5 VLANs within the switches, and trunk ports between each of the switches.
VLAN 100, 110, 120, 130 and VLAN 1.

If I connect a device to any switch in one of the VLANs, let's say 110 for example, I can happily communicate with this device from any other switch within VLAN 110.  Exactly as I want it.

The issue arises when I want to talk between VLANs.  So, if I connect the same device at one of the switches with VLAN 110, I cannot connect to any device within VLAN 120.  However, if the device in VLAN 120 happens to be connected to the Core switch, it is OK.

Here is the core switch configuration:
hostname "1-3500YL"
module 1 type J86xxA
trunk 22 Trk1 Trunk
trunk 23 Trk2 Trunk
trunk 24 Trk3 Trunk
trunk 19 Trk4 Trunk
trunk 21 Trk5 Trunk
ip default-gateway 192.168.100.1
ip routing
vlan 1
   name "DEFAULT_VLAN"
   untagged 3
   ip address 192.168.100.1 255.255.255.0
   tagged Trk1-Trk5
   no untagged 1-2,4-18,20
   ip igmp
   exit
vlan 100
   name "100"
   untagged 1-2,4-11,14-16,18,20
   ip address 172.22.28.1 255.255.255.0
   tagged Trk1-Trk5
   ip igmp
   exit
vlan 110
   name "110"
   untagged 12-13,17
   ip address 172.22.22.254 255.255.255.0
   tagged Trk1-Trk5
   exit
vlan 120
   name "120"
   ip address 172.22.23.1 255.255.255.0
   tagged Trk1-Trk5
   exit
vlan 130
   name "130"
   ip address 172.22.24.1 255.255.255.0
   tagged Trk1-Trk5
   exit

And this is from one of the other switches (they are all the same, except the port VLAN memberships)

hostname "2620-48-1"
trunk 49 trk1 trunk
snmp-server community "public" unrestricted
spanning-tree
spanning-tree Trk1 priority 4
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-48
   untagged 50-52
   tagged Trk1
   ip address 192.168.100.5 255.255.255.0
   exit
vlan 100
   name "100"
   tagged Trk1
   no ip address
   ip igmp
   exit
vlan 110
   name "110"
   untagged 47-48
   tagged Trk1
   no ip address
   exit
vlan 120
   name "120"
   untagged 1-46
   tagged Trk1
   no ip address
   exit
vlan 130
   name "130"
   tagged Trk1
   no ip address
   exit

Any help, greatly appreciated!
Question by:Samantha Smith
24 Comments
 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40233791
It sounds like there is an IP routing issue somewhere. I'm assuming that the routing for your VLANs is being handled by your Core? Are you able to ping the VLAN IP addresses on your Core Switch from your Access switches or does that fail as well?
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233802
Hi Daniel,
The core switch is the router, and there is no other router connected.  There are no internet connections.  So the VLANs are the extent of the entire setup.

I CANNOT ping those interfaces from any other switch unless I am in the correct VLAN.  I cannot ping any of the interfaces if I am at the switch's CLI.

Thank you.
0
 
LVL 6

Expert Comment

by:LHT_ST
ID: 40233807
Can you provide the output from the command "show ip route"
0
 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40233808
Does pinging through the devices work with VLAN1? Connect 2 devices on 2 switches on VLAN to see if that works

Do a sh ip route as well please
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233830
Hi, yes, ping through VLAN1 is good.  I can also connect to all the switches via telnet etc. using the VLAN1 addresses.

destination         gw        vlan    type             subtype    metric    dist.

127.0.0.0/8          reject              static                               0            0
127.0.0.1/32        lo0                  connected                      1            0
172.22.22.0/24   110     110      connected                      1            0
172.22.23.0/24   120     120      connected                      1            0
172.22.24.0/24   130     130      connected                      1            0
172.22.28.0/25   100     100      connected                      1            0
192.168.100.0/24          1           connected                      1            0

Thank you.
0
 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40233834
Is that an ip route from your core? Can you do the same for 1 of the access switches as well please?
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233849
That is indeed from the Core.  Access switch as follows, much smaller.....

127.0.0.0/8             reject                     static             0   0
127.0.0.1/32           lo0                         connected    1   0
192.168.100.0/24  DEFAULT_VLAN   connected   1   0
0
 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40233851
On the access switches do ip default-gateway 192.168.100.1 then try to ping the core's from the access switches' CLI again.

With the client devices, I assume you are changing the IP addresses to match the VLANs' subnets? Can you show an ipconfig from a device in say VLAN 120 on an access switch?
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233857
I will test that line in a moment.  Thank you.
The client devices are each configured with an IP address and mask from the associated subnet, and use the interface addresses from that VLAN as the default gateway.
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233882
Hi Daniel,
From within the CLI of an edge switch, if I add the ip default-gateway 192.168.100.1 line you suggested, each of those interfaces from the Core switch becomes reachable.
0
 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40233884
Well, at least we're moving forward :)

Can you show an IPconfig from one of the devices in VLAN 120?

Thanks
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233902
These are not Windows devices (they are not actually computers at all).  But a device in VLAN 120 shows as follows:

IP Address:      172.22.23.56
Subnet Mask:  255.255.255.0
Def G/W:          172.22.23.1
DNS 1:              not specified
DNS 2:              not specified
0

 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40233952
Can you try to give one of the access switches an IP address for VLAN 120 then try to ping that from the Core?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40233971
Can a host on VLAN 120 ping the 172.22.23.1 address?

If so, can that host ping 172.22.22.1? Or 172.22.24.1?
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40233974
Hi Don,
Can a host on VLAN 120 ping 172.22.23.1 - Yes
Can that host ping 172.22.22.1 or 172.22.24.1 - Only if connected directly to the Core switch!!
Thanks
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40233983
But the VLAN 120 host can ping 172.22.23.1 from any switch?
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40234011
Hi Don, yes, that is correct.
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40234013
Daniel, we have added the address to VLAN 120 on an edge switch and we can ping this from the core switch.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40234014
That makes no sense at all. :-(
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40234028
Don, I am so pleased!  We have reached the same conclusion - no sense whatsoever.
0
 
LVL 1

Expert Comment

by:Daniel Blackmore
ID: 40234063
Can you do some trace route equivalents from the devices to the core switch when they are plugged into an access switch?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40234114
"Don, I am so pleased!"
Well, as long as you're happy. ;-)

Are the VLAN interface configs you posted complete?  Are there any ACLs applied to any of the VLANs?
0
 
LVL 1

Author Comment

by:Samantha Smith
ID: 40234373
No ACLs; configs are complete.  Tracert to follow.
0
 
LVL 17

Accepted Solution

by:
jburgaard earned 500 total points
ID: 40235453
I cannot see the purpose, or the harm for that matter, of the Trunk statements.
So I would try, at both ends of a link, to revert to the simpler
no trunk 49 trk1 trunk
and for all the VLANs, instead of 'Tag trk1',
tag 49
- and as part of this experiment also make the same type of change on the uplink port (tagging the port directly instead of tagging a trunk of one port)

Hope this makes some sense
0
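The checks made by hand in this thread (which VLANs an uplink trunk group carries, how many ports are in that group, and whether a layer 2 switch has a default gateway for its own CLI traffic) can be run over a saved config. The following is an added example, not code from any participant or from HP; it assumes the config text format shown in the question, and the function names `expand`, `parse` and `audit` are hypothetical.

```python
import re

# Constructed sample: abridged from the access-switch config posted in the question.
ACCESS_CFG = """\
hostname "2620-48-1"
trunk 49 trk1 trunk
vlan 1
   untagged 50-52
   tagged Trk1
   ip address 192.168.100.5 255.255.255.0
vlan 120
   untagged 1-46
   tagged Trk1
"""

def expand(spec):
    """Expand '1-2,47,Trk1-Trk5' into lower-cased port names (trk1 == Trk1)."""
    out = set()
    for part in spec.lower().split(","):
        m = re.fullmatch(r"([a-z]*)(\d+)-\1(\d+)", part)
        if m:
            out.update(f"{m[1]}{n}" for n in range(int(m[2]), int(m[3]) + 1))
        else:
            out.add(part)
    return out

def parse(cfg):
    """Collect trunk groups, per-VLAN port membership and 'ip ...' settings."""
    sw = {"trunks": {}, "vlans": {}, "ip": {}}
    vid = None
    for w in filter(None, map(str.split, cfg.splitlines())):
        if w[0] == "trunk" and len(w) >= 3:      # trunk <ports> <name> <type>
            sw["trunks"][w[2].lower()] = expand(w[1])
        elif w[0] == "vlan":
            vid = int(w[1])
            sw["vlans"][vid] = {"tagged": set(), "untagged": set()}
        elif w[0] in ("tagged", "untagged") and vid is not None:
            sw["vlans"][vid][w[0]] |= expand(w[1])
        elif w[0] == "ip" and len(w) > 1:        # address / default-gateway / routing
            sw["ip"][w[1]] = w[2:]
    return sw

def audit(sw):
    """Report VLANs carried per trunk group and a missing default gateway."""
    notes = []
    for name, ports in sorted(sw["trunks"].items()):
        carried = sorted(v for v, m in sw["vlans"].items() if name in m["tagged"])
        notes.append(f"{name}: ports {sorted(ports)} carry tagged VLANs {carried}")
    if "address" in sw["ip"] and not sw["ip"].keys() & {"routing", "default-gateway"}:
        notes.append("no ip default-gateway: switch CLI reaches only its own subnet")
    return notes
```

Running `audit(parse(...))` on each switch's saved config and comparing the carried-VLAN lists for the two ends of a link shows any VLAN that is tagged on one side only.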
