Eric Olmstead
asked on
Inter-VLAN routing not working correctly. HP2930F L3
This is a networking question involving routing through L3 switch.
I have the following setup:
existing flat network with blackbox switch, which we will call SW0. All ports are on default vlan, so it is operating at L2.
SW0 has a network of 10.1.1.0/24, with an IP address of 10.1.1.209.
The gateway/firewall, which we shall call GW1 (CradlePoint for now), is 10.1.1.199, and has a static route of 10.1.2.0/23 next hop=10.1.1.208 (SW1)
SW1 is an HP 2930F operating at L3 with IP Routing enabled.
SW1 has the following config:
Running configuration:
SW2 is also an HP2930F, but it is operating at L2.
It's config is:
I can ping from SW1 to either GW1, SW0, SW2, and SW3
GW1 can ping SW0, SW1, SW2 or SW3
SW2 and SW3 can each ping SW1, but not SW0 or GW1.
Soooo.....what on earth am I missing here? All devices on the 10.1.2.0/23 network use the gateway address of SW1, which is 10.1.3.254.
Drawing1.pdf
I have the following setup:
existing flat network with blackbox switch, which we will call SW0. All ports are on default vlan, so it is operating at L2.
SW0 has a network of 10.1.1.0/24, with an IP address of 10.1.1.209.
The gateway/firewall, which we shall call GW1 (CradlePoint for now), is 10.1.1.199, and has a static route of 10.1.2.0/23 next hop=10.1.1.208 (SW1)
SW1 is an HP 2930F operating at L3 with IP Routing enabled.
SW1 has the following config:
Running configuration:
; JL259A Configuration Editor; Created on release #WC.16.07.0002
; Ver #14:01.4f.f8.1d.9b.3f.bf.b
hostname "SBT_SW01"
module 1 type jl259a
ip route 0.0.0.0 0.0.0.0 10.1.1.199
ip route 10.1.1.0 255.255.255.0 vlan 2
ip route 10.1.2.0 255.255.254.0 vlan 12
ip routing
no snmp-server enable
vlan 1
name "DEFAULT_VLAN"
no untagged 1-23,25-28
untagged 24
ip address 10.1.1.208 255.255.255.0
ipv6 address dhcp full
exit
vlan 12
name "VLAN_12"
untagged 1-23,25-28
ip address 10.1.3.254 255.255.254.0
exit
spanning-tree
allow-unsupported-transcei
no tftp server
; Ver #14:01.4f.f8.1d.9b.3f.bf.b
hostname "SBT_SW01"
module 1 type jl259a
ip route 0.0.0.0 0.0.0.0 10.1.1.199
ip route 10.1.1.0 255.255.255.0 vlan 2
ip route 10.1.2.0 255.255.254.0 vlan 12
ip routing
no snmp-server enable
vlan 1
name "DEFAULT_VLAN"
no untagged 1-23,25-28
untagged 24
ip address 10.1.1.208 255.255.255.0
ipv6 address dhcp full
exit
vlan 12
name "VLAN_12"
untagged 1-23,25-28
ip address 10.1.3.254 255.255.254.0
exit
spanning-tree
allow-unsupported-transcei
no tftp server
SW2 is also an HP2930F, but it is operating at L2.
It's config is:
SBT_SW02# show running-config
Running configuration:
; JL259A Configuration Editor; Created on release #WC.16.07.0002
; Ver #14:01.4f.f8.1d.9b.3f.bf.b
hostname "SBT_SW02"
module 1 type jl259a
ip default-gateway 10.1.3.254
no snmp-server enable
vlan 1
name "DEFAULT_VLAN"
untagged 1-28
ip address 10.1.3.253 255.255.254.0
exit
spanning-tree
allow-unsupported-transcei
no tftp server
SW3 is exactly the same as SW2, with an IP address of .252Running configuration:
; JL259A Configuration Editor; Created on release #WC.16.07.0002
; Ver #14:01.4f.f8.1d.9b.3f.bf.b
hostname "SBT_SW02"
module 1 type jl259a
ip default-gateway 10.1.3.254
no snmp-server enable
vlan 1
name "DEFAULT_VLAN"
untagged 1-28
ip address 10.1.3.253 255.255.254.0
exit
spanning-tree
allow-unsupported-transcei
no tftp server
I can ping from SW1 to either GW1, SW0, SW2, and SW3
GW1 can ping SW0, SW1, SW2 or SW3
SW2 and SW3 can each ping SW1, but not SW0 or GW1.
Soooo.....what on earth am I missing here? All devices on the 10.1.2.0/23 network use the gateway address of SW1, which is 10.1.3.254.
Drawing1.pdf
ASKER
Darrell,
Thanks for the reply.
EDIT: I have updated the original post to remove VLAN2 from the mix. It makes it more clear as it didn't add any effect to the issue.
The following text can be omitted.
Thanks for the comment on sanitization, but this is mockup (proof of concept) for the time being and names, numbers, locations, etc aren't real.
Silly answers: I had originally used VLAN1 on SW1 with the same settings as what VLAN2 is now using. VLAN1 on SW1 isn't assigned to any ports, but for all intents and purposes, you can pretend that the settings for VLAN2 are actually for VLAN1, and that VLAN2 doesn't exist.
I tried using a different VLAN in case there was something in the switch that wouldn't let the ip route work with the default vlan. I can change it back if you like, to clean up the config.
Regarding routes, there are no routes in SW0, SW2, or SW3. They are operating, as stated, in L2. All ports are untagged on each of those switches.
I have attached a file for viewing that should visualize the simple task at hand.
10.1.99.0/24 is not used, and was only placed there in VLAN1 so I could free up the address space for use on VLAN2.
Confusing, but I can simplify and repost if that makes it easier.
Thanks for the reply.
EDIT: I have updated the original post to remove VLAN2 from the mix. It makes it more clear as it didn't add any effect to the issue.
The following text can be omitted.
Thanks for the comment on sanitization, but this is mockup (proof of concept) for the time being and names, numbers, locations, etc aren't real.
Silly answers: I had originally used VLAN1 on SW1 with the same settings as what VLAN2 is now using. VLAN1 on SW1 isn't assigned to any ports, but for all intents and purposes, you can pretend that the settings for VLAN2 are actually for VLAN1, and that VLAN2 doesn't exist.
I tried using a different VLAN in case there was something in the switch that wouldn't let the ip route work with the default vlan. I can change it back if you like, to clean up the config.
Regarding routes, there are no routes in SW0, SW2, or SW3. They are operating, as stated, in L2. All ports are untagged on each of those switches.
I have attached a file for viewing that should visualize the simple task at hand.
10.1.99.0/24 is not used, and was only placed there in VLAN1 so I could free up the address space for use on VLAN2.
Confusing, but I can simplify and repost if that makes it easier.
I understand the diagram. I want to know what the switches think they're doing. Whether the switch is in L2 or L3 mode, there should still be an IP route list available.
ASKER
Darrell,
My misunderstanding. I took it as a request to show the static routes, which can only be entered if the switch is in ip routing mode.
SW1:
SBT_SW01(config)# show ip route
IP Route Entries
Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0 10.1.1.199 1 static 1 1
10.1.1.0/24 DEFAULT_VLAN 1 connected 1 0
10.1.2.0/23 VLAN_12 12 connected 1 0
127.0.0.0/8 reject static 0 0
127.0.0.1/32 lo0 connected 1 0
SW2:
My misunderstanding. I took it as a request to show the static routes, which can only be entered if the switch is in ip routing mode.
SW1:
SBT_SW01(config)# show ip route
IP Route Entries
Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0 10.1.1.199 1 static 1 1
10.1.1.0/24 DEFAULT_VLAN 1 connected 1 0
10.1.2.0/23 VLAN_12 12 connected 1 0
127.0.0.0/8 reject static 0 0
127.0.0.1/32 lo0 connected 1 0
SW2:
SBT_SW02(config)# show ip route
IP Route Entries
Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0 10.1.3.254 1 static 250 1
10.1.2.0/23 DEFAULT_VLAN 1 connected 1 0
127.0.0.0/8 reject static 0 0
127.0.0.1/32 lo0 connected 1 0
IP Route Entries
Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0 10.1.3.254 1 static 250 1
10.1.2.0/23 DEFAULT_VLAN 1 connected 1 0
127.0.0.0/8 reject static 0 0
127.0.0.1/32 lo0 connected 1 0
ASKER
Here is the route table for SW0:
Aruba-2930F-24G-4SFP(confi
IP Route Entries
Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0 10.1.1.199 1 static 250 1
10.1.1.0/24 DEFAULT_VLAN 1 connected 1 0
127.0.0.0/8 reject static 0 0
127.0.0.1/32 lo0 connected 1 0
IP Route Entries
Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0 10.1.1.199 1 static 250 1
10.1.1.0/24 DEFAULT_VLAN 1 connected 1 0
127.0.0.0/8 reject static 0 0
127.0.0.1/32 lo0 connected 1 0
When you say SW2 and SW3 can ping SW1, I am presuming you're pinging 10.1.3.254.
Can they ping 10.1.1.208?
Can they ping 10.1.1.208?
ASKER
static route of 10.1.2.0/23 next hop 10.1.1.208
I'll include an image. The route to get to that network doesn't seem to be the issue, as the devices on 10.1.1.0/24 can ping all devices on the 10.1.2/23 network. Communication fails on the route back. That's the part that has me rather confused.
Route_Policies_GW1.png
Route_Table_GW1.png
I'll include an image. The route to get to that network doesn't seem to be the issue, as the devices on 10.1.1.0/24 can ping all devices on the 10.1.2/23 network. Communication fails on the route back. That's the part that has me rather confused.
Route_Policies_GW1.png
Route_Table_GW1.png
ASKER
Yes, they can also ping 10.1.1.208. Both interfaces are pingable on SW1, regardless of the source network.
ASKER
Here are the results from a traceroute:
SW2 to GW1:
SW2 to SW1:
SW0 to SW2:
SW2 to GW1:
SBT_SW02(config)# traceroute 10.1.1.199
traceroute to 10.1.1.199 ,
1 hop min, 30 hops max, 5 sec. timeout, 3 probes
1 10.1.3.254 0 ms 1 ms 0 ms
2 * * *
3 * * *
4 Operation aborted.
traceroute to 10.1.1.199 ,
1 hop min, 30 hops max, 5 sec. timeout, 3 probes
1 10.1.3.254 0 ms 1 ms 0 ms
2 * * *
3 * * *
4 Operation aborted.
SW2 to SW1:
SBT_SW02(config)# traceroute 10.1.1.208
traceroute to 10.1.1.208 ,
1 hop min, 30 hops max, 5 sec. timeout, 3 probes
1 10.1.3.254 1 ms 1 ms 1 ms
traceroute to 10.1.1.208 ,
1 hop min, 30 hops max, 5 sec. timeout, 3 probes
1 10.1.3.254 1 ms 1 ms 1 ms
SW0 to SW2:
Aruba-2930F-24G-4SFP(confi
traceroute to 10.1.3.253 ,
1 hop min, 30 hops max, 5 sec. timeout, 3 probes
1 10.1.1.208 0 ms 1 ms 1 ms
2 10.1.3.253 1 ms 1 ms 1 ms
traceroute to 10.1.3.253 ,
1 hop min, 30 hops max, 5 sec. timeout, 3 probes
1 10.1.1.208 0 ms 1 ms 1 ms
2 10.1.3.253 1 ms 1 ms 1 ms
ASKER
A PC on 10.1.1.0/24 connected to SW0 with IP of 10.1.1.59 can traceroute to a device located on a switch port of SW01 in VLAN12:
As another troubleshooting step, I cleared the ARP Cache in SW0, SW1, and SW2. From SW2, I can now ping SW0, so that's an improvement, but I still cannot telnet to it from the PC listed directly above.
C:\Users\Administrator>tra
Tracing route to 10.1.2.1 over a maximum of 30 hops
1 <1 ms * <1 ms MOCK-GW.local.tld [10.1.1.199]
2 <1 ms <1 ms <1 ms 10.1.1.208
3 <1 ms <1 ms <1 ms 10.1.2.1
Trace complete.
Tracing route to 10.1.2.1 over a maximum of 30 hops
1 <1 ms * <1 ms MOCK-GW.local.tld [10.1.1.199]
2 <1 ms <1 ms <1 ms 10.1.1.208
3 <1 ms <1 ms <1 ms 10.1.2.1
Trace complete.
As another troubleshooting step, I cleared the ARP Cache in SW0, SW1, and SW2. From SW2, I can now ping SW0, so that's an improvement, but I still cannot telnet to it from the PC listed directly above.
One more tracert for my own edification - SW2 to SW0 - we know 0->2 works but does 2->0 at this point and, if not, where does it fall off...
ASKER
I had done that already, just hadn't posted:
Oddly enough, the ping no longer makes it from SW2 to SW0 either.
SBT_SW02(config)# ping 10.1.1.209
Request timed out.
SBT_SW02(config)# clear arp
SBT_SW02(config)# ping 10.1.1.209
10.1.1.209 is alive, time = 2 ms
SBT_SW02(config)# ping 10.1.1.199
Request timed out.
SBT_SW02(config)# ping 10.1.1.199
Request timed out.
SBT_SW02(config)# ping 10.1.1.209
10.1.1.209 is alive, time = 1 ms
SBT_SW02(config)# ping 10.1.1.199
Request timed out.
SBT_SW02(config)# traceroute 10.1.1.199
traceroute to 10.1.1.199 ,
1 hop min, 30 hops max, 5 sec. timeout, 3 probes
1 10.1.3.254 1 ms 1 ms 1 ms
2 * * *
3 Operation aborted.
SBT_SW02(config)# traceroute 10.1.1.209
traceroute to 10.1.1.209 ,
1 hop min, 30 hops max, 5 sec. timeout, 3 probes
1 10.1.3.254 0 ms 1 ms 1 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 Operation aborted.
Request timed out.
SBT_SW02(config)# clear arp
SBT_SW02(config)# ping 10.1.1.209
10.1.1.209 is alive, time = 2 ms
SBT_SW02(config)# ping 10.1.1.199
Request timed out.
SBT_SW02(config)# ping 10.1.1.199
Request timed out.
SBT_SW02(config)# ping 10.1.1.209
10.1.1.209 is alive, time = 1 ms
SBT_SW02(config)# ping 10.1.1.199
Request timed out.
SBT_SW02(config)# traceroute 10.1.1.199
traceroute to 10.1.1.199 ,
1 hop min, 30 hops max, 5 sec. timeout, 3 probes
1 10.1.3.254 1 ms 1 ms 1 ms
2 * * *
3 Operation aborted.
SBT_SW02(config)# traceroute 10.1.1.209
traceroute to 10.1.1.209 ,
1 hop min, 30 hops max, 5 sec. timeout, 3 probes
1 10.1.3.254 0 ms 1 ms 1 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 Operation aborted.
Oddly enough, the ping no longer makes it from SW2 to SW0 either.
Is vlan 1 extended from SW1 to SW0 and GW1?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
How did vlan 12 come into play, when your issue had to do with vlan 1 ( subnet) connectivity between the switches?
What routing changes did you have to add to the CP to make it work? Perspiring mimes want to know!
ASKER
The CP route was setup for LAN routing. There wasn't an option to select the DEVICE, so I had to select ALL, even though I didn't need WAN/LTE/etc for the routes. Really quite bizarre, since the functionality of the route worked from the same subnet as the CP, but was hit or miss from the secondary subnet. I eliminated the CP from the equation, made the .208 interface of SW1 the GW for the devices on the 10.1.1.0/24 network, and verified inter-vlan was functional. Then I focused my attention on the CP. Since this was such a simple network to provision, it had only the one route to dissect.
Thank you, Darrell, for the second set of eyes on the switch configs. Turns out we were right, that there wasn't anything wrong there.
Thank you, Darrell, for the second set of eyes on the switch configs. Turns out we were right, that there wasn't anything wrong there.
For what reason are you not homogenizing your VLAN numbering scheme?
Why would you use VLAN 12 on your "core" switch then change it to VLAN 1 on your downstream switches?
What does SHOW IP ROUTE list at SW0, SW1, SW2, and SW3?
Unrelated to your routing issue:
If the 10.1.99.0/24(?) network is a management/configuration network of some kind, shouldn't there be IPs assigned to VLAN 1 (once you move "normal" traffic to VLAN 12) on SW2 and SW3?
A note on sanitization:
Edit your original post and sanitize the hostname directives in your switches. It is far too easy to identify the target organization if these are their real names.