topic Re: Vlans and IP routing 5304xl switch in Switches, Hubs, and Modems

Vlans and IP routing 5304xl switch

JaWe — Sat, 16 Jul 2005 05:44:40 GMT

Can someone help me with the following problem:

I got:
- 1 Procurve 5304xl switch,
- 3x Procurve 2626 switch
- 7x Procurve 2650 switch
- 1 Procurve 2824 switch

With these network components I have to create a 'new' network.

We have here 7 locations connected with fiber to the 5304xl switch.
I want to create for each location a VLAN. These VLANs has to communicate with all ports on the 5304xl switch where all of our servers are connected to.
I also want to create a vlan for these servers.
How do I have to configure this all?

For each VLAN I have a IP subnet like:

Location servers: 192.168.40.*
Other locations 192.168.41.* till 192.168.47.*.

All the workstations connected to the 41.* till 47.* range has to communicate with te 40.* range. How do I configure this?

Another question: I have a sonicwall pro 230 in my network. If workstations want to go to the internet they have to have a gateway of the address from the sonicwall. But I think I'll have that gateway needed for my routing between the subnets. How do I configure this?

Thanks in advance.

In the attachement you find a model how the network has to be configured.

Re: Vlans and IP routing 5304xl switch

André Beck — Sat, 16 Jul 2005 12:45:12 GMT

Hi Jacco,

interesting project and starting with a sound design. I know Layer 8 ressources are scarce but you might consider to round it up with a second 5300xl at the core and redundant paths to the access layer switches, XRRPing the xl boxes and running the OSPF routing with equal cost multipath. But to start at what you have:

Your design is L3 switching at the collapsed core with L2 access. This is rather easy to set up. You will have the VLANs as you describe. You will give the 5304xl an IP address in each of the VLANs and enable IP routing. Essentially, that's it - given all end systems have correct default gateways (pointing to "their" respective IP on the xl) it will already route. The access switches are very easy here, you could run them with just the default VLAN as long as you need just one VLAN on them, eliminating all issues of 802.1Q trunking. If you need more than one VLAN at some day (Voice), you may need to tag and then, distributing them properly is an issue of its own due to missing PVST. But don't break your head about this now.

For the default gateway to the internet: Just add a static route to the xl:

ip route 0.0.0.0 0.0.0.0

The sonicwall will have to be connected to any of the VLANs (preferably the server farm VLAN but you could also choose one for infrastructure stuff like that) and of course it will need a bunch of routes to the internal IP networks, all pointing to the xl address in its VLAN. Voila, magic done.

Re: Vlans and IP routing 5304xl switch

JaWe — Mon, 18 Jul 2005 02:53:00 GMT

Hi Andre,

Thanks for your help.
I still have a few questions more:

I have now the following configuration on my 5304xl:

######
HP ProCurve Switch 5304XL# sh run

Running configuration:

; J4850A Configuration Editor; Created on release #E.08.42

hostname "HP ProCurve Switch 5304XL"
module 1 type J4907A
module 2 type J4907A
module 3 type J4878A
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged A1-A16,B1-B16,C1-C4
ip address 192.168.40.253 255.255.255.0
exit
vlan 41
name "vlan-41"
ip address 192.168.41.253 255.255.255.0
exit
vlan 42
name "vlan-42"
ip address 192.168.42.253 255.255.255.0
tagged A16
exit
vlan 43
name "vlan-43"
ip address 192.168.43.253 255.255.255.0
exit
vlan 44
name "vlan-44"
ip address 192.168.44.253 255.255.255.0
exit
vlan 45
name "vlan-45"
ip address 192.168.45.253 255.255.255.0
exit
vlan 46
name "vlan-46"
ip address 192.168.46.253 255.255.255.0
exit
vlan 47
name "vlan-47"
ip address 192.168.47.253 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.40.254
password manager
#######

And this configuration on a procurve 2626 switch:

######
Paviljoen# SH RUN

Running configuration:

; J4900B Configuration Editor; Created on release #H.08.60

hostname "Paviljoen"
ip default-gateway 192.168.42.253
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT-VLAN"
no ip address
no untagged 1-26
exit
vlan 42
name "VLAN-42"
untagged 1-25
ip address 192.168.42.254 255.255.255.0
tagged 26
exit
primary-vlan 42
password manager
#####

I tagged the ports where the 2 switches are connected with each other.

When I want to ping from the 2626 to the 5304,I got a reply. When I connect a workstation to the 2626 switch and I ping to the 5304xl switch I got a reply from all of its ip addresses configured.
The workstation has the gateway of the 5304xl vlan ip number (192.168.42.253)and have the ip number 192.168.42.42 configured.

When I connect a workstation to the 5304xl switch and I set up a ping to the workstation on the 2626 switch i don't get a reply back. The gateway on this workstation is 192.168.40.253 and have a IP number 192.168.40.42.

Can you help me??

Re: Vlans and IP routing 5304xl switch

HRE — Mon, 18 Jul 2005 04:37:57 GMT

Hi Jacco,

If i remember the 5304xl correct, you have to enable something more than IP Routing. Additionally you have to setup either a static route or enabling a routing protocol like RIP or OSPF. You will find more information about that here: ftp://ftp.hp.com/pub/networking/software/59906051-0105b.pdf
on page 487 ff.

Regards

HRE

Re: Vlans and IP routing 5304xl switch

André Beck — Mon, 18 Jul 2005 11:37:29 GMT

Re Jacco,

> ip routing

Ok. That's the core statement after all.

> vlan 1
> name "DEFAULT_VLAN"
> untagged A1-A16,B1-B16,C1-C4
> ip address 192.168.40.253 255.255.255.0
> exit

Yep. That means you use the default VLAN as the server farm VLAN? Works, but there are some reasons to not do that, basically in the security department. But there are lots of installations which do it anyway. If you have a chance, turn it into a dedicated management VLAN or something like that and use something different for the server farm.

> vlan 41
> name "vlan-41"
> ip address 192.168.41.253 255.255.255.0
> exit

So the VLAN on VID 41 exists, but hasn't any way to leave the switch, causing the associated L3 interface to stay down and the connected route to not show up. I'm assuming you are still testing with just one access switch, else that would not make sense.

> vlan 42
> name "vlan-42"
> ip address 192.168.42.253 255.255.255.0
> tagged A16
> exit

Yeah, that's better ;)

> ip route 0.0.0.0 0.0.0.0 192.168.40.254

This will do the Internet thing, provided 192.168.40.254 is connected to the default VLAN and has routes to all the other networks. Thanks to classless, you could deal on that box with a single route bouncing 192.168.40.0/21 to 192.168.40.253.

Now for the access switch:

> ip default-gateway 192.168.42.253

Remember that's just for the management, but I guess you already know that ;)

> vlan 1
> name "DEFAULT-VLAN"
> no ip address
> no untagged 1-26
> exit
> vlan 42
> name "VLAN-42"
> untagged 1-25
> ip address 192.168.42.254 255.255.255.0
> tagged 26
> exit
> primary-vlan 42

Setting it up this way should work and is a starting point should you later need to carry more than one VLAN on this switch. From your sketch, you already have a case where this is necessary. In the most simple case, though, it would be easier and more straightforward to let the individual VLAN (like 42) egress on a given port on the 5304xl untagged, and run the access switch entirely in the default VLAN without any 802.1Q tagging whatsoever.

Then again, there might still be a problem with this setup: The 5304xl lets VID 1 (default) egress untagged on A16. On the other side, you connect a switch that has VLAN 42 marked as native, with the default VLAN taken off every port explicitely. This might cause a shortcut between VIDs 1 and 42 in your network, as untagged frames egressing out A16 might be assumed to belong to VID 42 on the 2626 and vice versa. This could break things. I don't have lab-tested this though, so I may be wrong here. Just leaving the default VLAN untagged on all the ISLs is a good solution. There's IMO no need to make VID 42 native.

> When I want to ping from the 2626 to the
> 5304,I got a reply. When I connect a
> workstation to the 2626 switch and I ping
> to the 5304xl switch I got a reply from all
> of its ip addresses configured.

Sounds good so far. The latter, however, isn't always much of a clue, as a multihomed system (such as a router) will typically answer packets to *any* of its local addresses by means of a shortcut, not by actually applying them to a forwarding path. But it means you got a number of routes correct so far ;)

> The workstation has the gateway of the
> 5304xl vlan ip number (192.168.42.253) and
> have the ip number 192.168.42.42
> configured.

Fits.

> When I connect a workstation to the 5304xl
> switch

To one of the ports that are untagged in the default VLAN I suppose, as there are no others?

> and I set up a ping to the workstation on
> the 2626 switch i don't get a reply back.

Well, you should.

> The gateway on this workstation is
> 192.168.40.253 and have a IP number
> 192.168.40.42.

That fits, too. Can the host attached to the 5304xl ping its gateway? Does it get an ARP resolution? Do you see the packets up to the WS in VLAN 42? Are they answered there? Is, by any chance, some malicous firewall software in the way on any of the hosts?

> Can you help me??

Not directly, as you are already there. Your setup should work and if it doesn't, there is probably some trivial oddness that keeps it from working, some typo, firewall, rotten cable, abovementioned VLAN tagging shortcut etc. The real problem is to find it. Doing step by step orthogonal (layers 1 up) debugging usually finds it and usually leads to some loud cursing...

You don't need OSPF or RIP, there isn't a single peer speaking it in your network yet. You already have connected routes working. I'm sure from here you'll find the final glitch and eliminate it.

HTH,
Andre.

Re: Vlans and IP routing 5304xl switch

André Beck — Mon, 18 Jul 2005 11:45:21 GMT

Re,

just something additional about cursing: You are using 2626s. They have a misbehavior that broke several of my initial installations until I finally learned to remeber it before it will bite me: Whenever you configure port aspects like especially port VLAN memberships on either port 25 or 26 of these boxes (which are dual personality ports), these are *forgotten* and replaced by defaults when you plug an SFP later. Always configure these ports with the SFP already plugged, or if you can't, remember you will have to do it again on site. Losing a certain VLAN tag this way (or by people who try to reseat SFPs as a means of "debugging" missing blinkenlights) in 2626s is one of the hard to find problems which can cost you hours. And it's one reason to run VID1 for management, as this one survives.

HTH,
Andre.