SOLVED
Hi,
I'm trying to understand how VLANs will affect the traffic flow through my network. We're moving from using Cisco Nexus switches to a ProCurve 5402zl as the core. IP routing is enabled, but it will not have a public IP and will eseentially act as a layer 2 device between the ISP and our load balancer (and eventually our Cisco ASA 5505).
Here's the configuration right now:
Ports B21 and B23 are the uplinks to our ISP and untagged for V200. The trunked ports go to our load balancer: Trunks 1 and 2 specifically to the one in this discussion (3 and 4 go to a failover LB) so we'll only be referencing Trunks 1 and 2. For reasons I won't go into, the LB doesn't have a VLAN 1 so it uses V1000 as the internal network. The LB also doesn't do trunking so it has two aggregated ports per vlan, which means that even though the HP links are carrying multipe vlans, the other side of the link is only tagged or untagged for one vlan. The LB sits in front of a cluster of web servers that have a public IP, let's say 1.1.1.1.
Here's how I understand the flow of traffic when a client on the internet requests a web page from us:
-Client url DNS lookup resolves to 1.1.1.1
-HTTP request is sent to 1.1.1.2, the ISP router
-the ISP router arps for the device that has that IP. The arp is received on the untagged V200 port on the HP (let's say B21 cuz B23 is not active), thus associating the frame with v200.
-the HP sees that it doesn't know the network in question and continues forwarding the frame out all of its ports that are members of an untagged vlan, including ports belonging to Trunks 1 and 2 to the LB. VLAN 200 is untagged on both trunks.
-the LB drops the frames from Trunk 2 because its connected ports are only tagged for V1000. It accepts the frames from Trunk 1 because those connected ports are untagged v200, so at this point the frames become associated with vlan 200 again. It sees that it has the IP the router is looking for and responds to the router back out ports 1-2 (attached to Trunk 1), still untagged for V200. Dst mac is the router now.
-HP receives this frame on Trunk 1which is set untagged for V1. That means the ARP response from the LB goes from V200 back to V1.
-Now the HP has a frame destined for the router, coming in on a port assigned to V1. It's not going to flood now because it has a mac table entry for the router, but the entry is associated with a port with pvid 200. That means that technically the frame should be dropped and outbound traffic to the router doesn't get through.
It does. How? My theories:
-by default (according to a document I read called "Understanding VLANs by Understand MAC Table Operation") when 802.1Q-capable switches look in their mac tables, they only look for entries matching the pvid of the received frame. So in this case, the HP would only look for entries matching VLAN 1. Once it didn't find that entry, it supposedly treats it as a broadcast and floods out its untagged ports again, which would mean it would get to the router. This seems contrary to the whole idea of segregating broadcast traffic though.
-or, because IP routing is enabled, it just looks through the mac table and send it out the port to the router despite being on a different vlan because it knows how to do that.
Can someone confirm/explain/deny this? I'd really appreciate it.
Thanks!
