
Inter-vlan routing

 
MikaelBoyer
Occasional Advisor

Inter-vlan routing

Hello everyone,

 

I'm an intern and I have to create one network for multiple enterprises.

 

Here is what I have to do:

Create a VLAN for each enterprise, and have one VLAN that contains my DHCP server, my firewall, and a printer.

 

I have a switch HP A3600 (JG 304A).

 

For the DHCP service, I did a DHCP relay and it's working: the right address for the right VLAN (I also added the DHCP snooping security).

 

My two problems are about inter-vlan.

I would like each VLAN to be able to access the printer, and to have a default route on the firewall.

 

But it seems that I can't ping my firewall or my printer.

 

For the configuration:

vlan 20 : 192.168.20.230 /24

vlan 32 : 192.168.32.230 /24

 

My two computers that I use for testing:

computer 1 : 192.168.20.1 /24 (vlan 20), gateway : VLAN address

computer 2 : 192.168.32.1 /24 (vlan 20), gateway : VLAN address

 

As for the routing table, I left it at the default:

Destination      mask             protocol  Priority  Next hop        interface
127.0.0.0        255.0.0.0        Direct    0         127.0.0.1       InLoopBack0
127.0.0.1        255.255.255.255  Direct    0         127.0.0.1       InLoopBack0
192.168.20.0     255.255.255.0    Direct    0         192.168.20.230  Vlan-Interface20
192.168.20.230   255.255.255.255  Direct    0         127.0.0.1       InLoopBack0
192.168.32.0     255.255.255.0    Direct    0         192.168.32.230  vlan-Interface32
192.168.32.230   255.255.255.255  Direct    0         127.0.0.1       InLoopBack0

 

 

From computer 1, I can ping the VLAN 20 address and the VLAN 32 address, but not computer 2.

Same thing if I'm on computer 2. (To be precise: both computers can ping each other on the same network.)

I tried adding ACLs, but with no result.

 

If anyone has ideas, I'm more than happy to try them.

Thanks in advance,

 

HP-Browniee
Respected Contributor

Re: Inter-vlan routing

You need default gateways, if you want to do intervlan routing.

Who is the gateway for all those VLANs? Is the gateway configured on your computers?

MikaelBoyer
Occasional Advisor

Re: Inter-vlan routing

On the DHCP server I have the VLAN address on the switch as the gateway.

So for an IP address 192.168.32.5 I have 192.168.32.230 as the gateway.

On the switch I executed the command: ip route-static 192.168.20.254 255.255.255.0

which is my firewall (the internet access is above).

 

 

HP-Browniee
Respected Contributor

Re: Inter-vlan routing

Is it possible to show your switch config?

MikaelBoyer
Occasional Advisor

Re: Inter-vlan routing

Here is my config so far:

I deleted all my ACL tests, so there is no mention of them here:

#
version 5.20.99, Release 2108P01
#
sysname A3600-SW-01
#
super password level 3 cipher
#
dhcp relay server-group 1 ip 192.168.20.200
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
#
domain default enable system
#
telnet server enable
#
password-recovery enable
#
vlan 1
description default
name default
#
vlan 20
description Infrastructure
name Infrastructure
#
vlan 31
description Bureau_1
name Bureau_1
#
vlan 32
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$wSI0s4KurNK0n2TORCsI4QWb+LN+U379AknLPqs=
authorization-attribute level 3
service-type ssh telnet terminal
service-type web
#
cwmp
undo cwmp enable
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.80.230 255.255.255.0
dhcp select relay
dhcp relay server-select 1
#
interface Vlan-interface20
ip address 192.168.20.230 255.255.255.0
dhcp select relay
dhcp relay server-select 1
#
interface Vlan-interface31
ip address 192.168.31.230 255.255.255.0
dhcp select relay
dhcp relay server-select 1
#
interface Vlan-interface32
ipv6 address auto link-local
ip address 192.168.32.230 255.255.255.0
dhcp select relay
#
interface Ethernet1/0/1
port link-mode bridge
#
interface Ethernet1/0/2
port link-mode bridge
dhcp-snooping trust
#
#
interface Ethernet1/0/5
port link-mode bridge
port access vlan 20
#
interface Ethernet1/0/6
port link-mode bridge
port access vlan 31
#
interface Ethernet1/0/7
port link-mode bridge
port access vlan 32
#
interface Ethernet1/0/24
port link-mode bridge
#
interface GigabitEthernet1/0/25
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 20 31 to 32
#
interface GigabitEthernet1/0/26
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 20 31 to 32
#
interface GigabitEthernet1/0/27
port link-mode bridge
#
interface GigabitEthernet1/0/28
port link-mode bridge
#
nqa entry imclinktopologypleaseignore ping
type icmp-echo
destination ip 10.10.255.254
frequency 270000
#
dhcp-snooping
#
ip route-static 192.168.20.0 255.255.255.0 192.168.20.254
#
snmp-agent
snmp-agent local-engineid 800063A20344319205D145
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info contact DSI
snmp-agent sys-info location laFabrik
snmp-agent sys-info version v2c v3
snmp-agent target-host trap address udp-domain 10.10.10.30 params securityname public v2c
#
dhcp enable
#
nqa schedule imclinktopologypleaseignore ping start-time now lifetime 630720000
#
ssh server enable
ssh user admin service-type all authentication-type password
#
load xml-configuration
#
load tr069-configuration
#
user-interface aux 0
authentication-mode password
set authentication password cipher $c$3$f4vRjPo6qwxklSwRKXu9XxrgrmRpLHDSAHSzs3g=
user-interface vty 0 4
authentication-mode scheme
protocol inbound ssh
user-interface vty 5 15
#
return

Thanks for your contribution.





 

HP-Browniee
Respected Contributor

Re: Inter-vlan routing

Your config seems ok.

Note that your static route does nothing; you should create a default route 0.0.0.0 0 192.168.20.254

Try to disable the firewall on your computers and check if you can reach the gateways.
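
The static-route point in the reply above, as an added example that is not part of the original thread: a small Python check that flags a static route duplicating a directly connected network and a missing default route, plus the Telnet and default SNMP community lines that also appear in the posted configuration. The `audit` function and its finding codes are hypothetical names; the sample is a constructed excerpt using lines copied from the posted config.

```python
import ipaddress
import re

# Constructed excerpt: lines copied from the switch configuration posted in this thread.
SAMPLE = """\
telnet server enable
interface Vlan-interface20
 ip address 192.168.20.230 255.255.255.0
interface Vlan-interface32
 ip address 192.168.32.230 255.255.255.0
ip route-static 192.168.20.0 255.255.255.0 192.168.20.254
snmp-agent community read public
snmp-agent community write private
"""

def audit(config):
    """Return (code, detail) findings for a Comware-style config (hypothetical helper)."""
    connected, routes, findings = [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:  # an addressed VLAN interface creates a directly connected network
            connected.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        m = re.match(r"ip route-static (\S+) (\S+) (\S+)", line)
        if m:  # destination, mask (dotted or prefix length), next hop
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
        if line == "telnet server enable":
            findings.append(("cleartext-mgmt", line))
        m = re.match(r"snmp-agent community (read|write) (public|private)$", line)
        if m:
            findings.append(("default-snmp-community", f"{m[1]} {m[2]}"))
    for net, hop in routes:
        if net in connected:  # the Direct route (priority 0) already covers this prefix
            findings.append(("redundant-static-route", f"{net} via {hop}"))
    if not any(net.prefixlen == 0 for net, _ in routes):
        findings.append(("no-default-route", "0.0.0.0/0"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(f"{code}: {detail}")
```
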

 

MikaelBoyer
Occasional Advisor

Re: Inter-vlan routing

If I understand correctly, on a level 3 switch, all routing operations are done by default?

If so, why can't I reach my second computer with a ping? Especially if I access the VLAN address....

I just don't understand how I can access the VLAN interface, but not the network.

Thanks for your advice on the default route, I'll try it tomorrow (today I'm working on something else).

HP-Browniee
Respected Contributor

Re: Inter-vlan routing

Can you see ARP entries for your computers?

MikaelBoyer
Occasional Advisor

Re: Inter-vlan routing

Hello,

I have the same result with no Windows firewall.

Yes, I can see the ARP table.

I've tried resetting to the default configuration, but nothing changed.

I think I'm going to try another switch.

My main goal is to change the current configuration: all inter-VLAN routing is done by the firewall (except for the printer, which is a new demand). Same for DHCP relay. It's working, but it's far from perfect.

 

 

parnassus
Honored Contributor

Re: Inter-vlan routing


@MikaelBoyer wrote: My main goal is to change the current configuration: all inter-VLAN routing is done by the firewall (except for the printer, which is a new demand). Same for DHCP relay. It's working, but it's far from perfect.

If that is your main goal then you simply need to remove the IP Addresses assigned to your VLANs defined on the Switch and tag (permit) them on the uplink to your Firewall (so the uplink port from your Switch to your Firewall becomes a Trunk port in Comware jargon...so a port which carries multiple - tagged - VLAN Ids and just one - default - untagged VLAN). Your Firewall needs to become responsible for your inter-VLAN routing by enabling it (basically you need to define all required VLAN Ids on the downlink interface to your Switch) by means of its configuration (Routing+Access rules...I figure). At this point your L3 Switch acts as a pure L2 Switch and you only need to worry about untagging the relevant ports to their VLAN Id (to the VLAN Id they need to belong to). Clients need to use the Firewall's VLAN IP Addresses (that you have defined) as their default gateway.

Another approach would require you to define a "transport VLAN" with IP Routing enabled on your Switch...then communications between your L3 Switch and your Firewall should happen by using this "transport VLAN" only (but this is not your main goal scenario).


@MikaelBoyer wrote: If I understand correctly, on a level 3 switch, all routing operations are done by default?

Yes, as long as there is a VLAN Id with an associated IP Address the IP Routing is automatically enabled and your Switch starts acting as a Layer 3 one.


I'm not an HPE Employee