HPE Community
Switches, Hubs, and Modems
1751811 Members
5461 Online
108781 Solutions
New Discussion юеВ

Re: HP 5304 blocks Traffic

 
Alen Ahja
Frequent Advisor

тАО12-29-2007 05:28 PM

тАО12-29-2007 05:28 PM

HP 5304 blocks Traffic

Hi @ all,
before I will explain my problem here are some informations about the network Infrastructure:

Management VLAN --> Firewall --> Server VLAN

Management VLAN and Server VLAN are also on the Core Switches (HP5304). We route the Management VLAN through the Firewall. So the Default Gateway from the Server in the Mgmt-VLAN will be the Firewall. The Defualt Gateway in the Server VLAN will be the Core Switch.

Now the problem:
If I wan like to access a Server in the Server VLAn from a management host in the Management VLAN with RPC (eg. WMI) then I won't get any connection.

If I will change the Default Gateway on the server in the Server VLAN to the Firewall (which has also a leg in ther Server VLAN) then it will work fine.

So I think that the core Switch will block the RPC traffic. ICMP will work fine :(
The Frewall log told me that no connection will established and onto the Core Switch I don't have any entries in the log.

So what can it be? How can I find the problem and how can I resolve it?

Thanx for helping.

Alen
0 Kudos
9 REPLIES 9
Joel Belizario
Trusted Contributor

тАО12-30-2007 06:57 PM

тАО12-30-2007 06:57 PM

Re: HP 5304 blocks Traffic

Did you define the management vlan explicitly on the switch with the "management-vlan" command?

If you did so then the management VLAN becomes isolated and non-routable.
0 Kudos
Alen Ahja
Frequent Advisor

тАО12-31-2007 03:51 AM

тАО12-31-2007 03:51 AM

Re: HP 5304 blocks Traffic

No we didn't it yet. We also route all traffic from the management VLAN through a Firewall and through the switch so this cannot be the issue.
0 Kudos
Mohieddin Kharnoub
Honored Contributor

тАО12-31-2007 06:28 AM

тАО12-31-2007 06:28 AM

Re: HP 5304 blocks Traffic

Hi

Attaching the config of the 5300 will be helpful to understand whats going on.

But basically, what i understand from your situation that you have 2 Routers connected together, the Firewall and the 5300.

And to do a proper work here, both routers should be aware of other's Routing Table either statically or Dynamically.

So you can add a static routes on both router to be aware of each other.

Note:
In such a situation, Trace Route is a very helpful tool that will help you understand where the packet stopped.

Good Luck !!!
Science for Everyone
0 Kudos
Alen Ahja
Frequent Advisor

тАО12-31-2007 06:45 AM

тАО12-31-2007 06:45 AM

Re: HP 5304 blocks Traffic

Hi!

The Routing will work ICMP Packets (eg. PING) will work only RPC Connections like opening a FileShare or so won't work.

That's what I see is strange :(

I attached the config to my post (without any IP-Addresses).

Thanx for helping.
0 Kudos
Mohieddin Kharnoub
Honored Contributor

тАО01-04-2008 08:43 AM

тАО01-04-2008 08:43 AM

Re: HP 5304 blocks Traffic

Hi Alen

Looks interesting to me.

I hope that i won't be asking too much if asked you to attach a small drawing with IP addresses if possible to your devices interconnected together :)

Also, what is the Gateway you are setting for PCs in :
- Vlan 1003
- Vlan 1004

hint, have you tried to disable XRRP temporarily to check the situation ?

Good Luck !!!
Science for Everyone
0 Kudos
Alen Ahja
Frequent Advisor

тАО01-04-2008 10:56 AM

тАО01-04-2008 10:56 AM

Re: HP 5304 blocks Traffic

Hi,

I attached a Overview and the Config from all 4 Core Switches to this Post.
I hope this will give you a better view of the backbone.

The Devices has this IP-Adresses for the

VLAN 1003 - 192.168.3.1
VLAN 1004 - 192.160.0.3

I don't have XRRP for testing.

Thanx for help.
0 Kudos
Alen Ahja
Frequent Advisor

тАО01-04-2008 10:57 AM

тАО01-04-2008 10:57 AM

Re: HP 5304 blocks Traffic

Now the Overview and the Config.
0 Kudos
Case Van Horsen
Frequent Advisor

тАО01-04-2008 01:00 PM

тАО01-04-2008 01:00 PM

Re: HP 5304 blocks Traffic

I think there may be an issue with assymetrical routing and the firewall. When you try to establish a TCP connection between your management host to the server, the packet flow goes from the management host, to the firewall, then directly to the server vlan. The response packet from the server goes to the default gateway on the core switch and then to the firewall. Since the firewall sees the response packet return on a different interface, it will not allow the TCP connection to be established.

The firewall is configured to allow all ICMP so pings do work.

This would explain why it worked when you changed the server to use the firewall as its default gateway.

Using a traceroute tool from both ends should help isolate the issue.

If my guess is correct, a solution would be add a static route on the server for the management VLAN pointing to the IP address of the firewall that is on the server network.

casevh

0 Kudos
Alen Ahja
Frequent Advisor

тАО01-07-2008 05:52 AM

тАО01-07-2008 05:52 AM

Re: HP 5304 blocks Traffic

Hi CaseVH,

you're right. The main problem will be the asynchronic routing. It gives three possibilities to resolve it:

1) A static route onto all server in the Server VLAN

2) A ststic route onto the NMS Host and ACL on the switches to prevent access to the Management VLAN

3) A NAT Rule onto the Firewall to hide the NMS behind an address from the Server VLAN

We would take the possibiliy No.2 to resolve our problem, because we also want to implement ACL's onto the switches and only set one static Route instead of many on all servers.

Thanx for helping.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.