
Router help with 2910al

SOLVED
Ken Richmond
Advisor


Hi all,

I'm struggling with config'ing these switches for my new setup. It's been a long time since I've done any routing work and I can't seem to get this sorted. I'm in need of some help.

This is in a lab environment which needs to go into production soon to support our new VOIP project.

I have 5 2910al switches connected via copper interconnect kits. Each switch has an IP address (192.168.0.11-192.168.0.15). I've removed all ports from the default-vlan and created four additional vlans.

Vlan4 is data (192.168.0.x), vlan 5 is voice (192.168.3.x). Vlan4 is the primary vlan. Both vlans are tagged.

When I connect a laptop with a 192.168.0 address I am able to connect to the switch interfaces at either 192.168.0.11 AND 192.168.3.11 (or .12,.13, .14 and .15).

When I connect a laptop with a 192.168.3 address I cannot see either of the switch interfaces.

This leads me to believe that it's a routing issue. I thought that enabling local proxy arp would help, but when I try to issue the command I get the error "192.168.0.11 can not be switch IP address and route gateway at the same time".

I think I'm running in circles at this point and am starting to worry that I won't get this config'd in time to meet the next stage of the project despite reading what I can find on config'ing the switches to meet my needs. HELP!!

I'm grateful for any assistance you can offer.

Cheers,
Ken



22 REPLIES
Shadow13
Respected Contributor

Re: Router help with 2910al

Can you post your config here please "show run"
Manfred M.
Advisor

Re: Router help with 2910al

Hi Ken!

1.
What will be the Router between the VLANs?
One of the 2910al or an external Router?
If it's one (and only one!) of the 2910al then you must activate routing on that switch with the command "ip routing".
After that, routing takes place between all VLANs that have IP addresses configured on that switch.
Every client in your VLAN should then have the IP address of that switch in the corresponding vlan. On that switch you will probably have to add a default route to your firewall.

2.
"Both VLANs are tagged":
I hope that only the Copper Uplink Ports between the switches are tagged on both sides in all (wanted) VLANs...
All client ports must be untagged in the correct VLAN - PC clients in vlan4, IP phones in vlan5

3.
"When I connect a laptop with a 192.168.3 address I cannot see either of the switch interfaces."
Seems that the port where you connected your laptop is not untagged in the voice VLAN.

4.
You don't need to enable the Proxy ARP Feature.
The Manual says:
Proxy ARP allows a routing switch to answer ARP requests from devices on one network on behalf of devices in another network. Since ARP requests are MAC-layer broadcasts, they reach only the devices that are directly connected to the sender of the ARP request. Thus, ARP requests do not cross routers.

Good Luck!

Manfred
Manfred M.
Advisor

Re: Router help with 2910al

1. is not totally clear:
Every client or phone in your VLAN should then have set the IP address of that switch in the corresponding vlan AS DEFAULT GATEWAY


Ken Richmond
Advisor

Re: Router help with 2910al

Thanks so much for your replies. I'm grateful for your input. The routing will be done by the 2910al.

I've learned a few things from your questions. Most notably that the ports must be untagged for voice and data and that only one switch will act as a router. I'm going to undo some of the changes that I've made to be more in line with your questions then post the config for review.

Cheers!
Ken Richmond
Advisor

Re: Router help with 2910al

Manfred,

I'm confused by this:

"Both VLANs are tagged":
I hope that only the Copper Uplink Ports between the switches are tagged on both sides in all (wanted) VLANs...
All client ports must be untagged in the correct VLAN - PC clients in vlan4, IP phones in vlan5


I reset the switches to factory default and started over. When I tried to set my vlan4 and vlan5 as untagged, I get an error saying that only one vlan can be untagged. I'm not sure where to go as this seems to contradict your advice. Suggestions?
Ken Richmond
Advisor

Re: Router help with 2910al

Ok... The learning continues.

I've discovered that you can indeed only have one untagged vlan per port to answer any untagged traffic that's generated by devices that cannot tag packets. What was unclear from my original post is that there will only be one port available to each desk for both ip phone and desktop/laptop, so I have untagged vlan4 (data) and tagged vlan5 (voice). Is this the appropriate thing to do?

My switches are connected via J9165A interconnect modules in ports A1 in the commander then A1/B1 in four subsequent member switches.

Here is the current config for the commander switch in my stack:

Running configuration:

; J9148A Configuration Editor; Created on release #W.14.38

hostname "SW0"
module 1 type J9148A
module 2 type J9165A
stack commander "2910alStack"
stack member 1 mac-address 0026F1433700
ip routing
vlan 1
name "DEFAULT_VLAN"
forbid 1-48,A1
no untagged 1-48,A1
no ip address
exit
vlan 4
name "Data"
forbid 1-16
untagged 17-48,A1
ip address 192.168.0.11 255.255.255.0
exit
vlan 5
name "Voice"
forbid 1-16
ip address 192.168.3.11 255.255.255.0
tagged 17-48,A1
exit
vlan 2
name "iNetWild"
forbid 9-48
untagged 1-8
no ip address
exit
vlan 3
name "iNetSafe"
forbid 1-8,17-48,A1
untagged 9-16
no ip address
exit
snmp-server community "public" unrestricted
primary-vlan 4

And here's the config for the first member switch in my stack:

Running configuration:

; J9148A Configuration Editor; Created on release #W.14.38

hostname "SW1"

module 1 type J9148A
module 2 type J9165A
module 3 type J9165A
stack join C09134CAA980
vlan 1
name "DEFAULT_VLAN"
forbid 1-48,A1,B1
no untagged 1-48,A1,B1
no ip address
exit
vlan 4
name "Data"
untagged 1-48,A1,B1
ip address 192.168.0.11 255.255.255.0
exit
vlan 5
name "Voice"
ip address 192.168.3.11 255.255.255.0
tagged 1-48,A1,B1
exit
snmp-server community "public" unrestricted
primary-vlan 4

Should I enable Multicast Filtering and STP or RSTP?

I welcome any comments on this setup. If this looks good then I'll proceed with configuring the three remaining switches and move on to the uncharted world of VLAN Priority :)

Cheers!
Manfred M.
Advisor

Re: Router help with 2910al

Hi Ken!

So far so good - I think you are very close to the final config.

1.
"I have untagged vlan4 (data) and tagged vlan5 (voice). Is this the appropriate thing to do?"
YES that's the right way - you will have to set the Voice VLAN ID on your IP-Phones to VLAN ID 5.
2.
You should set the uplink ports between the switches in VLAN 4 also to tagged.
If you need VLAN2 and VLAN3 on other member switches too they must also be tagged on the uplink ports between the switches.
3.
I don't use (like) stacking in my configurations - I prefer to manage the switches individually with their IP addresses. You have to set a unique IP address on each of the member switches in your Data VLAN so that you can also switch off the stacking. Maybe for security reasons you want to use a separate Management VLAN where you can reach all your switches, but that's your own decision.
4.
Are your member switches connected in a star manner to the main switch? You should try to do this and connect all your servers to the main switch because of performance reasons.
5.
Enabling RSTP (don't use STP) or even MSTP is not necessary if you don't have redundant uplinks - but it can also be a kind of security measure against accidentally connected network loops. (MSTP 802.1s is more sophisticated and allows different instances of spanning tree - especially important with VLANs - but you should not need it)
6.
QoS in VLAN's:
Maybe you don't need it! The voice stream of the IP phones runs from phone to phone - usually within the department switch. Only the uplinks and the link to your voice gatekeeper, where the breakout lines are installed, may be critical. One phone produces a data traffic of (only) approx. 80kbit/s with the best quality codec G.711
Maybe it would be generally a good idea to add an additional uplink and form a trunk between the main switch and each of the member switches for performance and redundancy purposes. You should test this in your lab to get operating experience with trunks (bundled uplinks). Trunks (of course) can carry multiple VLANs.
For QoS you should read the Chapter 5 in the Advanced Traffic Management Guide of the 2910al
7.
You will probably need a default route on your main switch to the external gateway/firewall.
You can set this with the command "ip route 0.0.0.0 0.0.0.0 x.x.x.x" where x.x.x.x is the IP address of your firewall.

Good luck!

Manfred
Manfred M.
Advisor

Re: Router help with 2910al

I have overlooked, that you have installed the 10G CX4 modules on all of your switches - forget about the trunking part in my proposal - that's not interesting for you...
(Why didn't you buy a modular switch with more ports?)

Manfred
Shadow13
Respected Contributor

Re: Router help with 2910al

Add the command "Voice" under the voice VLAN; that will enable LLDP-MED and will help the phones configure the VLANs automatically for their config.
Ken Richmond
Advisor

Re: Router help with 2910al

Thanks again for all of your help with this.

Shadow13, I've added Voice to vlan 5 as suggested.

Manfred,

2. Set uplink ports between switches in VLAN 4 to tagged? What does this do for me? When I plug the laptop into SW1, I can still browse to the web interface on SW0 with A1/B1 (the CX modules) as untagged. Could you explain or send a reference to help me understand?

3. I used discrete IPs on my current lan and like that. I thought I'd try stacking to see what benefits there were, but I don't care much for it. I have the spare IPs in my current live LAN. I will assign them to the switches for my live environment.

4. This is a cascading config using the CX modules, not a star config. Would it make sense to add trunking in a star topology for redundancy in case one of the switches or CX modules failed? If so, do you have any recommendations in that regard?

5. If I build trunks as above I suspect RSTP would help (or even be necessary). I will enable regardless, as you state, it offers protection against accidental loops.

6. I will look to my phone vendor (ShoreTel) for recommendations on QoS settings. Agreed that call data provides very little bandwidth, but will take their advice into consideration.

7. Thanks for the default route. I'll add that to my main switch. My firewall is a sonicwall NSA with the lan side already connected to the current 192.168.0.x network. I don't think I need to make any changes to the NSA, would you concur?

Why didn't I buy a modular switch with more ports? These switches were recommended for our 'simple' environment. I'm already considering adding a more modular switch into the equation for next budget year and reconfiging the network from cascade to a star.

Now I've set up two laptops as follows

Laptop 1
IP Address: 192.168.0.100/24
G/W: 192.168.0.11

Laptop 2
IP Address: 192.168.3.200/24
G/W: 192.168.3.11

Both laptops are connected to the same physical switch (ports 23 and 26)

Laptop 1 can ping both vlan 4 and vlan 5
Laptop 2 cannot ping either vlan
Laptop 1 cannot ping laptop 2
Laptop 2 cannot ping laptop 1

(both laptops ping each other successfully when configured on the same vlan)

I presume laptop2 can't ping (or respond to pings) because it's not tagging any traffic as vlan 5. Does that make sense? If so, is there some way I can tag this device as being on vlan5 for testing purposes?

Cheers!
Ken Richmond
Advisor

Re: Router help with 2910al

Woo Hoo!

Ok. After some more research I discovered that vlan tagging is a function of the NIC and driver. I found a current driver for the NIC in laptop 2. I upgraded the driver and presto! There were the vlan configuration options that I was looking for. I configured the device for vlan5 and I can see everything from everywhere!

Time to tidy up some details and get caught up on configing the remaining three switches, adding IP addresses to all of them, removing the stack, investigating QoS for the voice side, and preparing for DHCP on both vlans. This is really starting to come together. I may actually be in a position to put this new network online this weekend after all!

I have a new found appreciation for those of you who can build this stuff in a single sitting.

Manfred M.
Advisor
Solution

Re: Router help with 2910al

Hi Ken!

I definitely agree with you that things really come together now!

'I presume laptop2 can't ping (or respond to pings) because it's not tagging any traffic as vlan 5. Does that make sense? If so, is there some way I can tag this device as being on vlan5 for testing purposes?'

You found out the most important things about 802.1Q VLAN tagging.

How can you memorize 'tagged' and 'untagged'?

It's simple now (I hope...)
To mark (tag) a frame at an uplink port, the switch adds the 802.1Q VLAN header (32 additional bits with the VLAN ID and the 802.1p Class of Service priority information).
A normal PC client does not understand this frame format! Only switches, firewalls and servers (especially important in virtualization environments) can 'remove' the VLAN header (tag) and work with those additional 32 bits.
The role of the switch in port-based VLANs is to add (tag) or remove (untag) the VLAN header.

Actually your IP phone has also a 2-port switch in it, which understands VLAN tagging.

Only with VLAN tagging is it possible to multiplex traffic belonging to different VLANs over a single wire (the Cisco guys call this 'trunk' - but that does not conform to the current IEEE Std. 802.1D-2004 standard anymore).

So to be consistent you should also set the uplink ports of your Data VLAN to tagged (tidiness?)

ad 4:
If you have spare CX4 ports on the first and last switch and they are within 15m (CX4 maximum length) you can close the loop - if RSTP is active on all switches one of the uplinks will be blocked. So if one of your member switches, the CX4 module or the CX4 cable fails, the switches behind that switch still have a link to the main switch.
This can also be done with a single gigabit uplink or a LACP trunk with more ports (with poor performance in the case of a failed switch). Don't forget to set that trunk to tagged in the VLANs too! I encourage you to test this in your lab - especially the scenario of a failed switch! Look at the spanning tree state of the uplink ports to find out which one is blocked.

Good luck!
Manfred
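Added example, not part of any post in this thread: the tag and untag operations described in the reply above, plus a simplified model of the desk port discussed here (untagged in VLAN 4, tagged in VLAN 5), showing why untagged frames from Laptop 2 were placed in the Data VLAN. The function names, the sample frame and the priority value 5 are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

# Constructed sample: untagged IPv4 frame (dst MAC, src MAC, EtherType, payload).
SAMPLE_FRAME = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
                + struct.pack("!H", 0x0800) + b"constructed-payload")


def add_tag(frame, vlan_id, priority=0):
    """Insert the 4-byte (32-bit) 802.1Q header after the two MAC addresses."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority must be in 0..7")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tci = (priority << 13) | vlan_id  # 3 bits priority, 1 bit DEI (0), 12 bits VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame):
    """Return (vlan_id, priority) for a tagged frame, or None if it is untagged."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13


def strip_tag(frame):
    """Remove the 802.1Q header, as a switch does on egress to an untagged port."""
    return frame if parse_tag(frame) is None else frame[:12] + frame[16:]


def classify_ingress(frame, untagged_vlan, tagged_vlans):
    """Simplified port model: untagged frames join the port's untagged VLAN;
    tagged frames are accepted only for VLANs the port carries tagged.
    Returns the VLAN ID, or None when the frame is dropped."""
    tag = parse_tag(frame)
    if tag is None:
        return untagged_vlan
    return tag[0] if tag[0] in tagged_vlans else None


if __name__ == "__main__":
    # Desk port from the thread: untagged VLAN 4 (Data), tagged VLAN 5 (Voice).
    print("untagged laptop frame ->", classify_ingress(SAMPLE_FRAME, 4, {5}))
    voice = add_tag(SAMPLE_FRAME, 5, priority=5)
    print("frame tagged VLAN 5   ->", classify_ingress(voice, 4, {5}))
    print("tag bytes:", voice[12:16].hex())
```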
Ken Richmond
Advisor

Re: Router help with 2910al

OK... I reset all of the switches to factory default (again) and started over. Here's what I did this time around.

Reset switches using two pointy things as per the manual.
#Menu
Run Setup
Assigned Host Name (SWx) and IP Address
Went to CLI
Configured Vlans as per configs below
Returned to Menu
Switch Config...
VLAN Menu
VLAN Support
Changed Primary VLAN to Data

Note I didn't config a stack, thinking that I can admin via each switch's IP address.

I can ping to/from vlan 4 and vlan 5 devices from any switch.
I can browse to the web interface on SW0 from either laptop using 192.168.0.11 or 192.168.3.11.

I cannot ping 192.168.0.12-192.168.0.15. Obviously I'm missing something fundamental here, but I've been pulling out my hair trying to figure it out.

Also, when I tried to assign an IP address to vlan4 or vlan 5 on the rest of the switches I got the following:

SW1# config
SW1(config)# vlan 4
SW1(vlan-4)# ip address 192.168.0.11/24
The IP address (or subnet) 192.168.0.11/24 already exists.

I presume that this is ok because my vlans are tagged at the CX ports, but not sure if it's correct?!?

I'm so close I can taste it :)


Here's my config run for all switches...

*******SW0*******

Running configuration:

; J9148A Configuration Editor; Created on release #W.14.38

hostname "SW0"
module 1 type J9148A
module 2 type J9165A
no stack auto-join
ip routing
vlan 1
name "DEFAULT_VLAN"
forbid 1-48,A1
no untagged 1-48,A1
no ip address
exit
vlan 4
name "Data"
forbid 1-16
untagged 17-48
ip address 192.168.0.11 255.255.255.0
tagged A1

exit
vlan 5
name "Voice"
forbid 1-16
ip address 192.168.3.11 255.255.255.0
tagged 17-48,A1
exit
vlan 2
name "iNetWild"
forbid 9-48
untagged 1-8
no ip address
exit
vlan 3
name "iNetSafe"
forbid 1-8,17-48,A1
untagged 9-16
no ip address
exit
ip route 0.0.0.0 0.0.0.0 192.168.0.22
snmp-server community "public" unrestricted
primary-vlan 4


*******SW1*******

Running configuration:

; J9148A Configuration Editor; Created on release #W.14.38

hostname "SW1"
module 1 type J9148A
module 2 type J9165A
module 3 type J9165A
vlan 1
name "DEFAULT_VLAN"
forbid 1-48,A1,B1
ip address 192.168.0.12 255.255.255.0
no untagged 1-48,A1,B1
exit
vlan 4
name "Data"
untagged 1-48
tagged A1,B1
no ip address
exit
vlan 5
name "Voice"
tagged 1-48,A1,B1
voice
no ip address
exit
snmp-server community "public" unrestricted
primary-vlan 4


*******SW2*******

Running configuration:

; J9148A Configuration Editor; Created on release #W.14.38

hostname "SW2"
module 1 type J9148A
module 2 type J9165A
module 3 type J9165A
vlan 1
name "DEFAULT_VLAN"
forbid 1-48,A1,B1
ip address 192.168.0.13 255.255.255.0
no untagged 1-48,A1,B1
exit
vlan 4
name "Data"
untagged 1-48
tagged A1,B1
no ip address
exit
vlan 5
name "Voice"
tagged 1-48,A1,B1
voice
no ip address
exit
snmp-server community "public" unrestricted
primary-vlan 4


*******SW3*******

Running configuration:

; J9148A Configuration Editor; Created on release #W.14.38

hostname "SW3"

module 1 type J9148A
module 2 type J9165A
module 3 type J9165A
vlan 1
name "DEFAULT_VLAN"
forbid 1-48,A1,B1
ip address 192.168.0.14 255.255.255.0
no untagged 1-48,A1,B1
exit
vlan 4
name "Data"
untagged 1-48
tagged A1,B1
no ip address
exit
vlan 5
name "Voice"
tagged 1-48,A1,B1
no ip address
exit
snmp-server community "public" unrestricted
primary-vlan 4


*******SW4*******

Running configuration:

; J9148A Configuration Editor; Created on release #W.14.38

hostname "SW4"

module 1 type J9148A
module 3 type J9165A
vlan 1
name "DEFAULT_VLAN"
forbid 1-48,B1
ip address 192.168.0.15 255.255.255.0
no untagged 1-48,B1
exit
vlan 4
name "Data"
untagged 1-48
tagged B1
no ip address
exit
vlan 5
name "Voice"
tagged 1-48,B1
voice
no ip address
exit
snmp-server community "public" unrestricted
primary-vlan 4
Manfred M.
Advisor

Re: Router help with 2910al

Hi Ken!

Sorry for answering one day later - I was very busy yesterday.

Leave your hair on your head (I have already lost almost all of my hair - don't know why...)

That one is easy:

You must set the management addresses of the switches 1 to 4 in VLAN4 (not VLAN1) - of course different addresses from switch 0!
Remember: VLAN 4 is your Primary VLAN!

Think of the switch management as if it were a PC in that VLAN! Maybe you want to add the address of the default gateway also: 'ip default-gateway 192.168.0.11'
(so that you can reach your switches from other VLANs if you wish)

Again - Good Luck!

Manfred
(from the rainy Austria - desperately waiting for the summer sun...)
Shadow13
Respected Contributor

Re: Router help with 2910al

From the config you have posted

From switch 1
vlan 1
name "DEFAULT_VLAN"
forbid 1-48,A1,B1
ip address 192.168.0.12 255.255.255.0
no untagged 1-48,A1,B1
exit

And you were trying to configure in VLAN 4 an IP address from the same subnet that is configured in VLAN 1

SW1# config
SW1(config)# vlan 4
SW1(vlan-4)# ip address 192.168.0.11/24
The IP address (or subnet) 192.168.0.11/24 already exists.

The switch will not accept assigning IP addresses from the same subnet in 2 different VLANs, so if you don't need the IP address under VLAN 1 you need to remove it; then you will be able to assign an IP address from that range in VLAN 4

Regards.
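Added example, not part of any post in this thread: a small audit over an excerpt of the SW1 configuration posted above. It reports an IP address bound to a VLAN that has no member ports, reproduces the overlapping-subnet rejection quoted in the two replies above, and also lists SNMP communities marked `unrestricted`, which on ProCurve switches means write access. The parser covers only the statements that appear in this thread's configs, and all function names are hypothetical.

```python
import ipaddress
import re

# Excerpt of the SW1 running configuration posted earlier in this thread.
SW1_CONFIG = """\
vlan 1
forbid 1-48,A1,B1
ip address 192.168.0.12 255.255.255.0
no untagged 1-48,A1,B1
exit
vlan 4
untagged 1-48
tagged A1,B1
no ip address
exit
vlan 5
tagged 1-48,A1,B1
no ip address
exit
snmp-server community "public" unrestricted
primary-vlan 4
"""


def expand_ports(spec):
    """Expand a port list such as '1-48,A1,B1' into a set of port names."""
    ports = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)-(\d+)", part)
        if m:
            ports.update(str(n) for n in range(int(m.group(1)), int(m.group(2)) + 1))
        else:
            ports.add(part)
    return ports


def parse_config(text):
    """Collect per-VLAN member ports and IP, the primary VLAN and SNMP communities."""
    cfg = {"vlans": {}, "primary": 1, "snmp": []}  # VLAN 1 is primary by default
    vlan = None
    for words in (line.split() for line in text.splitlines()):
        if not words:
            continue
        if words[0] == "vlan" and len(words) == 2:
            vlan = cfg["vlans"].setdefault(int(words[1]), {"ports": set(), "ip": None})
        elif words[0] == "exit":
            vlan = None
        elif vlan is not None and words[0] in ("tagged", "untagged"):
            vlan["ports"] |= expand_ports(words[1])
        elif vlan is not None and words[:2] == ["ip", "address"]:
            # Accepts both "a.b.c.d m.m.m.m" and "a.b.c.d/len".
            vlan["ip"] = ipaddress.ip_interface("/".join(words[2:]))
        elif words[0] == "primary-vlan":
            cfg["primary"] = int(words[1])
        elif words[:2] == ["snmp-server", "community"]:
            cfg["snmp"].append((words[2].strip('"'), words[3:]))
    return cfg


def subnet_conflict(cfg, vlan_id, address):
    """Return the other VLAN whose subnet overlaps `address`, or None."""
    new = ipaddress.ip_interface(address).network
    for vid, v in cfg["vlans"].items():
        if vid != vlan_id and v["ip"] and v["ip"].network.overlaps(new):
            return vid
    return None


def audit(cfg):
    findings = []
    for vid, v in sorted(cfg["vlans"].items()):
        if v["ip"] and not v["ports"]:
            findings.append(f"vlan {vid}: {v['ip']} is configured but the VLAN has no member ports")
    for name, opts in cfg["snmp"]:
        if "unrestricted" in opts:
            findings.append(f'snmp community "{name}" is unrestricted (write access)')
    return findings


if __name__ == "__main__":
    cfg = parse_config(SW1_CONFIG)
    print("\n".join(audit(cfg)))
    print("192.168.0.11/24 on vlan 4 overlaps vlan", subnet_conflict(cfg, 4, "192.168.0.11/24"))
```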
Ken Richmond
Advisor

Re: Router help with 2910al

Manfred - Don't apologize! I'm truly grateful for your help, education and patience. I've learned a lot from you this week.

Shadow13 - Thanks for the insight. For some reason I thought the management address needed to be on the default_vlan. I couldn't connect the fact that I took the default_vlan out of the equation with why my addressing scheme wasn't working. Much better now.

Now I've added the IP Helper address to vlan5 so my requests should make it to my DHCP server. I've created a second scope on the DHCP server to assign addresses in the 192.168.3.x range. I'll try that after hours tonight and am looking forward to the result.

Another area that I'm confused with is time protocols. I'm currently using a windows server as a time source. The server goes out to a time source on the internet. Can I point my switches to this windows server or should/can I point them to an internet time server? On the surface, it would seem that manually assigning a time server's address using TIMEP would be the way to go, but I've been wrong before :)

Finally, I'm looking to document this new network. I'm starting with printouts of config run from each switch, and designing two network diagrams showing Physical and Logical layouts. Is there anything else I should be concerned with while preparing my documentation?

Cheers (from soggy Calgary - who never really had a summer at all this year - it's rainy and 11 degrees here right now).

Manfred M.
Advisor

Re: Router help with 2910al

Hi Ken!

Normally the SNTP Protocol (Unicast) should work with your Windows Server.

A hint for your documentation:
If you have Visio you can download all HP shapes for free at http://www.visiocafe.com/

Good luck for your migration this weekend!

Cheers,
Manfred

Ken Richmond
Advisor

Re: Router help with 2910al

My migration went well. Thanks again for all your help!!

I have two issues left outstanding. The switches are not syncing with my Windows 2003 server - Support advises that this is fixed in 14.49. I've yet to update the switches but will report back on my findings once I do.

The other issue is routing to the internet from my vlan. Routing from vlan4 is working fine (to both vlan5 as well as my internet connection - a sonicwall 4500 nsa). Routing from vlan5 works well to vlan4, but not to the internet. I believe this has everything to do with how the sonicwall device is configured.

As near as I can tell, I cannot have traffic from my tagged vlan (192.168.3.x) going out to the sonicwall via the default route (192.168.0.22) and expect the sonicwall to send return traffic back to the tagged vlan without configuration effort on my part, but I'm not sure where I should concentrate those efforts. While I appreciate that this is not a sonicwall support site, I'm struggling with their documentation and thought I'd come back here for some direction.

Again, thanks for any nudges in the right direction.

Cheers,
Ken
Ken Richmond
Advisor

Re: Router help with 2910al

Woo Hoo!! The time sync problem is resolved. Not exactly as simple as it should have been - at least not when you're as thick as I am.

For anyone following along at home, updating to 14.49 was one step. Next, I went into Switch config/system information and changed the timezone from -7 to -420, which would be in minutes (NOT hours), just like it says in the docs and on the 'hint' bar in the menu... All I had to do was pay attention!

Finally apply the daylight time rule, Continental US and Canada in my case.

Restart the switch and all was good.

Getting more clueless about how to tie my sonicwall into the scene tho.

Vlan4 -> Default g/w -> default route works

Vlan4 -> Default g/w works. Looks like it's breaking at default route on the procurve. I'm thinking I only have one option and that's to use the sonicwall to route between my vlans as well as the internet, but then I'd lose the 10Gbit backplane on the procurve switches and be down to 1GB routing on the sonicwall.

Can I add routes from vlan4 to the sonicwall and vlan5 to the sonicwall? I'm sure I have to do something on the sonicwall side, but the interface is confusing and the documentation is even more confusing!

Shadow13
Respected Contributor

Re: Router help with 2910al

Just for confirmation, is there a route from the SonicWall pointing back to the subnet of VLAN 5 (which has the issue)?

Can you please tell us to which port is the Sonic wall connected on the switch and the tag, untag for this port and the IP address of the Sonic wall.

Basically if the SonicWall is in the same VLAN as VLAN 4 you won't need a route back to that VLAN; for any other VLAN you will need to add a route in the SonicWall showing it how to send the traffic destined to the other vlans back (where to send it)

If VLAN 5 wants to access the internet the source IP will be from VLAN 5; now when the traffic from the internet comes back through the SonicWall (after natting and all these things) the SonicWall needs to know where to send this traffic (since it will be destined to VLAN 5, which it does not know the location of)

Is what I said clear ? :S
Ken Richmond
Advisor

Re: Router help with 2910al

Hi Shadow13,

The Sonicwall is connected to Port 25 on my SW0 switch and is untagged in vlan4 and tagged in vlan5.

The sonicwall is indeed in vlan4 and all devices on that side are working fine - it's only vlan5 that has the issue. I agree that the issue appears to be routing back from the sonicwall to vlan5.

As I mentioned earlier, I believe this is a sonicwall issue. I'll post on their forums to see what I can glean from there. I may also post this issue in a new thread on this group.

Just a note... I typo'd my previous post. It should have read Vlan5 looks like it's breaking at the default route (not Vlan4 as I posted).

Ken Richmond
Advisor

Re: Router help with 2910al

Got it!!

I was making this harder than it had to be (there's a surprise)!

I decided to ignore vlans on the sonicwall and just look at routing. It was the vlan reference on the sonicwall that was causing me all of the grief. While the sonicwall is capable of configuring vlans, I had already configured them on the procurve equipment. Basically, I was trying to recreate the vlans on the sonicwall device - totally unnecessary.

Essentially I needed to do the following:

1 - create address objects for vlan5 (192.168.3.0) and the vlan 5 address of the switch (192.168.3.11).
2 - add a static ARP entry on the sonicwall with a vlan5 address (192.168.3.22) for the port connected to my lan (X1)
3 - create a route for 192.168.3.x to 192.168.3.11 via port X1.

Piece of cake (yeah, right!)

Again... thanks so much for the help I've received in this forum!!