Spanning tree per vlan on 2524?

Les Lovesee
Occasional Advisor

Spanning tree per vlan on 2524?

We are installing an E500 virus filtering appliance. Logically, it functions as a bridge, but filters web traffic passing through it for viruses. We set up a second VLAN on a 2524 to support the outside interface, but can't get it to work right. I suspect a spanning tree issue, even though spanning tree is disabled on the 2524.

Here's how it's connected: inside_net -> 2524_VLAN1 -> E500 -> 2524_VLAN2 -> PIX FW -> Internet

You can see this would be a spanning tree violation if spanning tree were on and the switch didn't support separate spanning tree per VLAN (802.1s). I can't find out if the 2524 supports 802.1s or not, but spanning tree is disabled on the switch so it shouldn't matter.

When I substitute a separate switch for 2524_VLAN2 everything works. When the E500 is connected to VLAN2, it works if the E500 is disconnected from VLAN1. Whenever one port on the E500 is connected to VLAN1 and the other is connected to VLAN2, pings to the management address of the E500 mostly fail but occasionally succeed, and no traffic can get through to the Internet.

So, what's going on? Is this a limitation of the 2524? I can put in another switch if necessary, but there is no room in the rack.

TIA,

Les...
9 REPLIES
Jerome Henry
Honored Contributor

Re: Spanning tree per vlan on 2524?

There is something I do not understand about your configuration... Is the E500 able to act as a router?
If you set up 2 VLANs, you NEED to put in something able to route packets from one VLAN to another.
If the E500 is not set to do so, then that is what your problem is due to. Put in a router linking your VLANs, and everything'll be alright. That is maybe what happens when you describe substituting a separate switch.
Maybe you can set up the E500 to act as a router, but I do not see any routing table configuration possibility in the docs.
hth

Jerome
You can lean only on what resists you...
Les Lovesee
Occasional Advisor

Re: Spanning tree per vlan on 2524?

Thanks for your response.

The E500 acts as a bridge, not a router. Let me expand and clarify the config a bit:

inside_net -> inside_router -> 2524_VLAN1 -> E500 -> 2524_VLAN2 -> firewall -> outside_router -> Internet

The inside_router is the default gateway for the inside_net. The firewall is the default gateway for the inside_router to reach the Internet. The inside_router is the gateway the firewall uses to reach the inside_net. The E500 is a bridge; it looks like another switch hop except that it filters HTTP traffic looking for viruses.

When VLAN2 is replaced with a separate switch (switch2 below) then everything works:

inside_net -> inside_router -> 2524_VLAN1 -> E500 -> switch2 -> firewall -> outside_router -> Internet

Since I sent the original message I have discovered that the 2524 doesn't support 802.1s. Spanning tree is turned off, so it should work. It doesn't, I'm trying to figure out why.

TIA,

Les...

Jerome Henry
Honored Contributor

Re: Spanning tree per vlan on 2524?

Ok,
I understand from that that you have a router able to address packets toward the external side of your network.
There must be some kind of configuration problem somewhere in your VLAN settings, as it is the only difference between the non-working and working schemes as you report them.
Check that point: VLANs, tagged/untagged, router interface, port addresses and the corresponding ones on your routers.
hth
Jerome
You can lean only on what resists you...
Les Lovesee
Occasional Advisor

Re: Spanning tree per vlan on 2524?

Here's the config from the switch. I don't know how readable it will be, but there it is.

Note that at the end it configures spanning tree, even though I turned it off in the menu. I really think I need spanning tree turned off but I can't figure out how to do it - I don't work with HP switches very often.

I'm wondering about turning off GVRP (unknown-vlans disable) on the VLAN2 ports, if that might help.



Scanning Network Switch# wr t
; J4813A Configuration Editor; Created on release #F.05.17

hostname "Scanning Network Switch"
snmp-server contact "Help Desk"
snmp-server location "De Soto, Kansas"
time timezone -6
time daylight-time-rule Continental-US-and-Canada
cdp run
interface 1
no lacp
exit

...
all interfaces configured the same as interface 1
...

ip default-gateway 10.200.1.1
no timesync
snmp-server community "********"
vlan 1
name "DEFAULT_VLAN"
untagged 1-21,25-26
ip address 10.200.1.250 255.255.240.0
no untagged 22-24
exit
vlan 2
name "SCANNET"
untagged 22-24
exit
no stack
no aaa port-access authenticator active
spanning-tree protocol-version stp
spanning-tree 1-24 mode fast
password manager
Jerome Henry
Honored Contributor

Re: Spanning tree per vlan on 2524?

Hi,
sorry for this delay, it's now morning in my time zone.
I do not get clearly why you want to disable spanning tree, as your problem seems to be a VLAN one (whatever the case, refer to my post on your other question for disabling it).
On your config, here is how it should be:
1. On your switch, let's assume that the E500 is plugged into port 1 and port 2.
Create VLAN 1. You put port 1 in this VLAN as untagged.
2. Create VLAN 2. You put port 2 in this VLAN as untagged.
Now you have both VLANs unable to communicate with each other.
On your config, ports 22-24 are seen both untagged and tagged, which means that they are untagged in VLAN 2 and tagged in VLAN 1, so there is no real VLAN, and it doesn't work.
Does it seem helpful ?
J
You can lean only on what resists you...
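The tagged/untagged question above is something worth checking mechanically rather than by eye. The following is an added example, not code from the thread or from HP: a small Python parser for the `vlan` stanzas of ProCurve `write terminal` output that inverts the VLAN table into per-port membership and flags two conditions, a port untagged in more than one VLAN (not a valid access port) and a port that also carries tagged VLANs (a trunk-style port, which a single-interface device like the E500 would not expect). `POSTED_CONFIG` is the VLAN section of the config Les posted; `OVERLAPPING_CONFIG` is a constructed variant with the overlap Jerome describes. The port-list syntax handled (`1-21,25-26`) is the one visible in the posted config; other `vlan` sub-commands are ignored.

```python
import re
from collections import defaultdict

# Added example (not from the thread): parse the VLAN section of ProCurve
# "write terminal" output and audit per-port VLAN membership.

# Constructed sample: the vlan stanzas from the config posted in the thread.
POSTED_CONFIG = """\
vlan 1
name "DEFAULT_VLAN"
untagged 1-21,25-26
ip address 10.200.1.250 255.255.240.0
no untagged 22-24
exit
vlan 2
name "SCANNET"
untagged 22-24
exit
"""

# Constructed sample with the kind of overlap discussed above: ports 22-24
# left untagged in VLAN 1 as well, and port 21 tagged into VLAN 2.
OVERLAPPING_CONFIG = """\
vlan 1
name "DEFAULT_VLAN"
untagged 1-26
exit
vlan 2
name "SCANNET"
untagged 22-24
tagged 21
exit
"""


def expand_ports(spec):
    """'1-21,25-26' -> {1, ..., 21, 25, 26}."""
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    return ports


def parse_vlans(config_text):
    """Return {vlan_id: {"name": str, "untagged": set, "tagged": set}}."""
    vlans, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": "", "untagged": set(), "tagged": set()}
            continue
        if current is None:
            continue
        if line == "exit":
            current = None
            continue
        m = re.fullmatch(r'name "(.*)"', line)
        if m:
            vlans[current]["name"] = m.group(1)
            continue
        m = re.fullmatch(r"(no )?(untagged|tagged) (\S+)", line)
        if m:
            negate, mode, spec = m.groups()
            ports = expand_ports(spec)
            if negate:
                vlans[current][mode].difference_update(ports)
            else:
                vlans[current][mode].update(ports)
    return vlans


def port_memberships(vlans):
    """Invert the VLAN table: {port: {"untagged": [vlan ids], "tagged": [vlan ids]}}."""
    members = defaultdict(lambda: {"untagged": [], "tagged": []})
    for vid in sorted(vlans):
        for mode in ("untagged", "tagged"):
            for port in vlans[vid][mode]:
                members[port][mode].append(vid)
    return dict(members)


def audit_vlans(vlans):
    """Flag ports untagged in several VLANs and ports that carry tagged VLANs."""
    findings = []
    for port, m in sorted(port_memberships(vlans).items()):
        if len(m["untagged"]) > 1:
            findings.append(f"port {port} is untagged in more than one VLAN: {m['untagged']}")
        if m["tagged"]:
            findings.append(f"port {port} carries tagged VLAN(s) {m['tagged']} "
                            f"(untagged in {m['untagged']})")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("overlapping", OVERLAPPING_CONFIG)):
        vlans = parse_vlans(text)
        print(label, {v: sorted(d["untagged"]) for v, d in vlans.items()})
        for finding in audit_vlans(vlans) or ["no findings"]:
            print("  ", finding)
```

Run against the posted config, the audit returns no findings: ports 22-24 are untagged members of SCANNET only, and the `no untagged 22-24` line removes them from DEFAULT_VLAN. The overlapping sample produces four findings (port 21 tagged into VLAN 2, ports 22-24 untagged in both VLANs), which is the shape of misconfiguration to look for before suspecting spanning tree.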
Les Lovesee
Occasional Advisor

Re: Spanning tree per vlan on 2524?

Ok, I've done some more experimenting and here's my current theory.

Using "Status and Counters" / "Address Table" / "Search" I learned that the switch will only associate a particular mac address with a single port. Doesn't matter if you have multiple vlans, except the vlan boundary blocks a packet that would otherwise be forwarded.

Here's an illustration.

HostA mac = 1
HostB mac = 2
SWC is a switch with two vlans.
SWD is a normal switch.
SWE is another normal switch.

HostA -> SWC_VLAN1 -> SWD -> SWC_VLAN2 -> HostB doesn't work.

HostA -> SWC_VLAN1 -> SWD -> SWE -> HostB works.

When SWC_VLAN2 is replaced by a separate switch it works. Because they are different VLANs in the same switch, it can only learn the MAC address of HostA and HostB on one port.

Let's assume it learns it on the port that the hosts are actually connected to. Packet destined for HostB comes into VLAN1, the switch sees that HostB is connected to a port in VLAN2 and doesn't forward the packet because doing so would cross VLAN boundaries.

Does this make sense? Is this why you were saying I needed a router? Note that replacing either VLAN with a totally separate switch makes the configuration work. I'll have to test this on a Cisco switch and see if it works the same way.

Let me know if I'm on the right track, thanks!

Les...
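The one-port-per-MAC behaviour Les found in the address table is what IEEE 802.1Q calls shared VLAN learning (one forwarding table for all VLANs), as opposed to independent VLAN learning (a separate table per VLAN). The thread does not say which mode the 2524 uses. The following is an added example, not code from the thread or from HP: a toy learning-bridge model of Les's illustration, HostA -> SWC_VLAN1 -> SWD -> SWC_VLAN2 -> HostB, run once in each learning mode. Port numbers, MAC addresses, and the drop rule (a frame whose only known destination port lies in another VLAN is discarded, which is the cross-VLAN block Les hypothesises) are assumptions made for the example.

```python
# Added example: toy model of MAC learning in a two-VLAN switch.
# Names follow the thread's illustration; learning modes, ports, MACs and
# the cross-VLAN drop rule are assumptions, not the 2524's documented behaviour.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Host:
    """An end station with one port (port 0) and a list of received frames."""

    def __init__(self, name, mac):
        self.name, self.mac = name, mac
        self.links = {}
        self.received = []

    def receive(self, port, frame, trace):
        if frame["dst"] in (self.mac, BROADCAST):
            self.received.append(frame)
            trace.append(f"{self.name}: got frame from {frame['src']}")

    def send(self, dst, trace):
        dev, dport = self.links[0]
        dev.receive(dport, {"src": self.mac, "dst": dst}, trace)


class Switch:
    """Learning bridge with untagged ports. shared_learning=True keeps one
    MAC -> port table for all VLANs (shared VLAN learning); False keeps a
    (vlan, MAC) -> port table (independent VLAN learning)."""

    def __init__(self, name, port_vlan, shared_learning):
        self.name = name
        self.port_vlan = dict(port_vlan)  # port -> untagged VLAN id
        self.shared = shared_learning
        self.fdb = {}
        self.links = {}

    def _key(self, vlan, mac):
        return mac if self.shared else (vlan, mac)

    def receive(self, in_port, frame, trace):
        vlan = self.port_vlan[in_port]
        self.fdb[self._key(vlan, frame["src"])] = in_port   # learn source
        out = self.fdb.get(self._key(vlan, frame["dst"]))     # look up destination
        if frame["dst"] == BROADCAST or out is None:
            outs = [p for p, v in self.port_vlan.items() if v == vlan and p != in_port]
            trace.append(f"{self.name}: vlan {vlan} flood -> ports {outs}")
        elif self.port_vlan[out] != vlan:
            # Assumed rule: the only entry for dst points at a port in another
            # VLAN, and the switch will not forward across the VLAN boundary.
            trace.append(f"{self.name}: {frame['dst']} known on port {out} "
                         f"(vlan {self.port_vlan[out]}) but frame is vlan {vlan}: dropped")
            outs = []
        else:
            outs = [] if out == in_port else [out]
        for p in outs:
            dev, dport = self.links[p]
            dev.receive(dport, frame, trace)


def connect(dev_a, port_a, dev_b, port_b):
    dev_a.links[port_a] = (dev_b, port_b)
    dev_b.links[port_b] = (dev_a, port_a)


def build_topology(shared_learning):
    """HostA -> SWC_VLAN1 -> SWD -> SWC_VLAN2 -> HostB (assumed port numbers)."""
    host_a = Host("HostA", "02:00:00:00:00:0a")
    host_b = Host("HostB", "02:00:00:00:00:0b")
    swc = Switch("SWC", {1: 1, 2: 1, 3: 2, 4: 2}, shared_learning)  # 1-2 VLAN1, 3-4 VLAN2
    swd = Switch("SWD", {1: 1, 2: 1}, shared_learning=False)        # plain bridge, one VLAN
    connect(host_a, 0, swc, 1)
    connect(swc, 2, swd, 1)
    connect(swd, 2, swc, 3)
    connect(host_b, 0, swc, 4)
    return host_a, host_b, swc, swd


def run_exchange(shared_learning):
    """Broadcast from A (ARP-style), unicast reply from B, then unicast from A."""
    host_a, host_b, swc, _ = build_topology(shared_learning)
    trace = []
    host_a.send(BROADCAST, trace)
    host_b.send(host_a.mac, trace)
    host_a.send(host_b.mac, trace)
    return {
        "reply_reached_a": any(f["src"] == host_b.mac for f in host_a.received),
        "unicast_reached_b": any(f["dst"] == host_b.mac for f in host_b.received),
        "fdb": dict(swc.fdb),
        "trace": trace,
    }


if __name__ == "__main__":
    for mode in (True, False):
        result = run_exchange(mode)
        print("shared learning:" if mode else "independent learning:", result["fdb"])
        for line in result["trace"]:
            print("  ", line)
```

With shared learning, HostA's MAC is first learned on SWC port 1 (VLAN1) and then overwritten when the bridge replays the broadcast into port 3 (VLAN2); every unicast that follows is dropped at the VLAN boundary, and the broadcast is the only frame that gets through. With independent learning both unicasts are delivered. The model is deterministic; the intermittent successes in the original post are not modelled here, and the real switch's ageing and relearning behaviour is not something the thread establishes.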
Jerome Henry
Honored Contributor

Re: Spanning tree per vlan on 2524?

You're right! That's exactly why I was thinking about a router, as communication can't be done anymore based on MAC address, as the VLAN is virtually cutting your switch in two pieces (2 switches, smaller though, for the same price!), so A and B can't communicate anymore based on MAC; a router enables them (or the VLANs) to communicate based on IP address, thus saying 'the way to B's IP is through the VLAN2 switch port IP'...
If this weekend is rainy, read a few tips about the whole stuff here:
http://computer.howstuffworks.com/lan-switch8.htm
So how are you going to proceed?
J
You can lean only on what resists you...
Jerome Henry
Honored Contributor

Re: Spanning tree per vlan on 2524?

On reading back these pages, I feel that maybe you already know the whole content. Sorry if that's the case...
BTW, do not hesitate to assign points if you feel those posts helped: I'm fed with them! :-)
J
You can lean only on what resists you...