- Community Home
- >
- Networking
- >
- Legacy
- >
- Switches, Hubs, Modems
- >
- Re: Strange VLAN problem (loop?)
Switches, Hubs, and Modems
1751726
Members
5444
Online
108781
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Go to solution
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-14-2004 09:39 AM
тАО03-14-2004 09:39 AM
Hi!
I'm currently have a HP 2524 switch on which i have 3 tagged VLANs incomming on port 24 from a fiber-converter.
I take them out each on three different untagged ports (2,3,4) on the same switch. The internet VLAN (port 2) goes directly to the outside of our firewall. Port 3 comes from the WAN side of a router from one of our local offices and has 172.16.1.5 as IP, port 4 comes from another office directly from a switch in that office which uses the same IP net as we do here (172.16.0.0/16).
With port 2 connected to the firewall and port 3 to our inside (another 2524 switch) everything works fine. However when i plug in port 4 in the same switch, after a while the router 172.16.1.5 "dissapears" and the whole office net with it.
If i unplug port 4, all is well again.
The really strange thing is, that if i connect any port, from the 2524 incomming switch, even if it is on a totally unused VLAN, the 172.16.1.5 router dissapears.
Is there some "leak" between the VLANs of the 2524 that makes some sort of a loop?
Anybody?
Mats
I'm currently have a HP 2524 switch on which i have 3 tagged VLANs incomming on port 24 from a fiber-converter.
I take them out each on three different untagged ports (2,3,4) on the same switch. The internet VLAN (port 2) goes directly to the outside of our firewall. Port 3 comes from the WAN side of a router from one of our local offices and has 172.16.1.5 as IP, port 4 comes from another office directly from a switch in that office which uses the same IP net as we do here (172.16.0.0/16).
With port 2 connected to the firewall and port 3 to our inside (another 2524 switch) everything works fine. However when i plug in port 4 in the same switch, after a while the router 172.16.1.5 "dissapears" and the whole office net with it.
If i unplug port 4, all is well again.
The really strange thing is, that if i connect any port, from the 2524 incomming switch, even if it is on a totally unused VLAN, the 172.16.1.5 router dissapears.
Is there some "leak" between the VLANs of the 2524 that makes some sort of a loop?
Anybody?
Mats
Solved! Go to Solution.
7 REPLIES 7
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-14-2004 08:26 PM
тАО03-14-2004 08:26 PM
Solution
Mats,
could you, please, make 2 topology sketches (one with the router visible, and one with the router invisible) and post them here - maybe in 2 different messages?
In HP switches, if you link 2 ports in a SWT to 2 ports in another SWT you'll get a loop no matter in what VLAN are the 4 ports.
Where is the "inside" of the firewall going?
What are the subnet masks you use for IP addressing (you could use /24 with 172.16.x.0, x=1..254)?
The second switch you're talking about: is it a L3 SWT and you're routing with it and have ACLs set on it, or is it a L2 device and you are placing the second office on the "outside"?
could you, please, make 2 topology sketches (one with the router visible, and one with the router invisible) and post them here - maybe in 2 different messages?
In HP switches, if you link 2 ports in a SWT to 2 ports in another SWT you'll get a loop no matter in what VLAN are the 4 ports.
Where is the "inside" of the firewall going?
What are the subnet masks you use for IP addressing (you could use /24 with 172.16.x.0, x=1..254)?
The second switch you're talking about: is it a L3 SWT and you're routing with it and have ACLs set on it, or is it a L2 device and you are placing the second office on the "outside"?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-15-2004 06:01 AM
тАО03-15-2004 06:01 AM
Re: Strange VLAN problem (loop?)
Hi!
Thanks for the answer. Do you mean that you can't have two VLANs with the same IP net going through the same switch?
I have drawn a rough sketch which i attach with this message. It's in PNG format.
Thanks for the answer. Do you mean that you can't have two VLANs with the same IP net going through the same switch?
I have drawn a rough sketch which i attach with this message. It's in PNG format.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-15-2004 07:01 AM
тАО03-15-2004 07:01 AM
Re: Strange VLAN problem (loop?)
If the switch is layer 3 aware then it keeps a table of IP address to MAC addresses. Usually we call this the ARP table and there is only one per switch (or router). Having duplicate IP addresses even if on separate VLANs will confuse the table since there is supposed to be a 1 to 1 correspondance between the two.
You should see an error in the event log which says
IP:Invalid MAC Address: A.B.C.D to A.B.C.D
This duplication of addresses spaces is common these days when many companies are merging or being bought up. The usual solution is to stick a router in between and let the router do NAT (Network Address Translation) so that addresses from the second company appear as 172.17.x.x and yours appear as 172.18.x.x to them.
You could try and turn off IP routing if you can figure out how. The manual seems to indicate that it is possible but offers no command to do that. Since they copy Cisco a lot I would try
no ip routing
You might also look at Isolated Port Groups on page 7 of
ftp://ftp.hp.com/pub/networking/software/59903102-E2.pdf
but you need to be running the latest software (F.05.17). http://www.hp.com/rnd/software/switches.htm
I expect a 2400 series switch would work better for you since I don't believe they are level three aware.
Ron
You should see an error in the event log which says
IP:Invalid MAC Address: A.B.C.D to A.B.C.D
This duplication of addresses spaces is common these days when many companies are merging or being bought up. The usual solution is to stick a router in between and let the router do NAT (Network Address Translation) so that addresses from the second company appear as 172.17.x.x and yours appear as 172.18.x.x to them.
You could try and turn off IP routing if you can figure out how. The manual seems to indicate that it is possible but offers no command to do that. Since they copy Cisco a lot I would try
no ip routing
You might also look at Isolated Port Groups on page 7 of
ftp://ftp.hp.com/pub/networking/software/59903102-E2.pdf
but you need to be running the latest software (F.05.17). http://www.hp.com/rnd/software/switches.htm
I expect a 2400 series switch would work better for you since I don't believe they are level three aware.
Ron
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-15-2004 07:19 PM
тАО03-15-2004 07:19 PM
Re: Strange VLAN problem (loop?)
Ron,
you will not believe how funny HP2524 switch is:
1. "ip routing", "no ip routing" do not work
2. "show ip arp" does not work
3. "show ip route" shows the default, the loopback, the 127.0.0.0/8 and whatever subnet you define in the ip configuration for the VLANs
4. "ip route" lets you define static routes, which appear in the "show ip route"
I think this switch can NOT be used for inter-VLAN routing: the entire documentation mentions an "external router" for connecting VLANs. Why the routing table then?
you will not believe how funny HP2524 switch is:
1. "ip routing", "no ip routing" do not work
2. "show ip arp" does not work
3. "show ip route" shows the default, the loopback, the 127.0.0.0/8 and whatever subnet you define in the ip configuration for the VLANs
4. "ip route" lets you define static routes, which appear in the "show ip route"
I think this switch can NOT be used for inter-VLAN routing: the entire documentation mentions an "external router" for connecting VLANs. Why the routing table then?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-15-2004 08:46 PM
тАО03-15-2004 08:46 PM
Re: Strange VLAN problem (loop?)
Mats,
1. The links with arrows by-pass your firewall: is that what you really want?
2. In what switch/hub ports are the following connected:
2.1 Netgear router
2.2 Internet (your ISP's router, I suppose)
2.3 HP 2524 that supports Net2
In other words: drop the "Tagged VLAN" cloud and draw where the 3 connections feed. Do you physically have another switch/hub instead of this cloud?
3. It seems to me that "inside" and "otside" of your firewall are in the same subnet - which is not right.
4. The cloud "Internal net 172.16.0.0/16" is too general: can you be more specific as of where the firewall's "inside", the Net1 link and the Net2 link exactly connect? Do you physically have another switch/hub instead of this cloud?
5. It seems to me that your network documentation is missing: let's draw it together in this thread.
-------------------------------------
Having 7 VLANs on a switch is exacly as if you would have 7 different switches powered by the same AC source and situated in the same rack. Advantages of using VLANs:
(a) the number of ports per broadcast domain is reduced (small broadcast domains are good for network's performance: instead of having one broadcast domain with 700 computers, we can create 10 smaller broadcast domains with 70 computers each),
(b) improved security (the users in the Engineering VLAN can't access computers in Accounting/Finance VLAN to increase their salaries:-)
Ports that are in one VLAN in HP 2524 cannot communicate with ports that are in another VLAN on the same switch, unless an external router helps (see page 9.51 in the "Management and Configuration Guide" for HP 2524 switches). This router is the "interVLAN router".
Usually (and I recommend this practice) you should associate 1 IP subnet to 1 VLAN. It could be possible to setup 2 or more IP subnets in 1 VLAN, but do NOT USE THE SAME IP SUBNET ON 2 OR MORE VLANS!
This is why: when you want to have the 2 or more VLANs speak to each other, you have to assign an IP address to each interface of the router (the gateway IP address for the VLAN clients) that is connected to each VLAN. If you have 7 VLANs, you need 7 physical interfaces (or 7 logical sub-interfaces of one physical interface), 1 per VLAN. If all your 7 VLANs use the same IP subnet, the IP addresses of the 7 interfaces have to be in the same subnet: it is not possible in routers to assign IP addresses from the same subnet to different interfaces/sub-interfaces.
How about having 2 switches in 2 buildings that are 1.5 km away and you want to link them because both Accounting/Finance (users in VLAN1) and Engineering (users in VLAN2) have offices in the two buildings? Also Management (VLAN3) have users dispersed in the 2 buildings. And you've defined VLAN4 to keep IP addresses for switch management (you don't like your normal users to telnet into your switches, right?) and you want to manage your switches from 1 PC, without trips to each switch for serial connections. Also you defined VLAN5, VLAN6 and VLAN7 for future use.
What to do? Use a 14-fiber optics cable, 1 pair of fibers per VLAN? You'd need 7 transceivers in each switch! Optical transceivers do not come cheap, and you only have 2 slots on your 2524.
Solution: use one pair of fibers between switches, 1 transceiver per switch AND use VLAN tagging. IEEE 802.1Q describes VLAN tagging for the purpose of transporting IEEE frames over 1 physical link.
If a frame comes from VLAN3 and is destined for a host in VLAN3 phisically located on the other switch, the transmitting switch puts a tag on the frame and sends it to the fiber. The receiving switch looks at the tag and knows in which VLAN to forward the frame.
The tag is an integer, and is called "802.1Q VLAN ID". You can see what tags you (or the guy before you) associated with each VLAN in "Switch Configuration - VLAN - VLAN Names" menu on your HP2524.
To be able to transport all 7 VLANs over the fiber, you will set the uplink port (25 or 26 in HP2524) to pertain to all VLANs, in "Switch Configuration - VLAN - VLAN Port Assignment" menu. If you want you can set "Tagged" for all VLANs, though the port can remain "Untagged" in just 1 VLAN.
Be sure to name and number VLANs the same in both switches: VLAN4 should have the same "802.1Q VLAN ID" in both switches. Maybe 4.
Remember the sub-interfaces on the router? this is another application of VLAN tagging: you need to get users from 7 VLANs to their default gateways, but you have just 1 UTP cable between the router and the switch. (serious routers with 7 RJ-45 connectors also don't come cheap).
1. The links with arrows by-pass your firewall: is that what you really want?
2. In what switch/hub ports are the following connected:
2.1 Netgear router
2.2 Internet (your ISP's router, I suppose)
2.3 HP 2524 that supports Net2
In other words: drop the "Tagged VLAN" cloud and draw where the 3 connections feed. Do you physically have another switch/hub instead of this cloud?
3. It seems to me that "inside" and "otside" of your firewall are in the same subnet - which is not right.
4. The cloud "Internal net 172.16.0.0/16" is too general: can you be more specific as of where the firewall's "inside", the Net1 link and the Net2 link exactly connect? Do you physically have another switch/hub instead of this cloud?
5. It seems to me that your network documentation is missing: let's draw it together in this thread.
-------------------------------------
Having 7 VLANs on a switch is exacly as if you would have 7 different switches powered by the same AC source and situated in the same rack. Advantages of using VLANs:
(a) the number of ports per broadcast domain is reduced (small broadcast domains are good for network's performance: instead of having one broadcast domain with 700 computers, we can create 10 smaller broadcast domains with 70 computers each),
(b) improved security (the users in the Engineering VLAN can't access computers in Accounting/Finance VLAN to increase their salaries:-)
Ports that are in one VLAN in HP 2524 cannot communicate with ports that are in another VLAN on the same switch, unless an external router helps (see page 9.51 in the "Management and Configuration Guide" for HP 2524 switches). This router is the "interVLAN router".
Usually (and I recommend this practice) you should associate 1 IP subnet to 1 VLAN. It could be possible to setup 2 or more IP subnets in 1 VLAN, but do NOT USE THE SAME IP SUBNET ON 2 OR MORE VLANS!
This is why: when you want to have the 2 or more VLANs speak to each other, you have to assign an IP address to each interface of the router (the gateway IP address for the VLAN clients) that is connected to each VLAN. If you have 7 VLANs, you need 7 physical interfaces (or 7 logical sub-interfaces of one physical interface), 1 per VLAN. If all your 7 VLANs use the same IP subnet, the IP addresses of the 7 interfaces have to be in the same subnet: it is not possible in routers to assign IP addresses from the same subnet to different interfaces/sub-interfaces.
How about having 2 switches in 2 buildings that are 1.5 km away and you want to link them because both Accounting/Finance (users in VLAN1) and Engineering (users in VLAN2) have offices in the two buildings? Also Management (VLAN3) have users dispersed in the 2 buildings. And you've defined VLAN4 to keep IP addresses for switch management (you don't like your normal users to telnet into your switches, right?) and you want to manage your switches from 1 PC, without trips to each switch for serial connections. Also you defined VLAN5, VLAN6 and VLAN7 for future use.
What to do? Use a 14-fiber optics cable, 1 pair of fibers per VLAN? You'd need 7 transceivers in each switch! Optical transceivers do not come cheap, and you only have 2 slots on your 2524.
Solution: use one pair of fibers between switches, 1 transceiver per switch AND use VLAN tagging. IEEE 802.1Q describes VLAN tagging for the purpose of transporting IEEE frames over 1 physical link.
If a frame comes from VLAN3 and is destined for a host in VLAN3 phisically located on the other switch, the transmitting switch puts a tag on the frame and sends it to the fiber. The receiving switch looks at the tag and knows in which VLAN to forward the frame.
The tag is an integer, and is called "802.1Q VLAN ID". You can see what tags you (or the guy before you) associated with each VLAN in "Switch Configuration - VLAN - VLAN Names" menu on your HP2524.
To be able to transport all 7 VLANs over the fiber, you will set the uplink port (25 or 26 in HP2524) to pertain to all VLANs, in "Switch Configuration - VLAN - VLAN Port Assignment" menu. If you want you can set "Tagged" for all VLANs, though the port can remain "Untagged" in just 1 VLAN.
Be sure to name and number VLANs the same in both switches: VLAN4 should have the same "802.1Q VLAN ID" in both switches. Maybe 4.
Remember the sub-interfaces on the router? this is another application of VLAN tagging: you need to get users from 7 VLANs to their default gateways, but you have just 1 UTP cable between the router and the switch. (serious routers with 7 RJ-45 connectors also don't come cheap).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-16-2004 01:57 AM
тАО03-16-2004 01:57 AM
Re: Strange VLAN problem (loop?)
I think your switch can do routing between VLANs even tho it is not advertised that way. I think the routing stuff was added in later code releases. See if you can assign a separate IP address to each VLAN. The IP addresses must be in separate subnets. Then put a host in each VLAN with an IP address in the same subnet as the switch's VLAN and tell the host to use the switch's VLAN IP address as its default gateway. Can you ping from one host to the other?
The manual makes a big deal of not supporting duplicate MACs in separate VLANs. Is there any chance that that is what is happening?
Do you see any problems in the event log?
Ron
The manual makes a big deal of not supporting duplicate MACs in separate VLANs. Is there any chance that that is what is happening?
Do you see any problems in the event log?
Ron
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-17-2004 10:14 AM
тАО03-17-2004 10:14 AM
Re: Strange VLAN problem (loop?)
Hi again!
Have had some hectic days so i haven't been able to follow this thread until now.
OLARU Dan.
1. The links with arrows (Net 1 and Net 2) is two different VLANs who we connect to a HP ProCurve 2524 switch inside the net-cloud. The internet is incomming on a different VLAN and thus should not be bypassed by the other two VLANs
2.1 Netgear router goes via SDSL modem to our networkprovider which puts it in a tagged VLAN (Net1).
2.2 Internet comes through our ISP which is the same as our network provider and comes through another tagged VLAN.
2.3 HP2524 is connected to a fiberconverter and again to our NP (Network Provider) through a third tagged VLAN.
The "Tagged VLAN" cloud is our network providers stuff, which i don't have a clear view of except that we should (in our local office) recieve 3 tagged VLANs from them which is Internet, Net1 (which is from an external office) and Net2 (which is from another external office). The tagged VLANs come through a fiberconverter into our 2524 via one cat5 cable into port 24 and is split up in three untagged ports 1 (Internet), 14 (Net1), 18(Net2).
Internet (port 1) is as said before connected to the outside of our firewall, Net1 (port 14) is connected to another 2524 which is our main switch in our office. The problem occurs when we connect the Net2 (port 18) to our main switch. Then Net1 "dissapears", Net2 doesn't function correctly (Appletalk gets all funny). If we unplugg Net2 Net1 appears again.
3. look above.
4. Our net here is 172.16.0.0/16 Net2 is on the same ip-net, also 172.16.0.0/16, but there are no duplicate ip adresses anywhere, i know that because when we connect the net (Net2) to our net from another separate fiber (totally physically unconnected to the above VLANs) everything works OK.
Our NP has now solved/sidestepped the problem by joining Net1 and Net2 before it comes to the 2524 and put i on the same VLAN, so we connect with just one cable.
Seems to me that (as you and Ron confirmed above) if you put two cables from two ports on a 2524 to two ports on another 2524, no matter what different VLANs, you got troble, especially if you have the same ip-net on the two VLANs.
Ron.
I would like to try what you said, test if the VLANs perform some kind of routing, but the switch is currently in production and, as of now, the net at least work. Though i'm kind of curious myself.
Thanks for all your help!
Mats
Have had some hectic days so i haven't been able to follow this thread until now.
OLARU Dan.
1. The links with arrows (Net 1 and Net 2) is two different VLANs who we connect to a HP ProCurve 2524 switch inside the net-cloud. The internet is incomming on a different VLAN and thus should not be bypassed by the other two VLANs
2.1 Netgear router goes via SDSL modem to our networkprovider which puts it in a tagged VLAN (Net1).
2.2 Internet comes through our ISP which is the same as our network provider and comes through another tagged VLAN.
2.3 HP2524 is connected to a fiberconverter and again to our NP (Network Provider) through a third tagged VLAN.
The "Tagged VLAN" cloud is our network providers stuff, which i don't have a clear view of except that we should (in our local office) recieve 3 tagged VLANs from them which is Internet, Net1 (which is from an external office) and Net2 (which is from another external office). The tagged VLANs come through a fiberconverter into our 2524 via one cat5 cable into port 24 and is split up in three untagged ports 1 (Internet), 14 (Net1), 18(Net2).
Internet (port 1) is as said before connected to the outside of our firewall, Net1 (port 14) is connected to another 2524 which is our main switch in our office. The problem occurs when we connect the Net2 (port 18) to our main switch. Then Net1 "dissapears", Net2 doesn't function correctly (Appletalk gets all funny). If we unplugg Net2 Net1 appears again.
3. look above.
4. Our net here is 172.16.0.0/16 Net2 is on the same ip-net, also 172.16.0.0/16, but there are no duplicate ip adresses anywhere, i know that because when we connect the net (Net2) to our net from another separate fiber (totally physically unconnected to the above VLANs) everything works OK.
Our NP has now solved/sidestepped the problem by joining Net1 and Net2 before it comes to the 2524 and put i on the same VLAN, so we connect with just one cable.
Seems to me that (as you and Ron confirmed above) if you put two cables from two ports on a 2524 to two ports on another 2524, no matter what different VLANs, you got troble, especially if you have the same ip-net on the two VLANs.
Ron.
I would like to try what you said, test if the VLANs perform some kind of routing, but the switch is currently in production and, as of now, the net at least work. Though i'm kind of curious myself.
Thanks for all your help!
Mats
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
News and Events
Support
© Copyright 2024 Hewlett Packard Enterprise Development LP