HPE Community
Web and Unmanaged
1752594 Members
3035 Online
108788 Solutions
New Discussion юеВ

Re: HP 1910-48 VLAN can't access to internet

 
Narfux
Occasional Visitor

тАО06-06-2016 02:31 AM

тАО06-06-2016 02:31 AM

HP 1910-48 VLAN can't access to internet

Hi,

I've created 2 Vlans in my switch:

VLAN 1:  192.168.1.254 / 255.255.255.0 - Untagged

VLAN 2: 192.168.128.254 / 255.255.255.0 - Untagged

And i've created the route 0.0.0.0 / 0.0.0.0 - 192.168.1.1 (router IP, connected to PORT 48) to get internet access.

But i only have internet access on VLAN 1 and we need internet access in VLAN 2 too.

What is the setting that I did wrong?

0 Kudos
8 REPLIES 8
gerdesj
Frequent Visitor

тАО06-06-2016 05:01 AM

тАО06-06-2016 05:01 AM

Re: HP 1910-48 VLAN can't access to internet

You are confusing layer 2 and 3, which is understandable because the term "VLAN" is often used for both.

So:

  • You have two layer 2 VLANs: the default one with an id of 1 and another that you have added with an id of 2
  • You have a router plugged into port 48
  • You have added a default route on the switch to 192.168.1.1
  • You have set the default route on your devices to either 192.168.1.254 or 192.168.128.254

So what you have done is enable layer three routing on the switch and it defers to an internet router for external access.  However you have two routers on VLAN 1 - the switch and the other router.

I suggest you create another VLAN to link the router and the switch - call it VLAN254 and set it up with an address on the switch and change the router's IP as well.  Then set the switch's default gateway to the new address.  Now you will not have asymmetric routing.  So switch VLAN 256 IP = 192.168.254.1 and the router 192.168.254.254.  Set the PVID on port 48 to 256 to put the router on VLAN 256 and make sure port 48 is an access port.  This is all done at Networking -> VLAN (modify port)

Now you set the PVID on the other ports depending on whether the device is to be on VLAN 1 or 2.  They should probably all be access ports.

If you are able to start again, I highly recommend that you instead pick a random 10.x address.  Then set VLAN 1 to be 10.x.1.0/24, VLAN 2 to 10.x.2/24 etc . That way you can refer to your whole network as 10.x/16 which is very useful if you have to create VPN tunnels later.  You could use 192.168.1 192.168.2 etc but that is not a good idea for the future.

Cheers

Jon

0 Kudos
parnassus
Honored Contributor

тАО06-06-2016 06:24 AM - edited тАО06-06-2016 06:40 AM

тАО06-06-2016 06:24 AM - edited тАО06-06-2016 06:40 AM

Re: HP 1910-48 VLAN can't access to internet

Just curious, noob question:

Why not mentioning another possible scenario in which the actual Router/Firewall, provided that it commonly supports VLANs on its physical LAN interfaces, can be configured to provide its gateway functionalities to any VLANs indipendently (so providing various services - like NAT, Firewall, DHCP service, DNS service, etc. - to VLANs its LAN interface has been configured to be part of) avoiding other Layer 3 configurations on the Switch side?

Couldn't be this another valid approach?


I'm not an HPE Employee
Kudos and Accepted Solution banner
0 Kudos
Narfux
Occasional Visitor

тАО06-06-2016 06:46 AM

тАО06-06-2016 06:46 AM

Re: HP 1910-48 VLAN can't access to internet

Thanks for your reply Jon,

This is the actual setting:

SWITCH INTERFACES:

VLAN 1:

VLAN 2:

VLAN 254:

Route table:

Port 48 PVID is 254 Access Mode but now i only have internet access on VLAN 254.

Same as before but with one more VLAN created.

What i missing?

0 Kudos
gerdesj
Frequent Visitor

тАО06-06-2016 08:26 AM

тАО06-06-2016 08:26 AM

Re: HP 1910-48 VLAN can't access to internet

Your external router probably needs return routes ie:

192.168.100.0/24 via 192.168.1.254

192.168.128.0/24 via 192.168.1.254

You will also have to put another return route in very time you add a new VLAN.  You could try 192.168/16 via 192.168.1.254 which will route all subnets with an address like 192.168.x.x provided its routing table works "properly".  The more specific route for its own 192.168.1 interface should still work.  You will also not be able to connect a VPN in the 192.168.x.x range from outside if you do that.  You are probably better off with a route per subnet.

The return route is probably the actual answer to your original question but on the bright side you now will avoid weird asymmetric routing issues that your original design would probably have given you enentually. if not from the get go.  

Without the stub VLAN (ie 192.168.1/24 here) packets from your VLAN 1 clients could hit the switch, get forwarded to the router and the reply would come back directly from the router and not via the switch.  You would see odd things like connections dying after five minutes working fine and other joys.  In all, if you ever find yourself plugging two routers into one subnet/VLAN then something is probably wrong unless it is to join one domain to another.

That said, if you want to protect a VLAN/subnet with your firewall/router then plug it in to that VLAN via an access port and do not add an IP address to the VLAN interface on your switch.  The firewall can act as the sole router for just that VLAN/VLANs whilst your switch is the router for the others.  It can be a bit hard to get your head around until you have done it a few times 8)

0 Kudos
gerdesj
Frequent Visitor

тАО06-06-2016 08:31 AM - edited тАО06-07-2016 01:09 AM

тАО06-06-2016 08:31 AM - edited тАО06-07-2016 01:09 AM

Re: HP 1910-48 VLAN can't access to internet

 

 

Just curious, noob question:

Absolutely.  If you use your firewall to do all the routing internally then it will also become a switch but one that can protect all VLANs/subnets.  In my final post I mention doing just that and how to use both the firewall and the switch to act as routers.

In the end it is a balance/trade off between raw switching speed, network segregation and security.  The switch will generally do L3 routing quicker and with less overhead than a firewall but the firewall has better packet filter capabilities.

Just don't try to do both!

0 Kudos
Vince-Whirlwind
Honored Contributor

тАО06-06-2016 06:42 PM

тАО06-06-2016 06:42 PM

Re: HP 1910-48 VLAN can't access to internet

Your router doesn't have a route back to the subnet you have in VLAN2.

The asymmetric routing mentioned above should be fixed.

0 Kudos
Narfux
Occasional Visitor

тАО06-07-2016 06:10 AM

тАО06-07-2016 06:10 AM

Re: HP 1910-48 VLAN can't access to internet

Hi,

I've configured returns routes on my external router but not success.

Only internet access if i connect my pc to VLAN254 ports.

0 Kudos
Vince-Whirlwind
Honored Contributor

тАО06-07-2016 06:34 PM

тАО06-07-2016 06:34 PM

Re: HP 1910-48 VLAN can't access to internet

Your switch routing table doesn't display VLAN2.

Your router will also need policies and NAT rules for all subnets that need access to the internet.

 

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.