HPE Community
Web and Unmanaged
1753823 Members
8919 Online
108805 Solutions
New Discussion юеВ

Re: Tagged VLANs not getting DHCP/traffic on 1920 and 5130 switches?

 
ltsjohnny
Occasional Visitor

тАО01-04-2018 06:02 PM - edited тАО01-09-2018 07:50 AM

тАО01-04-2018 06:02 PM - edited тАО01-09-2018 07:50 AM

Tagged VLANs not getting DHCP/traffic on 1920 and 5130 switches?

I have 3 clients all running Watchguard Fireboxes, Watchguard APs, and HP switches. 2 of the clients have 1920s, one has a 5130. The two 1920 clients have VLAN1 default corp lan and VLAN20 for guest wifi. The 5130 client has 6 VLANs...1corp/lan, 20guest, 30 production network, 40 redundant ISP from remote site 1, 50 voip, 60 remote site 1-fiber, 70 remote site 2-fiber.

The VLANs are created on the Watchguard Fireboxes except for clientwith 5130...it only has 1, 20, and 30 configured...40, 50, 60, 70 are not created on their Firebox yet.   Corp and Guest VLANS at all three clients have DHCP enabled on them in the Fireboxes.

Both 1920 switches have all ports untagged VLAN1. Port 24 of each switch goes to Firebox and is set for 1U/10T/PVID1/Trunk. Each switch port that has an AP plugged in to it is set as 1T/10U/PVID1/Trunk. If I log in to guest wireless I do not get an IP from the DHCP Server on VLAN20.  I have webGUI access to these switches via a remote machine at these sites, but have not tried configuring SSH/Telnet in webGUI to see if I can putty in to them from those remote machines.

The 5130 site has witch port 24 to Firebox set as Trunk/PVID1/Permit1,20,30,50,60,70 and everything else default...clients on VLAN1 can't get out to internet or ping router so I had to plug router in to another temporary port(default pvid1/access) to get them online and talking to the router. Switch port 23 to AP is Trunk/PVID1/Permit20 and everything else default...guest wireless clients not getting DHCP.  Switch fiber port 25 is remote site 1 and is Trunk/PVID1/Permit-1,20,50,60. Switch fiber port 26 is remote site 2 and is Trunk/PVID1/Permit-1,20,40,70.  Both those sites have internet connectivity.  The goal for those sites is separate VLANs from everything, but connectivity to the shared domain controller/fileserver on VLAN1.  The fact these two seem to work, yet their VLANs aren't yet configured in the Firebox, is odd and perhaps a hint at what might be wrong?  I have webGUI access via a remote machine at this site, enabled SSH and telnet to use putty from that remote machine, but ssh unexpectedly closes after login and telnet connects and immediately says failed login and I can't figure out why.

I do not have physical access to the sites with 1920 switches.  I have limited access to the site with the 5130 and major changes needed to be performed after hours and scheduled in advance.

0 Kudos
3 REPLIES 3
ltsjohnny
Occasional Visitor

тАО01-04-2018 06:38 PM

тАО01-04-2018 06:38 PM

Re: Tagged VLANs not getting DHCP/traffic on 1920 and 5130 switches?

Could an admin please move this post to the appropriate section?  For some reason it ended up under Legacy and these are currently offered products.  Thanks.

0 Kudos
Vince-Whirlwind
Honored Contributor

тАО01-07-2018 09:34 PM

тАО01-07-2018 09:34 PM

Re: Tagged VLANs not getting DHCP/traffic on 1920 and 5130 switches?

I'm not sure if I understand this:
1T/10U/PVID1/Trunk

Does that mean you have PVID set to 1 but you have VLAN 10 set as untagged? I'm not even sure the switch would allow you to configure it that way...

You talk about your VLAN configs but your question is about IP connectivity.

You need to explain where each VLANs default gateway is configured in the network and confirm that devices on each VLAN can ping their default gateway.

Once each VLAN has devices on it that can ping their default gateway you can look at your routing - how do the devices get to subnets beyond their own segment - the device that has the default gateway address would need IP forwarding config if the DHCP server is in a different segment, default route to the device that has the internet access, and that device in turn may need a route back to the internal subnet if it isn't on the same segment.

It may be best to break down your question into smaller, simple chunks - for example, let's not talk about 3 networks all at once. Let's just talk about 1 device on one network, the full ip configuration of it and its network infrastructure, DHCP server details and router details. You get that working then you will have a model to follow for the rest.

0 Kudos
ltsjohnny
Occasional Visitor

тАО01-09-2018 07:48 AM - edited тАО01-09-2018 07:53 AM

тАО01-09-2018 07:48 AM - edited тАО01-09-2018 07:53 AM

Re: Tagged VLANs not getting DHCP/traffic on 1920 and 5130 switches?

Sorry, that was a typo, meant to say 1U/10T/PVID1.

The VLANs are created and assigned an IP in their respective subnets on the Watchguard, so I assume those IPs are the VLAN gateways?  In these VLAN configs on the Watchguard, each VLAN has it's own DHCP server enabled for their respective subnets.  Example - VLAN20 has an interface IP of 192.168.20.5 with DHCP Server enabled with a scope of 192.168.20.100-200.  VLAN20 is added to switch with an interface IP of 192.168.20.10.  Most VLANs will need to communicate with a domain controller/fileserver on the main corporate network/VLAN1 which is 192.168.1.x(main gateway/router/firewall is 192.168.1.1, server is 192.168.1.10, etc).  Guest wireless, or VLAN20, only goes out to the internet and should have no connectivity to anything else in any other VLAN/network.

On Saturday I went on site with the 5180 client and I tried setting an unused switch port as 20U/PVID20/Access and plugged my laptop in to it to see if any VLAN20 traffic was passing and it did not work.  Through a bunch of troublshooting and tests I somehow got everything working, no idea how, I've gone over the conifg numerous times and it doesn't look like I did anything different than before.  Router is plugged in to trunk port 24 of switch, all tagged VLANs appear to be passing traffic, accessing the server on VLAN1, etc.  Need to make sure my inter-vlan traffic/firewall policies are configured correctly, especially to make sure VLAN20/guest wireless is segrated out to the internet, but so far so good.

On the two 1920 clients I still couldn't get VLAN20(tagged) working to get the guest wireles segrated and sent out straight to the internet.  Other than default/cop VLAN1 that is the only VLAN, so the simplest configuration, but it doesn't work for whatever reason.  They're located on the other side of the country so it's not a easy to untag an unsused port for VLAN20 to plug a device in to see traffic and if DHCP works.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.