HPE Community
Web and Unmanaged
1753678 Members
5746 Online
108799 Solutions
New Discussion

Re: VLAN and Routing problems

 
kanzensolphil
Occasional Visitor

‎01-21-2016 04:27 AM

‎01-21-2016 04:27 AM

VLAN and Routing problems

Guys 

Was wondering if somebody could help me out, im a little confused trying to work out an issue with an inherited network setup, im having a basic problem of trying to get a PC on a subnet out onto the internet, and wondered if somebody could just verify any potential problems.  Network details listed below

So i have two Procurve V1910-48G switches 

First the client side switch, i have a PC on an IP of 192.168.12.108 connected to a switch with the gateway set to its IP of 192.168.12.6, on this switch it has a VLAN 12 which then has a routing table attached (routingtable1) traffic on the outgoing VLAN1 192.168.10.5 is tagged.

Second main switch has a VLAN of 10 with the IP of 192.168.10.5 with all traffic going out to a firewall and in turn out to the internet, routing table attached (routingtable2)

Now if i tracert on my PC i get to 10.5 via 12.6 but then it stops, if i try to ping 10.1 i get request timed out on the PC yet get traffic on the firewall attached (firewall) if i try to browse the internet i get nothing on the firewall and no internet.

Can anyone help please, or point me in the right direction?

Thanks

0 Kudos
4 REPLIES 4
16again
Respected Contributor

‎01-21-2016 12:45 PM

‎01-21-2016 12:45 PM

Re: VLAN and Routing problems

-Does the firewall itself has entry in routing table for 192.168.12.0/24 subnet?  And rules (both access an NAT ) allowing internet access for that subnet?
-Don't draw wrong conclusions for switches not answering in traceroute. I have the newer HP1920, which also doesn't show up in traceroute outputs.  Seems like it simply doesn't send ttl-expired or unreachable packets

 

0 Kudos
kanzensolphil
Occasional Visitor

‎01-21-2016 01:04 PM

‎01-21-2016 01:04 PM

Re: VLAN and Routing problems

Hi 

Thanks for your reply much appreciated, i have a static route for the subnet in the firewall, and it is listed in the routing table (attached) so as far as i can see it should know and route to the subnet?  I have also allowed all trusted networks to access the http rule for internet access.

I was starting to think all was setup correct and if it was a issue with the firewall but im not sure how to diagnose that, just out of interest the 13.0 subnet is VLAN but on the main switch and that works fine for internet access and i can see that going via the firewall.

Any help massively appreciated at this time, as im totally stuck.

Thanks

 

0 Kudos
16again
Respected Contributor

‎01-22-2016 11:02 AM

‎01-22-2016 11:02 AM

Re: VLAN and Routing problems

Seems like this firewall is an ASA. 
Try using its build in packet tracer wizard, it might give a clue where packets end up.

0 Kudos
Vince-Whirlwind
Honored Contributor

‎01-27-2016 07:36 PM

‎01-27-2016 07:36 PM

Re: VLAN and Routing problems

I can't say that this would definitely cause any traffic issues, but you have a design issue: you have 3 Layer3 devices, with a shared subnet spanning all 3. This means you could get asymmetric routing, and/or some other weirdness.

Your PC is sending a packet to, say, 8.8.8.8. According to its subnet mask, the PC can see that this address is off-subnet. Therefore the PC will encapsulate the frame in a packet addressed to Switch2's VLAN1 interface.(...10.5) This interface will then route the packet to an address ... that is in the same subnet! (...10.1).
(Some devices would at this point send an ICMP redirect back to SW1 saying, "use ...10.1 for that destination in future").

A return packet will cause a similar issue.

One issue could be that the TCP stream is starting with a source MAC of switch2, then continuing with a source MAC of SW1. No idea if the FW would get upset about that. Definitely the sort of thing a FW should get upset about though.

Alternatively, the ICMP redirect will cause a new ARP request, and that may be failing for some reason.

You need to ensure that your subnets that join any 2 Layer3 devices do not span to any 3rd (or more) Layer3 device. You just don't need the complication of ICMP redirects trying to put weird stuff in routing tables.

A good LAN design has:
SW1:
VLAN10 Data VLAN for hosts
VLAN101 Point-to-point routed link for neighbouring routing device 1
VLAN102 Point-to-point routed link for neighbouring routing device 2
VLAN103 Point-to-point routed link for neighbouring routing device 3
etc....

Or, even better, you choose one device on your LAN to be the routing device (your network "core"), and all the other switches are layer2 switches, with all IP addressing removed from them except for a management IP address in a dedicated management VLAN. You create a VLAN interface for each VLAN on your "Core", then trunk that VLAN to the switch that uses that VLAN for its hosts. You don't trunk that VLAN anywhere else, and you avoid as much as possible putting multiple VLANs on the same switch.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.