
Re: VLAN access problem

 
RCI
Regular Visitor

VLAN access problem

I have an HPE 5900AF that is the core switch. I have 2 VLANs: the default VLAN1 (192.168.1.1) and VLAN10 (192.168.10.1), with a route to the firewall located at 192.168.1.150, and on VLAN 10 routed to 192.168.10.150. I can access the Internet from the server I have on VLAN 10 and from servers in VLAN 1, and ping phones on VLAN 10 and the PC connected through the IP phone on VLAN 1.

My config on the 5900AF is 1-52 untagged, tagged port 44 (trunk); that port uplinks to an HP 2920 PoE switch on port 1, which is configured with VLAN1 untagged, VLAN10 tagged.

Port 2 of the HP 2920 has the Mitel phone server connected and is untagged VLAN10, tagged VLAN1.

On port 5 of the HP 2920 I have the port untagged VLAN10, tagged VLAN 1, and that phone registers with the phone server. But the attached PC cannot get an IP from the DHCP server on VLAN1.

On port 6 of the HP 2920 I have the port untagged VLAN 1 and tagged VLAN 10, and the phone connected to that port cannot be pinged and does not get an IP from the Mitel 250 phone server, which has DHCP enabled. But the attached PC gets an IP from the DHCP server on VLAN1 and can ping the phone server on VLAN 10.

Now if I reverse the VLAN settings on ports 2, 5 & 6 of the HP 2930, the Mitel 250 phone server becomes unpingable. But the phones now get an IP from DHCP, which is enabled on the Mitel 250, but the phone server can no longer access the Internet, and I can no longer log on to the web interface of the Mitel 250 phone server.

It seems that I can get the phones working with the PC connected to the phones, but then I can no longer manage the phone server unless I connect a computer with a static IP (192.168.10.xxx) to a port that is untagged VLAN 1 and not tagged VLAN 10. But then that PC cannot access the Internet either, and I can't access that PC unless I am standing in front of it to manage the Mitel 250 phone server.

Can anyone help me figure out what I need to do to get things working correctly, whereby the phones get an IP from the phone server located in VLAN 10 and the PCs attached to the IP phones can access VLAN 1, and I can log in to the phone server from either VLAN and any PC I add to VLAN 10 can access the Internet?

9 REPLIES
Vince-Whirlwind
Honored Contributor

Re: VLAN access problem

Your Port6 config is the correct one.

Sounds like the phones don't know which VLAN is the voice VLAN - do you have "voice vlan enable" set on VLAN10?

Also sounds like maybe you don't have an IP helper address set on the VLAN10 router address.

Put together a network diagram showing where the hosts' default gateways are located.

RCI
Regular Visitor

Re: VLAN access problem

I tried manually assigning VLAN 10 to an IP phone on port 6, but it still did not get an IP.

I did have an IP helper address set on VLAN10, but removed it, as when the phone server port was set to VLAN1 untagged, VLAN 10 tagged, the phones were getting IPs but I could not access the phone server to manage it.

And I do not have "voice vlan enable" set on VLAN10. I will enable it and see what happens.

And attached is the network diagram as requested.

 

Vince-Whirlwind
Honored Contributor

Re: VLAN access problem

Yeah, not really setup very well.

1/ Get rid of VLAN10 tagged off the DHCP server port. The DHCP server will see the tagged requests in VLAN10 (as well as the forwarded unicast requests in VLAN1 if you have DHCP forwarding enabled), but because it has no IP address in VLAN10 it will send the responses to the VLAN10 requests via VLAN1, which is just a mess.

2/ VLAN10 on the firewall is either superfluous, or bad design.

3/ MiVBX & "Phone DB server" - why do you have both VLANs on their switchports? Each of them is in VLAN10, or VLAN1, not both.

4/ Uplinks should be both VLANs tagged at both ends, otherwise you can have VLAN-hopping occur. Security issue.

 

The way it works is:

phone boots up
Switch uses LLDP to tell the phone Voice VLAN is 10
phone sends DHCP request on VLAN10
core switch forwards DHCP request off VLAN10 to the DHCP server
DHCP Server replies to the core switch with a DHCP offer
Core switch routes DHCP offer onto VLAN10 and sends it to the phone
Phone acquires IP address and controller address from the Vendor Option in the DHCP offer
Phone registers to the phone controller
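The following is an added configuration example illustrating the setup described in the reply above; it is not configuration from the original poster or from Mitel/HPE documentation. Port numbers are taken from the thread (core port 44 uplinks to 2920 port 1, phone server on 2920 port 2, phones on the remaining ports). The DHCP server address 192.168.1.10, the core interface name Ten-GigabitEthernet1/0/44 and the spare PVID VLAN 999 are assumptions chosen for illustration. Lines starting with ! are comments, not commands.

```text
! ===== HPE 5900AF (Comware 7): Layer 3 core =====
! Routed interfaces are the hosts' default gateways; the relay on
! VLAN-interface10 forwards phone DHCP requests to the server in VLAN1.
dhcp enable
vlan 10
 name Voice
 quit
interface Vlan-interface1
 ip address 192.168.1.1 255.255.255.0
 quit
interface Vlan-interface10
 ip address 192.168.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.1.10      ! assumed DHCP server in VLAN1
 quit
! Uplink to the 2920: VLAN1 and VLAN10 both tagged. On Comware the PVID
! VLAN is sent untagged, so point the PVID at an unused VLAN (assumed 999)
! instead of leaving data VLAN1 as the untagged/native VLAN.
vlan 999
 name Unused-Native
 quit
interface Ten-GigabitEthernet1/0/44
 port link-type trunk
 port trunk pvid vlan 999
 port trunk permit vlan 1 10 999
 quit

! ===== HP 2920 (ProCurve / ArubaOS-Switch CLI): access layer =====
! "voice" marks VLAN10 so LLDP-MED (on by default) advertises it to the
! phones as the voice VLAN; the PC behind each phone stays untagged in VLAN1.
vlan 10
   name "Voice"
   voice
   untagged 2          ! Mitel phone server: VLAN10 only, no VLAN1 tag
   tagged 1,3-48       ! uplink and every phone port carry VLAN10 tagged
   exit
vlan 1
   no untagged 1,2     ! uplink carries VLAN1 tagged; phone server is not in VLAN1
   tagged 1
   untagged 3-48       ! PCs behind the phones
   exit
```

The DHCP scope for VLAN1 on the server still has to carry the Mitel vendor option (the thread refers to option 125) so that a phone which boots without LLDP information can still learn the voice VLAN and controller address. Note that if the Mitel 250's own DHCP service is left answering on VLAN10, two servers will respond to phone requests; pick one. Apply the `no untagged 1` line on the 2920 from the console or via the other VLAN, since it briefly removes the uplink port's only VLAN membership.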

RCI
Regular Visitor

Re: VLAN access problem

I changed port 5 to match the port 6 settings. I also noticed that in the config under VLAN1 it showed "no untagged port 2", so I changed it so that it now shows VLAN10 untagged port 2, VLAN1 tagged.

Now the phone will get an IP from DHCP only if I config the phone to VLAN10. Then it gets an IP address from the Mitel 250 and the PC attached to the phone gets an IP from DHCP on VLAN1.

My remaining issue is why do I have to config the phone to vlan 10 before it will get an ip address from the DHCP server?

Vince-Whirlwind
Honored Contributor

Re: VLAN access problem

What is the purpose of having VLAN1 tagged on Port 2?

If you have to configure the phone's VLAN before it will get an IP address, that indicates that LLDP isn't configured. It also tells me that your IP-helper isn't configured and/or you don't have the Mitel vendor option configured in the VLAN1 scope.

There are two ways to tell your phone what its VLAN is:
1/ LLDP
2/ Vendor option in the VLAN1 scope.

RCI
Regular Visitor

Re: VLAN access problem

So that the phone admin software installed on a server in VLAN1 can be used to manage the phone server. I had the IP helper assigned in VLAN10. I will change it to VLAN1 and test.

I am not familiar with LLDP, so I have not made changes to it. But after reviewing an HPE help doc on it, and finding an "Interoperability between Mitel IP phones and ProCurve Switches" app note, I now am beginning to understand why LLDP is going to become very important to prioritizing the voice traffic, and how it will take care of the VLAN assignments. Once I determine the DSCP codepoint, I need to assign the following policy.

Vlan 10 voice

Vlan 10 tagged 1,4-48 untagged 2

int 1-48 qos priority 7

vlan 10 qos dscp-map  <codepoint> priority <0-7>

Vince-Whirlwind
Honored Contributor

Re: VLAN access problem

No, don't use "7", that is wrong.
HP & Mitel both tell you to use "6" and even though that is also wrong, so long as you only have HP & Mitel in your network, it will work fine.

Because "6" is the default you don't need either of those qos commands - you've told it VLAN10 is voice, so the incoming packets will be trusted.

On your phone controller, make sure QOS is set to 6, and also make sure your DHCP scope vendor option 125 is telling "6" to the handsets.

Vince-Whirlwind
Honored Contributor

Re: VLAN access problem

I asked
What is the purpose of having VLAN1 tagged on Port 2?

You replied
So that the Phone admin software installed on a server in vlan1 can be used to manage the phone server.

Correct me if I'm wrong, but the phone server and the admin server are on different VLANs and in different subnets. The phone server doesn't even have an IP address in VLAN1. So what is the purpose of trunking VLAN1 to it? Is something weird going on?

The basic concept here is this: A VLAN is a network. Everything in the same VLAN is in the same subnet.
Anything trying to get to something in a different VLAN (= trying to get to something in a different subnet), has to go via its default gateway.
The default gateway is where your different networks (different VLANs) touch each other.

Another thing you should fix is that you have your networks being routed by a Layer 3 switch AND by a firewall. You shouldn't span one network across multiple routers like that. The link between "core" switch and firewall should *not* be in the same subnet as any hosts that are using one of those devices as a default gateway.
(Multiple routers on a Layer2 segment are fine so long as every host's routing table has the correct route for the destination network, not something that applies when you are using one of them as a "default gateway").
What's going to happen is your hosts are going to have temporary static routes inserted in their routing tables by ICMP redirects from devices that see there is asymmetric routing going on. Also, depending on your firewall, it might see dodgy-looking routing and cause you problems.
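As an added illustration of the design recommended in the reply above (not configuration from the original poster or from any vendor document): a dedicated transit subnet between the core switch and the firewall, so that neither the 192.168.1.0/24 nor the 192.168.10.0/24 host networks has two routers on it. The transit subnet 192.168.254.0/30, VLAN 254, the core port GigabitEthernet1/0/48 and the firewall's inside address 192.168.254.2 are assumptions for illustration; the firewall side is written as vendor-neutral pseudo-config because the thread does not identify the firewall.

```text
! ===== HPE 5900AF (Comware 7): point-to-point link to the firewall =====
vlan 254
 name Transit-FW
 quit
interface Vlan-interface254
 ip address 192.168.254.1 255.255.255.252   ! assumed transit subnet
 quit
interface GigabitEthernet1/0/48              ! assumed port facing the firewall
 port link-type access
 port access vlan 254
 quit
! Everything not directly connected goes to the firewall over the transit link.
ip route-static 0.0.0.0 0.0.0.0 192.168.254.2
! VLAN-interface1 (192.168.1.1) and VLAN-interface10 (192.168.10.1) remain the
! only default gateways for hosts; the firewall no longer has an address in
! either host subnet.

! ===== Firewall (pseudo-config, vendor not identified in the thread) =====
inside interface: 192.168.254.2/30
static route 192.168.1.0/24  via 192.168.254.1
static route 192.168.10.0/24 via 192.168.254.1
default route via ISP
```

With this layout every host has exactly one router on its segment, so no ICMP redirects are generated and the firewall sees traffic from both LANs arriving symmetrically over one interface. This is the same result the original poster reports reaching later in the thread by removing the VLAN interfaces from the firewall and adding a route for the VLAN10 subnet.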

RCI
Regular Visitor

Re: VLAN access problem

Thank you for explaining why I don't need separate routers. I removed the VLANs from the firewall, which caused VLAN10 to not be able to get to the Internet. But after I added a route to the firewall for the VLAN10 subnet I could get to the Internet.

Although I did not experience any issue as I had it configured, I made the change so that if I did have any issues down the road it wouldn't be because of the way I got it to work, versus how it should be working!