Re: 4104gl Inter-VLAN routing clarification

shattoc
New Member

4104gl Inter-VLAN routing clarification

I have my VLAN routing working, but I'm seeking a way to clean it up a bit.

There are five devices involved in this predicament:

Router: 10.1.0.1/8
Firewall: 10.1.0.2/8
ProCurve: 10.1.0.50/8 with 0.0.0.0 static route to 10.1.0.1
    DEFAULT_VLAN: 10.1.0.50/8
    VLAN2: 172.16.4.1/24
Host1: 10.1.3.198/8 with default gw 10.1.0.1 or 10.1.0.2 (tested with both)
Host2: 172.16.4.3/24 with default gw 172.16.4.1

ip routing is enabled on the ProCurve and all VLAN ports in both VLANs are untagged.

The Firewall contains an ip route:

    ip route 172.16.4.0/24 via 10.1.0.50

It also includes a 1:1 NAT to expose 172.16.4.3 via a static public IP address.

The ProCurve includes the 0.0.0.0 static route to 10.1.0.1 so that 172.16.4.0/24 from the NAT pair can reach the internet.

The router forwards all internal packets to 10.1.0.2 as the next hop router. The only traffic it ever actually processes itself is internet-bound traffic.

In this configuration, if I ping from Host1 (10.1.3.198) to Host2 (172.16.4.3) I get no reply.

If I change the default gw on Host1 to be 10.1.0.50 and ping to Host2 I get replies.

If I change the default gw back to 10.1.0.1 or 10.1.0.2 on Host1 and add a static route for 172.16.4.0/24 packets via 10.1.0.50 I get replies (obviously).

What I would PREFER is that hosts on 10.0.0.0/8 with a default gw of 10.1.0.1 or 10.1.0.2 can send and receive packets to hosts in 172.16.4.0/8 without additional route configuration. It's not the end of the world, but if this can't be accomplished I have to change the default gw on all my servers and management machines to 10.1.0.50 because I'm moving a number of servers into VLAN2 and they need to be able to continue talking.

Just to throw one more kink into things...

We have a web filter at 10.1.0.3 that can have static routes added to it and can act as a gw. If I add a route to it:

    ip route 172.16.4.0/24 via 10.1.0.50

and then make 10.1.0.3 my default route on Host1, Host1 can reach it because 10.1.0.3 redirects packets bound for Host2 to 10.1.0.50. No other configuration needed. Yet, what appears to be virtually the same route on the firewall doesn't work.

I think the key here is I'm not understanding the DEFAULT_VLAN and VLAN2 routes in the routing table. My assumption was that once ip routing was enabled any traffic bound for 172.16.4.0/8 that hit 10.1.0.50 would be routed across the VLANs and vice versa (traffic that hit 172.16.4.1 bound for 10.0.0.0/8 would be sent to 10.1.0.50 which would then send it to the destination machine) but that doesn't seem to be happening.

Any ideas?

P.S. this thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. - Hp Forum moderator

Vince_Whirlwind
Trusted Contributor

Re: 4104gl Inter-VLAN routing clarification

You have hosts on the same subnet as 3 routers (routing switch, router, and firewall). This will cause confusion and asymmetric routing.

Re-draw your network design: your hosts on VLAN1 should have 1 default router. The connection from that router to other layer 3 devices should be designed as point-to-point links.

"any traffic bound for 172.16.4.0/8 that hit 10.1.0.50 would be routed across the VLANs"

This is the bit you've got wrong - no traffic is bound for "172.16.4.0/8": individual packets are addressed with a destination IP of, say, 172.16.4.45, and the host encapsulates that within a frame addressed to the MAC address of the device configured as its default gateway. Return traffic can thus take a different path because the *first* router with a leg in the destination subnet will encapsulate the return packet with a frame addressed to the MAC address of the destination device.

The bottom line is you shouldn't have multiple routers in a single subnet, except where it is a point-to-point link.
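To make the reply's point about asymmetric paths concrete, here is an added example (not from the thread or from HPE) that models the posted topology as per-device routing tables and traces the echo request and its reply hop by hop. The device names and the router's habit of handing internal traffic to the firewall are assumptions taken from the original post; the addresses are the ones posted.

```python
import ipaddress

# Constructed model of the thread's topology (addresses are the ones in the post).
# Each table is a list of (prefix, next_hop); next_hop None means directly connected.
ADDRS = {"10.1.0.1": "router", "10.1.0.2": "firewall", "10.1.0.50": "procurve",
         "172.16.4.1": "procurve", "10.1.3.198": "host1", "172.16.4.3": "host2"}

def build_nodes(host1_gateway):
    """Routing tables for every device, parameterised on Host1's default gateway."""
    return {
        "host1":    [("10.0.0.0/8", None), ("0.0.0.0/0", host1_gateway)],
        "router":   [("10.0.0.0/8", None), ("0.0.0.0/0", "10.1.0.2")],  # assumed: internal -> firewall
        "firewall": [("10.0.0.0/8", None), ("172.16.4.0/24", "10.1.0.50"), ("0.0.0.0/0", "10.1.0.1")],
        "procurve": [("10.0.0.0/8", None), ("172.16.4.0/24", None), ("0.0.0.0/0", "10.1.0.1")],
        "host2":    [("172.16.4.0/24", None), ("0.0.0.0/0", "172.16.4.1")],
    }

def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None when nothing matches."""
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(nodes, src, dst_ip, max_hops=8):
    """Device-by-device path a packet takes from src to dst_ip, ending at the host or a DROP."""
    dst = ipaddress.ip_address(dst_ip)
    path, node = [src], src
    for _ in range(max_hops):
        route = lookup(nodes[node], dst)
        if route is None:
            return path + ["DROP(no route)"]
        _net, nh = route
        if nh is None:                      # connected subnet: frame goes straight to the host's MAC
            return path + [ADDRS[dst_ip]]
        node = ADDRS[nh]                    # otherwise the frame is addressed to the next hop's MAC
        path.append(node)
    return path + ["DROP(loop)"]

def symmetric(nodes, a_ip, b_ip):
    """True only if the reply passes back through exactly the devices the request used."""
    fwd = trace(nodes, ADDRS[a_ip], b_ip)
    rev = trace(nodes, ADDRS[b_ip], a_ip)
    return fwd == list(reversed(rev))

if __name__ == "__main__":
    for gw in ("10.1.0.2", "10.1.0.50"):      # firewall as gateway vs. the ProCurve as gateway
        nodes = build_nodes(gw)
        print(gw, trace(nodes, "host1", "172.16.4.3"), trace(nodes, "host2", "10.1.3.198"),
              "symmetric" if symmetric(nodes, "10.1.3.198", "172.16.4.3") else "asymmetric")
```

With the firewall as Host1's gateway the request goes host1 > firewall > procurve > host2 but the reply comes back host2 > procurve > host1, so the firewall only ever sees one half of the conversation; with 10.1.0.50 as the gateway both directions use the same device, which matches the behaviour reported in the post.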