
5406zl Vlan setup

 
synaesthesia
Frequent Advisor

5406zl Vlan setup

Vlans appear to be set up and speaking well. Rough setup is:

 

3 vlans. 101 is site A, 102 is site B and 103 is for servers (which are across both sites)

 

DHCP working well on each system.

  

Setup from one of the switches (Site B)

(B21 is link from one switch to the other)

 

ip routing
ip udp-bcast-forward
vlan 1
name "DEFAULT_VLAN"
untagged B21-B24
no untagged A1-A24,B1-B20
no ip address
exit
vlan 101
name "Site A Switches"
ip address 192.168.3.10 255.255.255.0
exit
vlan 102
name "Site B Switches"
ip address 192.168.2.10 255.255.255.0
untagged A1-A24,B1-B20
ip helper-address 10.12.148.16
exit
vlan 103
name "Servers"
untagged B20
ip address 10.12.148.17 255.255.252.0
exit
snmp-server community "public" unrestricted
vlan 101
ip rip 192.168.3.10
ip rip 192.168.3.10 receive v1-only
ip rip 192.168.3.10 send v1-only
exit
vlan 102
ip rip 192.168.2.10
ip rip 192.168.2.10 receive v1-only
ip rip 192.168.2.10 send v1-only
exit
vlan 103
ip rip 10.12.148.17
ip rip 10.12.148.17 receive v1-only
ip rip 10.12.148.17 send v1-only
exit

 

 

DHCP server is 10.12.148.16 and plugs into B20.

 

Problem is that the clients plugged into Site B switch can't communicate with the server plugged into Site A switch and vice versa. Any tips? :)

 

MarJ
Advisor

Re: 5406zl Vlan setup

Hi,

 

You are using the link in VLAN 1 (B21) as the connection between sites, but if you want to route you have to declare a network and IP addresses for that between sites.

synaesthesia
Frequent Advisor

Re: 5406zl Vlan setup

Hi - sorry that's not the case. Vlan1 is not used therefore it doesn't need an IP address. The config could be tidied up to remove all mentions of it.

The important bits are further on in the config.

Mark Wibaux
Trusted Contributor

Re: 5406zl Vlan setup

What's the default gateways of your servers and your clients?

 

Make sure they are set to the IP address allocated to the switch in the relevant VLAN.

 

 

Helper
Valued Contributor

Re: 5406zl Vlan setup

Hi,

 

If the other switch is not a routing switch, then you will need to tag all your VLANs on the inter-switch link.

 

Can you provide the Site A configuration ? I think that your configuration is not correct at that time.

 

Regards,

MarJ
Advisor

Re: 5406zl Vlan setup

Hi,

 

If routing is only provided on switch B, you should allow VLANs 103 and 101 on the link between the switches.

 

 

synaesthesia
Frequent Advisor

Re: 5406zl Vlan setup

Other switch is identical (they are a pair of 5406zl units)

 

Config is the same but with vlan details pretty much swapped.

 

Gateway on the servers is the relevant VLAN ip address. Funnily enough I didn't consider the same for the clients - that won't be a problem as DHCP would dish out the right gateway address. Will try that when I have access to the switches again.

Helper
Valued Contributor

Re: 5406zl Vlan setup

hi,

 

If you do not use VRRP, then I think that your configuration is the problem.

Regarding the partial snapshot provided in this post, the port VLAN configuration is very strange/confused.

 

Can you provide your entire configuration for these two sites  ?

 

Regards,

synaesthesia
Frequent Advisor

Re: 5406zl Vlan setup

No worries. 

 

Only just heard of VRRP as you mention it now and looked it up. Would that provide any benefits? From the very little I've understood about it, it wouldn't help our problem of cutting down broadcast traffic over the physical switches - or would it?

 

Not that it matters - there's no way in hell we're forking out that much for a premium licence - as impressed as I am with HP kit I find their licensing system pathetic.

 

Current configs as follows:

 

SITE A switch:

 

ip routing
ip udp-bcast-forward
vlan 1
name "DEFAULT_VLAN"
no ip address
exit
vlan 101
name "Site A Switches"
tagged B21
untagged A1-A24,B1-B13
ip address 192.168.3.9 255.255.255.0
ip helper-address 10.12.148.13
exit
vlan 102
name "Site B Switches"
ip address 192.168.2.9 255.255.255.0
tagged B21
exit
vlan 103
name "Servers"
tagged B21
untagged B14-B20
ip address 10.12.148.14 255.255.252.0
exit
snmp-server community "public" unrestricted
vlan 101
ip rip 192.168.3.9
exit
vlan 102
ip rip 192.168.2.9
exit
vlan 103
ip rip 10.12.148.14
exit

 

SITE B Switch

 

ip routing
ip udp-bcast-forward
vlan 1
name "DEFAULT_VLAN"
no ip address
exit
vlan 101
name "Site A Switches"
tagged B21
ip address 192.168.3.10 255.255.255.0
exit
vlan 102
name "Site B Switches"
ip address 192.168.2.10 255.255.255.0
tagged B21
untagged A1-A24,B1-B13
ip helper-address 10.12.148.16
exit
vlan 103
name "Servers"
tagged B21
untagged B14-B20
ip address 10.12.148.17 255.255.252.0
exit
snmp-server community "public" unrestricted
vlan 101
ip rip 192.168.3.10
exit
vlan 102
ip rip 192.168.2.10
exit
vlan 103
ip rip 10.12.148.17
exit

 

A bit tidied up from the last one, excuse any elementary mistakes.

 

Helper
Valued Contributor

Re: 5406zl Vlan setup

Hi,

 

Thanks for your feedback, now I have a better understanding of what I expect regarding your situation.

 

Can you try something ?

- add ip helper-address in all VLANs (but not VLAN 103) on all switches.

 

- on one switch (only one) remove all vlan ip address, beware to be sure that the corresponding address is not used by your users/servers/end-nodes. Otherwise configure the gateway address for the end-node to point to the same switch/vlan address for all sites/end-nodes.

 

Tell us if it is better.

If yes, and if you need LAN Layer 3 redundancy, one more time VRRP should be the best solution.

If you would like to continue using RIP for that you will need to be sure that all your end-nodes are using DHCP (ALL), then in case of failure you will need to change the gateway address manually for the corresponding scope and force the bindings to be updated (or configure a short binding period like 15 min; beware of the relevant traffic growth for your server).

There are other protocols like IRDP, but I don't know if it is supported by the switches, much less by all your end-nodes.

 

Bye.

synaesthesia
Frequent Advisor

Re: 5406zl Vlan setup

Cheers, we will have a try.

 

The whole idea of the operation is to cut out the broadcast traffic between the switches as they are on separate sites connected via single mode fiber and we don't have the ability to trunk (link aggregate) it. So we need to cut out data going unnecessarily over this link.

 

I think we already tried the ip-helper on all vlans except 103 but I can't remember the outcome. I'll give it another try.

 

Many thanks for the support so far.

Helper
Valued Contributor

Re: 5406zl Vlan setup

OK, so the best solution is to dedicate VLANs (user/server) by building. Then your RIP redundancy will be a good choice if you do some tuning to the timers.
At that time you should have asymmetric routing so you should encounter Ethernet flooding. This could be verified using Wireshark; there are many articles on the web regarding asymmetric routing behaviour.

Bye.
Mark Wibaux
Trusted Contributor

Re: 5406zl Vlan setup

As it stands now your configuration does nothing to stop broadcasts etc from traversing the link between the sites because you have just extended all your VLANs across the link.

If you are trying to cut down on the traffic going across the link between sites then you really need to look at a dedicated VLAN linking the two sites and then route through this VLAN.

 

Assuming B21 is your site to site link

 

So site A would have

VLAN 101 (Site A devices) - 192.168.3.9 255.255.255.0 (Make sure port B21 is NOT in this VLAN)
VLAN 103 (Site A servers) - 10.12.148.14 255.255.252.0 (Make sure port B21 is NOT in this VLAN)
VLAN 999 (link to site B) - 10.0.0.1 255.255.255.252 - Untagged B21

 

So site B would have

VLAN 102 (Site B devices) - 192.168.2.10 255.255.255.0 (Make sure port B21 is NOT in this VLAN)

VLAN 104 (Site B servers) - 10.12.152.14 255.255.252.0 (NOTE: Different IP and VLAN to site A) (Make sure port B21 is NOT in this VLAN)

VLAN 999 (link to site B) - 10.0.0.2 255.255.255.252 - Untagged B21

 

You could either use RIP to advertise the routes between the switches or setup the correct static routes in the switches so each site knows how to get to the other sites subnets.

 

Also regarding the premium licensing for the 5400zl series. Depending on the age and the model purchased you might already have the premium license. I can only comment on Australia but all v2 chassis (and some v1) and bundles can now only be purchased with the premium license already embedded in the switch. Run the command "show licenses" and see what is reported for your chassis.
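
Added example (not part of the original thread and not HP tooling): a small Python check that reads a ProVision-style config and reports which VLANs are carried on the inter-site port, which is the point made in the reply above about VLANs being extended across the link. It also flags the default `public` SNMP community that appears in every config posted here. The sample is the Site A config from earlier in the thread, abridged; the function names are hypothetical.

```python
import re

# Site A config as posted earlier in the thread, abridged to VLAN membership,
# addressing and the SNMP line.
SITE_A_CONFIG = '''\
vlan 101
tagged B21
untagged A1-A24,B1-B13
ip address 192.168.3.9 255.255.255.0
exit
vlan 102
ip address 192.168.2.9 255.255.255.0
tagged B21
exit
vlan 103
tagged B21
untagged B14-B20
ip address 10.12.148.14 255.255.252.0
exit
snmp-server community "public" unrestricted
'''

def expand_ports(spec):
    """Expand 'A1-A24,B20' into a set of port names (a range stays within one slot)."""
    ports = set()
    for part in spec.split(","):
        m = re.fullmatch(r"([A-Z]+)(\d+)(?:-[A-Z]+(\d+))?", part.strip())
        if not m:
            continue
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        ports.update(f"{m.group(1)}{n}" for n in range(lo, hi + 1))
    return ports

def audit(config, link_port):
    """Return (VLAN ids explicitly carried on link_port, other findings)."""
    carried, findings, vlan = [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m.group(1))
        elif line == "exit":
            vlan = None
        # "no untagged ..." lines do not match here, so removals are ignored.
        elif vlan is not None and (m := re.fullmatch(r"(tagged|untagged) (\S+)", line)):
            if link_port in expand_ports(m.group(2)) and vlan not in carried:
                carried.append(vlan)
        elif m := re.fullmatch(r'snmp-server community "([^"]+)" unrestricted', line, re.I):
            findings.append(f'SNMP community "{m.group(1)}" has unrestricted (read-write) access')
    return carried, findings

if __name__ == "__main__":
    print(audit(SITE_A_CONFIG, "B21"))
```

With the routed design suggested above, the same check on the link port should report only the dedicated link VLAN.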

synaesthesia
Frequent Advisor

Re: 5406zl Vlan setup

Cheers, Mark - we basically wanted to get it to a working state and working from there up.

I didn't think about doing it like that - I will give that a try in new year (on holiday now)

 

I doubt we have premium licensing on the switches - I will also take a look but we got them for an absolute snip of a price!

 

Have a good Christmas and many thanks for the support, both of you.

synaesthesia
Frequent Advisor

Re: 5406zl Vlan setup

Hope everyone had a good Christmas!

 

Just about to try out the above config. Amusingly, just did "show licenses" and we do indeed have premium licence! Happy days!

Helper
Valued Contributor

Re: 5406zl Vlan setup

It's proof that Santa Claus exists!

 


synaesthesia
Frequent Advisor

Re: 5406zl Vlan setup

Indeed! Now reading up on VRRP as the more I read about it the more useful it sounds. Redundancy is never a bad thing!

 

 

Edit:

 


Argh. Can always find plenty of examples (including HP documentation, obviously) with regards to using VRRP in same-site setups however when splitting the sites and naturally avoiding cross link broadcast traffic things become infinitely blurrier. Can anyone help shed some light on using VRRP in this setup?

synaesthesia
Frequent Advisor

Re: 5406zl Vlan setup

Righty,

 

Mark, I've been attempting the changes you specified with little to no luck.

 

Config currently looks something like:

 

SITE A:

 

hostname "SiteA"
ip routing
vlan 1
  name "DEFAULT_VLAN"
  no untagged A1-A24,B1-B24
  no ip address
  exit
vlan 101
  name "Site A Devices"
  untagged A1-A24,B1-B12
  ip helper-address 10.12.148.13
  ip helper-address 192.168.3.13
  ip address 192.168.3.9 255.255.255.0
  exit
vlan 103
  name "Site A Servers"
  untagged B13-B23
  ip helper-address 10.12.148.13
  ip helper-address 192.168.3.13
  ip address 10.12.148.14 255.255.252.0
  exit
vlan 999
  name "Link"
  untagged B24
  ip address 10.0.0.1 255.255.255.252
  exit
router rip
  enable
  exit
snmp-server community "public" unrestricted
vlan 101
  ip rip 192.168.3.9
  exit
vlan 103
  ip rip 10.12.148.14
  exit
vlan 999
  ip rip 10.0.0.1
  exit

 

*********

 

SITE B:

 

hostname "SiteB"
ip routing
vlan 1
  name "DEFAULT_VLAN"
  no untagged A1-A24,B1-B24
  no ip address
  exit
vlan 102
  name "Site B Devices"
  untagged A1-A24,B1-B12
  ip helper-address 10.12.148.16
  ip helper-address 192.168.3.16
  ip address 192.168.2.9 255.255.255.0
  exit
vlan 104
  name "Site A Servers"
  untagged B13-B23
  ip helper-address 10.12.148.16
  ip helper-address 192.168.3.16
  ip address 10.12.152.14 255.255.252.0
  exit
vlan 999
  name "Link"
  untagged B24
  ip address 10.0.0.2 255.255.255.252
  exit
router rip
  enable
  exit
snmp-server community "public" unrestricted
vlan 102
  ip rip 192.168.2.9
  exit
vlan 104
  ip rip 10.12.152.14
  exit
vlan 999
  ip rip 10.0.0.2
  exit

 

*******

 

B24 is now the link (just to make it easier for me to test and type!)

 

Each switch can ping each other without an issue. I'm concentrating on getting one switch working atm, which is Site A.

So, Site A, if a machine is in the DEVICES vlan (101) it cannot get an IP address from the server. The switch can ping the server's 10.12.148.13 address but NOT its 192.168.3.13 address. A client plugged into DEVICES vlan with a static address can ping both switch addresses but not the server 192 address.

It appears as if routing isn't working - I suspect this is a matter of tagging though - beforehand I guess RIP worked through the common tagged ports. As all are untagged, where would I need to tag, if this is indeed the case? Would I need a physical link between them?

 

 

Mark Wibaux
Trusted Contributor

Re: 5406zl Vlan setup

Perhaps as you have so few ip subnets it might be worthwhile starting off with just static routes in the two switches and see if it works.

 

Once you have that sorted then start looking at RIP. At least that way you might be able to narrow down the issue.

 

So on the Site A switch the routes would be something like

ip route 192.168.2.0 255.255.255.0 10.0.0.2

ip route 10.12.152.0 255.255.252.0 10.0.0.2

 

and the Site B

ip route 192.168.3.0 255.255.255.0 10.0.0.1

ip route 10.12.148.0 255.255.252.0 10.0.0.1

 

Don't forget to set the correct default routes (ip route 0.0.0.0 0.0.0.0 ??.??.??.??)

 

As for VRRP with different sites there really isn't much you can do about it, the VLANs have to be able to traverse the link just in case the routing engine is down at one site the other has to be able to take over routing duties for that VLAN.

However, when you think about it, in the case of just 2 sites with a single link VRRP doesn't do much for you, as if either switch is down then the link between the sites is likely to be down and there is no way for traffic from a VLAN at site A to traverse to the backup router at Site B anyway.

 

Glad that Santa had a nice "premium" present for you :)

 

 

synaesthesia
Frequent Advisor

Re: 5406zl Vlan setup

Absolutely fantastic, Mark you are a lifesaver.

 

This has gone rather well - everything speaks to each other as they should, clients can't speak to each other which is great but can speak to servers and printers etc. It does mean we need to change the IP addresses on stations at the other site but that won't be a problem.

My last remaining concern is that we are connected to the internet via a Cisco router which we are not allowed to touch. Its IP is 10.12.148.1, and annoyingly sits on the other site.

 

Am I right, that with default route set as "ip route 0.0.0.0 0.0.0.0 10.12.148.1" that should allow us to continue as required?

 

One small thing is that this only works if we put a physical cable between the vlans (so one cable between the device and server vlans on each switch). I'm sure there's an easy way to negate that?

 

Thanks so much for the input, we've dived into this knowing next to nothing about the more advanced side of networking and your examples alone have gone a long way towards helping us understand static routes and the finer arts of vlans :)

 

synaesthesia
Frequent Advisor

Re: 5406zl Vlan setup

Right, more testing and all is good.

 

I'd like to get rid of the cables linking the vlans though - I'm guessing this is something that RIP would resolve instantly?

 

Where would we start with RIP? The config I would imagine would be identical to what wasn't working previously.

Mark Wibaux
Trusted Contributor

Re: 5406zl Vlan setup

Sorry been away for a few days.

 

Not sure what you mean about putting a cable between the VLANs. If your IP addressing is correct on the end devices and they are placed in the correct VLANs then the switches should handle routing between the different networks. You should not need to link the VLANs together physically.  

 

Based on the last configs you posted

At Site B

You would have any servers plugged in to ports B13-B23 and they would have IP addresses in the 10.12.152.0/255.255.252.0 subnet and would have their default gateway set to 10.12.152.14.

You would have any other devices plugged in to ports A1-A24,B1-B12  and they would have IP addresses in the 192.168.2.0/255.255.255.0 subnet and would have their default gateway set to 192.168.2.9.

As your internet link is at Site A then you could just set a default route on the Site B switch that points to the Site A switch. Command would be

ip route 0.0.0.0 0.0.0.0 10.0.0.1

 

At Site A

You would have any servers plugged in to ports B13-B23 and they would have IP addresses in the 10.12.148.0/255.255.252.0 subnet and would have their default gateway set to 10.12.148.14. You would also have your Internet router plugged in to one of these ports.

You would have any other devices plugged in to ports A1-A24,B1-B12 and they would have IP addresses in the 192.168.3.0/255.255.255.0 subnet and would have their default gateway set to 192.168.3.9.

As your internet link is at this site the default route for the Site A switch would be the Internet router. Command would be

ip route 0.0.0.0 0.0.0.0 10.12.148.1

If not using RIP you would also need to make sure that the Site A switch knows about the Site B subnets (which we've previously discussed)

ip route 192.168.2.0 255.255.255.0 10.0.0.2

ip route 10.12.152.0 255.255.252.0 10.0.0.2

 

 

Your biggest problem however is the Internet router. It needs to know about all the other subnets in your network so it knows how to route traffic back in to your environment. It would need the following four routes added all pointing at the IP address of the Site A switch (10.12.148.14).

ip route 192.168.3.0 255.255.255.0 10.12.148.14

ip route 10.0.0.0 255.255.255.252 10.12.148.14

ip route 192.168.2.0 255.255.255.0 10.12.148.14

ip route 10.12.152.0 255.255.252.0 10.12.148.14

 

If you can't get direct access to this router then you will need to request that your ISP add them in.

 

Of course the other option is to get RIP working but you will find that you will still need to talk to your ISP (or whomever controls the router) to get RIP enabled and working on it as well.
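
Added example (not part of the original thread): a Python model of the static routes listed in the reply above, using longest-prefix-match lookups to show why the Internet router needs the four return routes. The addresses and routes are those given in the post; the `upstream` next hop standing in for the router's own default route, the device labels and the function names are assumptions.

```python
import ipaddress

def table(*routes):
    """Build a routing table from (prefix, next_hop) pairs; next_hop None = connected."""
    return [(ipaddress.ip_network(p), nh) for p, nh in routes]

# Routes as given in the post above. "upstream" is an assumed placeholder for
# the Internet router's default route towards the ISP.
SITE_A = table(("192.168.3.0/24", None), ("10.12.148.0/22", None), ("10.0.0.0/30", None),
               ("192.168.2.0/24", "10.0.0.2"), ("10.12.152.0/22", "10.0.0.2"),
               ("0.0.0.0/0", "10.12.148.1"))
SITE_B = table(("192.168.2.0/24", None), ("10.12.152.0/22", None), ("10.0.0.0/30", None),
               ("0.0.0.0/0", "10.0.0.1"))
ROUTER_BEFORE = table(("10.12.148.0/22", None), ("0.0.0.0/0", "upstream"))
ROUTER_AFTER = ROUTER_BEFORE + table(
    ("192.168.3.0/24", "10.12.148.14"), ("10.0.0.0/30", "10.12.148.14"),
    ("192.168.2.0/24", "10.12.148.14"), ("10.12.152.0/22", "10.12.148.14"))

# Which device answers on each next-hop address.
OWNER = {"10.0.0.1": "SiteA", "10.0.0.2": "SiteB",
         "10.12.148.14": "SiteA", "10.12.148.1": "Router"}

def trace(tables, start, dst, max_hops=8):
    """Follow longest-prefix-match lookups from start; return (hops, outcome)."""
    dst_ip, device, hops = ipaddress.ip_address(dst), start, [start]
    for _ in range(max_hops):
        matches = [(net, nh) for net, nh in tables[device] if dst_ip in net]
        if not matches:
            return hops, "no route"
        _, nh = max(matches, key=lambda r: r[0].prefixlen)
        if nh is None:
            return hops, "delivered"          # destination is on a connected subnet
        if nh not in OWNER:
            return hops, "left the site via " + nh
        device = OWNER[nh]
        hops.append(device)
    return hops, "loop"

def path(router_table, start, dst):
    """Trace from one device to dst with the given Internet router table."""
    tables = {"SiteA": SITE_A, "SiteB": SITE_B, "Router": router_table}
    return trace(tables, start, dst)

if __name__ == "__main__":
    client = "192.168.2.50"   # constructed Site B client address
    print("before:", path(ROUTER_BEFORE, "Router", client))
    print("after: ", path(ROUTER_AFTER, "Router", client))
```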

synaesthesia
Frequent Advisor

Re: 5406zl Vlan setup

No worries, hope it was for a break :)

 

The configs are identical to what you've specified, but something is ringing bells about the device gateways. Will double check those but I don't think that'd be hugely important as the devices were not even picking up DHCP addresses. 

 

Speaking to the ISP now about access to the router, I think they expect to make changes themselves on request however that's going to be daft. Testing will be a pain but I'm sure we're not the only ones to make changes on this scale.

 

I would like to get RIP working - do you have any suggestion, looking at  previous configs, as to why that might not have been working? It wouldn't surprise me if it's just a typo somewhere. Plenty of time to test, test, test though! :)

synaesthesia
Frequent Advisor

Re: 5406zl Vlan setup

Just realised one thing which may be a pain.

 

The internet router on 10.12.148.1 is on Site B. We definitely can't change that IP address and changing IPs on both sites will be nothing short of a nightmare. Could just swap roles on the switches and keep the 148 range at site B and the 152 for site A.

 

Think it's time for me to play with RIP some more :D

synaesthesia
Frequent Advisor

Re: 5406zl Vlan setup

Ok, ISP says we can have RIP enabled. Great, now just need to get it working.

 

With RIP enabled and verified with show ip rip it gives us:

 

RIP protocol  : enabled
Auto-summary  : enabled
Default metric: 1
Distance      : 120
Route changes : 66
Queries       : 0

RIP Interface information

IP Address      Status     Send mode   Recv mode   Metric   Auth
10.0.0.2        enabled    V2-only     V2-only     1        none
10.12.152.14    enabled    V2-only     V2-only     1        none
192.168.2.9     enabled    V2-only     V2-only     1        none

RIP peer information

IP address   Bad routes   Last update timeout
10.0.0.1     0            10

 

 

 

That's the Site B unit. A is the same but vice versa.

But ignoring the two sites, it doesn't appear to be working between the VLANs - so devices do not get a DHCP address nor when given a static IP do they communicate with the servers.

Inter-switch direct routing appears OK though - servers on one site can communicate with servers on the other.