
 
RThornton
Occasional Advisor

VLAN problems on multiple Procurves

Hi all,

     I am trying to fix some connectivity issues on a network that has 2 VLANs set up on it, 1 for data and 1 for voice. This was configured before I took over and my client has had issues with the voice VLAN.

    There are 4 Procurve switches with the VLANs configured on them. VLAN 1 is the Default VLAN and is the data VLAN. VLAN 2 is the voice network. All of the switches are trunked together back to a core switch that is doing inter-VLAN routing. I will do my best to try to explain the setup.

    2 of the switches (SW3 and SW4) are in one building (Bldg 2), trunked between ports 23 and 47. SW3 is trunked to SW1 between ports 49 and 9 over a fiber connection to another building (Bldg 1). SW1 is the core switch and it is trunked to SW2 in the same rack. I have included the running configs from the 4 switches.

    If I have an IP in the 192.168.1.0 /24 range from building 2 I can ping the gateway addresses on the core switch that are 192.168.1.1 and 192.168.80.1. If I have an IP in the 80 subnet I cannot ping the gateways.

There are a couple of things that I am questioning. Shouldn't the fiber ports that connect building 1 and building 2 be tagged for both vlan 1 and vlan 2? Also, does it make sense to have the IP Routing command on SW4? It seems to me that IP Routing should only be enabled on the core SW1. Any assistance you can give me with this would be greatly appreciated. Let me know what else you need for information. Thank you

 

Running configuration:   (SW1)

; J9565A Configuration Editor; Created on release #A.14.03

hostname "ProCurve Switch 2615-8-PoE"
ip default-gateway 192.168.1.4
ip routing
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-8
   ip address 192.168.1.1 255.255.255.0
   tagged 9-10
   exit
vlan 2
   name "voice"
   ip address 192.168.80.1 255.255.255.0
   tagged 1-10
   exit
snmp-server community "public" unrestricted

--------------------------------------------------------------------------------------------------------------

Running configuration:    (SW2)

; J9022A Configuration Editor; Created on release #N.11.06

hostname "ProCurve Switch 2810-48G"
ip default-gateway 192.168.1.1
snmp-server community "public" Unrestricted

vlan 1
   name "DEFAULT_VLAN"
   untagged 1-43,45-48
   ip address 192.168.1.20 255.255.255.0
   tagged 44
   exit

vlan 2
   name "voice"
   no ip address
   tagged 1-48
   exit

----------------------------------------------------------------------------------------------------------------------------------

Running configuration:   (SW3)

; J4899B Configuration Editor; Created on release #H.10.38

hostname "ProCurve Switch 2650"
ip default-gateway 192.168.1.1
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-46,49-50
   ip address 192.168.1.19 255.255.255.0
   tagged 47
   no untagged 48
   exit
vlan 2
   name "voice"
   tagged 1-50
   voice
   exit

---------------------------------------------------------------------------------------------------------------------------------------

Running config    (SW4)

hostname "ProCurve Switch 2610-24-PWR"
mirror-port 22
ip default-gateway 192.168.1.1
ip routing
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-22,25-28
   ip address 192.168.1.25 255.255.255.0
   tagged 23-24
   exit
vlan 2
   name "voice"
   untagged 24
   ip address dhcp-bootp
   tagged 1-23,26-28
   voice
   exit
interface 8
   monitor
   exit

LorenzoCastro
Frequent Advisor

Re: VLAN problems on multiple Procurves

Hello.  Seems like you have a bit of a mess there.... :)

 

Doesn't seem like you need ip routing enabled on sw4.  Also, you should be able to remove the ip default-gateway command on the core switch and use the ip route 0.0.0.0 0.0.0.0 192.168.1.4 default route command instead.  You also should match up your untagged ports between all your links.  I would use untag vlan 1 on all your uplink ports.  Then tag vlan 2, your voice vlan, on those same uplink ports.  That should allow tagged access all the way through your network on VLAN 2 to the core and should hopefully fix any issues you are having.  Also have to make sure that .4 has a route pointing back to your core network switch .1 for the VLAN 2 or 80.0 subnet.  HTH. 
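
The tagged/untagged matching this reply recommends can be checked mechanically. The following is an added example, not part of the original post and not an HP tool: it parses the VLAN stanzas from the question's running configs and compares both ends of a link. The function names are hypothetical, and the endpoints (SW3 port 49 to SW1 port 9, SW3 port 47 to SW4 port 23) are read from the question's description and the switches' port counts.

```python
import re

def expand(ports):
    """Expand a ProCurve port list such as '1-22,25-28' into a set of ints."""
    out = set()
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_vlans(config):
    """Return {vlan_id: {'tagged': set, 'untagged': set}} from a running config."""
    vlans, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"vlan (\d+)$", line)
        if m:
            current = vlans.setdefault(int(m.group(1)), {"tagged": set(), "untagged": set()})
        elif line == "exit":
            current = None
        elif current is not None:
            m = re.match(r"(no )?(tagged|untagged) ([\d,-]+)$", line)
            if m and m.group(1):          # "no untagged 48" removes membership
                current[m.group(2)] -= expand(m.group(3))
            elif m:
                current[m.group(2)] |= expand(m.group(3))
    return vlans

def port_mode(vlans, port):
    """Map each VLAN to 'tagged'/'untagged' for one port (absent if not a member)."""
    return {vid: mode for vid, members in vlans.items()
            for mode in ("tagged", "untagged") if port in members[mode]}

def link_mismatches(vlans_a, port_a, vlans_b, port_b):
    """List (vlan, mode_a, mode_b) where the two ends of a link disagree."""
    a, b = port_mode(vlans_a, port_a), port_mode(vlans_b, port_b)
    return [(v, a.get(v), b.get(v)) for v in sorted(set(a) | set(b)) if a.get(v) != b.get(v)]

# VLAN stanzas copied from the SW1, SW3 and SW4 configs in the question.
SW1 = "vlan 1\n untagged 1-8\n tagged 9-10\n exit\nvlan 2\n tagged 1-10\n exit"
SW3 = "vlan 1\n untagged 1-46,49-50\n tagged 47\n no untagged 48\n exit\nvlan 2\n tagged 1-50\n exit"
SW4 = "vlan 1\n untagged 1-22,25-28\n tagged 23-24\n exit\nvlan 2\n untagged 24\n tagged 1-23,26-28\n exit"

if __name__ == "__main__":
    # Fiber link between buildings: SW3 port 49 <-> SW1 port 9.
    print(link_mismatches(parse_vlans(SW3), 49, parse_vlans(SW1), 9))
    # Building 2 link: SW3 port 47 <-> SW4 port 23.
    print(link_mismatches(parse_vlans(SW3), 47, parse_vlans(SW4), 23))
```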

RThornton
Occasional Advisor

Re: VLAN problems on multiple Procurves

Thank you for your response. I will remove the ip routing from SW4. I will also try your suggestion for the default route. Can you explain what the difference is between the two commands? There is a static route on the Fortigate 110C for the 80 subnet.

So as long as the data is in VLAN 1 which is the default vlan all ports for that vlan should be untagged even on the uplinks? If I decide to move the data traffic out of the default vlan, as is usually suggested, do the ports then need to be tagged? Keep in mind that computers are connected to the network through the extra port on the IP phones.

 

LorenzoCastro
Frequent Advisor

Re: VLAN problems on multiple Procurves

The ip default-gateway command would be used when the switch is operating in L2 mode and not providing routing services for any other hosts on your network, which switch4 doesn't look like it's doing or needs to do.  It functions the same as the default gateway does on your PC.   IP routing enables L3 functionality on your switch and the default route command tells your switch, and other hosts using your switch for their default gateway, what host to route to for any networks for which it does not have a route in its routing table, say a host on the internet. 

 

So as long as the data is in VLAN 1 which is the default vlan all ports for that vlan should be untagged even on the uplinks?

 

Not necessarily, however all ports must belong to at least one untagged vlan and for simplicity's sake I just suggested using VLAN 1 for your uplinks as you only have two vlans.  You can use whatever vlan you want as untagged for the uplinks, just make sure they are the same on both sides.  In your case I would just stick with 1. 

 

 If I decide to move the data traffic out of the default vlan, as is usually suggested, do the ports then need to be tagged? Keep in mind that computers are connected to the network through the extra port on the IP phones.

 

If the ports are not tagged for the data vlan right now, they will not need to be tagged for the data vlan when you move them to another vlan, say vlan 3. They would be untagged members of vlan 3.  A port only needs to be tagged for a specific vlan if it is expecting to receive tagged traffic from a device on that port or needs to carry multiple vlans across it (your uplinks).  In your case data is being sent untagged and voice is being sent to the switchports tagged.

 

RThornton
Occasional Advisor

Re: VLAN problems on multiple Procurves

Ok if some of these questions sound stupid to you but configuring switches this way is new to me. If the phones are in the .80 subnet and the computers are in the .1 subnet how does the switch know where to send the DHCP request from a phone? Does the phone need to have the VLAN ID in it? I know that when you configure an access point with multiple SSIDs they have to be set up in separate VLANs so it would make sense to me that the phones would need to be set up the same way. Otherwise I would think that a phone could get an IP address from either of the DHCP scopes.

I will be adding 2 new VLANs for access points. One VLAN will need access to the .1 subnet but will be in the .50 subnet. The other (.60) will need access to the Internet and will not be allowed access to the internal network. Knowing this would you still recommend changing the ip routing command on the core switch (192.168.1.1)?

Thank you and sorry for so many questions.

LorenzoCastro
Frequent Advisor

Re: VLAN problems on multiple Procurves

No worries on the questions, not dumb at all.  I would recommend a little research though before you start making changes.  The HP routing and various config guides could probably help you catch up on the things you'll need to know.  Regarding the phones, they usually receive information from a DHCP server which directs them to a tftp or ftp server where they download their config, or something similar to that.  Also, the DHCP class options can provide vlan tagging enablement, vlan ID, etc.  Check the current DHCP configuration for this.  They also could be configured manually if it's a small environment, but hopefully that's not the case.  I'm guessing your DHCP server sits on VLAN1, so by default your phones probably boot up, request a DHCP address in the untagged vlan 1, receive info that directs them to a server and gives them the config mentioned above (vlan id 2).  Your environment could be a little different, so make sure to investigate.    

 

Regarding the core switch as long as it has ip routing enabled it will be able to route to any directly connected subnets that it hosts.  Again, you will have to make sure your vlans are working all the way through in order to get connectivity from say sw4.  You would also have to confirm that your hosts are using the correct default gateways.  If one host is pointing to your firewall and the FW does not have a route to say the new internal wireless network you will not be able to properly route.  Point hosts to the core switch's vlan ip addresses in their respective vlan and then have your default route on the core switch pointing to the firewall for internet access. 

 

For your guest wireless, you probably want to trunk another vlan all the way through and terminate that to an untrusted interface on your firewall where you can control access to other networks and or the internet.

 

I may not be on for the remainder of the day, but I'm sure someone else here can help you out if you have any more questions.  Be sure to check out the config guides, there's some good stuff in there.  Good luck!