Nigel Lawson
Occasional Advisor

Procurve VLANs and Routing Issues

Hi,

I'm new to configuring switches, but am getting to grips with it quickly. I've hit an issue with using VLANs. Here's what I have and what I want to achieve.

I have a ProCurve 2824 which I'm using as a router to pass traffic to a Cisco gateway/router. The Cisco box and the 2824 are connected via fibre on port 24 of the 2824. I have a ProCurve 2524 switch connected to the 2824 also.

On the 2824 I have set up a default route to the Cisco box. I have given the 2824 an IP address on a private subnet. If I attach a PC to the switch and assign it an IP address in the same subnet as the 2824 and use the 2824 as the PC's default gateway, I have access to the internet and all works fine.

Next I decide to add some VLANs. I set up a VLAN, called VLAN78. I give it an IP address (different subnet to the main IP address of the 2824). Now I find that I can only get a PC on this port to work if I set the port to 'Untagged' on the switch (setting the PC IP to the same subnet as VLAN78 and using VLAN78 IP as the gateway).

So next I decide to connect the 2524 and see what I can get working. I've found that the 2524 will only route traffic from machines that are on the same subnet as itself. I have set the connecting ports of the two switches (2824 and 2524) to be tagged on all VLANs within them (the 2824 has 3 VLANs and the 2524 just has the default_vlan). This part seems to be working, but like I say, the 2524 will only route traffic to the same subnet as itself.

What I ideally want is VLANs on the 2824 which can communicate between themselves, and then also work from any connected switches, etc. - basically NOT port-based VLANs - to be able to connect a machine on one of the VLANs defined in the 2824, but on any port without configuring the port as 'Untagged' manually per port.

As I said before, it seems tagging is working on the 2824, but the 2524 will only route PCs that are on the same subnet as itself. If I set up VLANs on the 2524, then I have to manually assign each port to its relevant VLAN. Not acceptable.

Is there a way to do this on the kit I have?
14 REPLIES
cenk sasmaztin
Honored Contributor

Re: Procurve VLANs and Routing Issues

Please send me the show run output of the 2824 and 2524 switches.
cenk

Nigel Lawson
Occasional Advisor

Re: Procurve VLANs and Routing Issues

I'll create a new post tomorrow and attach them...
Nigel Lawson
Occasional Advisor

Re: Procurve VLANs and Routing Issues

Ok, here are the configs of both switches. Just a quick bit of info. Port 19 of the 2824 is linked to port 1 on the 2524. Port 24 of the 2824 is the fibre link to the Cisco box. All other ports are to have PCs attached (if possible).

Cheers,
Nigel
cenk sasmaztin
Honored Contributor

Re: Procurve VLANs and Routing Issues

; J4903A Configuration Editor; Created on release #I.10.70
hostname "ProCurve Switch 2824"
ip routing
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-23
   ip address 192.168.77.240 255.255.255.0
   no untagged 24
   exit
vlan 78
   name "VLAN78"
   ip address 192.168.78.240 255.255.255.0
   tagged 19
   ip proxy-arp
   exit
vlan 172
   name "VLAN172"
   untagged 24
   ip address 172.17.2.38 255.255.255.0
   exit
ip route 0.0.0.0 0.0.0.0 172.17.2.37


********************************************************

; J4813A Configuration Editor; Created on release #F.05.69

hostname "HP ProCurve Switch 2524"

snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-26
   ip address 192.168.77.241 255.255.255.0
   exit

********************************************************
You must write a static routing command on the Cisco box:
192.168.0.0 255.255.255.0 172.17.2.38

*********************************************************
The 2524 is only an L2 switch; the 2824 is the main routing switch.
The 2524-to-2824 uplink port must be an untagged member of VLAN 1 and a tagged member of all other VLANs.

Every VLAN member's IP address must be in the VLAN's network range, and its default gateway address must be the VLAN's IP address on the 2824 switch.

The VLAN 1 IP address on the 2524 switch is only for management. The default gateway address of a PC that is a VLAN 1 member on the 2524 switch must be the 2824 switch's VLAN 1 IP address.

If you want to create VLAN 78 or 172 on the 2524 switch, that VLAN does not need an IP address there.
The default gateway address of that VLAN's members must be the 2824's VLAN 78 or 172 IP address.

good luck
cenk

cenk sasmaztin
Honored Contributor

Re: Procurve VLANs and Routing Issues

For example, I create VLAN 78 on the 2524 switch:



; J4903A Configuration Editor; Created on release #I.10.70
hostname "ProCurve Switch 2824"
ip routing
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-23
   ip address 192.168.77.240 255.255.255.0
   no untagged 24
   exit
vlan 78
   name "VLAN78"
   ip address 192.168.78.240 255.255.255.0
   tagged 19
   ip proxy-arp
   exit
vlan 172
   name "VLAN172"
   untagged 24
   ip address 172.17.2.38 255.255.255.0
   exit
ip route 0.0.0.0 0.0.0.0 172.17.2.37


********************************************************

; J4813A Configuration Editor; Created on release #F.05.69

hostname "HP ProCurve Switch 2524"

snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 11-26
   no untagged 1-10
   ip address 192.168.77.241 255.255.255.0
   exit

vlan 78
   name "VLAN78"
   untagged 1-10
   tagged 19
   exit

The default gateway address of VLAN 78 and VLAN 1 member PCs must be the 2824's IP address in that VLAN.

For example, a PC that is a VLAN 78 member on the 2524 switch:

ip address 192.168.78.22 255.255.255.0
default gateway 192.168.78.240
cenk

Nigel Lawson
Occasional Advisor

Re: Procurve VLANs and Routing Issues

The configuration you have given me for the 2524 does not work how I would like it to. Basically, if I run that config on my 2524, I find I can put 77 subnet machines on ports 11-26 and they work fine. I can then put 78 subnet machines on ports 1-10 and they work fine. But if I put a 77 machine on ports 1-10 or a 78 machine on ports 11-26, no traffic will flow.

I need to be able to put 77 and 78 machines on ANY port (except the link to the 2824 port) without defining which port belongs to which subnet.

Any more ideas?
cenk sasmaztin
Honored Contributor

Re: Procurve VLANs and Routing Issues

My config is a static VLAN config.

If I understand correctly, you need dynamic VLANs on the 2524 switch.

There are two methods for dynamic VLAN configuration:

Use GVRP config.

For GVRP config you need a GVRP-aware network interface card in the PC.


Use 802.1X dynamic VLAN config.

You need to install a RADIUS server on your system.
Each domain user is dynamically assigned their own VLAN through RADIUS with remote Active Directory roles.
cenk

Nigel Lawson
Occasional Advisor

Re: Procurve VLANs and Routing Issues

Hmm, so it seems I can't achieve a dynamic vlan with this equipment then?

It's odd as I have a very old Intel router in production that is handling VLANs fine by itself, with a number of HP procurve switches connected to it running just their simple config with one VLAN (default_vlan). And everything works fine there.

This is what I wanted to replicate on the 2824, but it seems it's not built for this.

Thanks for your help.
Pieter 't Hart
Honored Contributor

Re: Procurve VLANs and Routing Issues

The first thing to understand is the difference between routing and communication between VLANs.
Using VLANs is a way to separate traffic so only devices in the same VLAN can communicate.

Second:
>>> I've found that the 2524 will only route traffic from machines that are on the same subnet as itself. <<<
That's just the point of subnetting: you need an IP address in the same subnet to communicate.
To communicate between two subnets, you need two IP addresses (one in each subnet) or do this using another device (a router).

In your example, if the 2524 is in subnet77/vlanX, including all ports, then all devices within subnet77 can communicate
- with each other
- with the switch
- and the switch can route to the external router.

All subnet78 devices connected to the 2524 are connected to vlanX!!!! (not vlanY) and are able to communicate with each other but not route to an external subnet.

The function you seem to need, which I would describe as "assigning a VLAN based on IP address", is not commonly used (if possible at all).

You have the options of assigning a VLAN based on
1) map a fixed VLAN to a port
2) MAC address
3) user authentication
4) configure the port to assign both tagged VLANs AND find a way to configure the connected host to use VLAN "tagged" packets.
This depends on the driver of the network card.
This is sometimes an add-on (not in the standard driver).
Broadcom calls this BACS (Broadcom Advanced Control Suite), which also allows teaming.

You don't need both switches to route.
You can assign one switch as the router between VLANs (and public router) and configure the link between the switches to pass both VLANs! (already done that)
But you do have to make both VLANs known on the 2524, either port-based (PVID/untagged) or one of the other methods.

hth
Pieter
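
The port-based behaviour discussed in the posts above, as an added example that is not part of any post in this thread: a small parser for ProCurve-style `vlan` stanzas that maps each port to its untagged VLAN and reports whether a host's subnet matches that VLAN's routed interface. The sample config is constructed (port membership as on the 2524, VLAN addresses as on the 2824, merged into one view as an assumption), and the function names are hypothetical; it also flags the read/write `public` SNMP community that appears in both posted configs.

```python
import ipaddress
import re

# Constructed config: port layout as on the 2524 in the thread, VLAN
# addresses as on the routing 2824 (assumption: merged into one view).
SAMPLE = """\
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 11-26
   ip address 192.168.77.240 255.255.255.0
   exit
vlan 78
   name "VLAN78"
   untagged 1-10
   ip address 192.168.78.240 255.255.255.0
   exit
"""

def expand(spec):
    """Expand a ProCurve port list such as '1-10,24' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse(text):
    """Return ({port: untagged vid}, {vid: IPv4Interface}, [SNMP findings])."""
    pvid, gateways, findings, vid = {}, {}, [], None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vid = int(m.group(1))
        elif line == "exit":
            vid = None
        elif vid and (m := re.fullmatch(r"untagged (\S+)", line)):
            pvid.update(dict.fromkeys(expand(m.group(1)), vid))
        elif vid and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            gateways[vid] = ipaddress.ip_interface("/".join(m.groups()))
        elif m := re.fullmatch(r'snmp-server community "(\w+)" Unrestricted', line):
            findings.append(f"community {m.group(1)!r} is read/write")  # Unrestricted = write access
    return pvid, gateways, findings

def gateway_for(port, host_ip, pvid, gateways):
    """Gateway a host on `port` can use, or None if its subnet lives in another VLAN."""
    gw = gateways.get(pvid.get(port))
    return str(gw.ip) if gw and ipaddress.ip_address(host_ip) in gw.network else None
```

With the sample, a 192.168.77.x host on ports 1-10 gets `None` because untagged frames on those ports land in VLAN 78, which is the failure reported earlier in the thread.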
cenk sasmaztin
Honored Contributor

Re: Procurve VLANs and Routing Issues

you are welcome Nigel
cenk

Nigel Lawson
Occasional Advisor

Re: Procurve VLANs and Routing Issues

@ Pieter

I want to use VLANs for monitoring. I'd like to have all VLANs and routing handled by the 2824 and then connect any number of switches and PCs to the 2824 and monitor activity of the individual subnets.

The Intel router I currently have seems to handle this without any problems. But I want to replace it as it really is getting on a bit and I fear it may fail any day now.

I did manage to achieve semi what I was after by adding multiple IP addresses to the default_vlan. So I assigned 192.168.77.240 and 192.168.78.240 to the default_vlan and all traffic routed perfectly and I could connect any PC to any port on the 2824 and the 2524. The only problem was when it came to logging, all traffic went through default_vlan so I couldn't view the activity of each subnet separately.

Any other ideas?
Pieter 't Hart
Honored Contributor

Re: Procurve VLANs and Routing Issues

Hi Nigel,
I guess with the Intel router you didn't use VLANs at all.
You used multiple subnets on the same LAN (sometimes called multinet).
All devices are connected at layer 2 and the Intel router did its job to link the subnets together at layer 3.
In this setup it's no different if you use hubs or switches. You only have a single LAN.

When using VLANs you really separate traffic within the switch, creating different LANs (not possible with common hubs).
After this you must do something extra to make the VLANs talk to one another (routing).

I'm not sure I understand your question about logging?
who is doing the logging and what do you want to log?
Nigel Lawson
Occasional Advisor

Re: Procurve VLANs and Routing Issues

Hi Pieter,

I use MRTG (http://oss.oetiker.ch/mrtg/) to create graphs for the VLANs. A little more research shows that the VLANs on the Intel router are true VLANs; they appear to be a very early implementation of VLANs.

I'll see what I can setup via SNMP on the 2824 and if that fails, I may have to look at the kit I'm trying to use and maybe get something different.

Cheers,
Nigel
Pieter 't Hart
Honored Contributor

Re: Procurve VLANs and Routing Issues

Hello Nigel,
I'm familiar with MRTG (now use PRTG for easier setup http://www.paessler.com/prtg/?ref=PRTGcopy).
As far as I know it reports on an "interface" basis.

A secondary IP address is not a separate interface, so I think it will be a problem to monitor this separately.
The addresses assigned to a VLAN are different interfaces; that will be no problem.

Much depends on the MIBs.
So if you have an older setup it may be a good idea to verify you use recent MIBs for ProCurve switches.

regards,
Pieter