HPE Community
Switches, Hubs, and Modems
1823914 Members
3219 Online
109667 Solutions
New Discussion юеВ

Re: VLANS and IP Routing

 
SOLVED
Go to solution
Jon Frazee
New Member

тАО06-23-2009 10:04 AM

тАО06-23-2009 10:04 AM

VLANS and IP Routing

Hi All,

I am a newbie to routing switchs and the HP ProCurve products.

I have 2 5406zl and 10 2510G-24 switches that I am going to be installing.

My firewall's IP is 172.16.0.1/12
I have configured the first 5406zl switch with IP 172.16.0.11/12 and default GW 172.16.0.1/12

I would like to setup 4 vlans
vlan 1 is the default 172.16.0.11/12
vlan 4 IP 172.16.4.11/22
vlan 8 IP 172.16.8.11/22
vlan 12 IP 172.16.12.11/22
vlan 16 IP 172.16.16.11/22

I would like all vlans to connect to the internet. I would like hosts on vlans 8, 12, and 16 to be able to connect with hosts on vlan 4 but not with each other.

I have attached my sh config file.

Is the IP scheme I have chosen going to work?
I have not configured any ports yet and was wondering about tagging and untagging.

I would appreciate any help.

Thanks,
Jon
0 Kudos
9 REPLIES 9
SjoerdvW
Advisor

тАО06-24-2009 01:46 AM

тАО06-24-2009 01:46 AM

Re: VLANS and IP Routing

Hello Jon,

First of all: you├в re using the wrong subnet mask on the default VLAN. Change this to (also) 255.255.252.0
This also brings up questions about you're firewalls subnet. Sure this is /12?

Furthermore, when this VLANS need to communicate with each other, you need to enable the routing functionality on this router by giving the command "IP routing". This switch will function as a router at this time.
Not sure if the default gateway is supported when you enable routing. so maybe you should create the next route:
ip route 0.0.0.0 0.0.0.0 172.16.0.1
You have to place you're firewall on a port that is untagged in VLAN 1 (for example port A1).

The infrastructure ports must be tagged in each VLAN (the ones connecting the switches). So on you're 2510 you also have to create the same VLAN's (you don't have to enable routing, or give the VLAN's an ip, only one in VLAN1 would be recommended for management purposes).

End stations ports must be "untagged" in the specific VLAN. The gateway for the end station is the IP of the VLAN you configured on the 5406. For example: an end station in VLAN 8 could have an IP of 172.16.5.1, subnetmask 255.255.252.0, gateway 172.16.4.11.

Ports can be untagged in only 1 VLAN (cause a end station can be in only 1 VLAN), and can be tagged in multiple VLANs (all traffic going over this infrastructure links must be tagged)

Try to get this up and running first.
The final thing you have to do is to block traffic. You have to use ACL's to block traffic on VLAN's.

Good luck!
0 Kudos
SjoerdvW
Advisor

тАО06-24-2009 02:16 AM

тАО06-24-2009 02:16 AM

Re: VLANS and IP Routing

Furthermore, since you have 2 5406: Take a look at the Primium Edge License (J8994A). This will enable the Virtual Router Redundancy Protocol.
At this moment, the switch with the ip routing enabled, is the single point of failure in you├в re design. Cause when this switch fails, the end stations would not be able to reach the gateway, and therefore can├в t communicate with devices out of there subnet scope. By enabeling (and configuring) VRRP, connecting the 2510├в s to both the 5406 and configuring spanning tree, you build in some redundancy / high availability
0 Kudos
Jon Frazee
New Member

тАО06-24-2009 05:44 AM

тАО06-24-2009 05:44 AM

Re: VLANS and IP Routing

Hi,

Thanks for your responses.

I configured my switch the way you suggested and I also changed the firewall to 172.16.0.1/22

I turned on routing on the switches and I created the route 0.0.0.0/0 172.16.0.1

I have a trunk of three fiber ports connecting the 2 5406s together. I have untagged vlan 1 and tagged the rest of the vlans for the trunk.

I also have a fiber port connecting one of the 2510s to one of the 5406s and tagged the port with all vlans.

I setup a test workstation on vlan 16 with an address of 172.16.16.30/22 and a GW of 172.16.16.11/22 (the IP of the vlan).

While the WS can ping all the vlans it cannot ping the GW at 172.16.0.1 and I can't get to the internet.

I have attached the startup config.

Thanks for the suggestion on the VRRP, I am looking into it.

Thanks again,
Jon
0 Kudos
Madde
New Member

тАО06-25-2009 05:49 AM

тАО06-25-2009 05:49 AM

Re: VLANS and IP Routing

Hello Jon,

where is your firewall connected? Have you tried to ping the firewall from the cli of the 5406 switch?

The next thing is did the firewall know the other networks? That means have you done routing entries on the firewall? Something like 172.16.8.0/22 over 172.16.0.11. The problem is that ping knows the way to the firewall but the firewall does not know the way back!
0 Kudos
Jon Frazee
New Member

тАО06-25-2009 06:10 AM

тАО06-25-2009 06:10 AM

Re: VLANS and IP Routing

Hi,

The firewall is on port d20 with vlan 1 untagged and the others tagged.

I can ping the firewall from the switch's CLI.

I haven't added anything to the firewall but I will try that.

Thanks,
Jon
0 Kudos
SjoerdvW
Advisor

тАО06-25-2009 11:35 PM

тАО06-25-2009 11:35 PM

Solution

Re: VLANS and IP Routing

Hello Jon,

Madde is right. You should create routes to the VLAns on the firewall.
Something like
ip route 172.16.4.0 255.255.252.0 172.16.0.11
ip route 172.16.8.0 255.255.252.0 172.16.0.11
etc.

You could try making one route covering all these VLAN's
ip route 172.16.0.0 255.255.0.0 172.16.0.11

You don't have to tag the other VLANs on this interface. (sure it's d20, you're config is showing d24).

0 Kudos
SjoerdvW
Advisor

тАО06-26-2009 12:37 AM

тАО06-26-2009 12:37 AM

Re: VLANS and IP Routing

Hello Jon,

For the blocking of traffic you need to use ACL's. The 2510G switch doesn't seem to support this.
Take a look at this document http://www.procurve.com/products/pdfs/4AA1-2960ENW.pdf page 33.
You could try creating the access list on the 5400 switch. This way you could block traffic between the VLAN's (cause they all pass this switch), but you could never block traffic within a VLAN.
0 Kudos
Jon Frazee
New Member

тАО06-26-2009 04:50 AM

тАО06-26-2009 04:50 AM

Re: VLANS and IP Routing

Thanks everyone.

I now have all vlans connected to the internet and each other.

I will work on the ACLs.

Jon
0 Kudos
Jon Frazee
New Member

тАО06-26-2009 04:51 AM

тАО06-26-2009 04:51 AM

Re: VLANS and IP Routing

It was the firewall that wasn't connecting back to the switch.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.