Getting VLANs to talk to each other? (Wired Networks thread, Technical forum)
#1 (worcestertech)

    This should be a simple issue to address but I can't seem to make it work.

    Scenario

    Two subnets:

    10.20.30/22 behind a HP 3500 switch connected to 192.168.1/24 subnet.

    The 3500 switch has two VLANs. VLAN2 has IP 10.20.28.1 containing ports 1 - 23 all untagged. VLAN1 has IP 192.168.1.250 and is just port 24 (fibre) untagged.

    Port 24 (fibre) on the 3500 is the uplink to a HP 2910 switch on port 28. All ports untagged in one VLAN. There is another 2910 switch uplinked via copper from the first 2910, all ports untagged on one VLAN. These 2910 switches carry 192.168.1/24 subnet clients.

    Internet gateway appliance is 192.168.1.1 linked to the first 2910 switch.

    I need two-way communication between all devices in both subnets and for all devices in the 10.20.30/22 to be able to access the Internet via the 192.168.1.1 gateway. The aim is for the 10.20.30 subnet to host all DNS and DHCP + file storage. Most clients and all legacy servers will remain in the 192.168 subnet but they obviously need to be able to obtain DNS resolution and DHCP from the 10.20.30 subnet devices.

    I have tried many configurations using IP Helper addresses, static routes etc. but I cannot get the clients on 192.168 to see the DHCP or DNS servers on 10.20.30. Neither can I get devices on 10.20.30 to get to the Internet.

    Neither can I get server - client access from 192.168.1 to 10.20.30

    Curiously I can ping and tracert the gateway but not access it in a meaningful way.

    What do I need to reconfigure on the 3500 and / or 2910 switches in order to get cross-VLAN traffic running freely?

#2 (worcestertech)
    If it's any help this is the config of the 3500 switch:


    module 1 type j86xxa
    timesync sntp
    stack commander " Switch1"
    stack auto-grab
    stack member 1 mac-address 001db3-49fa00
    stack member 2 mac-address 0026f1-8ccd40
    ip default-gateway 192.168.1.1
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    ip routing
    snmp-server community "public" unrestricted
    snmp-server contact "Administrator"
    router rip
    redistribute connected
    enable
    exit
    vlan 1
    name "DEFAULT_VLAN"
    no untagged 1-23
    untagged 24
    ip address 192.168.1.250 255.255.255.0
    exit
    vlan 2
    name "VLAN2"
    untagged 1-23
    ip address 10.20.28.1 255.255.252.0
    ip directed-broadcast
    exit
    spanning-tree
    no autorun
    no dhcp config-file-update
    no dhcp image-file-update
    password manager

#3 (Chris_Cook)
    I'm not an expert, but I think you need to add two more static routes - one route for each subnet, and keep the existing route for your gateway appliance. Then you will need to add a default gateway on your dhcp server (or on each client if you set them up locally). The default gateways for clients need to be either 192.168.1.250 (for any client starting 192.168.1.*) or 10.20.28.1 for any client on the other subnet. Something like:

    ip route 192.168.1.0/24 192.168.1.250
    ip route 10.20.30.0/22 10.20.28.1


    Also you will need some form of dhcp relay. I think these are the right commands for your switch:

    vlan 1
    ip helper-address <ip-addr>
    exit
    vlan 2
    ip helper-address <ip-addr>
    exit


    You need to replace <ip-addr> with the IP address of your dhcp server. Your dhcp server will then need a scope set up for each vlan.

    I might be completely wrong on all that though, so use with caution. I'm sure someone will be along soon with the right answer.
    Last edited by Chris_Cook; 19th February 2014 at 10:03 PM.

#4 (worcestertech)

    Quote Originally Posted by Chris_Cook:
    I'm not an expert, but I think you need to add two more static routes - one route for each subnet, and keep the existing route for your gateway appliance. Then you will need to add a default gateway on your dhcp server (or on each client if you set them up locally). The default gateways for clients need to be either 192.168.1.250 (for any client starting 192.168.1.*) or 10.20.28.1 for any client on the other subnet. Something like:

    ip route 192.168.1.0/24 192.168.1.250
    ip route 10.20.30.0/22 10.20.28.1

    I might be completely wrong on that though, so use with caution. I'm sure someone will be along soon with the right answer.
    I do have those routes in the routing table though I've noticed it doesn't show in the config I posted. Also have the gateways in the DHCP servers.

    I also originally put the helper addresses in but subsequently took them out.

    I can ping the gateway from the switch so it knows the way but anything other than ICMP traffic doesn't get through.
    Last edited by worcestertech; 19th February 2014 at 10:07 PM.

#5 (east)
    I think you need to add a static route on your gateway to tell it that the 10.20.30/22 network is reachable through 192.168.1.250.

#6 (worcestertech)

    Quote Originally Posted by east:
    I think you need to add a static route on your gateway to tell it that the 10.20.30/22 network is reachable through 192.168.1.250.
    I did do that on the 3500 switch and also on the 2910 it uplinks to. Also added a static route to reach 192.168.1/24 from 10.20.30/22 via 10.20.28.1 on the 3500. I also put in ip helper addresses. It didn't help...

    I'm not a switch expert and this is confusing the hell out of me.

    My biggest uncertainty is tagging. Do I need to tag port 24 (fibre) in both VLANs on the 3500 in order to get traffic from one VLAN to the other? All ports are currently untagged on all VLANs.

#7 (jonnykewell1)

    I take it you have made port 24 and the other end of the link a trunk so it can carry the VLANs?

#8 (worcestertech)

    Quote Originally Posted by jonnykewell1:
    I take it you have made port 24 and the other end of the link a trunk so it can carry the VLANs?
    No.

    On a HP switch I understand port trunking to be another term for LACP?

    The only port options I can see are tagged and untagged in a particular VLAN. Should I enable tagging of the uplink port in both VLANs?

#9 (east)
    I meant on the internet gateway appliance. Can you not ping between computers on those two VLANs if they're connected to the 3500?

#10 (worcestertech)

    Quote Originally Posted by east:
    I meant on the internet gateway appliance. Can you not ping between computers on those two VLANs if they're connected to the 3500?
    I misunderstood you, sorry.

    From the gateway (192.168.1.1) I can ping both gateway addresses on the 3500 although pinging 10.20.28.1 gives variable reliability - sometimes total loss, sometimes one or two packets are lost, sometimes 100% received.

    Cannot ping between clients on different subnets at all.

    From the 3500 I can ping both gateway addresses and the gateway appliance.

#11 (AdonMalik)
    Not sure if you're still having this issue or not but I should be able to help if you still are as we're successfully doing essentially what you're attempting to do using two HP Procurve 3500yl.

    I see a couple of things that may be causing this not to work properly.

    1) You do not need static routes when the 'ip routing' directive is turned on as that directive enables dynamic routing. This means that the switch is building the route table based on any routing protocols you have turned on and based on networks it is directly connected to. Based on your description my guess is that you don't have any devices broadcasting route updates but I may be incorrect. If you DO have another device broadcasting route updates and both it and the 3500 think they are the router for the same network that is likely where your conflict is as the 3500 is currently configured to listen for RIP updates.

    2) If you want DHCP to work between subnets and VLANs you must add 'ip helper-address <DHCP Server IP>' to each VLAN that the DHCP server does not reside on. You will need to configure a scope for each subnet you'd like your DHCP server to hand out addresses for. Please note that the scope must match the address range used for the switch's IP address that the DHCP request entered the switch on (ie you must have a scope for 192.168.1.0/24 if the switch IP that the request originated on is 192.168.1.1/24). For this to work all clients and servers must be using the switch's IP address for their VLAN as their gateway; the default route on the switch will handle routing traffic to your edge device.

    3) As long as the 2910 switches serve no other VLANs besides the one assigned to the 192.168.1.0/24 network on the 3500 you should not need trunking or tagging enabled on those ports. In that configuration the 2910 switches would actually need no VLANs configured even. If you do have VLANs enabled on the 2910s however then you should enable trunking on any switch interlinks. This would need to be configured on both ends and VLAN numbers would have to match on all switches. You would then want the trunks tagged on all switches.

    4) You need a static route on 192.168.1.1 for the 10.20.28.0/24 network pointing to 192.168.1.250. Depending on what brand the 192.168.1.1 device is the command for this will be different but it should look something like 'ip route 10.20.28.0/24 gw 192.168.1.250'.

    If you make those changes everything SHOULD work. If not please post the configs of the 2910 switches as well so we can go through things in more detail.
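An added example, not from any post in this thread: a small longest-prefix-match walk through the topology described above, which is the quickest way to see why the thread keeps coming back to a static route on the 192.168.1.1 gateway. The switch interface addresses (192.168.1.250 and 10.20.28.1 on the 3500, 192.168.1.1 on the gateway) are the ones in the posts; the two client addresses, the ISP next hop (203.0.113.1, a TEST-NET-3 placeholder) and the "delivered/forwarded off-net" wording are assumptions of this model. One check the thread itself never states: with a 255.255.252.0 mask the second network is 10.20.28.0/22 (10.20.28.0 to 10.20.31.255), which is what the 3500's `ip address 10.20.28.1 255.255.252.0` already implies, so a route written for "10.20.30.0/22" or "10.20.28.0/24" does not describe that subnet. The model ignores NAT and firewall policy on the WatchGuard; a policy that drops the traffic would fail it even when the routes are right.

```python
"""Longest-prefix-match walk through the thread's topology (added example,
not from the thread). Shows why a static route for 10.20.28.0/22 on the
192.168.1.1 gateway is required for two-way traffic."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, Optional[str]]   # (prefix, next-hop IP); next hop None = directly connected
Tables = Dict[str, List[Route]]     # device name -> routing table
Owners = Dict[str, str]             # interface IP -> device that owns it


def net(spec: str) -> Net:
    return ipaddress.ip_network(spec, strict=False)


def canonical_network(spec: str) -> Tuple[Net, bool]:
    """Return the aligned network for a prefix spec and whether the spec was
    already on a prefix boundary ('10.20.30.0/22' is not; the network is 10.20.28.0/22)."""
    n = net(spec)
    return n, ipaddress.ip_interface(spec).ip == n.network_address


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as a router does it."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def trace(tables: Tables, owners: Owners, start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Walk a packet for dst from device `start`; the last list element says
    where it ended (delivered, dropped, or forwarded to an unmodelled next hop)."""
    path, device = [start], start
    for _ in range(max_hops):
        route = lookup(tables[device], dst)
        if route is None:
            return path + [f"dropped at {device}: no route to {dst}"]
        prefix, next_hop = route
        if next_hop is None:
            return path + [f"delivered on {device} ({prefix})"]
        nxt = owners.get(next_hop)
        if nxt is None:   # next hop is outside the modelled network (the ISP side)
            return path + [f"forwarded off-net by {device} via {next_hop}"]
        path.append(nxt)
        device = nxt
    return path + ["dropped: hop limit reached"]


def reachable(tables: Tables, owners: Owners, src: Tuple[str, str], dst: Tuple[str, str]) -> bool:
    """Two-way check: both the forward and the return path must be delivered."""
    fwd = trace(tables, owners, src[0], dst[1])
    back = trace(tables, owners, dst[0], src[1])
    return fwd[-1].startswith("delivered") and back[-1].startswith("delivered")


# Constructed topology from the thread. Interface IPs are the ones in the posts;
# the client hosts and the ISP next hop (203.0.113.1, TEST-NET-3) are assumptions.
OWNERS: Owners = {"192.168.1.1": "watchguard", "192.168.1.250": "hp3500", "10.20.28.1": "hp3500"}
LEGACY = ("legacy-client", "192.168.1.20")   # on the 2910s, gateway stays 192.168.1.1
NEW = ("new-client", "10.20.28.50")          # on 3500 VLAN2, gateway 10.20.28.1


def build_tables(watchguard_has_route: bool) -> Tables:
    watchguard: List[Route] = [(net("192.168.1.0/24"), None), (net("0.0.0.0/0"), "203.0.113.1")]
    if watchguard_has_route:   # the static route the thread recommends on the gateway
        watchguard.append((net("10.20.28.0/22"), "192.168.1.250"))
    return {
        "watchguard": watchguard,
        "hp3500": [(net("192.168.1.0/24"), None), (net("10.20.28.0/22"), None),
                   (net("0.0.0.0/0"), "192.168.1.1")],
        LEGACY[0]: [(net("192.168.1.0/24"), None), (net("0.0.0.0/0"), "192.168.1.1")],
        NEW[0]: [(net("10.20.28.0/22"), None), (net("0.0.0.0/0"), "10.20.28.1")],
    }


if __name__ == "__main__":
    for has_route in (False, True):
        tables = build_tables(has_route)
        print(f"WatchGuard route for 10.20.28.0/22: {has_route}")
        print("  legacy -> new :", " > ".join(trace(tables, OWNERS, LEGACY[0], NEW[1])))
        print("  new -> legacy :", " > ".join(trace(tables, OWNERS, NEW[0], LEGACY[1])))
        print("  two-way OK    :", reachable(tables, OWNERS, LEGACY, NEW))
```

Without the gateway route, a 192.168.1.x client's packets for 10.20.28.x reach the WatchGuard and follow its default route toward the ISP, while the reply path through the 3500 is fine; that asymmetry is exactly the "ICMP from the switch works, clients do not" symptom in the thread. Adding the /22 route makes both directions land on the 3500.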

#12 (AdonMalik)
    FYI on the 3500 you need to use the command 'show ip route' in order to see the routing table; 'show route' and 'show route-map' will not show you the info you need.

#13 (worcestertech)

    Quote Originally Posted by AdonMalik:
    Not sure if you're still having this issue or not but I should be able to help if you still are as we're successfully doing essentially what you're attempting to do using two HP Procurve 3500yl...
    Hi Adon

    Many thanks for such a comprehensive answer and an offer to help further :-)

    Due to multiple time pressures I have cobbled together a "solution" that works but is not ideal for me. I do need to get the switches configured correctly.

    Anyway, at the moment I have this set up:

    The gateway device is a Watchguard XTM505 configured thusly:

    IP 192.168.1.1

    4 x interfaces configured, the first two being our leased lines and failover ADSL.
    3rd interface is "tagged" as the interface handling 192.168.1/24 traffic connected to one of the 2910 switches. Also "tagged" as a trusted interface.
    4th interface is "tagged" as the interface handling 10.20.28/22 traffic connected to the 3500 switch. Also "tagged" as a trusted interface.

    Watchguard is configured to send traffic to the appropriate interface and between interfaces depending on the request from the originating device. It has a static route set up to route 10.20.28/22 traffic to interface 4.

    Currently I have disconnected the fibre link, and hence the default VLAN (on the 3500) between the 3500 and 2910.

    The two DHCP (one on each subnet, although in reality there are two each working as failover clusters) servers are set up to give out the gateway address of the Watchguard device, either 192.168.1.1 or 10.20.30.1 depending on the subnet used for the originating DHCP request. These are the IP addresses of interface 3 and 4 respectively.

    This setup works but it's not the best way of doing it; I want to be rid of Watchguard doing the routing and let the switches handle it.

    The 3500 currently has this in the routing table:

    Attachment 23122

    VLAN1 (default_vlan) contains the fibre uplink port only which has 192.168.1.250 configured on it. All other ports are on the default VLAN. All ports untagged, no trunk ports.

    The appropriate part of the config is:

    IP Default gateway 192.168.1.1
    IP Route 0.0.0.0 0.0.0.0 192.168.1.1
    IP Route 192.168.1.0 255.255.255.0 192.168.1.1
    IP Routing
    Router RIP

    VLAN1
    Name default_vlan
    no untagged 1-23
    untagged 24
    IP Address 192.168.1.250 255.255.255.0

    VLAN2
    untagged 1-23
    IP Address 10.20.28.1 255.255.252.0
    IP directed-broadcast
    IP Helper address 192.168.1.2
    IP Helper address 192.168.1.5

    Spanning Tree

    Both 2910's have this in the routing table:

    2910_1_route.PNG

    Both 2910's have only the default VLAN configured. No tagged or trunked ports. IP Gateway 192.168.1.250, IP Route 0.0.0.0 0.0.0.0 192.168.1.1, ip routing on.

    We do not have any devices broadcasting routing information.

    I did originally have a static route set on Watchguard pointing to 192.168.1.250 but this has now been removed.

    So... I should turn off RIP and go with static routes + IP helper addresses + static route on Watchguard? Or leave ip routing configured and remove the static routes?
    Last edited by worcestertech; 2nd March 2014 at 05:35 PM.

#14 (AdonMalik)
    Ok I think I'm grasping your layout now so here are my thoughts currently:

    1. My understanding is that the WatchGuard XTM505 is a UTM/NGF device. Now I'm not very familiar with the WatchGuard product line and feature set so it may not have this capability but I'll give it here as an option just in case. On some UTM devices you can segregate ports into essentially discrete virtual appliances (it's called VDOMs on FortiGate products). If your WatchGuard has a similar capability you wouldn't necessarily need to remove routing from taking place on that device and would potentially be able to have more fine grained control of traffic between subnets if you enabled VDOMs. Now this is a lot of extra configuration and would put additional load on the WatchGuard so before attempting to do that I'd advise you thoroughly go through the documentation for your WatchGuard to make sure everything will work how intended and be within your device's capability to handle the extra load. I can help you rough out at least a framework of how this would work if that's the route you want to pursue.

    2. Now in the scenario of having the 3500 as your router you only need IP Routing enabled on the 3500; it should be disabled on the 2910's with the 'no ip routing' command so that it doesn't get in the way of what you're trying to do. The ip routing directive turns each switch it's enabled on into a router so it gets in the way here since you only want the 3500 to be acting as a router. As I recall trunking is not required for this config to work but I have it enabled for the sake of making future expansion of our network easier to accomplish; it wouldn't hurt to enable it for each link however. Additionally you'll notice in the config files that follow that I have all of our VLANs configured on both switches even if only the Trunk is a member; again this was done for ease of future expansion and shouldn't be required. However it is critical to make sure that all of your VLAN numbers match between switches. It appears you've already done this but just keep in mind if the VLAN numbers don't match then this won't work correctly as the switches will get confused. Also you shouldn't need the IP Default Gateway configured either since you have a static route that does the same thing. You will need a static route on the WatchGuard for the subnet on the 3500 as we talked about previously.

    The only two static routes you should need in this config are:

    a) a static route on the WatchGuard telling it to send all traffic for 10.20.28.0/22 to the 3500 IP that's on the same subnet as the WatchGuard (ie ip route 10.20.28.0 255.255.252.0 <3500 IP>)
    b) a static route on the 3500 telling all traffic destined to any place that is not directly connected to the 3500 to be sent to the WatchGuard IP (ie ip route 0.0.0.0 0.0.0.0 <WatchGuard IP>)

    Here are the pertinent sections of our two 3500 switches for your reference. I still have a bit of config cleanup to do, so please ignore the parts that are a bit messy:

    Core Switch (acting as router):

    trunk 27-30 trk1 trunk
    trunk 31-34 trk2 trunk
    trunk 48 trk3 lacp
    no telnet-server
    ip route 0.0.0.0 0.0.0.0 172.16.10.3
    ip routing
    router rip
    redistribute connected
    enable
    exit
    vlan 1
    name "DEFAULT_VLAN"
    no untagged 1-26,35-47,Trk1-Trk3
    no ip address
    forbid 1-25,35-39,41-47
    exit
    vlan 2
    name "Data"
    untagged 18,25,37,42-45,47
    tagged 46,Trk1-Trk3
    ip address 192.168.100.10 255.255.255.0
    ip igmp
    exit
    vlan 3
    name "External"
    untagged 26
    tagged Trk1-Trk2
    no ip address
    exit
    vlan 10
    name "Voice"
    tagged 1-17,36,39,41,46,Trk3
    no ip address
    exit
    vlan 20
    name "Servers"
    untagged 20
    tagged Trk1-Trk3
    ip address 172.16.10.1 255.255.255.224
    exit
    vlan 21
    name "Management"
    tagged Trk1-Trk3
    ip address 172.16.10.33 255.255.255.240
    exit
    vlan 22
    name "Printers"
    untagged 3,39
    tagged Trk3
    ip address 172.16.10.49 255.255.255.240
    exit
    vlan 23
    name "RJ45_Ports"
    untagged 1-2,4-17,36,40-41
    tagged Trk3
    ip address 172.16.12.1 255.255.254.0
    ip helper-address 172.16.10.6
    exit
    vlan 24
    name "Wireless"
    untagged 19,21-24,35,38
    tagged Trk3
    ip address 172.16.14.1 255.255.254.0
    ip helper-address 172.16.10.6
    ip rip 172.16.14.1
    exit
    spanning-tree Trk1 priority 4
    spanning-tree Trk2 priority 4
    spanning-tree Trk3 priority 4

    Slave Switch (extending subnets to more ports):

    trunk 48 trk3 lacp
    no telnet-server
    vlan 1
    name "DEFAULT_VLAN"
    no untagged 1-47,Trk3
    no ip address
    exit
    vlan 2
    name "DATA"
    untagged 1,4,6-14,19,23,25-26,30-35,39-40,43-45,47
    tagged Trk3
    ip address 192.168.100.20 255.255.255.0
    exit
    vlan 10
    name "VOICE"
    tagged 1-17,19,22-23,25-47,Trk3
    no ip address
    exit
    vlan 20
    name "Servers"
    tagged Trk3
    ip address 172.16.10.2 255.255.255.224
    exit
    vlan 21
    name "Management"
    tagged Trk3
    ip address 172.16.10.34 255.255.255.240
    exit
    vlan 22
    name "Printers"
    tagged Trk3
    ip address 172.16.10.50 255.255.255.240
    exit
    vlan 23
    name "RJ45_Ports"
    untagged 2-3,15-17,22,27-28,36-38,41-42,46
    tagged Trk3
    ip address 172.16.12.2 255.255.254.0
    exit
    vlan 24
    name "Wireless"
    untagged 5,18,20-21,24,29
    tagged Trk3
    ip address 172.16.14.2 255.255.254.0
    exit
    spanning-tree Trk3 priority 4

    Hope that helps you get this working.
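As an added example that is not from any post in this thread, here is the original poster's 3500 and 2910 configuration consolidated into the shape the replies above converge on: RIP off, `ip routing` on the 3500 only, one default route on the 3500, DHCP relay on whichever VLAN does not host a DHCP server, layer 2 only on the 2910s, and the 10.20.28.0/22 static route on the WatchGuard. `<dhcp-server-ip>` is a placeholder. The commands are standard ProCurve CLI and the ones not already in the thread (`no router rip`, `no ip default-gateway`, `no ip directed-broadcast`, `no snmp-server community`, `ip ssh`) should be checked against the manual for the firmware in use. The last three are security hygiene prompted by the posted config: `snmp-server community "public" unrestricted` gives read-write SNMP access with a well-known community string, `ip directed-broadcast` is not needed for `ip helper-address` relay and only widens the broadcast-amplification surface, and Telnet sends the manager password in clear text.

```text
; ---- HP 3500: the only device routing between VLANs ----
no router rip                       ; nothing else speaks RIP on this network; static routes only
no ip default-gateway               ; ignored once ip routing is on; the 0.0.0.0/0 route replaces it
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.1
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-23
   untagged 24
   ip address 192.168.1.250 255.255.255.0
   ip helper-address <dhcp-server-ip>   ; only if the DHCP server is NOT on 192.168.1.0/24
   exit
vlan 2
   name "VLAN2"
   untagged 1-23
   ip address 10.20.28.1 255.255.252.0
   no ip directed-broadcast             ; relay works without it
   ip helper-address <dhcp-server-ip>   ; only if the DHCP server is NOT on 10.20.28.0/22
   exit
no snmp-server community "public"
no telnet-server
ip ssh

; ---- each HP 2910: layer 2 only, one VLAN, all ports untagged ----
no ip routing
no ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip default-gateway 192.168.1.250     ; management traffic only; 192.168.1.1 also works once the WatchGuard route below exists

; ---- WatchGuard XTM505: static route, entered via its own management UI (syntax is vendor-specific) ----
; destination 10.20.28.0  mask 255.255.252.0  gateway 192.168.1.250  (out the 192.168.1.0/24 interface)
```

Hosts on 10.20.28.0/22 use 10.20.28.1 as their default gateway and the DHCP scope for that VLAN must cover 10.20.28.0/22, as described in #11. Hosts on 192.168.1.0/24 can keep 192.168.1.1 as their gateway, because the WatchGuard's static route sends their 10.20.28.x traffic to the 3500 and the 3500 hands the replies back on its directly connected VLAN 1 interface. The quick verification after the change is `show ip route` on the 3500 (as #12 notes) and a ping in each direction between a host on each subnet, not just from the switch.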
