Flat switch connecting to a vlan

Status
Not open for further replies.

picnmix

Technical User
Apr 8, 2005
Hi,
I have a setup where I have two separate networks; both are flat switches, in other words there are no VLANs, just the default VLAN 1.
I have a nice HP 2910 48 port layer switch which I want to connect to both networks. The first network was easy to set up: using the default VLAN I assigned (untagged) the first 24 ports to "vlan1" and set up a trunk with two of the ports to another switch.

The second half of the switch has proved to be harder and I haven't got it working. I assigned (untagged) ports 25-48 to a new VLAN "vlan 200", set up two of the ports to be a trunk, made sure the trk (trk2) was part of vlan 200 and thought that would be it. But I cannot communicate with other switches. The switches it connects to have no VLAN (just the default vlan1), but being as I had the vlan200 ports untagged I thought there wouldn't be any extra "tags" on the packets and it would therefore work with a flat (no VLANs) switch?

What am I missing?
 
First step: Can a host in the VLAN200 subnet on the 2910 communicate with another host on the VLAN200 subnet on a different switch?

Observation: By plugging your 2910 VLAN200 (untagged) interfaces into your other switch VLAN1 (untagged) interfaces, you are bridging the two VLANs. Not ideal. Sometimes this has to be done, (and I've done it in exactly the same circumstance you are doing: merging two foreign networks with each other) but it would be a bad design and could be confusing.

Suggestion: get rid of the "trunk". Connect the 2910 VLAN200 interface to your other switch using just one simple port, configured as VLAN 200 untagged. Address one problem at a time.

Prediction: I predict your problem is that you don't actually have your inter-VLAN routing set up. I can't remember if the 2910 is actually a Layer-3 switch or not. Supposing it is, you need a VLAN1 interface on it with the VLAN1 gateway address on it as well as a VLAN200 interface with the VLAN200 gateway address on it. Assuming you have actually given the switch an interface in both VLANs, in the correct subnet for each, I am supposing your hosts on both networks are configured with gateway addresses that are not the addresses you have put on the 2910. Therefore your ping from one device to another either doesn't know the path, or the reply doesn't know the path. You can fix this in a number of ways:
- give the two hosts that are trying to ping each other a static route with the logic of:
(VLAN1 Host) : VLAN200 subnet --> VLAN1 2910 interface IP address
(VLAN200 Host) : VLAN1 subnet --> VLAN200 2910 interface IP address.

- on your existing gateways, add a static route as above, pointing to the 2910 interface addresses

- migrate your gateway addresses from your existing gateways to your 2910
 
The 2910 switch is a layer 3 switch on which you can do static routing and RIP1/RIP2. Enable "ip routing" on your 2910 so the two VLANs can "talk". You don't mention what your other switches are, so like Vince mentioned, I would keep it simple to start off with and do away with the trunk till you get things up and going like you like; then you can maybe introduce the trunk back if the other switch can do 802.3ad Link Aggregation Protocol (LACP) or if they are also HP switches and thus could also do HP trunking (not to be confused with Cisco trunking). HP trunking is proprietary to HP switches, so if the other switches are not HP, then you need to use the industry standard LACP.

Assign each VLAN interface an IP address, then like Vince mentioned, make that VLAN interface's IP address the gateway for your nodes on that particular VLAN subnet, and establish appropriate routes on other router/firewall/gateway devices that need to know how to get to the other VLAN subnet created that the router/firewall/gateway is not already on (i.e. if your firewall is on the same subnet as your VLAN 1, then there is no need to create a route to that subnet as it is already on it; but it will need to know how to get to your subnet that is VLAN200, so your route to that network will be the next hop for the firewall, which is the 2910's VLAN 1 IP address). You won't have to create a route on the 2910 for VLAN 1 to talk to VLAN 200 as they are directly connected interfaces. The only route you need to create on the 2910 is to other subnets...say the Internet... so something like
ip route 0.0.0.0 0.0.0.0 192.168.1.1 (or whatever your network address of your ISP firewall/router)

If you are needing each of your switches downstream to do both VLANs, then you'll "tag" that uplink port under both VLAN interfaces (VLAN 1 is done like this by default, so you wouldn't really need to do it on that one). Then again, depending on your downstream switches' manufacturer, you would tag that connecting port, create the same VLANs on those switches (basically doing the same as you did on the 2910 except for enabling routing), and divvy out the ports untagged (or whatever your manufacturer calls it) to the appropriate VLAN (if you have Cisco, you will trunk the port like you tag on an HP, and you will have an access port like you would untag on an HP). If the downstream switch will be purely in one VLAN subnet or the other, then just like Vince mentioned, simply untag the uplink port on the 2910 that feeds to your downstream switch.

Post back if you have any follow up questions.
 
Thanks for the replies, that's some great information.
I have drawn a Visio diagram to give a clearer picture. To clear up some points: these two networks cannot talk to each other, they must be separate. Each network has its own firewall and internet access. I just want to use half the switch for one network and the other half for the other. The network on the left works fine without any problems whatsoever. I think I may be looking into this too much regarding the second network. So you are saying I need to add a default gateway for the second VLAN? All of the machines connected to the switch will have a default gateway set on their network cards, do I still need the gateway?? Is that what's stopping it working?

I have removed the trunk off vlan 200 and just connected it via a normal cat 5 cable.

I have included on the Visio some of the script from the HP switches. All of the switches are HP; all switches are layer 3, even if they are not all configured as such.

Thanks for the help.

 
 http://www.mediafire.com/file/nnb0yafj46ubp0a/Drawing1.pdf
Your diagram is then a little confusing based on your statement that the two networks must be kept separate and not talk to each other, yet you have both networks using VLAN 1 and on the same subnet, and the ip dns server on the second network references addresses on the first. If all you want to do is use some ports off of that middle switch in your diagram, then create two distinct VLANs (not using VLAN 1, which is your main problem here). Say VLAN 100 and VLAN 200. Divvy out half the ports to VLAN 100 and the back half to VLAN 200. Then that's it... don't worry about trying to pass that VLAN tag info to your other switches as you are not trying to use that as a layer 3 switch. You really need to look at creating a VLAN outside of VLAN 1 across your network anyway as best practice.

"all of the machines connected to the switch will have a default gateway set on their network cards" well then you'll never be able to communicate as they need that gateway of 192.168.2.1 based on your diagram, which again is a point of confusion as your config says one thing and your pictures show addressing of 172.16.x.x. Your diagram is really disheveled and makes it really hard to read.

Just remember this main point which I think some of your problem stems. If you have ports on VLAN 1 on multiple switches and you connect those switches together, then by default, all ports on are untagged and tagged to pass layer 2 traffic. One of the many reasons not to use VLAN 1.
 
OK, so if you don't want them to communicate, then you need for the 2910 to NOT do IP routing.

As you have done, put half the 2910 ports in one VLAN, half in the other, and with IP routing NOT enabled, everything should work fine. None of your hosts need to be changed in any way: their default GW stays the same ( their existing firewall IP address).
 
vinceWhirlwind - This is what I thought, but I couldn't get machines to talk to each other across the switches. I'm going to try again I must have missed something. Thanks

Cajuntank - sorry the diagram was rushed. Totally agree with you about moving off vlan1- wasn't my config and will be removed soon but for the time being it stays as it is.

So I am correct in saying that as long as the port/ports are untagged and only in one VLAN they do not send over a tagged packet and therefore should work fine with a non-VLAN switch?

Thanks for the help
 
Yes. Untagged means no 802.1q tagging is happening at all - frames have no tag in them. The switch will treat them internally as belonging to whichever VLAN is default for the port they came into the switch on.

I thought Cajun was a bit hard on your diagram, but it doesn't look like any diagrams I've ever done:
1 - get the visio shapes representing the actual hardware you have
2 - when trying to illustrate the VLAN membership of port groups, don't point annotated arrows at them, actually draw a box around the group of ports and give this box a fairly transparent light highlight kind of colour. So you have a picture of the switch and half of it is highlighted pink, the other half highlighted in yellow. Pink is then labelled "VLAN100" and yellow is labelled "VLAN200"

There's a website somewhere called "rate my network diagram . com". Have a look at it for ideas. (Lots of the diagrams are rubbish, most of them are very very dated, but some are good).
 
Hi Guys,
I still need some help on this. I still cannot get my switch on the second VLAN to work, I can't ping anything etc....

I thought I just had to set the ports to untagged and then connect to the other switch, but when I plug a machine in to one of the vlan 200 ports it doesn't talk to the machines.

Rather than refer to the diagram or anything else that may confuse the setup, can I give you a scenario to work from and you show me the scripts?

three switches, 2 networks, 2 vlans, network 1 192.168.1.0/24, network 2 192.168.2.0/24
2 routers 192.168.1.254, 192.168.2.254
The networks should not communicate with each other.
switch 1 needs to be part of network 1 it should use the default vlan
switch 2 needs to be split so half the ports are part of network 1, half the ports are part of network2 this will be set to the second vlan, all ports will be untagged.
switch 3 needs to be part of network 2 it should be set to use the default vlan

switch 1
ip default-gateway 192.168.1.254
vlan 1
name "DEFAULT_VLAN"
untagged 1-48
ip address 192.168.1.1 255.255.255.0
exit

switch 2
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address 192.168.1.2 255.255.255.0
no untagged 25-48
exit
vlan 2
name "second_vlan"
untagged 25-48
ip address 192.168.2.2 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.1.254

switch 1
ip default-gateway 192.168.2.254
vlan 1
name "DEFAULT_VLAN"
untagged 1-48
ip address 192.168.2.1 255.255.255.0
exit



What am I doing wrong? I really can't see it.
Please help


Thanks
Picnmix
 
I've bridged VLANs on Procurve switches, so even though switch 3 should really have all ports untagged in vlan2, it should work anyway.

What you haven't shown us here is which ports are patched to which ports. Can you just give us the list of patched ports?
 
Hi thanks for the reply. Port 48 on switch 1 is connected to port 1 of switch 2. Port 48 of switch 2 is connected to port 1 of switch 3. Sorry just noticed I have a spelling mistake I've listed switch 1, switch 2, switch 1. It should be switch 1, switch 2, switch 3.
 
That looks fine, but my question is why do you have an ip route on switch 2? I know you are not showing your entire config, but are you sure you don't have "ip routing" turned on, on switch 2? If you did, and you have this 0.0.0.0 default route, this could be causing some of the issue.
 
Yeah, in fact the not-so-subtle giveaway is the fact the 2910 has IP addresses on both VLAN interfaces. Get rid of one of them and disable IP routing.
 
Ahh ok,
but I won't be able to ping other switches' machines from the switch if I do that, will I? It's not a big deal so long as the machine using the switch can communicate with other servers.

Is there a way to assign a default gateway for each VLAN?

Thanks for the help guys, you've been great.


Cheers
picnmix
 
No, the use of the switch in the scenario you are wanting needs to operate in layer 2 mode only. You can only specify one default-gateway for the switch itself, not its interfaces (being VLANs in this situation). Assigning the switch an IP address and setting a default gateway will allow it to be manageable from only one of the networks, not both. Again, layer 2 switch operation, not layer 3.

When you say you will not be able to ping other switches' machines from the switch...I'm not quite sure I follow. If you have your gateway address defined correctly on your machines (which in looking back at your pdf, should be the one you have labeled HP Core switch for network 1; then one of the switches on network 2 for "core" switch... again, never really did follow the 172.x.x.x addressing you have labeled on the switches in network 2, but then 192.168.2.x setting on the config. It's like you wanted the two networks to talk according to your config, but in essence, you really did not according to your posts).

Hope that helps.
 
I'm still stuck.
I have removed the IP addresses from switch 2 and double and triple checked that ip routing is not on. I've removed static routes and anything else that had an IP address on it. I've even checked the menu system against my config to make sure.

I've checked over my cables and everything else I can think of but I still cannot get these working as layer 2. One thing I thought might be causing the problem is that switch 3 has static routes, a default gateway and an IP address for the switch. Will this stop or have an effect on switch 2 and not allow it to communicate??


Thanks
PicNMix
 
Maybe you should post your complete config from all three switches. You have made changes and seeing what you currently have might provide us with enough info to help you further.
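
The three-switch scenario discussed in this thread, as an added example that is not part of any poster's message or of HP's tooling: a small Python model that works out which untagged port groups end up in the same layer 2 domain once patched together, and flags a switch that would route between the two networks. The port layout and patching follow the posts above; the function names and the `ip routing` state of switch 2 are assumptions.

```python
# Added example: constructed model of the thread's three-switch scenario.
from itertools import combinations

def l2_domains(untagged, cables):
    """Group (switch, vlan) segments that untagged patch cables join together."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for sw, ports in untagged.items():
        for vlan in set(ports.values()):
            find((sw, vlan))
    for (sw_a, port_a), (sw_b, port_b) in cables:
        # No 802.1Q tag on the wire: each end files the frame under its own
        # port VLAN, so the VLAN IDs at the two ends need not match.
        a = find((sw_a, untagged[sw_a][port_a]))
        b = find((sw_b, untagged[sw_b][port_b]))
        parent[a] = b
    groups = {}
    for seg in list(parent):
        groups.setdefault(find(seg), set()).add(seg)
    return sorted(sorted(g) for g in groups.values())

def routed_leaks(domains, l3_vlans, ip_routing):
    """Switches that would route between two otherwise separate L2 domains."""
    where = {seg: i for i, dom in enumerate(domains) for seg in dom}
    leaks = []
    for sw, vlans in l3_vlans.items():
        if not ip_routing.get(sw):
            continue  # layer 2 only: IP interfaces are just management
        for v1, v2 in combinations(sorted(vlans), 2):
            if where[(sw, v1)] != where[(sw, v2)]:
                leaks.append((sw, v1, v2))
    return leaks

# Port layout from the scenario post; patching as the poster listed it.
UNTAGGED = {
    "switch1": {p: 1 for p in range(1, 49)},
    "switch2": {**{p: 1 for p in range(1, 25)}, **{p: 2 for p in range(25, 49)}},
    "switch3": {p: 1 for p in range(1, 49)},
}
CABLES = [(("switch1", 48), ("switch2", 1)), (("switch2", 48), ("switch3", 1))]
DOMAINS = l2_domains(UNTAGGED, CABLES)
# switch2 as posted had IP addresses on both VLANs; ip routing on is assumed.
L3 = {"switch2": {1, 2}}
print(DOMAINS, routed_leaks(DOMAINS, L3, {"switch2": True}))
```

With the patching as listed, the model yields two separate layer 2 domains, and switch 2 only joins them if it has IP interfaces in both VLANs with routing enabled.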
 