HP Procurve 2610 - tagged traffic rejected by MAC OS and Linux OS c

[cpanti]

HP Procurve 2610 - tagged traffic rejected by MAC OS and Linux OS clients


In a hotel environment, I'm using a Zyxel VSG-1200V2 as a gateway.
The Zyxel VSG-1200V2 has a nice functionality that allows it to identify the room number and send the internet bill directly into the PMS (Property Management System).
This functionality is called "Port Location Mapping" and it is based on the 802.1q tagging.
The hotel is using HP Procurve (2524 or 2610) switches.
My problem is that the VSG1200 v2 can receive and recognize packets with VLAN tag, but it does not support sending back packets with VLAN tags. All packets that go out from VSG1200v2 are un-tagged.

Basically in order to be able to identify the location I need to create a VLAN for each room.
If the VSG answer is not tagged I need to use the default VLAN (1) for the reverse traffic.
For the Windows clients this is working, but for the MAC OS and some Linux OS clients it is not working.
After sniffing the traffic ... as a client ... I’ve realized that the incoming packages are VLAN tagged (with VLAN 1) and rejected by the OS.

I see two solutions to my problem:
1. if the packages sent by VSG will be tagged ... the reverse traffic will use the same VLAN and the client will receive them untagged (hard to get)
2. on the Procurve switch port 1,2,... (rooms) should never forward the VLAN tagging to their clients, even if the ports are appearing as tagged
(as far as I saw the Zyxel switches allows you to do this)

The best and the most secure solution is no. 1, but as it is hard to get I'm looking for solution 2.
And here I need your help.

The configuration of the HP switch is:
- port 1 is room 101 (VLAN 101) (port 1 untagged, port 24 tagged)
- port 2 is room 102 (VLAN 102) (port 1 untagged, port 24 tagged)
- port 24 is used as uplink (connected to LAN port of the VSG).
- default VAN 1 (VLAN 1) (port 24 untagged, port 1,2,3,... tagged)

Is there a way of setting the switch not to send the VLAN tag even if it is set as tagged?
Thanks and regards,
Catalin

 

[cpanti]

1. is not an option.
I have an official answer from Zyxel support team saying:
> I will add it as feature request to our PM if it can be modified in the future.
> Not each vendor switch has same behavior. Just like one vendor switch can support tag in and untag out but another vendor can't do it.
> So we can not help on it. We hope you can understand it.

Catalin

 

[VinceWhirlwind]

Upgrade to layer3 switches at the edge, and get them to route back to the Zyxel, which will send all the traffic to the Zyxel with no 802.1q tags.
Except I thought you needed the tags, so the Zyxel can identify which room the traffic is from?

The other way of doing it could be to get some asymmetric routing going - receive everything at the Zyxel the way you are doing now, but have the Zyxel send all traffic out a completely different interfcae to a layer3 switch or router which could feed the frames back into their correct VLANs and thus deliver them tagged back to the edge switches.

Alternatively, just get this working properly by getting a router that supports 802.1q properly.

 

[cpanti]

Hi Vince,

802.1q tags help the Zyxel router to identify the room.
Replacing the VSG-1200 with another router that supports 802.1q properly is definitely the best solution, but I need to find a router that also have a PMS interface (Fidelio in my case) ... and I couldn't find it so far.

Feeding the frames back into their correct VLAN sounds like a solution, but it's sounds very complicated. Not sure that it is possible, even with a L3 switch.


Basically all I need is an option to drop the 802.1q tags (MTU 1518 not 1522) on port X (room) ... even if the port is tagged into a VLAN.
I'm wondering how other switches can handle this.

Catalin

 

[VinceWhirlwind]

Feeding the frames back into their correct VLAN sounds like a solution, but it's sounds very complicated. Not sure that it is possible, even with a L3 switch."

No, I don't think so - this is how it would go:

- On the Zyxel, you have a default route pointing out an interface to a (new) layer3 switch.
- The link between Zyxel and L3 switch is a routed link, with a (unique) point-to-point subnet in use.
- The L3 switch therefore receives all this traffic untagged.
- The Layer3 switch has an IP-addressed interface in each VLAN.
- Therefore the L3 switch routes the traffic onto the correct VLAN (based on the IP address).
- The L3 switch trunks (tagged) VLANs back into your core switch (tagged).
- The core switch receives all the traffic tagged and on the correct VLANs therefore has no trouble trunking it back out to the correct edge on the correct VLAN.

It's bodgy, but very simple.

 

[cpanti]

SOLVED
I've replaced the HP Procurve switches with TP-LINK TL-SL3452.
TL-SL3452/TL-SL3428 switches allows you to configure a port as untagged in more than one VLAN.
Another solution is the Zyxel ES3148 switch ... but this switch is almost three times more expensive than the TP-LINK TL-SL3452 switch.