Inter-VLAN Routing – How to Perform Inter-VLAN Routing on a ProCurve 2920

hproutingswitchvlan

I've been bashing my head against this for far to long. I'm hoping someone can help me out.

I'm rebuilding a clients network and this is my first kick at routing. I decided to keep things simple. We are using 3x HP ProCurve 2920's. Two of them service user connections and the third one will act as our router and be where our server and other network uplink to.

Here is my VLAN layout:

VLAN1 - Legacy / 192.168.11.0/24
VLAN10 - General Students / 10.0.0.0/23
VLAN11 - General Staff / 10.0.20.0/23
VLAN20 - Staff Wireless / 10.0.100.0/23
VLAN21 - Student Wireless / 10.0.120.0/23
VLAN22 - Public Wireless / 10.0.140.0/23
VLAN30 - Servers / 10.0.200.0/23
VLAN40 - Management / 10.0.220.0/23

VLAN1 is the existing flat network. I am trying not to disrupt network outages while I get things working so I've left it in place on the new ProCurves. VLAN1 is currently working just fine but I suspect that is because DHCP is still handing out the firewalls IP as the default gateway and not the new .254 address I've created.

Our firewall is a Cisco RV016 and is currently in gateway mode with RIP disabled. Once I get inter-VLAN routing working I suspect I either need to create a static route that points to the Cisco for 0.0.0.0/0.0.0.0 or enable RIP routing on the firewall. For now I want to get inter-VLAN routing work and I'll tackle the firewall after.

I've done the following on all three switches:

Enabled Routing
Defined VLANs
Configured tagging for the VLANs on the uplink ports

I've done the following on our routing switch:

Given each VLAN an IP address to act as the VLANs gateway (all end in .254)
Enabled RIPv2 on all VLANs (including VLAN1)

Here is the switch config of our routing switch:

; J9729A Configuration Editor; Created on release #WB.15.16.0008
; Ver #06:0c.fc.f3.ff.37.2d:e0

hostname "LKS-S-04"
module 1 type j9729a
trunk 45-46 trk1 lacp
trunk 47-48 trk2 lacp
sntp 300
sntp server priority 1 192.168.11.10
no telnet-server
time timezone -480
no web-management
ip routing
interface 45
   flow-control
   name "LKS-S-02:45"
   exit
interface 46
   flow-control
   name "LKS-S-02:46"
   exit
interface 47
   flow-control
   name "LKS-S-03:47"
   exit
interface 48
   flow-control
   name "LKS-S-03:48"
   exit
no snmp-server enable
oobm
   ip address 192.168.11.251 255.255.255.0
   ip default-gateway 192.168.11.1
   exit
router rip
   redistribute connected
   enable
   exit
vlan 1
   name "VLAN1 - School Scope (LEGACY)"
   untagged 1-44,A1-A2,B1-B2,Trk1-Trk2
   ip address 192.168.11.254 255.255.255.0
   ip rip 192.168.11.254
   exit
vlan 10
   name "VLAN10 - General Students"
   tagged Trk1-Trk2
   ip address 10.0.1.254 255.255.254.0
   ip helper-address 192.168.11.10
   ip rip 10.0.1.254
   exit
vlan 11
   name "VLAN11 - General Staff"
   tagged Trk1-Trk2
   ip address 10.0.21.254 255.255.254.0
   ip helper-address 192.168.11.10
   ip rip 10.0.21.254
   exit
vlan 20
   name "VLAN20 - Staff Wireless"
   tagged Trk1-Trk2
   ip address 10.0.101.254 255.255.254.0
   ip helper-address 192.168.11.10
   ip rip 10.0.101.254
   exit
vlan 21
   name "VLAN21 - Student Wireless"
   tagged Trk1-Trk2
   ip address 10.0.121.254 255.255.254.0
   ip helper-address 192.168.11.10
   ip rip 10.0.121.254
   exit
vlan 22
   name "VLAN22 - Public Wireless"
   tagged Trk1-Trk2
   ip address 10.0.141.254 255.255.254.0
   ip helper-address 192.168.11.10
   ip rip 10.0.141.254
   exit
vlan 30
   name "VLAN30 - Servers"
   tagged Trk1-Trk2
   ip address 10.0.201.254 255.255.254.0
   ip helper-address 192.168.11.10
   ip rip 10.0.201.254
   exit
vlan 40
   name "VLAN40 - Management"
   tagged Trk1-Trk2
   ip address 10.0.221.254 255.255.254.0
   ip helper-address 192.168.11.10
   ip rip 10.0.221.254
   exit
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator

and here is one of my client access switches

; J9729A Configuration Editor; Created on release #WB.15.16.0008
; Ver #06:0c.fc.f3.ff.37.2d:e0

hostname "LKS-S-02"
module 1 type j9729a
trunk 45-46 trk1 lacp
sntp 300
sntp server priority 1 192.168.11.10
no telnet-server
time timezone -480
no web-management
ip routing
interface 45
   flow-control
   name "LKS-S-04:45"
   exit
interface 46
   flow-control
   name "LKS-S-04:46"
   exit
no snmp-server enable
oobm
   ip address 192.168.11.253 255.255.255.0
   ip default-gateway 192.168.11.1
   exit
router rip
   no redistribute connected
   enable
   exit
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-44,47-48,A1-A2,B1-B2,Trk1
   no ip address
   exit
vlan 10
   name "VLAN10 - General Students"
   tagged Trk1
   no ip address
   exit
vlan 11
   name "VLAN11 - General Staff"
   tagged Trk1
   no ip address
   exit
vlan 20
   name "VLAN20 - Staff Wireless"
   tagged Trk1
   no ip address
   exit
vlan 21
   name "VLAN21 - Student Wireless"
   tagged Trk1
   no ip address
   exit
vlan 22
   name "VLAN22 - Public Wireless"
   tagged Trk1
   no ip address
   exit
vlan 30
   name "VLAN30 - Servers"
   tagged Trk1
   no ip address
   exit
vlan 40
   name "VLAN40 - Management"
   tagged Trk1
   ip address 10.0.220.2 255.255.254.0
   exit
spanning-tree Trk1 priority 4
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator

If I give a client a static IP on any of the new VLANs it can ping it's default gateway regardless of which switch it's physically plugged into. It can't go any further than that.

Here is a 'show ip route' from the routing switch:

LKS-S-04(config)# show ip route

                                                                     IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  10.0.0.0/23        VLAN10 - Gen... 10   connected            1          0
  10.0.20.0/23       VLAN11 - Gen... 11   connected            1          0
  10.0.100.0/23      VLAN20 - Sta... 20   connected            1          0
  10.0.120.0/23      VLAN21 - Stu... 21   connected            1          0
  10.0.140.0/23      VLAN22 - Pub... 22   connected            1          0
  10.0.200.0/23      VLAN30 - Ser... 30   connected            1          0
  10.0.220.0/23      VLAN40 - Man... 40   connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  192.168.11.0/24    VLAN1 - Scho... 1    connected            1          0

and from a client access switch:

LKS-S-02(config)# show ip route

                                                                     IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  10.0.220.0/23      VLAN40 - Man... 40   connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0

The routes aren't being picked up by the client access switches is my guess but I thought the whole point of RIP was that it took care of that for me.

Any assistance would be greatly appreciated.

Update 1 – 2015-06-18 @ 15:24

I've disabled routing on the two user access switches and disabled RIP on my RS.

It looks like I can put myself on any of those VLANs and ping any of the other new VLANs gateways but not other hosts that are currently on the new VLANs.

I still cannot get out to the internet (even with a default route on the RS to my firewall) AND I cannot access my 192.168.11.0 legacy network with or with out a static route to it assigned to my RS.

Here is the new config for the RS:

; J9729A Configuration Editor; Created on release #WB.15.16.0008
; Ver #06:0c.fc.f3.ff.37.2d:e0

hostname "LKS-S-04"
module 1 type j9729a
trunk 45-46 trk1 lacp
trunk 47-48 trk2 lacp
sntp 300
sntp server priority 1 192.168.11.10
no telnet-server
time timezone -480
no web-management
ip route 0.0.0.0 0.0.0.0 192.168.11.1
ip route 192.168.11.0 255.255.255.0 192.168.11.1
ip routing
interface 45
   flow-control
   name "LKS-S-02:45"
   exit
interface 46
   flow-control
   name "LKS-S-02:46"
   exit
interface 47
   flow-control
   name "LKS-S-03:47"
   exit
interface 48
   flow-control
   name "LKS-S-03:48"
   exit
no snmp-server enable
oobm
   ip address 192.168.11.251 255.255.255.0
   ip default-gateway 192.168.11.1
   exit
vlan 1
   name "VLAN1 - School Scope (LEGACY)"
   no untagged 8-9
   untagged 1-7,10-44,A1-A2,B1-B2,Trk1-Trk2
   ip address 192.168.11.254 255.255.255.0
   exit
vlan 10
   name "VLAN10 - General Students"
   tagged Trk1-Trk2
   ip address 10.0.1.254 255.255.254.0
   ip helper-address 192.168.11.10
   exit
vlan 11
   name "VLAN11 - General Staff"
   tagged Trk1-Trk2
   ip address 10.0.21.254 255.255.254.0
   ip helper-address 192.168.11.10
   exit
vlan 20
   name "VLAN20 - Staff Wireless"
   tagged Trk1-Trk2
   ip address 10.0.101.254 255.255.254.0
   ip helper-address 192.168.11.10
   exit
vlan 21
   name "VLAN21 - Student Wireless"
   tagged Trk1-Trk2
   ip address 10.0.121.254 255.255.254.0
   ip helper-address 192.168.11.10
   exit
vlan 22
   name "VLAN22 - Public Wireless"
   tagged Trk1-Trk2
   ip address 10.0.141.254 255.255.254.0
   ip helper-address 192.168.11.10
   exit
vlan 30
   name "VLAN30 - Servers"
   tagged Trk1-Trk2
   ip address 10.0.201.254 255.255.254.0
   ip helper-address 192.168.11.10
   exit
vlan 40
   name "VLAN40 - Management"
   untagged 8-9
   tagged Trk1-Trk2
   ip address 10.0.221.254 255.255.254.0
   ip helper-address 192.168.11.10
   exit
vlan 99
   name "ROUTING"
   tagged Trk1-Trk2
   ip address 10.0.250.4 255.255.255.0
   exit
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator

and here is one of the client switches:

; J9729A Configuration Editor; Created on release #WB.15.16.0008
; Ver #06:0c.fc.f3.ff.37.2d:e0

hostname "LKS-S-02"
module 1 type j9729a
trunk 45-46 trk1 lacp
sntp 300
sntp server priority 1 192.168.11.10
no telnet-server
time timezone -480
no web-management
interface 45
   flow-control
   name "LKS-S-04:45"
   exit
interface 46
   flow-control
   name "LKS-S-04:46"
   exit
no snmp-server enable
oobm
   ip address 192.168.11.253 255.255.255.0
   ip default-gateway 192.168.11.1
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 47
   untagged 1-44,48,A1-A2,B1-B2,Trk1
   no ip address
   exit
vlan 10
   name "VLAN10 - General Students"
   tagged Trk1
   no ip address
   exit
vlan 11
   name "VLAN11 - General Staff"
   tagged Trk1
   no ip address
   exit
vlan 20
   name "VLAN20 - Staff Wireless"
   tagged Trk1
   no ip address
   exit
vlan 21
   name "VLAN21 - Student Wireless"
   tagged Trk1
   no ip address
   exit
vlan 22
   name "VLAN22 - Public Wireless"
   tagged Trk1
   no ip address
   exit
vlan 30
   name "VLAN30 - Servers"
   tagged Trk1
   no ip address
   exit
vlan 40
   name "VLAN40 - Management"
   untagged 47
   tagged Trk1
   ip address 10.0.220.2 255.255.254.0
   exit
vlan 99
   name "ROUTING"
   tagged Trk1
   ip address 10.0.250.2 255.255.255.0
   exit
spanning-tree Trk1 priority 4
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator

and routes on the RS:

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          192.168.11.1    1    static               1          1
  10.0.0.0/23        VLAN10 - Gen... 10   connected            1          0
  10.0.20.0/23       VLAN11 - Gen... 11   connected            1          0
  10.0.100.0/23      VLAN20 - Sta... 20   connected            1          0
  10.0.120.0/23      VLAN21 - Stu... 21   connected            1          0
  10.0.140.0/23      VLAN22 - Pub... 22   connected            1          0
  10.0.200.0/23      VLAN30 - Ser... 30   connected            1          0
  10.0.220.0/23      VLAN40 - Man... 40   connected            1          0
  10.0.250.0/24      ROUTING         99   connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  192.168.11.0/24    VLAN1 - Scho... 1    connected            1          0

and from the firewall: https://img.fizi.ca/di/DMIC/firewallRoutes.png

and a sample static routes I've configured on the firewall to access the new VLANs: https://img.fizi.ca/di/24OO/staticRoutes.png

So close!

Update – 2015-06-18 @ 16:49

Progress. I found the error I made configuring the routes on the RV016. I should have set the gateway to 192.168.11.254 (the IP for VLAN 1 that resides on my RS). That looks like it fixed everything.

Best Answer

Your access switches operate at layer-2 -- they're "just switches". At layer-2, everything funnels back to the routing-switch. The routing switch then moves ("routes") traffic between vlans. All of this looks fine, so far.

The issue is, you cannot ping anything in 192.168.11.0/24 from any of the other VLANs? (i.e. the firewall and thus the path to the internet) That's because nothing else in the network knows about the other networks. Traffic is getting to 192.168.11.0/24, but the reply will follow the default route to the firewall, or if you ping the firewall, it's default towards the internet.

You should be able to talk to things in the other vlans from any of the new vlans, because they're default gateway is the routing-switch.

(also, I cannot recommend the use of RIP. EVER. Your network is tiny and (mostly) static, so it's unnecessary. The firewall is the only thing that needs to know about the other networks.)

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Vlan – Setting up PIM Sparse mode

My questions are:

Should we setup on our core network switch OSPF with a router ID of 1.1.1.1 and then not set any OSPF settings on any other switch?

OSPF is not necessary for this implementation.

Would PIM Sparse Mode only need to be enabled on the core switches or on all of the switches in the network?

Pim-SM needs to be enabled on each L3 interface on which you want to allow the multicast traffic. For example, if you wish to contain the traffic to Vlans 15 and 14, you would have to do the following on your core:

configure
ip multicast
ip igmp
ip pim sparse
interface vlan 14
ip igmp
ip pim
interface vlan 15
ip igmp
ip pim
exit

If you want the traffic to traverse all Vlans, then you will need the appropriate interface configuration under each Vlan. Your L2 switches will need IGMP snooping turned on (ideally on all interfaces via the global configuration).

configure
ip igmp snooping 
bridge multicast filtering

For a very basic multicast setup like this, these should be the only features that you would need.

Best Answer

Related Solutions

Cisco ASA Routing Issue

Your ASA configuration:

ASA static routing example:

Your Cisco Router's configuration:

Router static routing example:

Vlan – Setting up PIM Sparse mode

Related Topic