I'm in the middle of slowly trying to solve my inherited ip range issue.
Currently everything is on 100.100.100.x. I am slowly moving things over to a 10.12.x.x range. Currently my Watchguard firewall on 100.100.100.222 is doing my routing for users; I want to change this so the Procurve on 100.100.100.79 does the routing instead.
The first stage has been to set up a second connection to the firewall on VLAN 99 10.12.99.1 so internet access works and I've got it working on VLAN 123.
Here is my vlan setup.
VLAN ID  Name                 | Status      Voice  Jumbo
-------  -------------------- + ----------  -----  -----
1        DEFAULT_VLAN         | Port-based  No     No
20       ISCSI                | Port-based  No     No
99       DMZ                  | Port-based  No     No
121      Client_PCs           | Port-based  No     No
122      Production           | Port-based  No     No
123      Servers              | Port-based  No     No
I can ping between VLAN 1 and 123.
I can't ping between VLAN 122 and 123.
Here is my running config
; J9145A Configuration Editor; Created on release #W.14.38
hostname "AKS-BROX-SW2"
module 1 type J9145A
interface 24
name "LINK TO FP"
exit
trunk 19-22 Trk1 LACP
trunk 6-9 Trk2 LACP
ip default-gateway 100.100.100.222
ip routing
vlan 1
name "DEFAULT_VLAN"
untagged 1-3,5,10,24,Trk1-Trk2
ip address 100.100.100.79 255.255.255.0
no untagged 4,11-18,23
exit
vlan 20
name "ISCSI"
untagged 11-18
ip address 172.16.230.253 255.255.255.0
tagged Trk1
exit
vlan 121
name "Client_PCs"
ip address 10.12.1.254 255.255.255.0
tagged Trk2
exit
vlan 122
name "Production"
ip address 10.12.2.254 255.255.255.0
tagged 1-2,5,10-11,Trk2
exit
vlan 123
name "Servers"
ip address 10.12.3.254 255.255.255.0
tagged 1-2,4-5,10-11,Trk2
exit
vlan 99
name "DMZ"
untagged 23
ip address 10.12.99.254 255.255.255.0
exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
timesync sntp
sntp unicast
sntp server priority 1 192.146.137.13 3
ip route 0.0.0.0 0.0.0.0 10.12.99.1
ip route 10.12.1.0 255.255.255.0 10.12.99.1
ip route 10.12.2.0 255.255.255.0 10.12.99.1
ip route 10.12.3.0 255.255.255.0 10.12.99.1
ip route 100.100.100.0 255.255.255.0 10.12.99.1
snmp-server community "snmp-public" operator
snmp-server community "monitor" operator
spanning-tree
spanning-tree 4 path-cost 41000
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree priority 7
no autorun
password manager
And last but not least the routing…
IP Route Entries
Destination         Gateway          VLAN  Type       Sub-Type    Metric      Dist.
------------------  ---------------  ----  ---------  ----------  ----------  -----
0.0.0.0/0           10.12.99.1       99    static                 1           1
10.12.1.0/24        Client_PCs       121   connected              1           0
10.12.2.0/24        Production       122   connected              1           0
10.12.3.0/24        Servers          123   connected              1           0
10.12.99.0/24       DMZ              99    connected              1           0
100.100.100.0/24    DEFAULT_VLAN     1     connected              1           0
127.0.0.0/8         reject                 static                 0           0
127.0.0.1/32        lo0                    connected              1           0
172.16.230.0/24     ISCSI            20    connected              1           0
I can't get VLAN 122 and VLAN 123 to talk to each other, so I assume the route is wrong, but if I try to add a route…
ip route 10.12.2.0/24 10.12.3.254
I get this error.
10.12.3.254 can not be switch IP address and route gateway at the same time.
I must have something configured wrongly, but I can't work out what it is.
Thanks
Best Answer
A 2910 with activated
ip routing
routes from and to any VLAN that it has an IP address assigned in. So, if a node can't reach one VLAN subnet from another it's likely not in the correct VLAN.
ip route 10.12.2.0/24 10.12.3.254
can't work since 10.12.2.0/24 is already connected locally and 10.12.3.254 is the switch itself - you can't tell it to route back to itself. Additionally,
don't make sense. All these subnets are local and can't be routed elsewhere.
btw: firmware version 14.38 is ancient (before 2011 when we bought 2910s)...
PS: You're binding IP addresses to all VLANs, including iSCSI and DMZ - as stated above, the 2910 will route into and out of all these networks which is most surely not intended. You'll need to either remove these IP addresses and route/filter between these VLANs elsewhere or configure ACLs that allow the traffic you want while filtering everything else. Note that the 2910 doesn't allow VLAN ACLs, only port ACLs.
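The two points in the answer (every VLAN with an IP address becomes a routed network once `ip routing` is on, and static routes to connected subnets or via the switch's own address are pointless or rejected) can be checked mechanically before a config is pushed. The following audit script is an added example, not code from the poster, the answerer or HP; it assumes the plain ProCurve running-config layout shown in the question and embeds a trimmed copy of that config as sample input. The `parse_config` and `audit` function names are my own.

```python
import ipaddress

# Trimmed copy of the running config quoted in the question (sample input for the audit).
SAMPLE_CONFIG = """\
ip default-gateway 100.100.100.222
ip routing
vlan 1
name "DEFAULT_VLAN"
ip address 100.100.100.79 255.255.255.0
exit
vlan 20
name "ISCSI"
ip address 172.16.230.253 255.255.255.0
exit
vlan 121
name "Client_PCs"
ip address 10.12.1.254 255.255.255.0
exit
vlan 122
name "Production"
ip address 10.12.2.254 255.255.255.0
exit
vlan 123
name "Servers"
ip address 10.12.3.254 255.255.255.0
exit
vlan 99
name "DMZ"
ip address 10.12.99.254 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 10.12.99.1
ip route 10.12.1.0 255.255.255.0 10.12.99.1
ip route 10.12.2.0 255.255.255.0 10.12.99.1
ip route 10.12.3.0 255.255.255.0 10.12.99.1
ip route 100.100.100.0 255.255.255.0 10.12.99.1
"""


def parse_config(text):
    """Return (ip_routing, vlans, routes) from ProCurve-style config text.

    vlans:  {vlan_id: (name, IPv4Interface)} for VLANs that carry an IP address
    routes: [(IPv4Network, gateway)] for every 'ip route' line (both mask styles)
    """
    ip_routing, vlans, routes = False, {}, []
    current, name = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ip routing":
            ip_routing = True
        elif line.startswith("vlan "):
            current, name = int(line.split()[1]), None
        elif line.startswith("name ") and current is not None:
            name = line.split(None, 1)[1].strip('"')
        elif line.startswith("ip address ") and current is not None:
            _, _, addr, mask = line.split()
            vlans[current] = (name or f"vlan{current}",
                              ipaddress.IPv4Interface(f"{addr}/{mask}"))
        elif line == "exit":
            current = None
        elif line.startswith("ip route "):
            parts = line.split()[2:]
            if "/" in parts[0]:            # ip route 10.12.2.0/24 10.12.3.254
                net, gw = parts[0], parts[1]
            else:                          # ip route 10.12.2.0 255.255.255.0 10.12.99.1
                net, gw = f"{parts[0]}/{parts[1]}", parts[2]
            routes.append((ipaddress.IPv4Network(net, strict=False), gw))
    return ip_routing, vlans, routes


def audit(text):
    """Return human-readable findings about inter-VLAN exposure and bad static routes."""
    ip_routing, vlans, routes = parse_config(text)
    findings = []
    own_ips = {str(iface.ip): vid for vid, (_, iface) in vlans.items()}
    connected = {iface.network: vid for vid, (_, iface) in vlans.items()}
    if ip_routing and len(vlans) > 1:
        names = ", ".join(f"{vid}/{n}" for vid, (n, _) in sorted(vlans.items()))
        findings.append(f"ip routing is on: switch routes freely between VLANs {names}; "
                        "add port ACLs or remove the IP from VLANs that must stay isolated")
    for net, gw in routes:
        if gw in own_ips:   # the exact case the switch rejected in the question
            findings.append(f"route {net} via {gw} rejected: {gw} is the switch's own "
                            f"VLAN {own_ips[gw]} address")
        elif net in connected:
            findings.append(f"route {net} via {gw} is redundant: subnet is directly "
                            f"connected on VLAN {connected[net]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the question's config it reports the unintended routing between all six VLANs (iSCSI and DMZ included) and flags the four static routes for 10.12.1.0/24, 10.12.2.0/24, 10.12.3.0/24 and 100.100.100.0/24 as redundant; feeding it the extra `ip route 10.12.2.0/24 10.12.3.254` line reproduces the "switch IP address and route gateway" rejection before the switch does.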