Friday, September 21, 2012

HP ProCurve Inter-VLAN routing with a Cisco ASA firewall

Long-winded network post ahead! You have been warned.

As part of my network overhaul here at work, I wanted to transform our current semi-flat network into a multi-tiered, access-controlled, dynamic network that could grow with the company. Our existing network has been plagued with broadcast storms caused by the rogue engineering DHCP server being accidentally connected to the office network. To do this I purchased new switch gear that supports L3 routing and VLANs. This new gear allows me to separate our large broadcast domain into smaller, department-based broadcast domains using VLANs and inter-VLAN routing. The existing network gear, while functional, lacked the capability of inter-VLAN routing and struggled under our daily office load with only two VLANs. I can't say I will miss the old Netgear switches, but they were barely able to support the traffic when we were a 30-person company and are unstable with the 70+ we have now.

Wanting to keep a fairly tight budget, I ended up choosing HP ProCurve 2510 and 2520 PoE switches for distribution and a 5406zl loaded with 1Gb modules for my core. The 2510/2520 are layer 2 gigabit switches and the 5406 is layer 3. If I had a larger budget, an EDU discount, or was purchasing a huge lot of gear, I would probably have gone Cisco 3750G/2960G. The HP gear is very competitive, offering a lifetime warranty, lifetime support, and the cheapest 10GBASE-T I could find. I have worked with HP in the past and have found it very similar to manage. The menu-based command-line interface makes it a breeze for the novice, but I still prefer the plain old command line.

My firewalls were a tough choice. I wanted something that could support 250+ SSL VPN connections, a gigabit Metro-E line, a 100Mb EDI line, and have enough throughput to handle all of this. After looking at Fortigate, Juniper, and Cisco, I ended up choosing four Cisco ASA 5515-Xs. Each site will have two, set up in Active/Active, serving up a maximum of 500 SSL VPN connections per site. I sacrificed the ability to load balance across two or more internet connections, but our EDI line makes up for that. These, at least for now, should be able to handle everything we throw at them.

In the last few weeks, I set up all of the HP switch gear in a test environment, along with an ESXi host with multiple quad-port NICs. I wanted to simulate having multiple machines across multiple switches to ensure my configs would work. Starting out, I got everything up and working. I could ping between VLANs, but I did not have a DHCP server to test ip helper-addresses or an internet connection. This week I added a Server 2008 R2 box, set up DHCP/AD/DNS, and connected a spare Cisco ASA 5505 running 8.4. After a few hours of research through somewhat helpful posts, I came up with the following basics for using inter-VLAN routing on HP ProCurve switches with a Cisco ASA.

Helpful tips:

1) Your core must be a Layer 3 switch. In my lab it is the hp2910al-24g. It is not possible to do this without an L3 switch.

2) On the core, there should be no default gateway. I have seen this far too often as the problem in my research.

3) Enable IP routing on the core switch.
    hp2910al-24g:# ip routing

4) Once you create additional VLANs, only use the default VLAN for switch management if possible.
    hp2910al-24g:# config
    hp2910al-24g:# vlan 10
    hp2910al-24g:(Vlan 10)#

5) Assign IP addresses to each VLAN, on the core only!
    hp2910al-24g:(Vlan 10)# ip address 10.1.0.1/24

6) Assign an ip helper-address for your DHCP server to each VLAN on the core switch (except the one it natively lives on) and add each scope to the DHCP server.
    hp2910al-24g:(Vlan 20)# ip helper-address 10.1.0.2

7) Be sure to tag (tagged) the VLANs on your trunks (trk 1-24) to the distribution switches, and on the distribution switches back to the core. Otherwise only local traffic on the untagged ports will flow on the core.
    hp2910al-24g:(Vlan 10)# tagged Trk1

8) Set a static default route to your router's IP (replacing 10.1.0.1 with your router's IP):
    hp2910al-24g:# ip route 0.0.0.0 0.0.0.0 10.1.0.1

9) Set a static route on the ASA back to your core switch, where 10.0.0.0 255.0.0.0 is your inside subnet and 10.1.0.254 is the core switch. My router is plugged in to VLAN 10, which is 10.1.0.0; this must match! Your router's internal IP must be on the same subnet as the core switch's VLAN IP.
    ciscoasa5505:# route Inside 10.0.0.0 255.0.0.0 10.1.0.254

10) ALWAYS use the IP of the VLAN as the DHCP default gateway; otherwise nothing will work!
    Example: VLAN 20, IP 10.1.1.254
    xptestbox:# ipconfig /all
        IP: 10.1.1.100
        Subnet: 255.255.255.0
        Gateway: 10.1.1.254
        DNS: 10.1.0.2

11) Restart everything once the configs are made and SAVED.
    hp2910al-24g:# wr mem

12) Enjoy your working network!

Example configs:

2910al-24g:

; J9145A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-24G"
module 1 type j9145a
trunk 23-24 trk1 trunk
ip route 0.0.0.0 0.0.0.0 10.1.0.1
ip routing
snmp-server community "public" unrestricted
spanning-tree Trk1 priority 4
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-22
   tagged Trk1
   ip address 10.0.0.254 255.255.255.0
   exit
vlan 10
   name "VLAN10"
   untagged 1-10
   tagged Trk1
   ip address 10.1.0.254 255.255.255.0
   exit
vlan 20
   name "VLAN20"
   untagged 11-20
   tagged Trk1
   ip address 10.1.1.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit
vlan 30
   name "Vlan30"
   tagged Trk1
   ip address 10.20.30.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit
vlan 99
   name "VLAN99"
   untagged 21-22
   tagged Trk1
   ip address 10.1.99.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit

2510G-24:
hostname "00005- 2510-24g"
trunk 23-24 Trk1 Trunk
ip default-gateway 10.0.0.254
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   ip address 10.0.0.253 255.255.255.0
   tagged Trk1
   no untagged 1-22
   exit
vlan 10
   name "VLAN 10"
   tagged Trk1
   exit
vlan 20
   name "VLAN 20"
   tagged Trk1
   exit
vlan 99
   name "Vlan 99"
   tagged Trk1
   exit
vlan 30
   name "VLAN 30"
   untagged 1-22
   tagged Trk1
   exit
spanning-tree Trk1 priority 4

Cisco ASA 5505:

route Inside 10.0.0.0 255.0.0.0 10.1.0.254
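The tips above boil down to a handful of consistency rules between the core switch config, the router and the DHCP server. As an added example (not code from the original post), here is a small Python checker that parses the ProCurve running-config style shown in the example configs and reports which tips a core config violates; the parser, the check names and the sample config are my own constructions, and the SNMP check goes beyond the tips: the example configs ship the default "public" community, which is worth catching before the gear goes into production.

```python
import ipaddress

def parse_procurve(cfg):
    """Parse the ProCurve config subset in the post: global routing/SNMP lines and per-VLAN ip/tagged/helper."""
    g = {"ip_routing": False, "default_gateway": None, "routes": [], "snmp": []}
    vlans, cur = {}, None
    for w in filter(None, map(str.split, cfg.splitlines())):  # w = words of one non-blank line
        if w[0] == "vlan" and len(w) == 2:
            cur = vlans.setdefault(int(w[1]), {"ip": None, "tagged": [], "helpers": []})
        elif w == ["exit"]:
            cur = None
        elif cur is not None and w[:2] == ["ip", "address"]:  # 'a.b.c.d m.m.m.m' or 'a.b.c.d/nn'
            cur["ip"] = ipaddress.ip_interface("/".join(w[2:]))
        elif cur is not None and w[0] == "tagged":
            cur["tagged"] += w[1].split(",")
        elif cur is not None and w[:2] == ["ip", "helper-address"]:
            cur["helpers"].append(w[2])
        elif w == ["ip", "routing"]:
            g["ip_routing"] = True
        elif w[:2] == ["ip", "default-gateway"]:
            g["default_gateway"] = w[2]
        elif w[:2] == ["ip", "route"]:
            g["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), ipaddress.ip_address(w[4])))
        elif w[:2] == ["snmp-server", "community"]:
            g["snmp"].append(w[2].strip('"'))
    return g, vlans

def check_core(cfg, router_ip, dhcp_server, trunk="Trk1"):
    """Return the problems found against the post's tips (2, 3, 6, 7, 8, 9) plus an SNMP community check."""
    g, vlans = parse_procurve(cfg)
    router, dhcp = ipaddress.ip_address(router_ip), ipaddress.ip_address(dhcp_server)
    checks = [
        (g["ip_routing"], "tip 3: 'ip routing' is missing on the core"),
        (g["default_gateway"] is None, "tip 2: core has 'ip default-gateway'; use 'ip route 0.0.0.0 0.0.0.0 <router>'"),
        (any(n.prefixlen == 0 and nh == router for n, nh in g["routes"]), f"tip 8: no default route to {router}"),
        (any(v["ip"] is not None and router in v["ip"].network for v in vlans.values()), f"tip 9: {router} is on no core VLAN subnet"),
        ("public" not in g["snmp"], "snmp: default community 'public' is configured; rename or restrict it"),
    ]
    bad = [msg for ok, msg in checks if not ok]
    for vid, v in vlans.items():
        if v["ip"] is not None and dhcp not in v["ip"].network and str(dhcp) not in v["helpers"]:
            bad.append(f"tip 6: vlan {vid} lacks 'ip helper-address {dhcp}'")
        if trunk not in v["tagged"]:
            bad.append(f"tip 7: vlan {vid} is not tagged on {trunk}")
    return bad

# Constructed sample in the style of the post's 2910al config, with deliberate mistakes: a default gateway
# instead of a default route, no helper-address on vlan 20, and the default 'public' SNMP community.
SAMPLE = ("ip default-gateway 10.1.0.1\nip routing\nsnmp-server community \"public\" unrestricted\n"
          "vlan 10\n ip address 10.1.0.254 255.255.255.0\n tagged Trk1\n exit\n"
          "vlan 20\n ip address 10.1.1.254 255.255.255.0\n tagged Trk1\n exit\n")
```

Running `check_core(SAMPLE, "10.1.0.1", "10.1.0.2")` reports tips 2, 8 and 6 (vlan 20) plus the SNMP finding; the same checker can be pointed at a real `show running-config` capture.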



Hope this helps someone out there!

6 comments:

  1. VLANs for a new VoIP implementation. I have the interconnect kit between my HP 2910al switches and a SonicWall NSA 2400 as my firewall. Thank you for this concise post. Coming from a Cisco background, the HP concepts are a bit different, so it means a paradigm shift, but this post definitely makes it easier. Will give it a shot in a test environment in the AM.

  2. Very good, thanks! I was having a hang-up with my SonicWall responding to my 2nd VLAN until I read this. I added the route back to the Layer 3 switch.

  3. Marc, do you have an email address I could ask you a few questions regarding this post?
    I'm trying to add in a new switch to an HP environment and am running into a few issues, and it seems from your post here that you may be able to give me some advice.

    thanks

    Brian

  4. ip default-gateway 199.95.137.20
    ip routing
    vlan 1
    name "DEFAULT_VLAN"
    untagged 22-24,33-48,A1,Trk1,Trk3,Trk6-Trk7
    ip address 199.95.137.13 255.255.255.0
    tagged 21
    exit
    vlan 2
    name "wireless"
    ip address 192.168.3.11 255.255.255.0
    tagged 21
    ip route 192.168.3.0 255.255.255.0 199.95.137.20
    snmp-server community "public" unrestricted
    spanning-tree Trk1 priority 4
    spanning-tree Trk3 priority 4
    Spanning-tree Trk6 priority 4
    spanning-tree Trk7 priority 4
    ------------------------------------
    Extreme Networks 450e 24port:
    hostname "extreme1"

    vlan 1
    name "DEFAULT_VLAN"
    ip address 199.95.137.20 255.255.255.0
    tagged port 21-22

    vlan 2
    name "wireless"
    tagged port 21-22
    untagged port 1-10


    Sonicwall NSA 3500: connected to hp switch on port 25

    Traffic between the firewall and the 199.95.137.x network passes in and out without an issue, as that was how the initial setup was. I added in the Extreme switch behind the HP commander switch, connected to it via port 21 on both switches, and tagged the port on both VLANs on both switches.
    Both switches have ipforwarding enabled.

    Here is the Extreme info from show vlan and iproute:

    * X450e-24p.1 # sh vlan
    -------------------------------------------------------------------------------------
    Name VID Protocol Addr Flags Proto Ports Virtual
    Default 1 199.95.137.20 /24 -----------T----------- ANY 1 /4 VR-Default
    Mgmt 4095 ------------------------------------------- ANY 0 /1 VR-Mgmt
    wireless 2 192.168.3.1 /24 ----------------------- ANY 2 /12 VR-Default
    -------------------------------------------------------------------------------------
    Total number of VLAN(s) : 3

    * X450e-24p.2 # sh iproute
    Ori Destination Gateway Mtr Flags VLAN Duration
    #s Default Route 199.95.137.1 1 UG---S-um--f Default 1d:3h:10m:0s
    #d 192.168.3.0/24 192.168.3.1 1 U------um--f wireless 1d:3h:10m:2s
    s 192.168.3.0/24 199.95.137.13 1 UG---S-um--- Default 0d:4h:1m:31s
    #d 199.95.137.0/24 199.95.137.20 1 U------um--f Default 0d:19h:18m:8s


    I can ping from the 192.168.3.x network all the way to the firewall, however I cannot get out to the web.
    Any suggestions would be fantastic.

    thanks

  5. I also think I accidentally changed the default gateway on the HP;
    that should be the SonicWall firewall address of 199.95.137.1?
    Right now it's the Extreme switch's IP on VLAN 1.

  6. Very good, thanks.
    https://vizvon.com/it-corner/network/hp-networking
