InterVLAN routing on a Procurve A5500

Hey everyone, this is a scenario I'm not too familiar with and it's been driving me slightly insane.

We have two publicly routable gateways attached to our A5500 switch that are expecting untagged traffic.

We currently have VLAN 10 as the untagged VLAN for Gateway 1, and VLAN30 as a tagged vlan for Gateway 2. Since both gateways are requiring untagged traffic, I need to make sure all ingress traffic from Gateway 2 gets tagged as VLAN30, while all egress traffic gets untagged.

The tricky part is they must come over the same port so I can't just tag it that way. I get the feeling this will require some static routes or VLAN Interfaces on the switch, but I'm not sure where to start. Is what I want even possible?

Thanks for any help you can give!
 
You can't send two untagged VLANs over the same port, if that's what you mean? It's not an overly clear description.
 
Sorry for being unclear. Hopefully here's a better description.

We have two gateways -- 108.80.80.193 and 108.80.90.193 -- that are connected to a single ProCurve A5500. They both arrive over a single ethernet link to port 24, which is untagged in the management VLAN10. So if I have two servers, each can send untagged traffic to the appropriate gateway. No problem.

Unfortunately, we need all the traffic from 108.80.90.193 to then enter tagged VLAN 30. Similarly, all outbound traffic to 108.80.90.193 will be tagged as VLAN30 and it needs to exit through port 24 as untagged VLAN10.

We're not doing this for security or any other sane reason, only due to a bug in a certain piece of critical software.
 
Did you check http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=120&prodSeriesId=5117468&prodTypeId=12883&objectID=c03131373?

Try "port hybrid vlan 10 30 untagged" under port 24.

You basically want traffic in VLAN 10 and VLAN 30 to go out port 24 untagged. If you IP vlan 10 108.80.80.193/XX and vlan 30 108.80.90.193/XX the switch should put the layer 3 traffic in the right VLAN inbound on port 24.

See "IP subnet-based VLAN configuration example" in the link above.
 
I hadn't seen that - very helpful, thanks!

That got me extremely close. I'm now able to ping both gateways from their respective VLANs. But after a lot of twiddling and experimenting, the only issue is that inbound traffic isn't being mapped properly.

My scenario is the same as the example in "IP subnet-based VLAN" but reversed -- I have a lot of servers in tagged VLAN 10 and VLAN 30 on ports 1-23, but a single outbound/inbound untagged port 24.

Here's the current settings on port 24 (every other port has 10 & 30 as tagged):

interface GigabitEthernet1/0/24
port link-mode bridge
description INTERNETS
port link-type hybrid
port hybrid vlan 200 to 1024 tagged
port hybrid vlan 10 30 untagged
port hybrid ip-subnet-vlan vlan 10
port hybrid ip-subnet-vlan vlan 30

And here's the ip-subnet-vlan:

VLAN ID: 10
Subnet Index IP Address Subnet Mask
====================================================
0 108.80.80.192 255.255.255.192

VLAN ID: 30
Subnet Index IP Address Subnet Mask
====================================================
0 108.80.90.192 255.255.255.192

Any sage advice?
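An added example, not part of the original post: a small model of how a hybrid port with IP subnet-based VLANs classifies untagged ingress frames. The match is made on the packet's source IP address, so only frames sourced from inside a configured subnet land in VLAN 10 or 30. The subnet table is the one posted above; the PVID of 1 and the sample source addresses are assumptions.

```python
import ipaddress

# Subnet-to-VLAN table copied from the "ip-subnet-vlan" output in the post.
SUBNET_VLANS = {
    10: ipaddress.ip_network("108.80.80.192/26"),
    30: ipaddress.ip_network("108.80.90.192/26"),
}
# Assumption: the posted config has no "port hybrid pvid" line, so the
# Comware default PVID (VLAN 1) is used for untagged frames that match nothing.
PVID = 1


def ingress_vlan(src_ip, tag=None):
    """Return the VLAN a frame received on port 24 is placed in."""
    if tag is not None:
        # Tagged frames keep their 802.1Q VLAN ID; the subnet table is not consulted.
        return tag
    src = ipaddress.ip_address(src_ip)
    for vlan, subnet in SUBNET_VLANS.items():
        if src in subnet:
            return vlan
    # No subnet matched: the frame falls back to the port's PVID.
    return PVID


def classify_samples():
    """Classify constructed sample frames (addresses chosen for illustration)."""
    samples = [
        ("reply from gateway 1", "108.80.80.193", None),
        ("reply from gateway 2", "108.80.90.193", None),
        ("Internet host routed via gateway 2", "198.51.100.7", None),
        ("frame already tagged 200", "192.0.2.10", 200),
    ]
    return [(name, ingress_vlan(ip, tag)) for name, ip, tag in samples]


if __name__ == "__main__":
    for name, vlan in classify_samples():
        print(f"{name:40s} -> VLAN {vlan}")
```

In this model, replies sourced from the gateway addresses are mapped to VLAN 10 or 30, while a routed packet from any other source address falls back to the PVID regardless of which gateway forwarded it.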
 
The question is, why do they arrive on a single wire? What connects these gateways to the wire? I bet it's a switch. Why doesn't that one do VLANs?
 
The question is, why do they arrive on a single wire? What connects these gateways to the wire? I bet it's a switch. Why doesn't that one do VLANs?

That was throwing me off too. I assign WANs to separate VLANs and trunk them. I assumed he was trying to send two untagged VLANs down a public WAN.
 
The question is, why do they arrive on a single wire? What connects these gateways to the wire? I bet it's a switch. Why doesn't that one do VLANs?

We're colo'd in a large datacenter and I've requested our ISP to do exactly that. We have a single drop to our rack that routes all the gateways untagged, and that's causing the weirdness of the situation. Attempting to find a way around needing their help.
 
We're colo'd in a large datacenter and I've requested our ISP to do exactly that. We have a single drop to our rack that routes all the gateways untagged, and that's causing the weirdness of the situation. Attempting to find a way around needing their help.

Maybe you are already in a VLAN in their infrastructure that is transparent to you and they don't know about nested VLANs (QinQ). I wouldn't call them ISP then, though.
 
These are not valid IP addresses:

VLAN ID: 10
Subnet Index IP Address Subnet Mask
====================================================
0 108.80.80.192 255.255.255.192

VLAN ID: 30
Subnet Index IP Address Subnet Mask
====================================================
0 108.80.90.192 255.255.255.192
 
These are not valid IP addresses:

VLAN ID: 10
Subnet Index IP Address Subnet Mask
====================================================
0 108.80.80.192 255.255.255.192

VLAN ID: 30
Subnet Index IP Address Subnet Mask
====================================================
0 108.80.90.192 255.255.255.192

They identify the network. No one claimed they were in use by a host.
 
We managed to work it out with the network hosting guys -- the previous port was access only. They gave us a new cross-connect with VLAN 30 and VLAN10, so that solved our main issue of connectivity.

Now I'm still in need to do some inter-vlan routing. Currently everybody on the VLAN10 10.80.80.192/26 can't ping anybody on the VLAN30 10.80.90.192/26.

We'd like both sides to be able to talk to each other, but I'm unsure of how to accomplish this. I believe it requires setting up an interface?
 
Can you post the config?

Intervlan routing requires IP routing to be enabled. Each subnet must use the vlan IP as the default gateway.
 