Comware


Inter-vlan routing

  • 1.  Inter-vlan routing

    Posted Apr 26, 2019 05:27 AM

    Hello everyone,

    I'm an intern and I have to create one network for multiple enterprises.

    Here is what I have to do:

    Create a VLAN for each enterprise, and have one VLAN that contains my DHCP server, my firewall, and a printer.

    I have an HP A3600 switch (JG 304A).

    For the DHCP service, I set up a DHCP relay and it's working: the right address for the right VLAN (I also added the DHCP snooping security).

    My two problems are about inter-VLAN routing.

    I would like each VLAN to be able to access the printer, and to have a default route on the firewall.

    But it seems that I can't ping my firewall or my printer.

    For the configuration:

    vlan 20 : 192.168.20.230 /24
    vlan 32 : 192.168.32.230 /24

    My two computers that I use for testing:

    computer 1 : 192.168.20.1 /24 (vlan 20), gateway : vlan address
    computer 2 : 192.168.32.1 /24 (vlan 20), gateway : vlan address

    As for the routing table, I left it at the default:

    Destination      Mask              Protocol  Priority  Next hop         Interface
    127.0.0.0        255.0.0.0         Direct    0         127.0.0.1        InLoopBack0
    127.0.0.1        255.255.255.255   Direct    0         127.0.0.1        InLoopBack0
    192.168.20.0     255.255.255.0     Direct    0         192.168.20.230   Vlan-Interface20
    192.168.20.230   255.255.255.255   Direct    0         127.0.0.1        InLoopBack0
    192.168.32.0     255.255.255.0     Direct    0         192.168.32.230   vlan-Interface32
    192.168.32.230   255.255.255.255   Direct    0         127.0.0.1        InLoopBack0

     

     

    From computer 1, I can ping the VLAN 20 address and the VLAN 32 address, but not computer 2.

    Same thing if I'm on computer 2. (For precision: both computers can ping each other on the same network.)

    I tried to add an ACL, but no result.

    If anyone has ideas, I'm more than willing to try.

    Thanks in advance,

     




  • 2.  RE: Inter-vlan routing

    Posted Apr 26, 2019 07:13 AM

    You need default gateways, if you want to do intervlan routing.

    Who is the gateway for all those VLANs? Is the gateway configured on your computers?



  • 3.  RE: Inter-vlan routing

    Posted Apr 26, 2019 07:47 AM

    On the DHCP server I have the VLAN address on the switch as gateway.

    So for an IP address 192.168.32.5 I have 192.168.32.230 as gateway.

    On the switch I executed the command: ip route-static 192.168.20.254 255.255.255.0

    which is my firewall (the internet access is above).

     

     



  • 4.  RE: Inter-vlan routing

    Posted Apr 26, 2019 07:51 AM

    Is it possible to show your switch config?



  • 5.  RE: Inter-vlan routing

    Posted Apr 26, 2019 08:31 AM

    Here is my config so far.

    I deleted all my ACL tests, so there is no mention of them here:

    #
    version 5.20.99, Release 2108P01
    #
    sysname A3600-SW-01
    #
    super password level 3 cipher
    #
    dhcp relay server-group 1 ip 192.168.20.200
    #
    irf mac-address persistent timer
    irf auto-update enable
    undo irf link-delay
    #
    domain default enable system
    #
    telnet server enable
    #
    password-recovery enable
    #
    vlan 1
    description default
    name default
    #
    vlan 20
    description Infrastructure
    name Infrastructure
    #
    vlan 31
    description Bureau_1
    name Bureau_1
    #
    vlan 32
    #
    domain system
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    #
    user-group system
    group-attribute allow-guest
    #
    local-user admin
    password cipher $c$3$wSI0s4KurNK0n2TORCsI4QWb+LN+U379AknLPqs=
    authorization-attribute level 3
    service-type ssh telnet terminal
    service-type web
    #
    cwmp
    undo cwmp enable
    #
    interface NULL0
    #
    interface Vlan-interface1
    ip address 192.168.80.230 255.255.255.0
    dhcp select relay
    dhcp relay server-select 1
    #
    interface Vlan-interface20
    ip address 192.168.20.230 255.255.255.0
    dhcp select relay
    dhcp relay server-select 1
    #
    interface Vlan-interface31
    ip address 192.168.31.230 255.255.255.0
    dhcp select relay
    dhcp relay server-select 1
    #
    interface Vlan-interface32
    ipv6 address auto link-local
    ip address 192.168.32.230 255.255.255.0
    dhcp select relay
    #
    interface Ethernet1/0/1
    port link-mode bridge
    #
    interface Ethernet1/0/2
    port link-mode bridge
    dhcp-snooping trust
    #
    #
    interface Ethernet1/0/5
    port link-mode bridge
    port access vlan 20
    #
    interface Ethernet1/0/6
    port link-mode bridge
    port access vlan 31
    #
    interface Ethernet1/0/7
    port link-mode bridge
    port access vlan 32
    #
    interface Ethernet1/0/24
    port link-mode bridge
    #
    interface GigabitEthernet1/0/25
    port link-mode bridge
    port link-type trunk
    port trunk permit vlan 1 20 31 to 32
    #
    interface GigabitEthernet1/0/26
    port link-mode bridge
    port link-type trunk
    port trunk permit vlan 1 20 31 to 32
    #
    interface GigabitEthernet1/0/27
    port link-mode bridge
    #
    interface GigabitEthernet1/0/28
    port link-mode bridge
    #
    nqa entry imclinktopologypleaseignore ping
    type icmp-echo
    destination ip 10.10.255.254
    frequency 270000
    #
    dhcp-snooping
    #
    ip route-static 192.168.20.0 255.255.255.0 192.168.20.254
    #
    snmp-agent
    snmp-agent local-engineid 800063A20344319205D145
    snmp-agent community read public
    snmp-agent community write private
    snmp-agent sys-info contact DSI
    snmp-agent sys-info location laFabrik
    snmp-agent sys-info version v2c v3
    snmp-agent target-host trap address udp-domain 10.10.10.30 params securityname public v2c
    #
    dhcp enable
    #
    nqa schedule imclinktopologypleaseignore ping start-time now lifetime 630720000
    #
    ssh server enable
    ssh user admin service-type all authentication-type password
    #
    load xml-configuration
    #
    load tr069-configuration
    #
    user-interface aux 0
    authentication-mode password
    set authentication password cipher $c$3$f4vRjPo6qwxklSwRKXu9XxrgrmRpLHDSAHSzs3g=
    user-interface vty 0 4
    authentication-mode scheme
    protocol inbound ssh
    user-interface vty 5 15
    #
    return

    Thanks for your contribution.





     



  • 6.  RE: Inter-vlan routing

    Posted May 06, 2019 04:56 AM

    Your config seems ok.

    Note that your static route does nothing; you should create a default route 0.0.0.0 0 192.168.20.254

    Try to disable the firewall on your computers and check if you can reach the gateways.

     



  • 7.  RE: Inter-vlan routing

    Posted May 06, 2019 07:38 AM

    If I understand correctly, on a level 3 switch, all routing operations are done by default?

    If so, why can't I reach my second computer with a ping? Especially if I can access the VLAN address...

    I just don't understand how I can access the VLAN interface, but not the network.

    Thanks for your advice on the default route, I'll try it tomorrow (today I'm working on something else).



  • 8.  RE: Inter-vlan routing

    Posted May 06, 2019 10:29 AM

    Can you see ARP entries for your computers?



  • 9.  RE: Inter-vlan routing

    Posted May 07, 2019 02:30 AM

    Hello,

    I have the same result with no Windows firewall.

    Yes, I can see the ARP table.

    I've tried to reset to the default configuration, but nothing changed.

    I think I'm going to try another switch.

    My main goal is to change the current configuration: all inter-VLAN routing is done by the firewall (except for the printer, which is a new demand). Same for DHCP relay. It's working, but it's far from perfect.

     

     



  • 10.  RE: Inter-vlan routing

    Posted May 16, 2019 07:03 PM

    @MikaelBoyer wrote: My main goal is to change the current configuration: all inter-VLAN routing is done by the firewall (except for the printer, which is a new demand). Same for DHCP relay. It's working, but it's far from perfect.

    If that is your main goal, then you simply need to remove the IP addresses assigned to the VLANs defined on the Switch and tag (permit) them on the uplink to your Firewall (so the uplink port from your Switch and your Firewall becomes a Trunk port in Comware jargon... so a port which carries multiple - tagged - VLAN IDs and just one - default - untagged VLAN). Your Firewall needs to become responsible for your inter-VLAN routing by enabling it (basically you need to define all required VLAN IDs on the downlink interface to your Switch) by means of its configuration (Routing + Access rules... I figure). At this point your L3 Switch acts as a pure L2 Switch and you only need to worry about untagging the relevant ports to their VLAN ID (the VLAN ID they need to belong to). Clients need to use the Firewall's VLAN IP addresses (that you have defined) as their default gateway.

    Another approach would require you to define a "transport VLAN" with IP Routing enabled on your Switch... then communications between your L3 Switch and your Firewall should happen by using this "transport VLAN" only (but this is not your main goal scenario).


    @MikaelBoyer wrote: If I understand correctly, on a level 3 switch, all routing operations are done by default?

    Yes, as long as there is a VLAN ID with an associated IP address, IP Routing is automatically enabled and your Switch starts acting as a Layer 3 one.



  • 11.  RE: Inter-vlan routing

    Posted May 23, 2019 03:53 PM

    Thanks for your reply.

    I wasn't clear, I think.

    Right now all routing is done by the firewall,

    and I have 4 HP 2530 switches: 2 with 48 ports, and 2 with 24 PoE ports (for the VoIP).

    I wish to replace one of the 48-port switches with an HP A3600, so that I can use layer 3 to do the inter-VLAN routing (and yes, some ACLs).

    On the 2530 I wasn't able to create a DHCP relay, but on the 3600 I succeeded. Same thing for the DHCP snooping.

    With the config sent before, I was able to ping all VLAN interfaces, but not a device such as a computer (or a printer) in another VLAN.

    I tried to add RIP routing, or an ACL, but still no ping, therefore no routing, it seems.

    The default gateway works, though.

    I'm more used to Cisco configuration (thanks, Packet Tracer...), and what I didn't understand was why it didn't work, and why, on two HP devices, it's not the same CLI command...

    I had to finish my plan, so it will be for another time I guess, but I'm really interested to know where I was wrong, or what I forgot.



  • 12.  RE: Inter-vlan routing

    Posted May 24, 2019 02:00 AM
    The HP 3600 is Comware 5 NOS based; the HP 2530 (now rebranded Aruba 2530) is actually ArubaOS-Switch NOS based (rebranded from the well-known HP ProVision NOS)... that explains the differences in CLI.

    Enable IP routing on the Comware 5 HP 3600, remove the initial static route and add, as suggested, the last resort route to your Firewall.

    Inter-VLANs routing should work.
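
Added example, not part of the original thread: a longest-prefix-match lookup over the routes posted above, showing why the static route for 192.168.20.0/24 never becomes active beside the directly connected route, and what the suggested default route changes. The preference values (Direct 0, Static 60) are Comware's defaults, and 203.0.113.10 is a constructed off-site destination.

```python
import ipaddress

# Connected routes from the routing table posted in the thread.
# Tuple layout: (prefix, protocol, preference, next hop or interface).
DIRECT = [
    ("192.168.20.0/24", "Direct", 0, "Vlan-interface20"),
    ("192.168.32.0/24", "Direct", 0, "Vlan-interface32"),
]
# Static route from the posted config: same prefix as a connected network.
POSTED_STATIC = ("192.168.20.0/24", "Static", 60, "192.168.20.254")
# Default route suggested in the replies.
DEFAULT_ROUTE = ("0.0.0.0/0", "Static", 60, "192.168.20.254")


def build_fib(routes):
    """Keep one active route per prefix: the lowest preference wins."""
    fib = {}
    for prefix, proto, pref, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if net not in fib or pref < fib[net][1]:
            fib[net] = (proto, pref, nexthop)
    return fib


def lookup(fib, dst):
    """Longest-prefix match; returns (prefix, protocol, next hop) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in fib if addr in net]
    if not matches:
        return None  # no route: the switch cannot forward this packet
    best = max(matches, key=lambda n: n.prefixlen)
    proto, _pref, nexthop = fib[best]
    return (str(best), proto, nexthop)


as_posted = build_fib(DIRECT + [POSTED_STATIC])
as_suggested = build_fib(DIRECT + [DEFAULT_ROUTE])

if __name__ == "__main__":
    # 203.0.113.10 is a constructed destination outside every local VLAN.
    for name, fib in (("as posted", as_posted), ("as suggested", as_suggested)):
        for dst in ("192.168.32.1", "192.168.20.254", "203.0.113.10"):
            print(f"{name:13} {dst:15} -> {lookup(fib, dst)}")
```

In both tables the lookup for 192.168.32.1 resolves to the connected route on Vlan-interface32, so the static route is not what decides host-to-host reachability between the two VLANs; only the off-site destination changes from no route to the firewall next hop.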