Comware

  • 1.  Static Routing Issue ??? (8212zl / 5412zl)

    Posted Jul 28, 2012 06:24 PM

    I am having an issue with static routes on a HP ProCurve 8212zl and 5412zl.

     

    I actually had the same symptoms while configuring ospf, but decided that OSPF was unnecessary and overly complex having only six L3 switches to route to and single paths to them.  This makes me believe there is an underlying issue causing the problem.

     

    This is my first attempt at routing with HP ProCurve, as I come from mostly Cisco environments only previously implementing procurve at the access layer.

     

    I have simplified the problem/environment by only connecting the:

     

    CORE switch (8212zl)

    1 remote site switch (5412zl) sitting next to the core switch, got tired of driving    lol

    1 switch (2910al) to connect firewall at remote building (at old core, waiting on isp to move d-marc)

     

     

    The problem I am experiencing is that traffic is not routed past the core to the firewall (or from the core to any remote device).  

    Only the core can get out on the VLAN to the firewall.

     

     


    CORE# sho run

    Running configuration:

    ; J9091A Configuration Editor; Created on release #K.15.07.0008
    ; Ver #02:1b.2f:36

     

    hostname "CORE"


    module 1 type J9538A
    module 2 type J9538A
    module 6 type J9154A
    module 7 type J9546A
    module 8 type J9546A
    module 11 type J9550A
    module 12 type J9550A

     

    trunk A4,B4 Trk1 Trunk    <------------------- Link to Site 1

     

    ip routing

     

    vlan 1

    name "DEFAULT_VLAN"
    untagged A2-A3,A5-A6,A8,B2-B3,B5-B8,F1-F2,K1-K24,L1-L23
    no untagged A7,G1-G8,H1-H8,L24,Trk1,Trk6
    no ip address
    exit
    vlan 10
    name "EDGE"
    untagged A7         <--------------------------------------------------Link to Firewall switch
    ip address 192.168.10.1 255.255.255.0
    exit
    vlan 111
    name "Site1"
    untagged Trk1
    ip address 172.16.1.1 255.255.255.0
    exit
    vlan 200
    name "SERVERS"
    untagged G1-G8,H1-H8
    ip address 192.168.200.1 255.255.255.0
    exit

     

    ip route 0.0.0.0 0.0.0.0 192.168.10.10
    ip route 192.168.1.0 255.255.255.0 172.16.1.10

     

    interface F1
    rate-limit all in kbps 100
    exit
    interface F2
    rate-limit all in kbps 100
    exit

     

    snmp-server community "public" unrestricted

    spanning-tree


    spanning-tree Trk1 priority 4


    CORE# sho ip route

    IP Route Entries

    Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
    ------------------ --------------- ---- --------- ---------- ---------- -----
    0.0.0.0/0          192.168.10.10   10   static               1          1
    127.0.0.0/8        reject               static               0          0
    127.0.0.1/32       lo0                  connected            1          0
    172.16.1.0/24      Site1           111  connected            1          0
    192.168.1.0/24     172.16.1.10     111  static               1          1
    192.168.10.0/24    EDGE            10   connected            1          0
    192.168.200.0/24   SERVERS         200  connected            1          0

     

    ---------------------------------------------------------------------------------------------


    Site1-MDF# sho run

    Running configuration:

    ; J8698A Configuration Editor; Created on release #K.15.07.0008
    ; Ver #02:1b.2f:36

     

    hostname "Site1-MDF"
    module 3 type J9538A
    module 10 type J9550A

     

    trunk C1,C3 Trk1 Trunk

     

    ip routing

     

    vlan 1
    name "DEFAULT_VLAN"
    no untagged C2,C4-C8,J1-J24,Trk1
    no ip address
    exit
    vlan 111
    name "Site1"
    untagged Trk1
    ip address 172.16.1.10 255.255.255.0
    exit
    vlan 11
    name "Site1-Local"
    untagged C2,C4-C8,J1-J24
    ip address 192.168.1.2 255.255.255.0
    exit

     

    ip route 0.0.0.0 0.0.0.0 172.16.1.1

     

    snmp-server community "public" unrestricted

     

    spanning-tree
    spanning-tree Trk1 priority 4

     

    Site1-MDF# sho ip route

    IP Route Entries

    Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
    ------------------ --------------- ---- --------- ---------- ---------- -----
    0.0.0.0/0          172.16.1.1      111  static               1          1
    127.0.0.0/8        reject               static               0          0
    127.0.0.1/32       lo0                  connected            1          0
    172.16.1.0/24      Site1           111  connected            1          0
    192.168.1.0/24     Site1-Local     11   connected            1          0

     

    -------------------------------------------------------------------------------------------

     

    CORE#
    CORE# ping 192.168.10.1 (local interface)
    192.168.10.1 is alive, time = 1 ms
    CORE# ping 192.168.10.51 (switch between itself and firewall)
    192.168.10.51 is alive, time = 2 ms
    CORE# ping 192.168.10.10 (firewall)
    192.168.10.10 is alive, time = 2 ms
    CORE# ping 8.8.8.8 (google's public dns)
    8.8.8.8 is alive, time = 71 ms
    CORE#


    Site1-MDF#
    Site1-MDF# ping 192.168.10.1 (interface on core switch)
    192.168.10.1 is alive, time = 2 ms
    Site1-MDF# ping 192.168.10.51 (switch between core and firewall)
    Request timed out.
    Site1-MDF# ping 192.168.10.10 (firewall)
    Request timed out.
    Site1-MDF# ping 8.8.8.8 (google's public dns)
    Request timed out.
    Site1-MDF#

     

     

     

     

     

    I am sure there is a simple answer to what I am doing wrong, as I am not too familiar with configuring procurve devices.

     

     

     

    Thanks in advance.

     

    Josh Kelly




  • 2.  RE: Static Routing Issue ??? (8212zl / 5412zl)

    Posted Jul 28, 2012 11:12 PM

    I don't think you've got many problems with your ProCurve configuration.  Basically, your 192.168.10.0/24 devices have a missing or invalid route back to 172.16.1.0/24.  What is 192.168.10.10 - the 2910?  What does its routing table look like?  What does 192.168.10.51's routing table look like?  If there is a way to set the source interface of the ping on your 8200 (there doesn't seem to be one on my 3400), then try pinging with a source address of 172.16.1.1 - you should see the same results.

     

    OSPF (or even RIP, since that's all the 2910 supports) should help a bit here, as long as the 8200, 5400, and 2910 all participate, because then you'll have complete knowledge of all internal routes on all devices.



  • 3.  RE: Static Routing Issue ??? (8212zl / 5412zl)

    Posted Jul 28, 2012 11:31 PM

    192.168.10.1 is an interface on the core

    192.168.10.51 is the 2910al

    192.168.10.10 is the firewall/nat

     

    The 2910 does not have routing enabled.

    It is basically acting as a fiber-to-copper media converter (temporary).

    It has a basic configuration on it:

     

    vlan 10
    name "EDGE"
    untagged (ALL)
    ip address 192.168.10.51 255.255.255.0
    exit

     

     

    basic topology:

     

    Site1-MDF ------------ CORE-------------------------------------------------2910--------Firewall/Nat

     

     

    I have multiple 5412zl switches for remote sites.  I have disconnected them from the core and removed config for ease of troubleshooting.  I was having the same issue not routing from one site to any destination beyond the core, whether it be to the firewall and out or to another site.

     

     



  • 4.  RE: Static Routing Issue ??? (8212zl / 5412zl)

    Posted Jul 28, 2012 11:58 PM

    "missing or invalid route back to"

     

    I think you hit the nail on the head.

     

    Now that I've had more time to think...

    I believe I set the default-gateway of the 2910 to the firewall.  I just remoted in and looked at the firewall config and it points local subnets back to the old core's IP address, which is different from the new core's IP.

    I was focusing too much on my routes to the destination; I never thought to look at the routes back from the 2910 or the firewall.

    When I was attempting to ping across sites I had other devices connected and was configuring OSPF and was missing some configuration (I know that now after doing some research).

    As far as implementing a dynamic routing protocol is concerned, I feel that would be overkill for this particular situation (I have done large-scale EIGRP and OSPF implementations in the past, on Cisco equipment).  There will be like 12 total routes, and static routing will be much easier for the eventual maintainer of this network to manage and manipulate.

    I will be back on-site in the morning and see if this resolves it.

    In the meantime, if you have any other suggestions it would be great to hear them.

     

    Thanks.

     

    Josh Kelly



  • 5.  RE: Static Routing Issue ??? (8212zl / 5412zl)

    Posted Jul 29, 2012 05:26 AM

    @joshkelly13 wrote:

    "missing or invalid route back to"

    I think you hit the nail on the head.

    Now that I've had more time to think...

    I believe I set the default-gateway of the 2910 to the firewall.  I just remoted in and looked at the firewall config and it points local subnets back to the old core's IP address, which is different from the new core's IP.

    I was focusing too much on my routes to the destination; I never thought to look at the routes back from the 2910 or the firewall.


    It's amazing how easy it is to forget that routing is a one-way process, and that you have to do it all again in the opposite direction to make it work.  :-)

     


    ...

    When I was attempting to ping across sites I had other devices connected and was configuring OSPF and was missing some configuration (I know that now after doing some research).

    As far as implementing a dynamic routing protocol is concerned, I feel that would be overkill for this particular situation (I have done large-scale EIGRP and OSPF implementations in the past, on Cisco equipment).  There will be like 12 total routes, and static routing will be much easier for the eventual maintainer of this network to manage and manipulate.


    That's a call that only you can make with regards to your site.  After using dynamic routing I would never go back to static routes on a network like yours, given the number and size of the switches you've got.  Just adding a new VLAN on one of the 5400 switches would require the addition of specific routes on at least 2 other devices (the 8200 and the firewall).  But then again, I run multi-area OSPF on my home network... ;-)



  • 6.  RE: Static Routing Issue ??? (8212zl / 5412zl)

    Posted Jul 29, 2012 12:24 PM

    @paulgear wrote:
      But then again, I run multi-area OSPF on my home network... ;-)

    LMAO - you must have lots of toys at home then... ;)

     

     

     

    It was the return routes on the firewall causing the issue.  

    I am posting this message connected to Site1-MDF

     

    Thanks so much for your help!!!

     

     

    Josh Kelly




  • 7.  RE: Static Routing Issue ??? (8212zl / 5412zl)

    Posted Jul 29, 2012 07:13 PM

    Not lots of toys, just a ProCurve 3400, a couple old Cisco routers, and some Linux VMs with Quagga.
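
The return-path failure diagnosed in this thread, modelled as an added example that is not part of the original posts: each ping is traced hop by hop in both directions using longest-prefix match over every device's routes. The CORE and Site1-MDF routes are taken from the posted configs and the 2910 gateway from post 4; the firewall's routes and the old-core address 192.168.10.2 are constructed assumptions, since the thread only says the firewall pointed local subnets at the old core.

```python
import ipaddress

# Routes as (prefix, next_hop); None = directly connected. CORE and Site1-MDF
# come from the posted configs; the 2910 gateway follows post 4. The Firewall
# entries are constructed: 192.168.10.2 is a hypothetical old-core address.
ROUTES = {
    "CORE": [("172.16.1.0/24", None), ("192.168.10.0/24", None),
             ("192.168.200.0/24", None), ("192.168.1.0/24", "172.16.1.10"),
             ("0.0.0.0/0", "192.168.10.10")],
    "Site1-MDF": [("172.16.1.0/24", None), ("192.168.1.0/24", None),
                  ("0.0.0.0/0", "172.16.1.1")],
    "2910": [("192.168.10.0/24", None), ("0.0.0.0/0", "192.168.10.10")],
    "Firewall": [("192.168.10.0/24", None), ("172.16.0.0/12", "192.168.10.2"),
                 ("192.168.0.0/16", "192.168.10.2")],
}
OWNER = {"172.16.1.1": "CORE", "192.168.10.1": "CORE", "172.16.1.10": "Site1-MDF",
         "192.168.10.51": "2910", "192.168.10.10": "Firewall"}

def lookup(device, dst):
    """Longest-prefix match on one device; returns the next hop to use."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in ROUTES[device]
            if addr in ipaddress.ip_network(p)]
    best = max(hits, key=lambda h: h[0].prefixlen, default=None)
    return (best[1] or dst) if best else None   # connected route: deliver to dst

def trace(device, dst, max_hops=8):
    """Walk next hops from device toward dst; returns (reached, path)."""
    path = [device]
    for _ in range(max_hops):
        if OWNER.get(dst) == device:
            return True, path
        hop = lookup(device, dst)
        device = OWNER.get(hop)
        if device is None:
            return False, path + [f"{hop or 'no route'} unreachable"]
        path.append(device)
    return False, path + ["hop limit"]

def ping(src_ip, dst_ip):
    """Alive only if the request and the reply can both be routed."""
    ok, fwd = trace(OWNER[src_ip], dst_ip)
    back_ok, back = trace(OWNER[dst_ip], src_ip) if ok else (False, [])
    return ok and back_ok, fwd, back

if __name__ == "__main__":
    print(ping("172.16.1.10", "192.168.10.10"))   # request arrives, reply is lost
    ROUTES["Firewall"].append(("172.16.1.0/24", "192.168.10.1"))  # route via new core
    print(ping("172.16.1.10", "192.168.10.10"))
```

The same trace explains why 192.168.10.51 timed out from Site1-MDF: the 2910 hands its reply to the firewall, which forwards it toward the old core.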