HP Procurve 2910 Inter VLAN routing partially working

Question

I'm in the middle of slowly trying to solve my inherited ip range issue.

Currently everything is on 100.100.100.x. I am slowly moving things over to a 10.12.x.x range. Currently my Watchguard firewall on 100.100.100.222 is doing my for users, I want to change so the Procurve on 100.100.100.79 does the routing instead.

The first stage has been to set up a second connection to the firewall on VLAN 99 10.12.99.1 so internet access works and I've got it working on VLAN 123.

Here is my vlan setup.

VLAN ID Name                 | Status     Voice Jumbo
------- -------------------- + ---------- ----- -----
1       DEFAULT_VLAN         | Port-based No    No
20      ISCSI                | Port-based No    No
99      DMZ                  | Port-based No    No
121     Client_PCs           | Port-based No    No
122     Production           | Port-based No    No
123     Servers              | Port-based No    No

I can ping between VLAN 1 and 123. I can't ping between VLAN 122 and 123.

Here is my running config ; J9145A Configuration Editor; Created on release #W.14.38

hostname "AKS-BROX-SW2"
module 1 type J9145A
interface 24
   name "LINK TO FP"
exit
trunk 19-22 Trk1 LACP
trunk 6-9 Trk2 LACP
ip default-gateway 100.100.100.222
ip routing
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-3,5,10,24,Trk1-Trk2
   ip address 100.100.100.79 255.255.255.0
   no untagged 4,11-18,23
   exit
vlan 20
   name "ISCSI"
   untagged 11-18
   ip address 172.16.230.253 255.255.255.0
   tagged Trk1
   exit
vlan 121
   name "Client_PCs"
   ip address 10.12.1.254 255.255.255.0
   tagged Trk2
   exit
vlan 122
   name "Production"
   ip address 10.12.2.254 255.255.255.0
   tagged 1-2,5,10-11,Trk2
   exit
vlan 123
   name "Servers"
   ip address 10.12.3.254 255.255.255.0
   tagged 1-2,4-5,10-11,Trk2
   exit
vlan 99
   name "DMZ"
   untagged 23
   ip address 10.12.99.254 255.255.255.0
   exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
timesync sntp
sntp unicast
sntp server priority 1 192.146.137.13 3
ip route 0.0.0.0 0.0.0.0 10.12.99.1
ip route 10.12.1.0 255.255.255.0 10.12.99.1
ip route 10.12.2.0 255.255.255.0 10.12.99.1
ip route 10.12.3.0 255.255.255.0 10.12.99.1
ip route 100.100.100.0 255.255.255.0 10.12.99.1
snmp-server community "snmp-public" operator
snmp-server community "monitor" operator
spanning-tree
spanning-tree 4 path-cost 41000
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree priority 7
no autorun
password manager

And last but not least the routing...

                               IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          10.12.99.1      99   static               1          1
  10.12.1.0/24       Client_PCs      121  connected            1          0
  10.12.2.0/24       Production      122  connected            1          0
  10.12.3.0/24       Servers         123  connected            1          0
  10.12.99.0/24      DMZ             99   connected            1          0
  100.100.100.0/24   DEFAULT_VLAN    1    connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  172.16.230.0/24    ISCSI           20   connected            1          0

I can't get VLAN 122 and VLAN 123 to talk to each other, so I assume the route is wrong, but if I try to add a route...

ip route 10.12.2.0/24 10.12.3.254

I get this error. 10.12.3.254 can not be switch IP address and route gateway at the same time.

I must have something configured wrongly, but I can't work out what it is.

Thanks

Answer 1

A 2910 with activated ip routing routes from and to any VLAN that it has an IP address assigned in.

So, if a node can't reach one VLAN subnet from another it's likely not in the correct VLAN.

ip route 10.12.2.0/24 10.12.3.254 can't work since 10.12.2.0/24 is already connected locally and 10.12.3.254 is the switch itself - you can't tell it to route back to itself.

Additionally,

ip route 0.0.0.0 0.0.0.0 10.12.99.1
ip route 10.12.1.0 255.255.255.0 10.12.99.1
ip route 10.12.2.0 255.255.255.0 10.12.99.1
ip route 10.12.3.0 255.255.255.0 10.12.99.1
ip route 100.100.100.0 255.255.255.0 10.12.99.1

don't make sense. All these subnets are local and can't be routed elsewhere.

btw: firmware version 14.38 is ancient (before 2011 when we bought 2910s)...

PS: You're binding IP addresses to all VLANs, including iSCSI and DMZ - as stated above, the 2910 will route into and out of all these networks which is most surely not intended. You'll need to either remove these IP addresses and route/filter between these VLANs elsewhere or configure ACLs that allow the traffic you want while filtering everything else. Note that the 2910 doesn't allow VLAN ACLs, only port ACLs.