HP Procurve 2920 - VLANs no route to Internet

stanav

Junior Member
Dec 7, 2015
5
0
0
Hello all,
I'm replacing an existing HP Procurve 5308XL switch with an HP Procurve 2920 switch (the 5308 is very old and is starting to give intermittent problems. Some of the modules get errors and drop all connections. When this happens, the switch needs to reboot to bring them back).

The SonicWall on 192.168.0.4 provides Internet access and is on VLAN 2.

This is the current config of the 5308, which I used as the basis for configuring the new 2920 switch:
Code:
; J4819A Configuration Editor; Created on release #E.11.10

hostname "HP ProCurve Switch 5308xl" 
snmp-server location "Computer Room" 
max-vlans 32 
time timezone -5 
time daylight-time-rule Continental-US-and-Canada 
ip access-list standard "10" 
   permit 192.168.0.80 0.0.0.0 
   permit 192.168.0.95 0.0.0.0 
   permit 192.168.0.251 0.0.0.0 
   permit 192.168.0.88 0.0.0.0 
   permit 192.168.0.92 0.0.0.0 
   deny 0.0.0.0 255.255.255.255 log 
   exit 
ip access-list standard "20" 
   permit 192.168.0.80 0.0.0.0 
   permit 192.168.0.88 0.0.0.0 
   permit 192.168.0.95 0.0.0.0 
   permit 192.168.0.92 0.0.0.0 
   permit 192.168.0.251 0.0.0.0 
   permit 192.168.0.4 0.0.0.0 
   permit 10.0.60.1 0.0.0.0 
   deny 0.0.0.0 255.255.255.255 log 
   exit 
module 1 type J4907A 
module 2 type J4820A 
module 3 type J4820B 
module 4 type J4820A 
module 5 type J4820A 
module 6 type J4820A 
module 7 type J4820B 
interface A1 
   no lacp
exit
interface A2 
   no lacp
exit
interface A3 
   no lacp
exit
interface A4 
   no lacp
exit
interface A5 
   no lacp
exit
interface A6 
   no lacp
exit
interface A7 
   no lacp
exit
interface A8 
   no lacp
exit
interface A9 
   no lacp
exit
interface A10 
   no lacp
exit
interface A11 
   no lacp
exit
interface A12 
   no lacp
exit
interface A13 
   no lacp
exit
interface A14 
   no lacp
exit
interface A15 
   no lacp
exit
interface A16 
   speed-duplex 1000-full 
exit
interface B1 
   no lacp
exit
interface B2 
   no lacp
exit
interface B3 
   no lacp
exit
interface B4 
   no lacp
exit
interface B5 
   no lacp
exit
interface B6 
   no lacp
exit
interface B7 
   no lacp
exit
interface B8 
   no lacp
exit
interface B9 
   no lacp
exit
interface B10 
   no lacp
exit
interface B11 
   no lacp
exit
interface B12 
   no lacp
exit
interface B13 
   no lacp
exit
interface B14 
   no lacp
exit
interface B15 
   speed-duplex 100-full 
   no lacp
exit
interface B16 
   no lacp
exit
interface B17 
   no lacp
exit
interface B18 
   no lacp
exit
interface B19 
   no lacp
exit
interface B20 
   no lacp
exit
interface B21 
   no lacp
exit
interface B22 
   no lacp
exit
interface B23 
   no lacp
exit
interface B24 
   no lacp
exit
interface C1 
   no lacp
exit
interface C2 
   no lacp
exit
interface C3 
   no lacp
exit
interface C4 
   no lacp
exit
interface C5 
   no lacp
exit
interface C6 
   no lacp
exit
interface C7 
   no lacp
exit
interface C8 
   no lacp
exit
interface C9 
   no lacp
exit
interface C10 
   no lacp
exit
interface C11 
   no lacp
exit
interface C12 
   no lacp
exit
interface C13 
   no lacp
exit
interface C14 
   no lacp
exit
interface C15 
   no lacp
exit
interface C16 
   no lacp
exit
interface C17 
   no lacp
exit
interface C18 
   no lacp
exit
interface C19 
   no lacp
exit
interface C20 
   no lacp
exit
interface C21 
   no lacp
exit
interface C22 
   no lacp
exit
interface C23 
   no lacp
exit
interface C24 
   no lacp
exit
interface D1 
   no lacp
exit
interface D2 
   no lacp
exit
interface D3 
   no lacp
exit
interface D4 
   no lacp
exit
interface D5 
   no lacp
exit
interface D6 
   no lacp
exit
interface D7 
   no lacp
exit
interface D8 
   no lacp
exit
interface D9 
   no lacp
exit
interface D10 
   no lacp
exit
interface D11 
   no lacp
exit
interface D12 
   no lacp
exit
interface D13 
   no lacp
exit
interface D14 
   no lacp
exit
interface D15 
   no lacp
exit
interface D16 
   no lacp
exit
interface D17 
   no lacp
exit
interface D18 
   no lacp
exit
interface D19 
   no lacp
exit
interface D20 
   no lacp
exit
interface D21 
   no lacp
exit
interface D22 
   no lacp
exit
interface D23 
   no lacp
exit
interface D24 
   no lacp
exit
interface E1 
   no lacp
exit
interface E2 
   no lacp
exit
interface E3 
   speed-duplex 100-full 
   no lacp
exit
interface E4 
   no lacp
exit
interface E5 
   no lacp
exit
interface E6 
   no lacp
exit
interface E7 
   no lacp
exit
interface E8 
   no lacp
exit
interface E9 
   no lacp
exit
interface E10 
   no lacp
exit
interface E11 
   no lacp
exit
interface E12 
   no lacp
exit
interface E13 
   no lacp
exit
interface E14 
   no lacp
exit
interface E15 
   no lacp
exit
interface E16 
   no lacp
exit
interface E17 
   no lacp
exit
interface E18 
   no lacp
exit
interface E19 
   no lacp
exit
interface E20 
   no lacp
exit
interface E21 
   no lacp
exit
interface E22 
   no lacp
exit
interface E23 
   no lacp
exit
interface E24 
   no lacp
exit
interface F1 
   no lacp
exit
interface F2 
   no lacp
exit
interface F3 
   no lacp
exit
interface F4 
   no lacp
exit
interface F5 
   no lacp
exit
interface F6 
   no lacp
exit
interface F7 
   no lacp
exit
interface F8 
   no lacp
exit
interface F9 
   no lacp
exit
interface F10 
   no lacp
exit
interface F11 
   no lacp
exit
interface F12 
   no lacp
exit
interface F13 
   no lacp
exit
interface F14 
   no lacp
exit
interface F15 
   no lacp
exit
interface F16 
   no lacp
exit
interface F17 
   no lacp
exit
interface F18 
   no lacp
exit
interface F19 
   no lacp
exit
interface F20 
   no lacp
exit
interface F21 
   no lacp
exit
interface F22 
   no lacp
exit
interface F23 
   no lacp
exit
interface F24 
   no lacp
exit
sntp server 192.168.0.251 
ip routing 
ip udp-bcast-forward 
ip timep manual 192.168.0.251 
snmp-server community "public" 
vlan 1 
   name "DEFAULT_VLAN" 
   forbid A15-A16 
   untagged A8 
   no ip address 
   no untagged A1-A7,A9-A16,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24,G1-G24 
   exit 
vlan 2 
   name "Core LAN" 
   forbid A15 
   untagged A3,A5-A7,A9,A11-A14,B2,B4,B8,B10-B12,B14-B16,B18,B21-B24,C1-C3,C5,C7-C12,C14,C20-C23,D1-D2,D6,D8-D11,D14-D17,D21,D24,E2,E4,E7-E8,E10,E12-E17,E19-E20,E23-E24,F1,F3,F5-F11,F13,F15-F20,F22,G1-G24 
   ip address 192.168.0.254 255.255.255.0 
   ip forward-protocol udp 10.0.40.255 59152 
   ip forward-protocol udp 10.0.40.255 59153 
   ip forward-protocol udp 10.0.41.255 59153 
   ip forward-protocol udp 10.0.41.255 59152 
   tagged A16 
   exit 
vlan 4 
   name "Graphics Dpt" 
   forbid A15-A16 
   untagged D23,E18 
   ip address 192.168.129.254 255.255.255.0 
   ip helper-address 192.168.0.251 
   tagged A4 
   exit 
vlan 11 
   name "Fios" 
   forbid A16 
   untagged A10 
   no ip address 
   tagged A15 
   exit 
vlan 21 
   name "VoIP" 
   forbid A15-A16 
   untagged F2,F12 
   ip address 192.168.21.254 255.255.255.0 
   tagged E5 
   exit 
vlan 40 
   name "Credit Dept" 
   forbid A15-A16 
   ip address 10.0.40.254 255.255.255.0 
   ip helper-address 192.168.0.251 
   ip forward-protocol udp 192.168.0.255 59152 
   ip forward-protocol udp 192.168.0.255 59153 
   ip forward-protocol udp 10.0.41.255 59152 
   ip forward-protocol udp 10.0.41.255 59153 
   tagged A1 
   exit 
vlan 41 
   name "Warehouse" 
   forbid A15 
   untagged F24 
   ip address 10.0.41.254 255.255.255.0 
   ip helper-address 192.168.0.251 
   ip forward-protocol udp 192.168.0.255 59152 
   ip forward-protocol udp 192.168.0.255 59153 
   tagged A16 
   exit 
vlan 42 
   name "Building C" 
   forbid A16 
   ip address 10.0.42.254 255.255.255.0 
   ip helper-address 192.168.0.251 
   ip forward-protocol udp 192.168.0.255 59152 
   ip forward-protocol udp 192.168.0.255 59153 
   tagged A15 
   exit 
vlan 43 
   name "Executive" 
   forbid A15-A16 
   untagged B1,C16,C18-C19,D7,D20,E22,F21 
   ip address 10.0.43.254 255.255.255.0 
   ip helper-address 192.168.0.251 
   ip forward-protocol udp 192.168.0.255 59152 
   ip forward-protocol udp 192.168.0.255 59153 
   exit 
vlan 44 
   name "Office" 
   forbid A15-A16 
   untagged B3,B5-B7,B9,B13,B17,B19-B20,C4,C6,C15,C17,C24,D3-D5,D12-D13,D18-D19,D22,E1,E6,E9,E11,E21,F4,F14,F23 
   ip address 10.0.44.254 255.255.255.0 
   ip helper-address 192.168.0.251 
   exit 
vlan 45 
   name "Test VLAN" 
   forbid A15-A16 
   untagged E3 
   ip address 10.0.45.254 255.255.255.0 
   ip helper-address 192.168.0.251 
   ip forward-protocol udp 192.168.0.255 59152 
   ip forward-protocol udp 192.168.0.255 59153 
   exit 
vlan 50 
   name "VPN Users" 
   forbid A15-A16 
   ip address 10.0.50.254 255.255.255.0 
   ip helper-address 192.168.0.251 
   exit 
vlan 255 
   name "Mgt VLAN" 
   ip address 10.255.255.1 255.255.255.128 
   ip address 10.0.255.1 255.255.255.128 
   tagged A1-A2,A4,A15-A16,E5 
   exit 
vlan 60 
   name "wweavers" 
   forbid A15-A16 
   untagged C13 
   ip address 10.0.60.254 255.255.255.0 
   exit 
vlan 46 
   name "Restricted" 
   forbid A16 
   ip address 10.0.46.254 255.255.255.0 
   ip helper-address 192.168.0.251 
   tagged A15 
   exit 
vlan 55 
   name "Boiler" 
   forbid A15 
   ip address 10.0.55.254 255.255.255.0 
   ip helper-address 192.168.0.251 
   tagged A16 
   exit 
vlan 56 
   name "Maintenance" 
   forbid A15 
   ip address 10.0.56.254 255.255.255.0 
   ip helper-address 192.168.0.251 
   tagged A16 
   exit 
fault-finder bad-driver sensitivity high 
fault-finder bad-transceiver sensitivity high 
fault-finder bad-cable sensitivity high 
fault-finder too-long-cable sensitivity high 
fault-finder over-bandwidth sensitivity high 
fault-finder broadcast-storm sensitivity high 
fault-finder loss-of-link sensitivity high 
fault-finder duplex-mismatch-HDx sensitivity high 
fault-finder duplex-mismatch-FDx sensitivity high 
ip authorized-managers 10.0.45.1 
ip authorized-managers 192.168.0.80 
ip authorized-managers 192.168.0.95 
router rip
   no auto-summary
   exit
vlan 2
   ip rip
   exit
vlan 4
   ip rip
   exit
vlan 40
   ip rip
   exit
vlan 41
   ip rip
   exit
vlan 42
   ip rip
   exit
vlan 43
   ip rip
   exit
vlan 44
   ip rip
   exit
vlan 45
   ip rip
   exit
vlan 46
   ip rip
   exit
vlan 50
   ip rip
   exit
vlan 55
   ip rip
   exit
vlan 56
   ip rip
   exit
vlan 255
   ip rip
   exit
password manager

And this is the config of the 2920 switch that is to replace the 5308:
Code:
; J9728A Configuration Editor; Created on release #WB.15.12.0015
; Ver #05:18.41.ff.35.0d:9b

hostname "SW1-HP-2920-48G"
module 1 type j9728a
timesync sntp
sntp unicast
sntp 300
sntp server priority 1 192.168.0.251
time daylight-time-rule continental-us-and-canada
time timezone -300
ip access-list standard "10"
     10 permit 192.168.0.92 0.0.0.0
     20 permit 192.168.0.122 0.0.0.0
     30 permit 192.168.0.123 0.0.0.0
     40 permit 192.168.0.251 0.0.0.0
     50 deny 0.0.0.0 255.255.255.255 log
   exit
ip access-list standard "20"
     10 permit 192.168.0.92 0.0.0.0
     20 permit 192.168.0.122 0.0.0.0
     30 permit 192.168.0.123 0.0.0.0
     40 permit 192.168.0.251 0.0.0.0
     50 permit 192.168.0.4 0.0.0.0
     60 permit 10.0.60.1 0.0.0.0
     70 deny 0.0.0.0 255.255.255.255 log
   exit
ip authorized-managers 10.0.45.1 255.255.255.255 access manager
ip authorized-managers 192.168.0.68 255.255.255.255 access manager
ip authorized-managers 192.168.0.35 255.255.255.255 access manager
ip authorized-managers 192.168.0.118 255.255.255.255 access manager
ip authorized-managers 192.168.0.122 255.255.255.255 access manager
ip authorized-managers 192.168.0.123 255.255.255.255 access manager
ip authorized-managers 192.168.0.200 255.255.255.255 access manager
ip authorized-managers 10.0.44.20 255.255.255.255 access manager
ip timep manual 192.168.0.251
ip route 0.0.0.0 0.0.0.0 192.168.0.4
ip route 10.0.40.0 255.255.255.0 192.168.0.4
ip route 10.0.41.0 255.255.255.0 192.168.0.4
ip route 10.0.42.0 255.255.255.0 192.168.0.4
ip route 10.0.43.0 255.255.255.0 192.168.0.4
ip route 10.0.44.0 255.255.255.0 192.168.0.4
ip route 10.0.45.0 255.255.255.0 192.168.0.4
ip route 10.0.46.0 255.255.255.0 192.168.0.4
ip route 10.0.55.0 255.255.255.0 192.168.0.4
ip route 10.0.56.0 255.255.255.0 192.168.0.4
ip route 192.168.0.0 255.255.255.0 192.168.0.4
ip route 192.168.129.0 255.255.255.0 192.168.0.4
ip routing
ip udp-bcast-forward
snmp-server community "public" unrestricted
snmp-server contact "myemail@domain.com" location "Computer Room."
oobm
   ip address dhcp-bootp
   exit
router rip
   no auto-summary
   redistribute connected
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-16,18-22,25-48
   untagged 17,23-24,A1-A2,B1-B2
   no ip address
   forbid 47-48
   exit
vlan 2
   name "Core LAN"
   untagged 2-16
   tagged 48
   ip address 192.168.0.254 255.255.255.0
   ip forward-protocol udp 10.0.40.255 59152
   ip forward-protocol udp 10.0.40.255 59153
   ip forward-protocol udp 10.0.41.255 59152
   ip forward-protocol udp 10.0.41.255 59153
   ip rip 192.168.0.254
   forbid 47
   exit
vlan 4
   name "Graphics Dept"
   untagged 19-20
   tagged 45
   ip address 192.168.129.254 255.255.255.0
   ip helper-address 192.168.0.251
   ip rip 192.168.129.254
   forbid 47-48
   exit
vlan 11
   name "Fios"
   untagged 21
   tagged 47
   no ip address
   forbid 48
   exit
vlan 21
   name "VoIP"
   untagged 22
   tagged 44
   ip address 192.168.21.254 255.255.255.0
   forbid 47-48
   exit
vlan 40
   name "Credit Dept"
   untagged 40
   tagged 46
   ip address 10.0.40.254 255.255.255.0
   ip helper-address 192.168.0.251
   ip forward-protocol udp 10.0.41.255 59152
   ip forward-protocol udp 10.0.41.255 59153
   ip forward-protocol udp 192.168.0.255 59153
   ip forward-protocol udp 192.168.0.255 59152
   ip rip 10.0.40.254
   forbid 47-48
   exit
vlan 41
   name "Warehouse"
   untagged 41
   tagged 48
   ip address 10.0.41.254 255.255.255.0
   ip helper-address 192.168.0.251
   ip forward-protocol udp 192.168.0.255 59152
   ip forward-protocol udp 192.168.0.255 59153
   ip rip 10.0.41.254
   forbid 47
   exit
vlan 42
   name "Building C"
   untagged 42
   tagged 47
   ip address 10.0.42.254 255.255.255.0
   ip helper-address 192.168.0.251
   ip forward-protocol udp 192.168.0.255 59152
   ip forward-protocol udp 192.168.0.255 59153
   ip rip 10.0.42.254
   forbid 48
   exit
vlan 43
   name "Executives"
   untagged 25-36
   ip address 10.0.43.254 255.255.255.0
   ip helper-address 192.168.0.251
   ip forward-protocol udp 192.168.0.255 59152
   ip forward-protocol udp 192.168.0.255 59153
   ip rip 10.0.43.254
   forbid 47-48
   exit
vlan 44
   name "Office"
   untagged 37
   ip address 10.0.44.254 255.255.255.0
   ip helper-address 192.168.0.251
   ip rip 10.0.44.254
   forbid 47-48
   exit
vlan 45
   name "Test VLAN"
   untagged 1
   ip address 10.0.45.254 255.255.255.0
   ip helper-address 192.168.0.251
   ip forward-protocol udp 192.168.0.255 59152
   ip forward-protocol udp 192.168.0.255 59153
   ip rip 10.0.45.254
   forbid 47-48
   exit
vlan 46
   name "Restricted"
   untagged 18
   tagged 47
   ip address 10.0.46.254 255.255.255.0
   ip helper-address 192.168.0.251
   ip rip 10.0.46.254
   forbid 48
   exit
vlan 50
   name "VPN Users"
   ip address 10.0.50.254 255.255.255.0
   ip helper-address 192.168.0.251
   ip rip 10.0.50.254
   forbid 47-48
   exit
vlan 55
   name "Boiler"
   untagged 38
   tagged 48
   ip address 10.0.55.254 255.255.255.0
   ip helper-address 192.168.0.251
   ip rip 10.0.55.254
   forbid 47
   exit
vlan 56
   name "Maintenance"
   untagged 39
   tagged 48
   ip address 10.0.56.254 255.255.255.0
   ip helper-address 192.168.0.251
   ip rip 10.0.56.254
   forbid 47
   exit
vlan 60
   name "wweavers"
   untagged 43
   ip address 10.0.60.254 255.255.255.0
   forbid 47-48
   exit
vlan 255
   name "Mgt VLAN"
   tagged 44-48
   ip address 10.255.255.1 255.255.255.128
   exit
However, with the new 2920 switch:

- Only devices on VLAN 2 (192.168.0.0/24) subnet can ping the SonicWall 192.168.0.4 and access the Internet.

- Devices on other VLANs cannot get to the Internet and cannot ping the SonicWall 192.168.0.4

- Devices on other VLANs can ping VLAN 2's gateway 192.168.0.254 and other devices on VLAN 2 as well (just not the SonicWall).

- It seems to me that the switch is not routing traffic to 192.168.0.4 from other VLANs or the SonicWall is blocking traffic from other VLANs on this new switch.

I don't have much experience with programming switches, and I've been stuck on this for weeks now, trying to solve it without knowing what to look for.
So anyone here who can spot what I'm doing wrong, please help. If you need more information, just let me know.

Thank you in advance.
Stanav.
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
Does your SonicWall have any dynamic routing, or are you using static routing in the SonicWall? Verify in the SonicWall that there are routes to the other VLANs/subnets; otherwise the SonicWall won't know where to send the traffic.
 

stanav

Thanks for your suggestion. The SonicWall has RIP enabled but no static routes for the VLANs. What I don't get is that it works flawlessly with the HP 5308XL switch but not with the new HP 2920 switch that replaces the 5308, although the switch configuration is very much the same.
Routing between VLANs is done on the switch and it works correctly. The problem is that only VLAN 2 (which the SonicWall is on) can access the Internet. Devices on other VLANs can access servers on VLAN 2, but not the SonicWall, and thus they can't get to the Internet. Do you have any other suggestions?
 

dailow

Member
Oct 27, 2001
36
0
66
While I'm not familiar with HP Procurve devices, it looks like the old 5308 wasn't doing any static routing and relied on RIP to exchange routes with the Sonicwall.

Is the Sonicwall learning RIP routes from the 2920?
If it is, then the 2920 is blackholing the routes.
Try removing the static routes from the 2920 and see if that works.
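
To see which static routes the 2920 config adds on top of subnets it already routes as connected VLANs (the difference from the 5308 config that dailow points at), here is an added Python example; it is not part of the original posts. The sample is a constructed excerpt of the 2920 config above, and the 10.0.99.0 route and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the 2920 config posted above. The 10.0.99.0 route is
# not in the thread; it is added here to show a route that is not flagged.
SAMPLE_2920 = """\
ip route 0.0.0.0 0.0.0.0 192.168.0.4
ip route 10.0.40.0 255.255.255.0 192.168.0.4
ip route 192.168.0.0 255.255.255.0 192.168.0.4
ip route 10.0.99.0 255.255.255.0 192.168.0.4
ip routing
vlan 1
   no ip address
   exit
vlan 2
   ip address 192.168.0.254 255.255.255.0
   exit
vlan 40
   ip address 10.0.40.254 255.255.255.0
   exit
"""

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)$")
VLAN_RE = re.compile(r"^vlan (\d+)$")
ADDR_RE = re.compile(r"^\s+ip address (\d\S*) (\d\S*)$")


def parse(config):
    """Return (static routes, {vlan id: [connected networks]})."""
    routes, connected, vlan = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := ROUTE_RE.match(line):
            dest = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            routes.append((dest, ipaddress.ip_address(m[3])))
        elif m := VLAN_RE.match(line):
            vlan = int(m[1])          # entering a "vlan N" context
        elif line.strip() == "exit":
            vlan = None               # leaving the current context
        elif vlan is not None and (m := ADDR_RE.match(line)):
            iface = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            connected.setdefault(vlan, []).append(iface.network)
    return routes, connected


def shadowing_routes(config):
    """Static routes whose destination overlaps a connected VLAN subnet."""
    routes, connected = parse(config)
    findings = []
    for dest, hop in routes:
        if dest.prefixlen == 0:
            continue  # default route toward the firewall is expected
        for vlan, nets in connected.items():
            if any(dest.overlaps(net) for net in nets):
                findings.append((str(dest), str(hop), vlan))
    return findings


if __name__ == "__main__":
    for dest, hop, vlan in shadowing_routes(SAMPLE_2920):
        print(f"{dest} via {hop} duplicates connected VLAN {vlan}")
```

The 5308 config has no `ip route` lines, so the same check returns an empty list for it.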
 

stanav

Thank you for the suggestion. This sounds very promising. And yes, I notice the old 5308 doesn't have any static routes. I will try your suggestion of removing the static routes on the 2920 after the new year when things slow down and see if that works. Right now, I can't afford to have the 5308 taken down to put in the 2920.
 

stanav

Don't know if it matters but the time zones are different.
Thanks for pointing that out, but I doubt that it matters. The person before me configured the 5308 switch, and he probably mistakenly thought the unit for the time zone was hours instead of minutes, thus the -5 (instead of -300 as in mine).