HP ProCurve - Access device on a different subnet

[Daedroth]

I have a bit of a dilemma at the moment, so here's some background:

 

Back in summer 2015, we had a third party contractor replace our wired and wireless networks, server infrastructure and a bunch of other things. Included in this was redesigning the network from scratch.

Our old network was on the 10.122.xxx.xxx IP range.

Our new network is on the 10.22.xxx.xxx IP range.

 

There is now nothing on 10.122.xxx.xxx, except for our IPT phone system, which has a controller on a static IP of 10.122.40.10, along with access points for the phones, also with static IP addresses in that range. However, the IPT system is not owned or controlled by us, it is leased and supported by a contractor, who charge for callouts.

 

Our main VLAN is 10.22.100.0/22 - however I cannot ping 10.122.40.10.

 

The contractor who upgraded our network created 'VLAN 40' on 10.22.40.0/24, with DHCP disabled (by design - as it causes major issues with our phone access points when it is enabled).

 

I have Port 4 on an edge switch untagged on VLAN 40. When I connect a laptop and set a static IP address of 10.122.40.50 (yes, that is 10.122.xxx.xxx - not 10.22.xxx.xxx), I can ping 10.122.40.10 and connect to its web interface.

 

My problem is that I do not always have physical access to that switch, as the cab is in a meeting room. Is it possible for me to access that web interface from any machine on VLAN 100? If so, how would I go about getting it to work?

 

Edit:

Upon checking the switch, it is true that port 4 of the edge switch is on VLAN, however I cannot determine the IP address range of that VLAN...I'm not sure how. I can ping 10.22.40.1 from my own workstation on VLAN 100, so it appears that VLAN 40 is configured as designed by the contractor. I just don't understand how a device on VLAN 40 is configured with 10.122.xxx.xxx instead of 10.22.xxx.xxx and still work.

 

Some steps that I have done:

1) Connected laptop to P4 on the edge switch. Configured the following IPV4 information:

Static IP: 10.122.40.50

Subnet: 255.255.0.0

Default Gateway: 10.122.40.1

I can successfully ping and connect to the IPT controller.

Note: The Ethernet controller displayed in 'Network Connections' shows this network as an 'Unrecognized network'.

 

2) Connected the same laptop to the same P4 on the same edge switch and configured the following IPV4 information:

Static IP: 10.22.40.50

Subnet: 255.255.0.0

Default Gateway: 10.22.40.1

I cannot ping or connect to the IPT controller.

Note: The Ethernet controller displayed in 'Network Connections' shows this network as recognized and shows our domain name.

 

Wondering if I can get any input from @BudManto query his knowledge?!

Edited June 21, 2017 by Daedroth

[+BudMan MVC]

A vlan doesn't care what IP address is on it.. It is just an isolation of the layer 2 network.

 

You could run as many different layer 3 networks on top of that layer 2 as you want - this is really really bad design to run more than 1 layer 3 on the same layer 2.. But I see it done all the time by people that don't know any better.  If your on the same layer 2 there is no isolation.  Having devices on ip range A and other on range B does not "isolate" them from each other.

 

It would be very helpful to draw this out..

  On 21/06/2017 at 13:11, Daedroth said:

with DHCP disabled (by design - as it causes major issues with our phone access points when it is enabled).

 

Expand  

This seems odd.. Makes no sense that you would need to disable dhcp on a layer 2 - unless your going to run more than 1 layer 3 on it.  Then yes running a dhcp server would cause you all kinds of problems since any device on that layer 2 could get an address from that dhcp server.  To do multiple layer 3 on the same layer 2 with dhcp would require all devices to have reservations and your dhcp servers scopes would have to be set to not hand out any address that are not reserved, etc..

 

Can you please draw up this network - and and then we can dive in and correct any such nonsense like multiple layer 3 on the same L2.. It really really is BAD practice to do such a thing!!  And defeats any sort of security you might can by network segmentation..  Why not just run them all on the same layer 3, etc.

 

A /22 is a really large vlan - do you really have that many hosts on the same broadcast domain.  A /22 = 1022 hosts, that is a lot of broadcast and multicast on the wire unless your devices have been setup to not do the default noise they pump on the wire.. Window machines are broadcast/multicast noise makers!!!  Then add in the ipv6 on top of that and it gets nuts with that many devices on the same broadcast domain.

 

  Quote

Our main VLAN is 10.22.100.0/22 - however I cannot ping 10.122.40.10.

Expand  

 

What would be doing the routing between these networks?  Are you saying they are all on the same layer 2?

[Daedroth]

  On 21/06/2017 at 14:36, BudMan said:

This seems odd.. Makes no sense that you would need to disable dhcp on a layer 2 - unless your going to run more than 1 layer 3 on it.  Then yes running a dhcp server would cause you all kinds of problems since any device on that layer 2 could get an address from that dhcp server.  To do multiple layer 3 on the same layer 2 with dhcp would require all devices to have reservations and your dhcp servers scopes would have to be set to not hand out any address that are not reserved, etc..

Expand  

I'm not exactly sure why, but when DHCP is enabled (which is controlled by our DCs) it completely crashed the phone system. As soon as DHCP was disabled, it started working again...so it stayed off and has been off since.

 

  8 minutes ago, BudMan said:

Can you please draw up this network - and and then we can dive in and correct any such nonsense like multiple layer 3 on the same L2.. It really really is BAD practice to do such a thing!!  And defeats any sort of security you might can by network segmentation..  Why not just run them all on the same layer 3, etc.

Expand  

I'll try and draw it out tomorrow as I'll be finishing shortly and won't get a chance this evening.

  8 minutes ago, BudMan said:

 

A /22 is a really large vlan - do you really have that many hosts on the same broadcast domain.  A /22 = 1022 hosts, that is a lot of broadcast and multicast on the wire unless your devices have been setup to not do the default noise they pump on the wire.. Window machines are broadcast/multicast noise makers!!!  Then add in the ipv6 on top of that and it gets nuts with that many devices on the same broadcast domain.

Expand  

We are a small school with ~400 computers, ~200 laptops, ~100 tablets. The contractor originally configured the network with multiple VLANs, depending on the device, utilizing 802.1x and device security groups in AD, configured into these:

All staff desktops that were members of 'Dot1xStaff' joined a specific VLAN

All staff WiFi devices that were connected to our Ruckus WiFi and also members of 'Dot1xStaff' joined a specific VLAN

All student desktops that were members of 'Dot1xStudent' joined a specific VLAN

All student WiFi devices that were connected to our Ruckus WiFi and also members of 'Dot1xStudent' joined a specific VLAN

Any 'Unathenticed' devices joined another specific VLAN

 

However, we use a classroom management tool 'Impero' to view all of our computers and remotely control them across our site...and it also ties into our safeguarding policies. However, it does not work across VLANs. So the contractor configured everything to drop into the 'Unathenicated' VLAN. We've been waiting for the company to provide a solution, with it being on their 'road map', however nothing so far.

 

  8 minutes ago, BudMan said:

What would be doing the routing between these networks?  Are you saying they are all on the same layer 2?

Expand  

We have a HP Core Switch, which all of our HP edge switches connect to.

[+BudMan MVC]

Ah ok.. Going to be a lot of broadcast traffic in the current setup... The specific vlans would be for sure more secure!!  Especially with require 802.1x auth, etc.

 

So your 2 vlans hang off the core? Would be the typical normal setup.  That you can not route between them seems like something setup wrong on your core.  Or your other phone vlan doesn't have gateway set to the core hp L3..  I assume your core switch is L3 doing routing.

 

Why are you using a /16 mask - when your other masks you gave are /22 and /24?

[Daedroth]

I've made a crude drawing of our setup (only the relevant segments) and attached it to this post. We have GVRP enabled across our site, except on Edge Switch 2. Any other core switch, I cannot manually add a port into VLAN 40 (or any other VLAN) because it complains about being dynamically assigned. Edge Switch 2 has GVRP disabled and ports can be manually assigned to VLAN 40.

 

  On 21/06/2017 at 16:39, BudMan said:

So your 2 vlans hang off the core? Would be the typical normal setup.  That you can not route between them seems like something setup wrong on your core.  Or your other phone vlan doesn't have gateway set to the core hp L3..  I assume your core switch is L3 doing routing.

Expand  

The thing is, I can route between VLAN 100 and VLAN 40, as I can ping 10.22.40.1 from my machine on VLAN 100 with an IP of 10.22.100.60. I just cannot connect to 10.122.40.10.

 

  Quote

Why are you using a /16 mask - when your other masks you gave are /22 and /24?

Expand  

That was the info given to us by the phone system engineers.

 

[sc302 Veteran]

You would have to configure and allow vlan 40 and pass through on your "core switch router" and your "edge switch 2" via trunking or lacp and you would have to allow vlan 40 on your ports between "edge switch 1" and "core switch router"

 

 

 

Basically, create the path for it to function....without a path defined on all equipment or some way to route to it, you aren't going anywhere by putting vlan 40 only on "edge switch 2" and "edge switch 1", vlan 40 needs to either exist on all switches/routers in between or a route has to exist so that your devices can communicate to it on other networks.  vlan 40 does not need an ip on each device, vlan 40 just needs to exist on each device (device in this case meaning router or switch).

[+BudMan MVC]

ok lets be clear here

 

vlan 40

10.22.40.0/24

 

vlan100

10.22.100.0/22

 

Per your drawing they put your IPT controller and phones on "vlan 40" but gave them on network 10.122/16

 

Yeah that is borked.. This should be a completely different vlan, say vlan 122.  And you would have to allow/route it at your core. 

 

If the ports and such are setup for vlan 40, they are just running this different L3 network ontop of the same L2..   So you should be able to get those devices from any network on the vlan40 as long as you put the correct IP on it.  Like I said running multiple L3 networks on the same L2 is a borked config!

[Daedroth]

  On 22/06/2017 at 15:05, sc302 said:

You would have to configure and allow vlan 40 and pass through on your "core switch router" and your "edge switch 2" via trunking or lacp and you would have to allow vlan 40 on your ports between "edge switch 1" and "core switch router"

Expand  

It is trunked at the moment, which I think is why I can ping the gateway of VLAN 40 from my workstation.

  16 hours ago, sc302 said:

Basically, create the path for it to function....without a path defined on all equipment or some way to route to it, you aren't going anywhere by putting vlan 40 only on "edge switch 2" and "edge switch 1", vlan 40 needs to either exist on all switches/routers in between or a route has to exist so that your devices can communicate to it on other networks.  vlan 40 does not need an ip on each device, vlan 40 just needs to exist on each device (device in this case meaning router or switch).

Expand  

That diagram was only an example, all the VLANs are trunked across our whole site, by GVRP I'm assuming.

[Daedroth]

  On 22/06/2017 at 15:15, BudMan said:

ok lets be clear here

 

vlan 40

10.22.40.0/24

 

vlan100

10.22.100.0/22

 

Per your drawing they put your IPT controller and phones on "vlan 40" but gave them on network 10.122/16

 

Yeah that is borked.. This should be a completely different vlan, say vlan 122.  And you would have to allow/route it at your core. 

 

If the ports and such are setup for vlan 40, they are just running this different L3 network ontop of the same L2..   So you should be able to get those devices from any network on the vlan40 as long as you put the correct IP on it.  Like I said running multiple L3 networks on the same L2 is a borked config!

Expand  

Bah, I guess it isn't possible for me to access the 10.122/16 network from my machine on 10.22/16? The IPT setup pre-dates our new network by a number of years. The contractor we had in to do our network, like me, has no control over the hardware of the IPT, as it does not belong to us. We'd have to pay for an engineer call out to sort it...which management won't pay for because the phones work at the moment. Don't fix something that isn't broken. I guess it was our contractor that was at fault for not properly configuring the VLANs?

[sc302 Veteran]

Yes. Contractor at fault for allowing multiple subsets on a single vlan. I am sure I can find ways around it but it would require after hours work and physical access to reset passwords (not config).

 

It has to be redesigned, slightly.

[+BudMan MVC]

Yeah it should be on its own vlan for sure, especially for voice data should be on its own vs shared with a data vlan.

 

You would be able to access it from any 40 vlan just by placing an IP in their range on your device.  I think you already did that..  But that is borked config.  If you sniff on the 40 vlan your going to see all the broadcast traffic from all those devices. Arps, etc.

 

Your other option if under your control would be to redo your side of the vlan 40 and make it something else. That way you leave vlan for the phone network

[Daedroth]

Cheers for the responses.

It looks as though this isn't something I have the expertise or permission from the IPT supplier to sort myself, nor is it something management would sign off on payment for the IPT supplier or another third party to sort it out.

 

I guess it'll just have to stay as it is!

[+BudMan MVC]

That there is zero security between these 2 networks and completely BORKED - why should you have to pay for them to come fix their F up??

[Daedroth]

  On 01/07/2017 at 11:01, BudMan said:

That there is zero security between these 2 networks and completely BORKED - why should you have to pay for them to come fix their F up??

When they finished their installation two years ago, we had a list of issues for them to sort out. They addressed most of the issues, however this VLAN issue was only found recently and they will not come back on site to sort it as it was not something that was brought up earlier.

The only things we can do are: Do it myself (unlikely as I don't have the expertise and my employer won't pay for training), pay another contractor to come in and do it (won't happen because my employer won't pay for it), or get the IPT supplier in to re-address the IPT system (which my employer won't pay for).

[+BudMan MVC]

As already stated just create NEW vlan, to move your devices that are on this 40 to.  You do not have to touch the current IPT system.

 

This is really basic 101 networking.. If you can not even create a vlan on your own network - what do you do exactly?  Replace the ink in the printer and users mice when they break?

 

Do you not have access to any of these switches?  Do you not have access to the core switch?  If not then no there is nothing you can do.. How do you not have access to your own network infrastructure?

[Daedroth]

  On 01/07/2017 at 11:21, BudMan said:

As already stated just create NEW vlan, to move your devices that are on this 40 to.  You do not have to touch the current IPT system.
 
This is really basic 101 networking.. If you can not even create a vlan on your own network - what do you do exactly?  Replace the ink in the printer and users mice when they break? [emoji6]
 
Do you not have access to any of these switches?  Do you not have access to the core switch?  If not then no there is nothing you can do.. How do you not have access to your own network infrastructure?

I do have admin access to all of the networking equipment, however it's not something that we often access. We are a department of two, supporting nearly 1000 users, so we are stretched quite thin!

With my lack of networking experience, I don't want to risk making a mistake and causing further issues, especially as it is all working at the moment. What's that phrase? Don't fix something that isn't broken?

[+BudMan MVC]

But it is broken and broken badly!  The fact that you can not even run dhcp server on this vlan 40 network shows you this.. Anyone that is on this vlan 40 with basic skill or simple google would be able to access any of the IPT system - so there is zero security here.  From a lay users point of view I can see how it seems to be working..  But from even the most basic network standpoint it is completely and utterly BORKED!!

[Daedroth]

  On 01/07/2017 at 13:29, BudMan said:

But it is broken and broken badly!  The fact that you can not even run dhcp server on this vlan 40 network shows you this.. Anyone that is on this vlan 40 with basic skill or simple google would be able to access any of the IPT system - so there is zero security here.  From a lay users point of view I can see how it seems to be working..  But from even the most basic network standpoint it is completely and utterly BORKED!!

I understand that, so how would I go about sorting it?
Should I rename VLAN 40 to VLAN 122 and change the DHCP range to 10.122.40.xxx?
Or should I leave the VLAN name as it is and change DHCP to 10.122.40.xxx?
GRVP is enabled on all the switches as far as I am aware.

[+BudMan MVC]

You have 2 networks running on vlan 40.. You need to create a New vlan - either for your 10.122 network or for the other devices that are not ipt on vlan 40.

 

If you want to name it vlan 122 sure, what ID you use is not really important.  So either leave all those device how they are and create a new vlan for your devices that are on your vlan 40 "10.22.40.0/24" maybe call it vlan 22..

[Daedroth]

Cheers for the info. One last question I think:

 

As I mentioned previously, we have GVRP enabled across the site, except on this one edge switch in question. As GVRP is disabled on this switch, the port is manually tagged as VLAN 40 so that the engineer can connect his laptop up. My question: If GVRP was enabled, how would this engineer connect to VLAN 40 if the VLAN assignment is automatic?

[+BudMan MVC]

I really don't know how your setup - it sounds like a complete mess!!  GVRP would be used on trunks ports for dynamic addition and pruning on the vlans on your trunk (uplinks to other switches)..  Are you saying you have every port set for GVRP?

 

You would setup GVRP to add a new vlan to trunk.  This allows you to create a vlan and let it propagate throughout your switching network so you don't have to go hit all your other uplinks and allow said vlan, etc.

 

Can you post up config of your core switch and a access switch?  PM it to me if you don't want to post it, or I can send you my email address in PM if your ok with sending me the config.

[Daedroth]

  On 07/07/2017 at 10:16, BudMan said:

I really don't know how your setup - it sounds like a complete mess!!  GVRP would be used on trunks ports for dynamic addition and pruning on the vlans on your trunk (uplinks to other switches)..  Are you saying you have every port set for GVRP?

 

You would setup GVRP to add a new vlan to trunk.  This allows you to create a vlan and let it propagate throughout your switching network so you don't have to go hit all your other uplinks and allow said vlan, etc.

 

Can you post up config of your core switch and a access switch?  PM it to me if you don't want to post it, or I can send you my email address in PM if your ok with sending me the config.

Expand  

Sorry, I've been reading over some previous emails and it appears my assumption of GVRP may have been incorrect. I think I may have confused it with 802.1x. That was originally on all of our ports on all of the edge switches, as I had to use the command on port 3 to allow the VLAN to be changed manually:

no aaa port-access authenticator 3

 

If 802.1x is enabled on that port and the engineer turns up with a laptop - how would he connect to VLAN 40?

[+BudMan MVC]

What is your concern?

 

You have ports that are vlan 40, and your running more than one network address space on them!  If plugs into a port that is vlan 40 and sets the IP address for your IPT he will be able to talk to IPT, if sets an IP to talk to your other vlan 40 stuff he will be able to talk to that.

 

Once you FIX this mess - doesn't matter what vlan he connects to and what IP he uses he will be able to talk to IPT via its IP from the IP range of whatever vlan he is on via routing!

[Daedroth]

  On 07/07/2017 at 10:43, BudMan said:

What is your concern?

 

You have ports that are vlan 40, and your running more than one network address space on them!  If plugs into a port that is vlan 40 and sets the IP address for your IPT he will be able to talk to IPT, if sets an IP to talk to your other vlan 40 stuff he will be able to talk to that.

 

Once you FIX this mess - doesn't matter what vlan he connects to and what IP he uses he will be able to talk to IPT via its IP from the IP range of whatever vlan he is on via routing!

Expand  

I understand that, but it isn't something I can sort in the short term.

 

The whole issue is if the engineer turns up and he does not have physical access to the switch. Ideally, I'd like him to rock up to another room and connect into a network socket, regardless of what switch/port that is connected to. If he could somehow configure his laptop so that 802.1x automatically puts that port on VLAN 40 during that use...that would be grand. If not, I'd have to find the switch and port he is on, use PuTTY to connect to the switch and run that above command, just to allow him access. Then change it back when he's done. Though, if neither my colleague or I are on-site at the time the engineer is on-site...we wouldn't even be able to do that. Which is why if it could be automatically done, it would be great.

 

Does that make sense?

[sc302 Veteran]

You really need to have a little understanding of what you are looking at. 

 

If it automatically assigns vlans, that can be either based on the user login/user groups the user is in or the pc and what that pc is a member of.  If it doesn't automatically assign vlans, the port on the switch is configured for the vlan he needs/wants to be on and can be done on the fly with the tech either sshing into the switch or the tech physically connecting in when he is there and changing the config.  I am not the tech, I am not on site, I cannot tell you what he is doing.   I also don't know the config of your environment, so for me to sit over here and tell you the right course of action would be asinine and could lead you into a complete misconfiguration taking down your entire network.  Best advice I can give, post your configs....if you don't want to post your configs of every switch (because each switch can be config'd differently)... learn your environment good enough to have a educated discussion, or hire someone to fix this mess.