I am trying to setup a VLAN but my first attempt has created a loopback. I will explain what I did and any help/suggestions are appreciated.

I have three HP 1920 switches, each in separate buildings. Switch1 is on network 172.x.x.x, while Switch2 and Switch3 are on the same 10.x.x.x network. Switch1 is connected to Switch2 and Switch2 is connected to Switch3. Switch3 is connected to the firewall and provides the Internet connection for all three buildings. I need the 172.x.x.x network to passthrough Switch2 and Switch3 to the firewall for Internet service but the two networks must not see each other. 

I created VLAN 30 on Switch2 and Switch3 using ports 23 and 24 on each switch. I then connected port 24 on Switch1 to port 23 on Switch2, and connected port 24 on Switch2 to port 23 on Switch3. And finally connected port 24 on Switch3 to port 3 on the firewall. I was able to get internet access on the 173.x.x.x network. The next step I took was to connect the 10.x.x.x network to the Internet by connecting port 1 on Switch2 to port 1 on Switch3, and then port 2 on Switch3 to port 2 on the firewall. This is when I got the loopback error because Switch2 and Switch3 are connected to each other twice via the separate VLANs. 

What do I need to do to correct this problem? Is there a better way to keep the networks separate? 

Hello,

Quick summary: 

Let us assume that you only have VLAN 30 (where the 172 addresses live) and VLAN 1 (where the 10.x addresses live) in play in your network.

Let us assume that you have local access to the switches and that you are not remotely connected and furthermore that the firewall provides the default gateway for the 10 network and the 172 network. I have gone for the simplest approach possible rather than try and show you too many things at once...

Problem - You need to get VLAN 30 all the way through the network from the user ports of Sw1 to port3 on the firewall without it "touching" vlan1.

So - 

On switch 1:

Make all of the user facing ports part of vlan 30

(you may want to keep one solitary physical port in vlan 1 if you are keeping the management address in vlan 1 - just so you can plug in with your laptop and get local access to the management IP). 

Make the uplink port 24 - a trunk port - untagged (aka PVID) for vlan 1 and tagged for vlan30

Enable spanning tree

On switch 2

vlan 30 - no ip address needed - layer 2 only - user facing ports in vlan1 - management IP addres in VLAN1. 

Make uplink port 23 a trunk untagged (aka PVID ) VLAN1 and tagged for vlan 30 

Configure ports 1 & 24  - bind them together into a Link Aggregate Group or Lagg. (use LACP option).

Make the new bagg1  interface a "trunk" link with VLAN 1 as the pvid / untagged and vlan 30 as a tagged vlan. 

enable spanning tree

On Switch 3

vlan 30 - no ip address needed - layer 2 only - user facing ports in VLAN1 & management IP address in vlan1.

Configure ports 1 & 23 into a link aggregate group - use LACP option.

Make the new bagg1 interface a trunk link with pvid / untagged vlan 1 and vlan 30 tagged 

Put port 24 as an untagged "access" port in vlan 30 as this will interface with P3 on the firewall. 

Enable spanning tree

You should now have reachability at the MAC address level between a PC host connected into SW1 all the way through to port 3 on the firewall. 

Let us know how you progress and if you come across any gotchas. 

Kudos and solved buttons help others find useful posts - please give us a click if this helps you.

many thanks

Ian 

Thanks for the reply Ian! I followed your instructions and am not quite setup yet. So far VLAN1 is working properly from Switch1 and Switch2, but VLAN30 is not responding at all. It is definitely not looping now as VLAN30 does not connect even if I disconnect the link connecting Switch2 and Switch3 for VLAN1. 

When setting up spanning tree, it appears that the Global STP is enabled. I enabled the Region STP for VLAN1 and VLAN30. I am not sure if that was what I was supposed to do? Either way VLAN30 is not connecting to the firewall or even the other switches.

Hello,

Don't forget that VLAN30 has no intelligence as far as the switches are concerned in this scenario. All you are doing is making a "virtual channel" across the network to connect the hosts to the firewall. You will need some tame devices on the network to do a little testing. I shall try and explain what I mean.

A quick checklist:

Do all 3 switches have vlan 30 configured? It just has to exist in the vlan list - no iP address needed.

Can you temporarily put one port in SW3 into vlan 30 as an access port.

A temp device in a vlan 30 access port in SW3 should be a good local test that the firewall is doing what it needs to do - DHCP, routing etc. - as it should easily be able to talk to the firewall in another vlan 30 access port in the same switch. If that doesn't work you have a firewall issue - if it does work we can assume we have a good firewall and we can move up the stack.

Check that the link between SW3 and SW2 is carrying vlan 30 as a tagged vlan in addition to untagged vlan 1 over the trunk.

Go through the same procedure as above but this time on SW2  - put a single access port on vlan 30 and make sure you are getting the same services from the firewall. You are simply extending that layer 2 network within VLAN 30 to SW2 using the tags and the trunk link.

If that works you are half way there.

Check the "lagg" link between the SW2 and SW1 and make sure that it is carrying tagged vlan 30 and untagged / native / pvid VLAN 1.

Does Sw1 now have all user ports as "access" ports in vlan 30?

You are making sure that VLAN 30 traffic gets carried onto the network and over the trunks between the intervening switches to the access port where the firewall is.

Do you have a "pingable" device (i.e. something other than a windows PC with a personal firewall) that you can use for testing?

Two would be even better as you could leave one in SW1 and move the other between the temporary vlan 30 access ports yuo made in switches 2 and 3 and test that the pings are going over the trunks.

I don't think that you are too far away and I hope it is becoming clearer. 

When it is all up and worked remember to revet the "temp test" ports in vlan 30 on switches 2 and 3 back to vlan 1.

The spanning tree thing is a "just in case" really and shouldn't impact your connectivity if you only have one logical link between each pair of switches (the Lagg only counts as one).

Let us know when you have the eureka moment and get teh clients talking to the firewall .

Thanks

Ian

You're a genious Ian! :) I had accidentally set lagg for VLAN30 on Switch2 as untagged. Once I corrected that everything started working properly. Thank you so much for your time! 

No problem. I'm glad you got it working. 

Don't forget to save your configurations on the switches (just in case they get powered off at some point). 

It is also worth backing up the configurations to another server or put them somewhere safe off the network in case a switch suffers a malfunction or accident and you have to restore a configuration from scratch. 

You'll be glad to know that I've set your scenario as a little exercise for some of my colleagues who are learning the ropes of networking. If you've grasped the concepts of subnets, VLANs, access ports, trunks, LAGGs etc you are doing well and with a bit of subnet mask practice you'll be well on the way getting your first "belt" in the martial art of Network-Fu.

:-) 

many thanks

Ian

That's awesome! I hope it is a good exercise for them too. :)

I have saved the configs and set them to be backed up on the normal rotation. I have a supplemental question or two if you do not mind. At some point we will want to add a guest wifi to SW2 that is separate from VLANs 1 and 30. We can connect to port 4 on the firewall so that they are on a completely different network. I'll likely put the wifi on port 22 on SW2 as VLAN40. I imagine I'll just do the same procedure for VLAN40 as I did to VLAN30? Then use port3 on SW3 to connect to port4 on the firewall? 

This brings up another question. Is there a way to just use one link from SW2 to SW3 in this scenario? One link is fiber and the other is copper. We would like to remove the copper link if possible.

Thanks for your help!

Hello,

Ok a couple of points to cover:

1. Yes. You can add new networks to the design just by adding
   1. The vlan config on each switch
   2. Some access ports for clients and one for a firewall
   3. The tagged vlan to the trunk links between switches
2. You can "break up" / delete the lagg config and turn the single port that you want to use on each side as a trunk type interface with untagged vlan 1 and tagged vlan 30

Just bear in mind that your traffic between SW1 and the firewall now depends on a whole sequence of single components and if you don't have the LAGGs between switches you don't take advantage of the redundancy that they offer.

Thanks

Ian

Good day everyone

one of my computers auto negotiates to 100Mbps and on the driver it states that the negotiation partner are not capable of higher speeds.  On my HP 1910 switch the port speed is set to auto[100].  When i try to set the ports speed to auto[1000],  i get the following error:

"Error: Invalid speed value for port auto-negotiation."

when i set the port to [1000], i get this error:

"Set port attribute error!"

any ideas on why this is happening?

thank you

regards

please see the attached picture to see how the port in question are currently configured.

thanks

Isn't the HPE OfficeConnect 1910-24 PoE+ (Product Number JG539A: is it correct?) a Fast Ethernet Switch?



AFAIK, if the Switch you have is that exact model (and not the JE007A which is the 1910-24G PoE+), well...it should provide you twentyfour - from port 1 to port 24 - RJ-45 Fast Ethernet (10/100 Mbps) ports plus two Combo - port 25 and port 26 - Gigabit Ethernet (1000Mbps) ports (those ones - the Combo ports - can be equipped with SFP Transceiver(s) or used directly with RJ-45 Gigabit Ethernet Cables, SFP and RJ-45 - on each Combo port - is mutually exclusive).

So...port 18 should correctly be only a Fast Ethernet port and, the fact that that Switch's Web GUI is offering you to set a parameter - Speed: Auto(1000) - which should not offered you at all for that particular Fast Ethernet port, is probably just a nasty Web GUI bug.

Can you confirm that your Switch's Product Number is equal to JG539A (the Screenshot you provided looks compatible with the JG539A's ports layout where you have port 25 and 26 as Combo)?

What Firmware version is your Switch currently running?

You are correct about the product number.  So the gigabit configuration will not be possible and its quite annoying that the gui offers to set the port to 1000Gbit it sent me on a wild goose chase.

Firmware version: 5.20.99 Release 1108?

thank you for your help.

regards

Yep, sometime...it's happen.

Remember that you have (if not yet used for connecting other Hosts/Switches) port 25 and port 26 that can both work at Gigabit Ethernet speeds.

Actually the latest Firmware is R1113 (March 2016), your one R1108 is just about one year older, see here and, in particular, read R1113 Firmware's Release Notes here.

Apparently no bugs related to Web GUI Settings...most of fixed bugs are related to OpenSSL/Security Fixes.

Problem has reappeared.

I can see why loops are being introduced - switch-06 is transitioning interfaces to FORWARDING on an uplink before it sets them to DISCARDING on the other uplink !!

%Sep 10 08:57:29:258 2016 SWITCH-06 MSTP/6/MSTP_NOTIFIED_TC: Instance 0's port GigabitEthernet1/0/25 was notified of a topology change.
%Sep 10 08:57:30:905 2016 SWITCH-06 MSTP/6/MSTP_NOTIFIED_TC: Instance 0's port GigabitEthernet1/0/25 was notified of a topology change.
%Sep 10 08:57:31:007 2016 SWITCH-06 MSTP/6/MSTP_NOTIFIED_TC: Instance 0's port GigabitEthernet1/0/25 was notified of a topology change.
%Sep 10 08:57:31:135 2016 SWITCH-06 MSTP/6/MSTP_DISCARDING: Instance 2's port GigabitEthernet1/0/26 has been set to discarding state.
%Sep 10 08:57:31:136 2016 SWITCH-06 MSTP/6/MSTP_FORWARDING: Instance 2's port GigabitEthernet1/0/25 has been set to forwarding state.
%Sep 10 08:57:32:916 2016 SWITCH-06 MSTP/6/MSTP_NOTIFIED_TC: Instance 0's port GigabitEthernet1/0/25 was notified of a topology change.
%Sep 10 08:58:00:255 2016 SWITCH-06 MSTP/6/MSTP_FORWARDING: Instance 0's port GigabitEthernet1/0/26 has been set to forwarding state.
%Sep 10 08:58:00:256 2016 SWITCH-06 MSTP/6/MSTP_DETECTED_TC: Instance 0's port GigabitEthernet1/0/26 detected a topology change.
%Sep 10 08:58:00:257 2016 SWITCH-06 MSTP/6/MSTP_FORWARDING: Instance 1's port GigabitEthernet1/0/26 has been set to forwarding state.
%Sep 10 08:58:00:258 2016 SWITCH-06 MSTP/6/MSTP_FORWARDING: Instance 2's port GigabitEthernet1/0/26 has been set to forwarding state.
%Sep 10 08:58:13:531 2016 SWITCH-06 MSTP/6/MSTP_NOTIFIED_TC: Instance 0's port GigabitEthernet1/0/26 was notified of a topology change.
%Sep 10 08:58:13:532 2016 SWITCH-06 MSTP/6/MSTP_DISCARDING: Instance 0's port GigabitEthernet1/0/26 has been set to discarding state.
%Sep 10 08:58:13:533 2016 SWITCH-06 MSTP/6/MSTP_DISCARDING: Instance 1's port GigabitEthernet1/0/26 has been set to discarding state.
%Sep 10 08:58:13:534 2016 SWITCH-06 MSTP/6/MSTP_DISCARDING: Instance 2's port GigabitEthernet1/0/25 has been set to discarding state.
%Sep 10 08:58:13:720 2016 SWITCH-06 MSTP/6/MSTP_NOTIFIED_TC: Instance 0's port GigabitEthernet1/0/25 was notified of a topology change.
%Sep 10 08:58:14:933 2016 SWITCH-06 MSTP/6/MSTP_NOTIFIED_TC: Instance 0's port GigabitEthernet1/0/25 was notified of a topology change.

Normal operation is:

1/0/25  Forwarding Instances 0,1 and Discard instance 2

1/0/26  Discard instances 0,1 and Forwarding instance 2

so it can be clearly seen in the log above that I end up with all three instances being forwarded out of both g1/0/25 and g1/0/26.

This is when I start seeing looping packets in the network and may indicate why I get BPDU starvation on switch-02.

Is this a known bug? If so is there a fix?

Not sure what else I can do if STP is not functioning correctly.

You might be running into an issue where the Webinterface goes down after the switch has been up for a while.  I've got the same problem on my 1810-48.  Powercycle the switch then see if you can connect to it.  

In my case, the switch stops responding even to arp queries, but still passes traffic.  

Hi All

I just unboxed the brand new switch in the subject and it says that poe is enabled in the interfaces yet in the cli the pse device shows the following:

Slot 1:
PSE ID Slot No. SSlot No. PortNum MaxPower(W) State Model
4              1                0               48          370.0           Off    LSP7POEB

I have searched high and low to find where to enable it but cannot find anything.

Thanks in Advance

Sless

Bonjour,

Je dois configurer sur un switch HPE 1920 un port "Vlan 10" Wifi pour le diviser de mon Lan "Vlan 1", malheureusement il ne me reste plus d'interface physique sur mon Firewall donc je dois créer un "Vlan 10" Wifi dans mon firewall et le coller sur mon interface physique Lan.

Concernant la conf du switch HP comment dois-je configurer mon port pour récupérer uniquement l'IP du Vlan 10 Wifi ? Mode hybride ? tagged ? untagged ? Pvid,...

Merci

Hello,

I need to configure on a switch port HPE 1920 "VLAN 10" Wifi to divide my Lan "VLAN 1", unfortunately it only remains for me physical interface on my firewall so I have to create a "VLAN 10" Wifi my firewall and paste on my physical interface Lan.

Regarding the switch HP conf how do I configure my port to retrieve only the VLAN 10 IP Wifi? Hybrid Mode? tagged? untagged? Pvid ...

Thank you

I don't believe PoE is active on each PoE enabled interface as factory default "out of the box": you always need to enable PoE feature (via Web UI or via CLI) on/for each port.

Which Firmware is the JG962A running? I recall of a fixed bug about PoE Status as shown by the Web UI with respect to what the CLI shows...solved with Software Release 3111 P07 (March 2016). Check that through latest Release Notes.

What are the results of display poe pse 4 (4 is your PSE-ID) and display poe pse commands?

Consider that PoE Firmware can be updated too, see here (page's bottom).

Note: there is definitely something strange on the 1950 Firmware's page...I don't see R3113P05 anymore (I have its Release Notes...because I downloaded it during the last week of August)...the latest Firmware release is only R3113P03 of June. Really strange.

La configuration du switchport doit correspondre a celle du port sur le router. 
Le VLAN10 sera surement "Tagged" sure the port du Firewall, puisqu'il va etre le second VLAN sur ce port.

Sur le port du switch VLAN10 devra donc egalement etre"Tagged".

There's a lot you can learn when it comes to photography, and you could spend years learning the craft. However, just knowing a few key tips can mean taking great shots with your camera. This article contains some sound advice on how you can start taking shots you are proud of.

Don't rely on your camera's zoom. Get a close as possible before you start to use your zoom. Zooming in can be helpful, but after a while the picture can get distorted. You're better off getting as close to the subject as you can before you try to zoom in on it.

Pay attention to natural lighting. You might need to use your flash feature or install additional sources of light, but you can use natural lighting to create interesting effects with light and shadow. Position your subject accordingly. Make sure the photograph is not too dark or too bright.

Make sure that your arms remain next to your body when you hold a camera, and make sure that the sides and the bottom of the camera are supported. This will minimize shaking and produce clearer shots. Additionally, by cradling your hands around and under the camera, it will prevent accidental dropping of the device.

Try not to be too mechanical with your shots. Sometimes it is better to get an eclectic angle than to shoot various run of the mill photos. Also, try to implement the scenery into your photos as often as possible if you want to capture a more personal and unique depiction waterproof camera.

A good photography tip is to use color contrast as a way to create your focal point. Basically this means the area you want the viewer to focus on should have high color contrast. A good way to achieve this is by putting two pure colors side by side.

Natural light will always provide you with the highest quality photos. Cloudy days are actually better for shooting than sunny ones, because the clouds act as a natural diffuser, spreading the light out and eliminating shadows and harsh contrasts. Opt for your next photo shoot outside on an overcast day.

Do not let your knowledge shape your pictures. You should base your picture around your idea and creative feel and use knowledge and your equipment help you make this idea come to life. You can experiment with techniques when you first learn them, but you will take your best pictures when you let your ideas take charge.

Don't miss the little things when taking photos on vacation. If you don't photograph the fine details, you may not remember them later. Shoot pictures of small objects like tickets and coins and also larger things like street signs and strange objects in markets.

Like any science or art form, photography is something you could study and read about for a good portion of your life. Or, you could just apply what you have read in this article and improve your photography immediately. Keep these tips in mind the next time your camera is in your hands and you'll see better images quickly best action camera.