Re: 2620 Vlan question

oliverm
Occasional Contributor

2620 Vlan question

Hi Chaps

Can someone sanity-check this configuration for me? I have 3 HP ProCurve 2620 PoE switches, though I'm focusing on the first one as the other two are fairly straightforward.

I've attached an image to this post showing the layout of Switch 1.

I've got the two VLANs working, and devices tagged with VLAN10 can access the VOIP server and untagged devices can access the servers.

However, neither VLAN can access the firewall on port 47. This might be a firewall issue, which we're looking at, but I was wondering if someone could check the ProCurve config for me and make sure.

Thanks

Here's the config.

10.1.1.251 = Windows Server inc DHCP
10.2.1.2 = VOIP Server inc DHCP

*********************
; J9627A Configuration Editor; Created on release #RA.15.10.0010
; Ver #03:03.17.2f:38
hostname "Switch-POE1"
dhcp-snooping authorized-server 10.1.1.251
dhcp-snooping authorized-server 10.2.1.2
dhcp-snooping vlan 1 10
no telnet-server
no web-management
web-management ssl
ip routing
interface 1
name "To Switch1"
exit
interface 3
name "To Switch2"
exit
interface 5
name "To Switch3"
exit
interface 7
name "To Switch4"
exit
interface 9
name "To Switch5"
exit
interface 37
name "WinDHCP"
exit
interface 39
name "FileServer"
exit
interface 41
name "VirtualHost"
exit
interface 43
name "FileServer2"
exit
interface 45
name "VOIP Server"
exit
interface 47
name "Firewall"
exit
interface 50
name "POE2"
exit
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 45
untagged 1-44,46-52
ip address 10.1.1.1 255.255.0.0
ip helper-address 10.1.1.251
exit
vlan 10
name "Phone_Vlan"
untagged 45
tagged 2,4,6,8,10,12-36,38,40,42,44,46
ip address 10.2.1.1 255.255.255.0
ip helper-address 10.2.1.2
qos priority 6
voice
exit
no dhcp config-file-update
password manager
password operator

Cajuntank MS
Valued Contributor

Re: 2620 Vlan question

So is the firewall's LAN port addressed on the subnet of 10.1.1.0/16 (that's a mighty large subnet)?

You don't need the helper address statement in VLAN 1 since your DHCP server for that subnet is already in that subnet. You only need helper address statements in vlans if the DHCP server is in a different subnet than the vlan interface.

Assuming that maybe the firewall is on the same subnet as vlan 1, does it have a route to 10.2.1.0 via 10.1.1.1?

Also you need a default route to the firewall's LAN IP address for all unknown subnets, so something like

ip route 0.0.0.0/0 10.1.1.2 (using this address as a possible address of your firewall)

paulgear
Esteemed Contributor

Re: 2620 Vlan question

Hi Oliver,

A couple of quick comments:

  • As Cajuntank MS mentioned, if your DHCP server is on the same VLAN, 'ip helper' does nothing.  IP helper is for forwarding DHCP requests & replies across subnet boundaries.
  • If you have 'voice' on a VLAN, you don't really need 'qos priority 6' - 'voice' automatically sets the QoS priority (can't remember whether it uses 5 or 6).
  • I recommend using some kind of standardised pattern to tie your IP addressing to your VLAN numbering.  This isn't necessary, but helps to make it easier for you in your operational network.  e.g. If you're going to use 10.2.* for your VoIP VLAN, then use VLAN 2, not VLAN 10; then you know that the 2nd octet of the address is always your VLAN number.  I would also recommend using a consistent subnet mask, so that VLAN 1 is 10.1.0.0/16 and VLAN 2 is 10.2.0.0/16.  (There's no issue with using large subnet masks like this as long as they're sparsely filled.  Usually you shouldn't try to put more than about 200-500 hosts in a subnet.)

None of these should affect whether or not your PCs can contact your firewall.  Check the IP address and subnet mask on the firewall and do some tests of which nodes can ping it and which can't.  Start with hosts in the same VLAN.

Regards,
Paul
oliverm
Occasional Contributor

Re: 2620 Vlan question

Hi all. 

Thanks for the posts. It turned out that the firewall port wasn't in the tag list for VLAN10. Tagging it got it working. 

I did try to change the IP of VLAN10 to 10.10.x.x to match the ID, which is a smart idea. However when I changed the IP address for that vlan in the switch and on all the VOIP hardware, traffic stopped flowing on VLAN10. Changing the IP back on the switch and the VOIP server/phones got it all back again. 

Any idea why that would be? Is there some other way to change the IP other than a "no ip address blah"?

Olly
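As an added illustration (not part of the thread and not HP tooling), a small Python checker for the two things the replies converged on: a port that is missing from a VLAN's tagged/untagged membership (the firewall on port 47 was absent from VLAN 10), and an ip helper-address that points inside the VLAN's own subnet. The config text is a constructed, trimmed copy of the two VLAN blocks posted above; the parser and audit functions are assumptions of this example.

```python
import ipaddress
# Constructed sample: the two VLAN blocks of the posted config (the firewall is on port 47)
SAMPLE_CONFIG = """\
vlan 1
untagged 1-44,46-52
ip address 10.1.1.1 255.255.0.0
ip helper-address 10.1.1.251
exit
vlan 10
untagged 45
tagged 2,4,6,8,10,12-36,38,40,42,44,46
ip address 10.2.1.1 255.255.255.0
ip helper-address 10.2.1.2
exit
"""

def expand_ports(spec):
    """Expand a ProCurve port list such as '2,4,12-36' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_vlans(text):
    """Map vlan id -> member ports, interface address and helper addresses."""
    vlans, cur = {}, None
    for words in (l.split() for l in text.splitlines() if l.strip()):
        if words[0] == "vlan" and len(words) == 2 and words[1].isdigit():
            cur = vlans.setdefault(int(words[1]), {"members": set(), "ip": None, "helpers": []})
        elif cur is None or words == ["exit"]:
            cur = None  # outside a vlan block, or leaving one
        elif words[0] in ("untagged", "tagged"):
            cur["members"] |= expand_ports(words[1])
        elif words[:2] == ["ip", "address"]:
            cur["ip"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[:2] == ["ip", "helper-address"]:
            cur["helpers"].append(ipaddress.ip_address(words[2]))
    return vlans

def audit(vlans, uplink_port):
    """Flag a port missing from a VLAN, and a helper-address inside the VLAN's own subnet."""
    findings = []
    for vid, v in sorted(vlans.items()):
        if uplink_port not in v["members"]:
            findings.append(f"vlan {vid}: port {uplink_port} is not a member")
        for h in v["helpers"]:
            if v["ip"] and h in v["ip"].network:
                findings.append(f"vlan {vid}: helper-address {h} is inside {v['ip'].network}")
    return findings
```

Run against the sample with `audit(parse_vlans(SAMPLE_CONFIG), 47)` it reports port 47 missing from VLAN 10 and both helper-address lines as redundant, which matches the thread's conclusions.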