topic Re: VLAN Best Practices in Switches, Hubs, and Modems

VLAN Best Practices

Jonathan de Beere — Thu, 14 Oct 2010 16:01:24 GMT

Hi Guys,

I have 1 x 2910al and 3 x 4208vl with trunks between each switch. I have a Sonicwall NSA 3500 connected to one of the 4208 switches.

I have 3 VLAN's:
VLAN 10 VOIP
VLAN 20 Data
VLAN 30 Data

The Sonicwall is performing the routing between the VLAN's. It has 3 sub interfaces setup, one for each VLAN.

The VLAN's seem to be working, but I am not happy with the config of the switches and I have 2 questions:

1. Each VLAN on each switch has a different IP address. As far as I am aware only the main switch (in this case one of the 4208's) should have an IP address for each VLAN. I've found that if I remove the VLAN IP addresses from the other switches the VLAN's stop working. Why is this happening?

2. IP routing has been enabled on each switch. I thought it should only be enabled on the main switch. If I turn it off on the other switches do I need to make any other configuration changes?

I've attached the config of the switches.

The Sonicwall IP is 192.168.111.10 and is connected to Switch 192.168.111.13 Port A2.

My DHCP server is 192.168.111.9 and successfully assigns IP addresses to the 3 VLAN's via ip helper and also to the default VLAN

I am worried about making changes because it is a live network. Any pointers would be appreciated.

Thank you

Jonathan

Re: VLAN Best Practices

Natasha Samoylenko — Fri, 15 Oct 2010 08:20:44 GMT

Hi Jonathan

Can you please attach a topology of your network?
And what IPs did you use in every subinterface on Sonicwall?
And what IPs is tha default gateway for hosts in different subnets.

Why use do routing on Sonicwall?
You need this for some special reason?

Which of your 4208vl switches is "main"?

About your questions:

1. What you mean "VLAN's stop working"?
If you mean clients don't receive adresses:
You configure ip helper-address on switches, so they capture DHCP broadcasts from client and send them to DHCP server.
If you delete IP address from switch, switch cannot anymore do this.

But this doesn't mean that you need IPs on all switches on all VLANs.
I'm just trying to explain why this could happen.

2. Ip routing is not needed in all switches.
But I think you should answer all my questions and we need to look at all your topology in general.
It seems that you have few unnecessary commands on switches.

Please answer all questions. That will help to answer on all yours.

Re: VLAN Best Practices

Jonathan de Beere — Fri, 15 Oct 2010 08:56:03 GMT

Hi Natasha,

I've attached a topology for you to look at. The 'main' switch is 192.168.111.13

The Sonicwall subinterfaces have the following IP addresses:
VLAN 10 = 10.0.10.10
VLAN 20 = 10.0.20.10
VLAN 30 = 10.0.30.10

The Default Gateway for hosts in different subnets is the subinterface IP address of the Sonicwall eg 10.0.10.10, 10.0.20.10

Routing is via the Sonicwall and was already implemented, is there a better way of performing the routing. I didn't think the 4208 switches were capable of doing this?

Answer to your questions:
1. When I remove a VLAN address on swithes other than the main switch, the VLAN stops working eg if on switch 192.168.111.14 I remove VLAN 30 IP address, computers connected to VLAN 30 lose network connectivity and no longer receive DHCP addresses. I though that only the main switch required an IP address for each VLAN?

I hope this helps you.

Thank you

Jonathan

Re: VLAN Best Practices

Pieter 't Hart — Fri, 15 Oct 2010 13:23:21 GMT

>>> I though that only the main switch required an IP address for each VLAN?<<<

No, only a device that needs to be directly accessible from a subnet/vlan needs an-ip-adress in that vlan.
If your sonicwall allready did the routing, none of the switches need "ip routing" enabled.
They only need a single ip-adress on a sibgle vlan for management.
Then the sonicwall routes the packets from subnet to subnet.

As Natasha allready mentioned, you do not need "ip routing" on all switches, only on the switch that really does the routing.

So said, you can do the routing on your main switch.
Then this is the only switch with ip routing enabled, and an ip-adress on all vlan-interfaces and ip-helper to the dhcp-server configured.

Look at Your dhcp-scopes.
If your "main" switch does the routing, then they must specify the main-switch as default gateway for the respective subnet.
If it's the sonicwall, then the adress of the sonicwall must be specified as defaul-gateway in the scopes.

Re: VLAN Best Practices

Natasha Samoylenko — Fri, 15 Oct 2010 14:14:44 GMT

I see two ways for you:
1 way. leave sonicwall as default gateway and main routing device.
But first you will need to configure ip helper-address on ALL Sonicwall subinterfaces.

Then you can disable ip routing on all switches. ANd delete all ip helper-address statements from switches.
Your network should not experience any disruption during this changes.

2 way. Make Switch 1 (main 4208) default gateway
This will require more changes, but I think that for your topology it would be better to do routing on main 4208 switch.
If I were you I would make switch 1 main routing device.
And even more, this is more common and recommended practice.
Especially considering your topology.

So if you decide to change your configuration you will need:
1) Configure switch 1 as default gateway
You already enabled ip routing on switch 1.
So next you need (I see two possible ways):
1a Change default gateway in DHCP scopes to switch 1 VLAN1 IP adresses
Default gateways for client in corresponding VLANs:
VLAN 10 = 10.0.10.3
VLAN 20 = 10.0.20.3
VLAN 30 = 10.0.30.3

1b Or this way:
You may not change scope, but change IPs on switch 1 (next step you will delete subinterfaces from Sonicwall so don't worry about duplicated IPs).
On switch 1 you will have following IPs on corresponding VLANs:
VLAN 10 = 10.0.10.10
VLAN 20 = 10.0.20.10
VLAN 30 = 10.0.30.10
But I see that your logic was to use IPs on switch 1 which ended on 3. So may be 1a way is more preferred for you.

2) apply ip helper-address command to all VLANs (except VLAN 1) ONLY on switch 1

3) Delete subinterfaces on Sonicwall for VLAN 10,20,30
This you should do carefully because in both ways 1a and 1b it may cause a network disruption.
1a is more safe. You can wait till your clients update their IP addresses and get new DG (.3).
After this you can delete subinterfaces from sonicwall.
If you choose 1b, then you better do it at the end of a day.
Next day clients will refresh their ARP cache on switch 1 MAC.

4) Clear all unnecessary commands from other switches:
disable ip routing
delete ip helper address command

I assume that you use VLAN 1 for switch management.
If so: You don't need IPs on other switches (except switch1) on VLAN 10,20,30.
You can delete them also.