HPE Community
LAN Routing
1752286 Members
4713 Online
108786 Solutions
New Discussion

Re: New VLAN Config - Going from FLAT to VLANs/Subnet

 
Kylejb007
Occasional Visitor

‎05-01-2013 12:21 PM

‎05-01-2013 12:21 PM

New VLAN Config - Going from FLAT to VLANs/Subnet

Good Afternoon Everyone.

 

I am looking at creating a nice VLAN and Subnetted network. I have done a lot of reasching and learning but I have a few un-answered questions and I also have some elemementary configs drafted up, which could change drasticlly with input from everyone.

 

We are using VoIP but are supplying QOS via DSCP, I would like to see that go into VLAN.

We have Enterprise Wireless System Ruckus, Allows VLAN Tagging on SSIDs.

 

We have 5308XLs in every building as the Main Switch, and 2650s as Edge Switches. I plan as long as the Toplogy will let me, use the 5308XL at our High School as the Layer 3 routing device. This is where we also plug into our ISD's Cisco, that provides us Internet. The ISD network is a /16, we are allowed only 10.25.x.x. I cant use 10.26 for example to /24 subnet my sites (oh well).

I am planning to make the network in our buildings (all fiber connected) /24. The only instance this won't work is on the Wireless and or VoIP. We have more than 254 hosts, so I was thinking IF I could, do a /23 on VoIP, and a /22 on Wireless on the Private side (1-1 coming eventually). I wasnt sure if I could mix Subnets or if I had to strictly be on /24 for everything.

 

So with that knowledge, I have some Notes and also sample configs for the Core Switch at HS and also main Switch at Edison that does the fiber. All the other buildings tie into a building called "edison". The Internet/Servers are hosted at High School.  Here are some Questions in my Notes/Assumptions, and also if people could look over the configs to make sure Im on the right track.

 

**Notes/Assumptions Im making**

1) Devices use Default Gateway of the VLAN on the Layer 3 Switch for all VLANs,? Set the Default Gateway in the DHCP Scope on the server for each subnet.?
100 = 10.25.100.1
120 = 10.25.120.1
130 = 10.25.130.1
140, etc
150, etc
160, etc
170, etc
180, etc
190, etc
200, etc

100 = Server VLAN
120 = Voice
130 = HS Data
140 = MS Data
150 = EL 1 Data
160 = EL 2 Data
170 = EL 3 Data
180 = Networked HVAC System
190 = Public Wireless
200 = Edison Data

2) Untag Phone Ports as Data vlan for that building - Tag 120 on top of them, Setup Phones to Be in VLAN120 (or when I turn on Voice for Vlan 120 the phones should reboot and go into 120).
3) Enable Voice on Vlan (Phone should reboot and go to 120), if DHCP Helpers are correct, they will connect to dhcp and get a correct IP from correct scope.
4) Same Applies to Ruckus Wireless - Untag Data Vlan on AP, Tag Appropiate VLAN for SSID (Private - Setup for Schools Data Vlan, and a Public 190), Modify Zone Director to force SSID on that VLAN.
5) tag Uplink to ISD (internet Service) Cisco with all Ports???? Is this correct?

6) By Default, Max Vlans is set to 8, need to increase it to: 12 for Core, and Edison due to Vlan transversal. Correct?

7) HP has Primary Vlan and Seperate Management VLAN: Management could be VLAN1 or more secure, different vlan, Primary would be the data vlan of the switch, Correct?

8) Ip Helper Address - Every Switch need this or Just the Layer 3 Switch that does the routing?

9) Can I mix my Subnet Mask on a couple of the vlans for more hosts? (Thinking a /22 for a Max pool of 1022 on Wireless) and Maybe a /23 on the VoIP, Can you do this??

10) Imaging Server - Will be on Server VLAN but DHCP Will provide the Options to reach the Server with IP? or no?

11) Do I need an IP Address for each Switch in the VLAN like I do below? I.e Core has 10.25.120.1, does the next switch need to be 10.25.120.2, the next switch 10.25.120.3, or does just the Layer 3 Device need an IP for that VLAN?


**Notes/Assumptions End**

 

 

*Core Switch Config*

 

JGHS Core #1

config
ip routing
ip default-gateway 10.25.254.254
route 0.0.0.0 0.0.0.0 10.25.254.254
loop-protect - x ports
loop-protect trap loop-detcted
loop-protect disable-timer 60

tag Uplink to ISD with all Ports ????

trunk1, PortX,PortY - LACP (Second Switch in Rack, LACP Trunked)

 

10.25.100.x - Server vlan - Vlan 100 (static, no Helper)
ip address 10.25.100.1 255.255.255.0
ip igmp
untag - All Servers
tag uplink to Edison (backup, Etc)

 

10.25.120.x - Voice Vlan - Vlan 120
ip address 10.25.120.1 255.255.255.0
ip helper-address 10.25.100.DHCP
tag - Phone Ports
tag phone server
Tag Uplinks to other Switches + edison
qos prioiry 6
ip igmp
Voice

 

10.25.130.x - JGHS Data - Vlan 130
ip address 10.25.130.1 255.255.255.0
ip helper-address 10.25.100.DHCP
untag - PCs
ip igmp
tag - Uplinks Tag Uplinks other Switches (120, 130, 190)

 

10.25.140.x - CMMS Data - Vlan 140
ip address 10.25.140.1 255.255.255.0
ip helper-address 10.25.100.dhcp
ip igmp
tag D4 (single Mode to edison)

 

10.25.150.x - Central Data - Vlan 150
ip address 10.25.150.1 255.255.255.0
ip helper-address 10.25.100.dhcp
tag D4 (single Mode to edison)
ip igmp

 

10.25.160.x - Lincoln Data- Vlan 160
ip address 10.25.160.1 255.255.255.0
ip helper-address 10.25.100.dhcp
tag D4 (single Mode to edison)
ip igmp

 

10.25.170.x - West Data - Vlan 170
ip address 10.25.170.1 255.255.255.0
ip helper-address 10.25.100.dhcp
tag D4 (single Mode to edison)
ip igmp
 
10.25.180.x - HVAC All Buildings (static, no Helper)
ip address 10.25.180.1 255.255.255.0
tag MultiMode Fiber to G1 Wing
untag HVAC Computer
ip igmp

 

10.25.190.x - Wireless Vlan
ip address 10.25.190.1 255.255.255.0
tag Wireless APs
tag Ruckus Controller - 130,140,150,160,170,190,200
tag Switch Uplinks - 190
tag Switch Link to Edison
ip igmp

 

10.25.200.X - Edison Data
ip address 10.25.200.1 255.255.255.0
tag Multimode Fiber to Edison
ip igmp

 

 

**Edison Main Switch that All Fiber goes to but does not link to internet**

 

Main Switch-5308XL

loop-protect - x ports
loop-protect trap loop-detcted
loop-protect disable-timer 60

Tag uplink to JGHS - 100,120,140,150,160,170,180,190,200

10.25.100.2 - Server vlan - Vlan 100
ip address 10.25.100.2 255.255.255.0
untag Backup, Archiver
ip igmp

 

10.25.120.1 - Voice Vlan - Vlan 120
ip address 10.25.120.12 255.255.255.0
ip helper-address 10.25.100.DHCP
tag Phone System + Phones
ip igmp
voice

 

10.25.140.x - CMMS Data - Vlan 140
ip address 10.25.140.2 255.255.255.0
ip helper-address 10.25.100.DHCP
tag CMMS Link - 140
ip igmp

 

10.25.150.x - Central Data - Vlan 150
ip address 10.25.150.2 255.255.255.0
ip helper-address 10.25.100.DHCP
tag Central Link - 150
ip igmp

 

10.25.160.x - Lincoln Data- Vlan 160
ip address 10.25.160.2 255.255.255.0
ip helper-address 10.25.100.DHCP
Tag Lincoln Link - 160
ip igmp

 

10.25.170.x - West Data - Vlan 170
ip address 10.25.170.2 255.255.255.0
ip helper-address 10.25.100.DHCP
Tag West Link - 170
ip igmp

 

10.25.180.X - HVAC System - Vlan 180
ip adress 10.25.180.3 255.255.255.0
tag all Uplinks - 180 (CMMS,JGHS, Edison, West, Central, Lincoln)
ip igmp

 

10.25.190.X - Wireless System - Vlan 190
ip address 10.25.190.12 255.255.255.0
tag all uplinks - 190 (CMMS,JGHS, Edison, West, Central, Lincoln)
ip igmp

 

10.25.200.X - Edison Data - Vlan 200
ip address 10.25.200.2 255.255.255.0
ip helper-address 10.25.100.DHCP
untag Computers
ip igmp

 

 

 

Thanks again for any help you are able to give. I have a feeling im on the right track but some of the questions I need answered I Cant find on the internet I've listed those in the notes/assumptions, you can answer numerically if you would like 1), 2), 3), etc.

 

THANK YOU SO MUCH!

0 Kudos
4 REPLIES 4
Vince_Whirlwind
Trusted Contributor

‎05-05-2013 06:12 PM

‎05-05-2013 06:12 PM

Re: New VLAN Config - Going from FLAT to VLANs/Subnet

Your layer3 switch is the router for each VLAN and therefore the .1 address for each VLAN will be on it.

Your layer2 switches do not do any routing and so do not need any IP address on them. However, you want to managed them: create :

VLAN99: 10.25.99.0/24: "Management VLAN"

Give all your switches a management VLAN IP address. Configure VLAN99 on each layer2 switch as the management VLAN.

(I can't off the top of my head recall anything about a "primary VLAN").

 

You will need an IP helper on your layer3 switch to forward DHCP requests from each VLAN/Subnet to the DHCP server on the Server subnet.

 

You do not need to trunk any VLANs upstream to the Cisco switch - you route traffic to them, using a default route on your layer3 switch that points to the upstream Cisco router. Presumably this will be an untagged in VLAN1 port, with VLAN1 configured with an IP address to match whatever the IP address is on the Cisco switch. Make sure it doesn't conflict with any of your planned subnets, obviously.

 

You do need to trunk VLANs from the Layer3 switch out to your layer2 switches.

Remember the golden VLAN rule when designing this:

 - have as few VLANs as possible on each switch

 - have each VLAN span as few switches as possible.

 

VLANs should be tagged when they cross a switch-switch link, and untagged on an edge port. Phones are a special case: they count as a "switch" supplying an untagged data VLAN to edge devices.

 

If you have subnets that need to be bigger than /24 (250 devices) then simply drop the subnet mask to /23 to double the size of the subnet, or /22 to double it again to 1000 devices. Just make sure you plan this properly so they don't conflict with one another, ie,

10.25.180.0/22 includes .180., .181., .182, .183.,

but

10.25.190.0/22 includes .188., .189., .190., .191.

0 Kudos
paulgear
Esteemed Contributor

‎05-06-2013 05:22 AM

‎05-06-2013 05:22 AM

Re: New VLAN Config - Going from FLAT to VLANs/Subnet

Hi Kylejb007,

 

A couple of further suggestions, addressed per your points:

  1. Looks like you've got the general plan worked out.  I would suggest rather than using spacings of 10 based on VLAN numbers, divide up the address space first, then allocate your VLANs based on subnet boundaries.  You need to think about how it will look if you have to fill the whole address space.  e.g. If you know you need a /22 for wireless, allocate a few /20s for it for future growth, then allocate your /22s in there as if they took up a whole /20. Then when you find that you need 1025 wireless devices instead of 1022, you'll have a whole address range ready to grow into.  Similarly, if you know that you need more than 254 IPs for VoIP, allocate a whole /22 or /20 so that expansion will follow subnet boundaries naturally.
  2. The next couple points seem fine to me.
  3. ...
  4. I recommend putting your Ruckus devices on a management VLAN; don't let the client wifi devices have IP-level access to the management interface of the APs or the Zone Director.
  5. As Vince_Whirlwind mentioned, usually the Internet uplink is untagged. I suggest putting it in its own VLAN entirely, because by default Windows platforms don't support ICMP redirects, which makes having multiple routers on the same VLAN problematic.  Best to let the workstations route everything through the L3 switch to get to the Internet.
  6. There is no cost to setting max-vlans to the maximum, so you should do that to save downtime later if you find you need more VLANs.
  7. The primary VLAN is the VLAN on which the switch gets its DHCP service. The management VLAN is the VLAN on which management traffic (esp. ssh and SNMP) is allowed.  Usually they are the same.  They should not be accessible to client PCs.
  8. The IP helpers are only required on the routing switch.
  9. As mentioned above, there's nothing to stop you using whatever netmasks you prefer, but it's important to assume that you're going to fill the space and to allow for growth.  I prefer to keep to a limited number of subnet masks: /24 and /20 if possible, /22 if necessary.
  10. Your PXE boot server can be on the server VLAN.  You'll need to provide the right DHCP options and include it in your IP helper list.
  11. Vince's reply convers this part pretty well.
Regards,
Paul
0 Kudos
Kylejb007
Occasional Visitor

‎05-06-2013 10:53 AM

‎05-06-2013 10:53 AM

Re: New VLAN Config - Going from FLAT to VLANs/Subnet

Thank you both for your information. I thought I was heading in the right direction and you've confirmed that. I apperciate your help!

 

If you dont mind just a couple other questions --

 

1) Ruckus Wireless - Do either of you have experiance with it? My question is, I have mobile laptop carts with an AP on top, I would want my staff to be able to plug that into any Network Outlet anywhere and be able to pass the traffic, I was thinking that I would set the Private SSID on the Data Vlan for that building and tag all the Data VLAN ports with the Public VLAN ID so it can pass the traffic. Do either of you suggest something different or accomplish it differently? I guess in the future we wouldnt have Mobile Carts and APs wont move, but until we do that, I need help with a work-around.

 

2) I have a couple buildings non Fiber Linked, they are using an Fortinet Point to Point VPN that tunnels thru the ISP to a NATT'ED Address at our ISD then gets NATTd/Routed to the ISDs Cisco in our Headend room, the VPN Appliance on our end is plugged into a Certain Port on the ISDs Cisco on the WAN side, and then we assign it an IP Address in our Static Range on the LAN side. They are on a different /16 Subnet, they have a 10.26 and 10.27 range (2 different buildings tunnel to it.). Would I have to build a route into the Layer 3 Switch to pass traffic to the IP address on that VPN Appliance? (They get access to File Shares, Web Filtering for Internet).

 

3) The rest of your answers have helped tremendously. Im still bouncing my head around the idea of bigger subnets. 99% sure the Phone could stay with 510 hosts, we would barely consume 1 Subnet as is ~238 phones + Servers + L3 IP, but the Wireless/Data VLANs could go big if I pass the Private SSID to the Data vlan.

 

The Elementaryies with just computers are way under 200 hosts, but in the future I add Wireless and have more wireless clients I might have to change that. Would it be better to have a Seperate Wireless VLAN for each building or make the datavlans bigger (Ruckus is flexible to tag different VLans on Different SSIDs on Different APs). It would be less maintaince in the future than having a Huge Single Vlan or is the thought process go huge so you dont have to change it later?

 

 

Thank you kindly!

 

0 Kudos
Vince_Whirlwind
Trusted Contributor

‎05-06-2013 05:27 PM

‎05-06-2013 05:27 PM

Re: New VLAN Config - Going from FLAT to VLANs/Subnet

1) There are ways to dynamically assign a VLAN based on access controls, ie, your AP that is being moved around and plugged in can be detected by the switch and automatically assigned to the Public VLAN.

You could use a Radius server for AD authentication, or you could use "aaa port-access mac-based"...

Alternatively, what you've suggested should work - set each of the switchports to "untagged" for Data and "tagged" for Public, then configure all the APs' switchports as tagged in the "Public" VLAN. Not secure, but that might not be a problem for you.

 

2) If I understand your topology correctly, your default route points out to that Cisco router, so you are already routing 10.26... & 10.27... in the correct direction.

 

3) I tend to go with 1 VLAN per floor or per building, or something similar. I stick with /24s as a rule of thumb to keep broadcast segments down to a reasonable size, but also because /24s are a very easy proposition for ongoing management even in organisations that have no dedicated network resource. Changing the subnet mask can result in all sorts of confusion and incidents when 3rd-parties come in to install stuff.

If you must plan for a wireless subnet that could experience future growth (pretty safe bet) then leave a big amount of space in your subnet plan for that growth.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.