
Re: Definitive Voice/Data vlan config (help please)

Colonelk
Frequent Advisor

Definitive Voice/Data vlan config (help please)

Hi again ;)

I'm so nearly there with my setup but keep getting conflicting advice!

I'm in a similar situation to Karl Collinson in that I have the need of creating a separate voice and data vlan arrangement with 3 HP ProCurve 2900s (2 x 24 port, 1 x 48 port with the 48 port doing the routing). I also have the D-Link 3028P PoE switch for IP phones. I need routing between the two.

The 2 x 24 port 2900s will ONLY have PC/printer/servers attached to them.

The D-Link switch (and another one to come) will have IP phones on them and in some cases PCs attached to the IP phones.


Attached is a PDF file with a drawing giving my config and connections in my test setup.

I'm still not totally sure about gateway IPs.

The other thing that is irking me in this design is that I can't seem to ping each of the switches from the other switches. I can see stuff "Attached" to the switches, just not the switches themselves; therefore it makes management via Telnet/Web difficult.

I think many people could really do with a definitive set-up/answer for segregated voice/data vlan setups so I'd like help to turn this thread into a good reference for the subject please.


Many thanks

Tino
16 REPLIES
Joel Belizario
Trusted Contributor

Re: Definitive Voice/Data vlan config (help please)

Hi Tino,

Had a quick look at your diagram and here are my thoughts:

- I would leave VLAN 1 untagged and all other VLAN traffic tagged on your uplinks between switches. I believe Cisco gear (and perhaps others too) requires the native / default VLAN to remain untagged.

- Each switch is only required to have an IP address in the default VLAN for management purposes. You can remove the addresses from your edge switches on VLAN 10 and 20 to clean up the configs a little. As long as the edge switch default gateways point to your primary switch you should be able to communicate with them.

- From a host point of view, their default gateway should be their VLAN (virtual router) IP address.

- On your primary switch you have a duplicate IP address in VLAN 1 and 20? (i.e. 192.168.5.1) I did not think the switch firmware allowed duplicate IP addresses.

- I've noticed some minor inconsistencies in the configs, such as the management VLAN being defined on the edge switches but not the primary switch.

- I do not recall if the "ip helper-address" command is required on the edge switch configs or not (I haven't touched a ProCurve in a while...)

Anyways hope these suggestions help and I'm sure others on the forum will contribute a lot more! :)

Cheers,
Joel
Colonelk
Frequent Advisor

Re: Definitive Voice/Data vlan config (help please)

Hi Joel

The primary switch IP settings are correct. In the attachment I posted it must have been a copy/paste error as it looks fine when I checked just now!

Just set tagging as you described on the uplinks and removed IP addresses against the Vlans (except default_vlan) on the edge switches. Pinging from the edge switch (192.168.5.2 GW .5.1) I can't see any other network this way. All come back as destination host unreachable no matter what Vlan tagging I set on the uplink ports.

As soon as I reinsert the IP addresses for the vlans I can ping hosts on the .5 and .4 network (except the other switch vlan IP addresses which I can't seem to ping).

Thanks

Tino
Colonelk
Frequent Advisor

Re: Definitive Voice/Data vlan config (help please)

Joel

I've also noticed that if I set port 48 (which connects to the D-Link PoE switch) to

Vlan 1 - untagged
Vlan 10 - tagged
Vlan 20 - tagged

Then PCs attached to the IP phones cannot get a DHCP assigned address.

If I set port 48 to:

Vlan 1 - No
Vlan 10 - Tagged
Vlan 20 - Untagged

Then the PC gets an IP straight away.

This makes sense to me. A PC (with an older network card) doesn't understand tagging and can only be an untagged member of a vlan. Else it seems not to communicate.

Tino
Joel Belizario
Trusted Contributor
Solution

Re: Definitive Voice/Data vlan config (help please)

Hi Tino,

That is correct: you should not be able to ping from VLAN 1 to any host on another network, because when the management-vlan function is turned on, routing is disabled for this VLAN.

This is by design so if someone were to compromise one of your hosts then they should not have access to your management VLAN to try and compromise your network too.

When you add the IP addresses back into the edge switches you are creating virtual router interfaces that can communicate with hosts connected to the .4 and .5 VLANs on those switches.

With the D-Link switch, did you set up the port on it the same way? (i.e. mirroring port 48 setup) If you have then I don't see why this is happening unless there is something particular about the way the D-Link implements 802.1Q tagging.

You are correct, the PCs would not understand the 802.1Q tag, but the switch definitely should.

Hope this clears any confusion.

Cheers,
Joel
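
The port 48 settings reported earlier in the thread and the question of whether the D-Link uplink mirrors them can be checked mechanically. The following is an added example, not part of any post here and not ProCurve or D-Link code: it models 802.1Q tagged/untagged membership on both ends of one link and lists every VLAN that arrives in a different VLAN than it left. The D-Link uplink settings (VLAN 20 untagged, VLAN 10 tagged) are an assumption, since the thread never shows them; the port names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str
    untagged: Optional[int]            # VLAN for untagged frames; None means "No"
    tagged: frozenset = frozenset()    # VLANs carried with an 802.1Q tag

    def members(self):
        extra = set() if self.untagged is None else {self.untagged}
        return set(self.tagged) | extra

    def egress(self, vlan):
        """Return 'untagged', the tag number, or None if the port is not a member."""
        if vlan == self.untagged:
            return "untagged"
        return vlan if vlan in self.tagged else None

    def ingress(self, wire):
        """Return the VLAN an arriving frame is placed in, or None if dropped."""
        if wire == "untagged":
            return self.untagged       # untagged frames join the port's untagged VLAN
        return wire if wire in self.members() else None

def carry(src, dst, vlan):
    """VLAN in which dst receives a frame that src sent from `vlan`."""
    wire = src.egress(vlan)
    return None if wire is None else dst.ingress(wire)

def audit_link(a, b):
    """List (sending port, VLAN sent, VLAN received or None) for every mismatch."""
    return [(src.name, vlan, carry(src, dst, vlan))
            for src, dst in ((a, b), (b, a))
            for vlan in sorted(src.members())
            if carry(src, dst, vlan) != vlan]

# Constructed sample data. DLINK is an assumed uplink configuration.
DLINK = Port("dlink-uplink", untagged=20, tagged=frozenset({10}))
# First port 48 setting from the thread: VLAN 1 untagged, 10 and 20 tagged.
PORT48_FIRST = Port("procurve-48", untagged=1, tagged=frozenset({10, 20}))
# Second setting from the thread: VLAN 1 No, 10 tagged, 20 untagged.
PORT48_SECOND = Port("procurve-48", untagged=20, tagged=frozenset({10}))

if __name__ == "__main__":
    for label, port in (("first", PORT48_FIRST), ("second", PORT48_SECOND)):
        print(label, audit_link(DLINK, port) or "consistent")
```

Under that assumption the first setting puts the PCs' untagged data frames into VLAN 1, and VLAN 1 frames from the ProCurve into VLAN 20 on the D-Link, so the mismatch also crosses the management/data boundary; the second setting is consistent in both directions.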
Colonelk
Frequent Advisor

Re: Definitive Voice/Data vlan config (help please)

In that case I think I'm happy with the config I have.

In order to manage the switch via telnet or web then I need to configure a port to be untagged on the management-vlan and then assign a static IP in the default_vlan subnet??

Thanks Joel

Tino
Joel Belizario
Trusted Contributor

Re: Definitive Voice/Data vlan config (help please)

Hi Tino,

Couple of options here:

You could set up a workstation on VLAN 1 (dedicated or dual NIC?) so you could access the switches that way.

You can still communicate with the mothership switch via the .5 network VLAN address from any host and then telnet from there to the other switches.

Or you could turn the "management-vlan" function off and then communicate directly with any switch from any host. I don't recommend this though.

Cheers,
Joel
cenk sasmaztin
Honored Contributor

Re: Definitive Voice/Data vlan config (help please)

hi Tino
this configuration for successfully working
no need ip helper address because you use dhcp server 2nic

vlan 1 management vlan all switch default vlan you make same subnet ip address

vlan 10 voice vlan and attach on untag member ports dhcp server nic 1 ,voip server

vlan 20 data vlan and attach on untag member ports dhcp server nic2 ,and all client

all uplink ports you make vlan 1 untag vlan 10 and vlan 20 tag member ports

no need vlan 10 and vlan 20 ip address no need ip helper address.

you want pc under ipphone connection
this port vlan 20 untag vlan 10 tag port

you make only ip phone connection this port vlan 10 untag port.
you want provided that I send this sh run config print.

good luck
cenk

cenk sasmaztin
Honored Contributor

Re: Definitive Voice/Data vlan config (help please)

note :you create all ip phone vlan id settings vlan 10

good luck
cenk

Colonelk
Frequent Advisor

Re: Definitive Voice/Data vlan config (help please)

Thank-you both for your replies.

One question.

You have both commented that the VLAN interfaces on the "non-mothership" switches do NOT need IP addresses. Could you explain why please? It's probably related to layer 2 switching but if you could fill in the hole in my knowledge that would be great.

The other thing is that I have been testing connectivity between switches using the switches' console interface. I'm guessing that's not the best way of doing this!

Last thing :)

As it stands at the moment, the untagged clients of Vlan 20 (the PCs) that are on the same subnet as the switches cannot ping the default gateway address of 192.168.5.1. Routing IS working normally through the layer 3 functionality of the switch though. Why is this?


Thanks again. Informative and educational :)

Tino