
Definitive Voice/Data vlan config (help please)

Colonelk
Frequent Advisor


Hi again ;)

I'm so nearly there with my setup but keep getting conflicting advice!

I'm in a similar situation to Karl Collinson in that I need to create a separate voice and data VLAN arrangement with 3 HP ProCurve 2900s (2 x 24-port, 1 x 48-port, with the 48-port doing the routing). I also have the D-Link 3028P PoE switch for IP phones. I need routing between the two.

The 2 x 24 port 2900's will ONLY have PC/printer/servers attached to them.

The D-Link switch (and another one to come) will have IP phones on them and in some cases PCs attached to the IP phones.


Attached is a PDF file with a drawing giving my config and connections in my test setup.

I'm still not totally sure about gateway IPs.

The other thing that is irking me in this design is that I can't seem to ping each of the switches from the other switches. I can see stuff "attached" to the switches, just not the switches themselves, therefore it makes management via Telnet/Web difficult.

I think many people could really do with a definitive set-up/answer for segregated voice/data VLAN setups, so I'd like help to turn this thread into a good reference for the subject please.


Many thanks

Tino
16 REPLIES
Joel Belizario
Trusted Contributor

Re: Definitive Voice/Data vlan config (help please)

Hi Tino,

Had a quick look at your diagram and here are my thoughts:

- I would leave VLAN 1 untagged and all other VLAN traffic tagged on your uplinks between switches. I believe Cisco gear (and perhaps others too) requires the native / default VLAN to remain untagged.

- Each switch is only required to have an IP address in the default VLAN for management purposes. You can remove the addresses from your edge switches on VLAN 10 and 20 to clean up the configs a little. As long as the edge switch default gateways point to your primary switch you should be able to communicate with them.

- From a host point of view, their default gateway should be their VLAN (virtual router) IP address.

- On your primary switch you have a duplicate IP address in VLAN 1 and 20? (i.e. 192.168.5.1) I did not think the switch firmware allowed duplicate IP addresses.

- I've noticed some minor inconsistencies in the configs, such as the management VLAN being defined on the edge switches but not the primary switch.

- I do not recall if the "ip helper-address" command is required on the edge switch configs or not (I haven't touched a ProCurve in a while...)

Anyways hope these suggestions help and I'm sure others on the forum will contribute a lot more! :)

Cheers,
Joel
Colonelk
Frequent Advisor

Re: Definitive Voice/Data vlan config (help please)

Hi Joel

The primary switch IP settings are correct. In the attachment I posted it must have been a copy/paste error as it looks fine when I checked just now!

Just set tagging as you described on the uplinks and removed IP addresses against the Vlans (except default_vlan) on the edge switches. Pinging from the edge switch (192.168.5.2 GW .5.1) I can't see any other network this way. All come back as destination host unreachable no matter what Vlan tagging I set on the uplink ports.

As soon as I reinsert the IP addresses for the vlans I can ping hosts on the .5 and .4 network (except the other switch vlan IP addresses which I can't seem to ping).

Thanks

Tino
Colonelk
Frequent Advisor

Re: Definitive Voice/Data vlan config (help please)

Joel

I've also noticed that if I set port 48 (which connects to the DLINK PoE switch) to

Vlan 1 - untagged
Vlan 10 - tagged
Vlan 20 - tagged

Then PCs attached to the IP phones cannot get a DHCP assigned address.

If I set port 48 to:

Vlan 1 - No
Vlan 10 - Tagged
Vlan 20 - Untagged

Then the PC gets an IP straight away.

This makes sense to me. A PC (with an older network card) doesn't understand tagging and can only be an untagged member of a VLAN. Else it seems not to communicate.

Tino
Joel Belizario
Trusted Contributor
Solution

Re: Definitive Voice/Data vlan config (help please)

Hi Tino,

That is correct: you should not be able to ping from VLAN 1 to any host on another network, because when the management-vlan function is turned on routing is disabled for this VLAN.

This is by design, so if someone were to compromise one of your hosts then they should not have access to your management VLAN to try and compromise your network too.

When you add the IP addresses back into the edge switches you are creating virtual router interfaces that can communicate with hosts connected to the .4 and .5 VLANs on those switches.

With the D-Link switch, did you set up the port on it the same way? (i.e. mirroring the port 48 setup) If you have, then I don't see why this is happening unless there is something particular about the way the D-Link implements 802.1Q tagging.

You are correct, the PCs would not understand the 802.1Q tag, but the switch definitely should.

Hope this clears any confusion.

Cheers,
Joel
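
An added example (not from any poster in this thread) that models how a switch port classifies arriving frames, using the two port 48 settings described above. It assumes the PC's frames reach port 48 without a tag and that the phones tag their traffic with VLAN 10; the MAC address, payloads and priority value are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(payload, vlan_id=None, pcp=0):
    """Constructed Ethernet II frame; carries an 802.1Q tag only if vlan_id is set."""
    dst = bytes.fromhex("ffffffffffff")   # broadcast, as a DHCP discover would use
    src = bytes.fromhex("020000000001")   # constructed, locally administered MAC
    ethertype = struct.pack("!H", 0x0800)
    if vlan_id is None:
        return dst + src + ethertype + payload
    tci = (pcp << 13) | (vlan_id & 0x0FFF)  # priority bits + 12-bit VLAN ID
    return dst + src + struct.pack("!HH", TPID_8021Q, tci) + ethertype + payload

def frame_vlan(frame):
    """VLAN ID carried in the frame, or None when the frame is untagged."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF

def classify_ingress(port, frame):
    """VLAN the switch places an arriving frame in, or None if it is dropped.

    port maps VLAN ID -> "tagged" or "untagged" (a "No" membership is absent).
    """
    vid = frame_vlan(frame)
    if vid is None:  # untagged frames join the port's one untagged VLAN
        untagged = [v for v, mode in port.items() if mode == "untagged"]
        return untagged[0] if untagged else None
    return vid if vid in port else None  # tagged frames need port membership

# The two port 48 settings from the post above.
PORT48_FIRST = {1: "untagged", 10: "tagged", 20: "tagged"}
PORT48_SECOND = {10: "tagged", 20: "untagged"}

PC_FRAME = build_frame(b"dhcp-discover")                 # PC: no tag
PHONE_FRAME = build_frame(b"voice", vlan_id=10, pcp=5)   # phone: tags VLAN 10

if __name__ == "__main__":
    for name, port in (("first", PORT48_FIRST), ("second", PORT48_SECOND)):
        print(name, "PC ->", classify_ingress(port, PC_FRAME),
              "phone ->", classify_ingress(port, PHONE_FRAME))
```

With the first setting the PC's DHCP request is placed in VLAN 1 rather than the data VLAN; with the second it is placed in VLAN 20, while the phone's tagged traffic stays in VLAN 10 either way.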
Colonelk
Frequent Advisor

Re: Definitive Voice/Data vlan config (help please)

In that case I think I'm happy with the config I have.

In order to manage the switch via telnet or web then I need to configure a port to be untagged on the management-vlan and then assign a static IP in the default_vlan subnet??

Thanks Joel

Tino
Joel Belizario
Trusted Contributor

Re: Definitive Voice/Data vlan config (help please)

Hi Tino,

Couple of options here:

You could set up a workstation on VLAN 1 (dedicated or dual NIC?) so you could access the switches that way.

You can still communicate with the mothership switch via the .5 network VLAN address from any host and then telnet from there to the other switches.

Or you could turn the "management-vlan" function off and then communicate directly with any switch from any host. I don't recommend this though.

Cheers,
Joel
cenk sasmaztin
Honored Contributor

Re: Definitive Voice/Data vlan config (help please)

Hi Tino,
This configuration works successfully.
There is no need for an ip helper address because you use a DHCP server with 2 NICs.

VLAN 1 is the management VLAN: on all switches, give the default VLAN an IP address in the same subnet.

VLAN 10 is the voice VLAN: attach DHCP server NIC 1 and the VoIP server to untagged member ports.

VLAN 20 is the data VLAN: attach DHCP server NIC 2 and all clients to untagged member ports.

On all uplink ports, make VLAN 1 untagged and VLAN 10 and VLAN 20 tagged members.

There is no need for VLAN 10 and VLAN 20 IP addresses, and no need for an ip helper address.

If you want a PC connected under an IP phone, make that port VLAN 20 untagged and VLAN 10 tagged.

If you make only an IP phone connection, make that port a VLAN 10 untagged port.
If you want, I can send the sh run config printout.

good luck
cenk

cenk sasmaztin
Honored Contributor

Re: Definitive Voice/Data vlan config (help please)

Note: set the VLAN ID on all IP phones to VLAN 10.

good luck
cenk

Colonelk
Frequent Advisor

Re: Definitive Voice/Data vlan config (help please)

Thank-you both for your replies.

One question.

You have both commented that the VLAN interfaces on the "non-mothership" switches do NOT need IP addresses. Could you explain why please? It's probably related to layer 2 switching, but if you could fill in the hole in my knowledge that would be great.

The other thing is that I have been testing connectivity between switches using the switches' console interface. I'm guessing that's not the best way of doing this!

Last thing :)

As it stands at the moment, the untagged clients of VLAN 20 (the PCs) that are on the same subnet as the switches cannot ping the default gateway address of 192.168.5.1. Routing IS working normally through the layer 3 functionality of the switch though. Why is this?


Thanks again. Informative and educational :)

Tino
cenk sasmaztin
Honored Contributor

Re: Definitive Voice/Data vlan config (help please)

Hi Tino,
Many companies use a system with one DHCP server and several VLANs.

Method 1:
One DHCP server with one NIC and several IP scopes (one scope per VLAN).
Example:
DHCP server NIC address 10.0.0.10/24

Scope 1: VLAN ID: 10
Range 10.0.10.1/24---10.0.10.250/24
Default gateway 10.0.10.1 (same address as the switch VLAN 10 interface IP address)

Scope 2: VLAN ID: 20
Range 10.0.20.1/24---10.0.20.250/24
Default gateway: 10.0.20.1 (same address as the switch VLAN 20 interface IP address)
Create VLAN 1, VLAN 10 and VLAN 20 on all switches.
VLAN 1 is the management VLAN only, VLAN 10 is voice, VLAN 20 is data. All uplink ports are aware of all VLANs (vlan untag, 10 and 20 tag port).
Enable ip routing and use an ip helper address.
The ip helper address for all VLANs is 10.0.0.10 (DHCP server NIC).
Write the VLAN IP addresses only on the core switch or switches; the other edge switches do not need VLAN IP addresses for VLAN 10 and VLAN 20.
For the VLAN 1 management IP address, give all switches an address in the same subnet.

A client on VLAN 20 sends its DHCP request with a routed unicast packet, and this client takes an address from the DHCP server's VLAN 20 scope IP range.

A client on VLAN 10 sends its DHCP request with a routed unicast packet, and this client takes an address from the DHCP server's VLAN 10 scope IP range.

Many people and companies create networks with hundreds of VLANs using this configuration.


Because you stated three VLANs (one management VLAN, the others VoIP and data) and you use a two-NIC DHCP server,
I recommended the above config,
because it is a very easy config with only layer 2 operation: only VLAN 1 is assigned an IP address on all switches, for management; the other VLANs need no IP address because it is only layer 2 operation. All uplink ports are aware of the VLANs; a device is connected to an untagged port of the VLAN it is a member of.
Where two devices (IP phone and PC) connect to the same port, make that port a VLAN 10 (data) untagged member and a VLAN 20 (voice) tagged member, and set the IP phone VLAN ID to 20.
I hope you understand.

good luck...
cenk

Joel Belizario
Trusted Contributor

Re: Definitive Voice/Data vlan config (help please)

Hi Tino,

See my last reply in the thread "Cascading Multiple Procurve's ?" to Karl Collinson's query.

Cheers,
Joel
Colonelk
Frequent Advisor

Re: Definitive Voice/Data vlan config (help please)

One last question.

I've got an ISA server as a proxy and back firewall (behind a Cisco PIX box) currently on our network. On our current network its internal NIC address is the default gateway address for our network.

On the new network the HP "Mothership" switch is the default gateway for the data VLAN (192.168.5.1) and the ISA server will have the internal address of 192.168.5.20. With IP routing enabled on the switch I don't seem to be able to set a default gateway for it to go through the ISA server. What's the best way of ensuring that all traffic that needs to go out to the internet goes out via the ISA server?

Thanks

Tino
cenk sasmaztin
Honored Contributor

Re: Definitive Voice/Data vlan config (help please)

Hi Tino, attach an ip route command.

example:
switch(config)# ip route 0.0.0.0 0.0.0.0 192.178.1.1 (this IP is the PIX LAN interface)

And on the PIX you write an ip routing command for each VLAN:

pix: ip routing 10.10.10.0 (VLAN network address) 255.255.255.0 10.10.10.1 (VLAN IP address)

pix: ip routing 10.10.20.0 (VLAN network address) 255.255.255.0 10.10.20.1 (VLAN IP address)
cenk

cenk sasmaztin
Honored Contributor

Re: Definitive Voice/Data vlan config (help please)

Sorry, first the ISA and after that the PIX configuration.

The switch ip route command is OK:
0.0.0.0 0.0.0.0 (ISA server LAN IP address)


You write an ip route for each VLAN on the ISA:

route add 10.10.10.0 255.255.255.0 10.10.10.1

route add 10.10.20.0 255.255.255.0 10.10.20.1

good luck ...


cenk

Colonelk
Frequent Advisor

Re: Definitive Voice/Data vlan config (help please)

OK so my ISA internal NIC will be 192.168.5.20
Its NIC that attaches to the PIX will be 192.168.6.2

The PIX will be 192.168.6.1

So the command on the HP master switch will be:


switch ip route command ok .
0.0.0.0 0.0.0.0 192.168.5.20


And then on the ISA I create manual routes for our VLANs. So

route add 192.168.5.0 255.255.255.0 192.168.5.1 (HP masterswitch VLAN 20 Data IP)

route add 192.168.4.0 255.255.255.0 192.168.4.1 (HP Vlan 10 Voicevlan IP)



Is that right?

cenk sasmaztin
Honored Contributor

Re: Definitive Voice/Data vlan config (help please)

ok Tino:) you understand
cenk
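
An added example (not from any poster in this thread) that traces the default-route design discussed above with a longest-prefix-match lookup, and shows where an ISA-side static route for a VLAN changes the reply path. The /24 on the ISA-to-PIX link, the ISA default route to the PIX, the static route's next hop of 192.168.5.1 and the two host addresses are assumptions made for the illustration.

```python
import ipaddress

def mask_is_valid(mask):
    """True if mask is a contiguous netmask; a mistyped octet fails here."""
    try:
        ipaddress.ip_network(f"0.0.0.0/{mask}")
        return True
    except ValueError:
        return False

def table(*entries):
    """Build a routing table from (CIDR prefix, next hop) pairs."""
    return [(ipaddress.ip_network(prefix), hop) for prefix, hop in entries]

def next_hop(routes, dst):
    """Longest-prefix match: next hop for dst, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

# HP master switch: both VLAN interfaces are local, default route via the ISA.
SWITCH = table(("192.168.4.0/24", "connected"),
               ("192.168.5.0/24", "connected"),
               ("0.0.0.0/0", "192.168.5.20"))

# ISA: the /24 on the PIX side and the default route to the PIX are assumptions.
ISA_BASE = [("192.168.5.0/24", "connected"),
            ("192.168.6.0/24", "connected"),
            ("0.0.0.0/0", "192.168.6.1")]
ISA_NO_STATIC = table(*ISA_BASE)
ISA = table(*ISA_BASE, ("192.168.4.0/24", "192.168.5.1"))  # voice VLAN route

PHONE = "192.168.4.50"      # constructed host on the voice VLAN
INTERNET = "203.0.113.10"   # constructed address from a documentation range

def trace():
    """Next hop at each device for the outbound packet and its reply."""
    return {"switch_out": next_hop(SWITCH, INTERNET),
            "isa_out": next_hop(ISA, INTERNET),
            "isa_reply": next_hop(ISA, PHONE),
            "isa_reply_without_route": next_hop(ISA_NO_STATIC, PHONE)}
```

Without the static route the ISA's only match for a voice VLAN address is its default route, so the reply is handed to the PIX instead of back to the switch.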