Switches, Hubs, and Modems

New to VLANs...some guidance would be great...

Sean Rector
Occasional Advisor

I've attached a drawing of the part of the network I'm concerned with. I understand the functionality of VLANs, but I do not understand the implementation totally. I really appreciate the assistance. If there is any more information needed, please let me know.
18 REPLIES
cenk sasmaztin
Honored Contributor

Re: New to VLANs...some guidance would be great...


hi Sean
----------for 2810 switch config------------
2810-48(config)# vlan 1
2810-48(vlan-1)# ip address 172.16.0.1/24
2810-48(vlan-1)# untagged 1       (for the VLAN 1 router port)
2810-48(vlan-1)# vlan 2
2810-48(vlan-2)# untagged 2       (for the VLAN 2 router port)
2810-48(vlan-2)# tagged 48        (for the 2510 uplink port; this port is VLAN 1 untagged, VLAN 2 tagged)
2810-48(vlan-2)# exit
2810-48(config)#

----------for 2510 switch config------------

2510-24(config)# vlan 1
2510-24(vlan-1)# ip address 172.16.0.2/24
2510-24(vlan-1)# vlan 2
2510-24(vlan-2)# untagged 1-2     (left two PCs)
2510-24(vlan-2)# tagged 3-6,24    (right four PCs; these ports are VLAN 1 untagged, VLAN 2 tagged.
                                   If you run two PCs on such a port you use a VLAN-aware NIC, or you attach
                                   an IP phone to this port and assign VLAN ID 2 on the phone.
                                   Interface 24 is the 2810 uplink port)
2510-24(vlan-2)# exit
--------------------------------------------
All VLAN 1 member PCs are assigned an IP address on the same network as the VLAN 1 router's Ethernet interface,
and all PCs use the VLAN 1 router's Ethernet interface IP address as their default gateway.


All VLAN 2 member devices are assigned an IP address on the same network as the VLAN 2 router's Ethernet interface,
all devices use the VLAN 2 router's Ethernet interface IP address as their default gateway,
and all devices use a VLAN-aware NIC with the VLAN 2 info set on the NIC.


good luck...

cenk

Joel Belizario
Trusted Contributor

Re: New to VLANs...some guidance would be great...

Hi Sean,

From your diagram you have some hosts that are in VLANs 1 and 2 - can you elaborate on why you need this?

Cheers,
Joel
Sean Rector
Occasional Advisor

Re: New to VLANs...some guidance would be great...

Yes...VLAN 1 is our company's network. VLAN 2 connects to a vendor's network. The two machines that are on VLAN 2 should only connect to the vendor's network, and the other workstations need to connect to both.
Sean Rector
Occasional Advisor

Re: New to VLANs...some guidance would be great...

I've updated my drawing. Hopefully that will help. If you could, the full command set would be very helpful.

TIA
Mohieddin Kharnoub
Honored Contributor

Re: New to VLANs...some guidance would be great...

Hi

Explaining the last topology attached:

2510-24 Switch:
---------------
- Simply has 2 Vlans.
- PCs in Vlan1 are connected to Untagged ports to Vlan1.
- PCs in Vlan2 are connected to Untagged ports to Vlan2.
- uplink port to the 2810 is Tagged to Vlan2.

2810-48 Switch:
---------------
- Server connected to Untagged port to Vlan1.
- Left router -Cisco 1760 connected to Untagged port to Vlan1.
- Right router - Cisco 1760 connected to Untagged port to Vlan2.


And since you have not attached the configuration of the 2810-48 switch, I THINK:

- 2810-48 Routing between Vlans is enabled.
- Vlan1 has an IP which is the Default Gateways for all Devices in Vlan1.
- Vlan2 has an IP which is the Default Gateways for all Devices in Vlan2.
- Default Route (Internet) is entered statically pointing to the Left Router Cisco1760.
- One more Static Route entered to Serve Vlan2 and Vendors Server Traffic.


Cisco Routers:
- Some static routes must be entered to Serve All the Vlans (Route Back).
- Some security ACLs could be in place to serve some certain security policies.

Good Luck !!!
Science for Everyone
Sean Rector
Occasional Advisor

Re: New to VLANs...some guidance would be great...

Both switches have very basic configurations.

The workstations are on various ports of the 2510.

The 2510 connects to the 2810 via Fibre...Port 26 to Port 50.

The servers are on various ports on the 2810, as are the two routers, and several workstations.

2510 Config:
Running configuration:

; J9019A Configuration Editor; Created on release #Q.11.07

hostname "SW_Office"
snmp-server contact "IT Mgr. x3328"
snmp-server location "Office - Back Office"
web-management management-url ""
time timezone -5
time daylight-time-rule Continental-US-and-Canada
interface 25
name "To SW_SecBox"
exit
interface 26
name "To SW_Servers"
exit
ip default-gateway 10.0.0.33
sntp server 10.0.0.33
timesync sntp
sntp unicast
snmp-server community "Company" Unrestricted
snmp-server community "public" Operator
snmp-server host 10.0.0.80 "public"
vlan 1
name "DEFAULT_VLAN"
untagged 1-26
ip address 10.0.0.18 255.255.0.0
exit
ip authorized-managers 10.0.0.80 255.255.0.0
ip authorized-managers 10.0.0.36 255.255.0.0
ip authorized-managers 10.0.0.39 255.255.0.0
qos type-of-service ip-precedence
stack join 001c2ebd4640

2810 Config:
Running configuration:

; J9022A Configuration Editor; Created on release #N.11.09

hostname "SW_Servers"
snmp-server contact "Ext-3328"
snmp-server location "Accounting-Office"
web-management management-url ""
time timezone -300
time daylight-time-rule Continental-US-and-Canada
interface 1
flow-control
exit
ip default-gateway 10.0.0.33
sntp server 10.0.0.36
timesync sntp
sntp unicast
snmp-server community "Company" Unrestricted
snmp-server community "public"
snmp-server host 10.0.0.80 "public"
vlan 1
name "DEFAULT_VLAN"
untagged 1-48
ip address 10.0.0.11 255.255.0.0
exit
ip authorized-managers 10.0.0.80 255.255.0.0
ip authorized-managers 10.0.0.36 255.255.0.0
stack commander "Group"
stack member 1 mac-address 001c2e1d0b80
stack member 2 mac-address 001c2e47f2e0

I hope that helps.
Sean Rector
Occasional Advisor

Re: New to VLANs...some guidance would be great...

Could someone review my configurations and let me know what I need to do next?

Thanks!
cenk sasmaztin
Honored Contributor

Re: New to VLANs...some guidance would be great...

hi Sean
if you want to create the network architecture in your layout you must look carefully at my config above.

the last config you sent is not working
I don't see your config for vlan 2 ???
cenk

Sean Rector
Occasional Advisor

Re: New to VLANs...some guidance would be great...

I haven't created VLAN2 yet. THAT is what I am asking for guidance on. Specific to the architecture drawing I posted.
cenk sasmaztin
Honored Contributor

Re: New to VLANs...some guidance would be great...

you have switch 2810 and 2510, which cannot route; therefore all operation in the LAN must be L2, with separate vlan 1 and vlan 2 networks. The 2510 and 2810 uplink fibre port must be a vlan 1 untagged, vlan 2 tagged port, and you assign only a vlan 1 ip address for management. In vlan 1, clients connect only to vlan 1 untagged ports; in vlan 2, clients connect only to vlan 2 untagged ports.
if you want two vlans on the same port you make the port vlan 1 untagged and vlan 2 tagged, and you use a vlan-aware nic to assign the vlan id.

good luck.
cenk

Sean Rector
Occasional Advisor

Re: New to VLANs...some guidance would be great...

I'm sorry...I'm simply not understanding what you wrote.
cenk sasmaztin
Honored Contributor

Re: New to VLANs...some guidance would be great...

hi Sean, your switches 2510 and 2810 have no static routing or dynamic routing capability

you want to create two vlans on your system and assign two different routers: vlan 1 to the public internet, vlan 2 to the vendor server.

you must create 2 vlans and isolate the vlans


the fibre uplink port between the 2510 and 2810 carries two vlans: on this port vlan 1 is untagged and vlan 2 is tagged.
for vlan 1, all clients on vlan 1 untagged ports
for vlan 2, all clients on vlan 2 untagged ports

if you want to use two vlans on the same port you must create this config on the port, vlan 1 untagged and vlan 2 tagged, and connect a device with a vlan-aware ethernet card to this port.

vlan 1 users' ip addresses are in the same subnet as the public internet router's ethernet address, and their default gateway address is the public internet router's ethernet interface address

vlan 2 users' ip addresses are in the same subnet as the vendor server router's ethernet address, and their default gateway address is the vendor router's ethernet interface address


I hope you understand
cenk

Sean Rector
Occasional Advisor

Re: New to VLANs...some guidance would be great...

Hmmm...I'm still a bit confused - let me explain further.

Currently, the computers on the right-side of the drawing are working as I want them to - a specific application they use goes out the vendor router, and all other traffic goes either to our internal servers or out via the internet router. What the vendor wants us to do is configure the network so they can add two machines (on the same switch) that will ONLY have their traffic go out the vendor router. The other, previously connected machines must still operate as they do currently - traffic is able to traverse both routers.

I thought VLANs were the way to accomplish this. I also thought that if (on the 2810) I added both routers' ports to both VLANs as well as the Fibre port, that would allow the routing between the two VLANs to function properly.

Did I confuse the issue more?
Mohieddin Kharnoub
Honored Contributor

Re: New to VLANs...some guidance would be great...

Hi

I believe you don't need to configure anything on the switches.

Just add the 2 new Machines, and set the default gateway wherever they want (GW will be the right Cisco Router) and it will Simply work without any issues.

Note:
You can do that on the switches, but then you have to Reconfigure the Whole Network again, because on the switches you have a very simple configuration and all the Routing/Policies have been set on both Routers.

Good Luck !!!
Science for Everyone
cenk sasmaztin
Honored Contributor

Re: New to VLANs...some guidance would be great...

please look at the 5th reply
cenk

Sean Rector
Occasional Advisor

Re: New to VLANs...some guidance would be great...

I'd like another look by more people, please. Thanks!

The suggestion of setting the Gateway on the other machines isn't possible, unfortunately, as some of these machines will be wireless scanners.
Matt Hobbs
Honored Contributor

Re: New to VLANs...some guidance would be great...

Sean, since the 2510 and 2810 do not support routing, most of the configuration is going to be done on the WAN routers.

You state that it is currently working fine for the hosts that need to access both networks and everything is currently in the same VLAN. To me this means that the clients most likely have their default gateway set to the Internet router, and the Internet router has a static route configured to the Vendor router for when traffic needs to be sent to the Vendor network.

The problem is you now need to configure two workstations that can only access the Vendor network. This can be achieved a few ways.

As Mohieddin suggested you could simply add these 2 new clients to the existing flat network and point their default gateway to the Vendor router. It's a very simple solution but from a physical network access point of view it's not exactly secure as the workstations could easily be configured to get Internet access by simply changing their default gateway.

To lock things down more securely, you can definitely use VLANs although not quite in the manner that your proposed network diagram suggests.

For your existing workstations that already have access to the Internet and to the Vendor network they could be left as is in VLAN1. For the new VLAN, you would configure some untagged ports for those workstations on the 2510, you would then tag this link back to the 2810 and tag it again back to the 1760. The 1760 would need to be configured with a dot1q trunk and be configured with an additional subnet for clients in this new VLAN. The workstations would have their default gateway set to this new IP address on the VLAN2 1760 router.

To prevent routing between the two VLANs on this router, an ACL would be configured.

This is just one solution I can think of, there are probably multiple other solutions. I'm not saying this is the best choice but given your current hardware it makes sense to me.

Most of the work that needs to be done is on the Ciscos. Setting the VLANs on the ProCurves is the easy part. If in doubt I would get someone with some Cisco experience to listen to your problem and help you find a suitable solution.
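The untagged/tagged port rules that cenk's 5th reply and Matt's answer rely on, modelled in Python as an added example (this is not code from the thread, HP or Cisco). The two switch configs, hostnames, port numbers and the uplink below are constructed to match the diagram as described: vendor-only PCs on 2510 ports 3-4, fibre uplink 2510 port 26 to 2810 port 50, the Internet router on 2810 port 1 (VLAN 1 only) and the vendor router on 2810 port 2 as a dot1q trunk (VLAN 1 untagged, VLAN 2 tagged); they are assumptions, as is the ProCurve rule that a port is untagged in only one VLAN. The model floods a broadcast (such as the ARP request a host sends for its default gateway) from a given port and reports which edge ports receive it, which is what decides whether a host can reach a router at all, whatever gateway it configures.

```python
from dataclasses import dataclass, field


def expand_ports(spec):
    """Expand a ProCurve port list such as "1-2,5,24" into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


@dataclass
class Switch:
    """Port-based VLAN table: per VLAN, the untagged (access) and tagged ports."""
    name: str
    untagged: dict = field(default_factory=dict)  # vid -> set of ports
    tagged: dict = field(default_factory=dict)    # vid -> set of ports

    @classmethod
    def from_config(cls, name, text):
        """Read only the vlan / untagged / tagged lines of a running-config."""
        sw, vid = cls(name), None
        for line in text.splitlines():
            words = line.split()
            if not words:
                continue
            if words[0] == "vlan":
                vid = int(words[1])
            elif words[0] == "untagged":
                ports = expand_ports(words[1])
                # A port is untagged in exactly one VLAN (assumed ProCurve
                # semantics): making it untagged in VLAN 2 removes it from VLAN 1.
                for members in sw.untagged.values():
                    members -= ports
                sw.untagged.setdefault(vid, set()).update(ports)
            elif words[0] == "tagged":
                sw.tagged.setdefault(vid, set()).update(expand_ports(words[1]))
        return sw

    def ingress_vlan(self, port, tag):
        """VLAN a frame is classified into on arrival; None means dropped."""
        if tag is None:  # untagged frame -> the port's untagged VLAN (PVID)
            return next((v for v, ps in self.untagged.items() if port in ps), None)
        return tag if port in self.tagged.get(tag, set()) else None

    def egress(self, vid, in_port):
        """Flooding decision for a broadcast in vid: {port: outgoing tag}."""
        out = {p: None for p in self.untagged.get(vid, set()) if p != in_port}
        out.update({p: vid for p in self.tagged.get(vid, set()) if p != in_port})
        return out


class Network:
    def __init__(self, switches, links):
        self.switches = {s.name: s for s in switches}
        self.links = {}
        for a, b in links:  # inter-switch links, stored in both directions
            self.links[a], self.links[b] = b, a

    def broadcast(self, src, tag=None):
        """Edge ports reached by a broadcast (e.g. an ARP request for a gateway)
        injected at src=(switch, port): {(switch, port): tag on delivery}."""
        delivered, queue, seen = {}, [(src, tag)], set()
        while queue:
            (sw_name, port), t = queue.pop()
            sw = self.switches[sw_name]
            vid = sw.ingress_vlan(port, t)
            if vid is None or (sw_name, port, vid) in seen:
                continue
            seen.add((sw_name, port, vid))
            for out_port, out_tag in sw.egress(vid, port).items():
                peer = self.links.get((sw_name, out_port))
                if peer:
                    queue.append((peer, out_tag))
                else:
                    delivered[(sw_name, out_port)] = out_tag
        return delivered


# Constructed configs, in the format of the running-configs posted in the thread.
OFFICE_2510 = """vlan 1
   untagged 1-26
vlan 2
   untagged 3-4
   tagged 26
"""
SERVERS_2810 = """vlan 1
   untagged 1-50
vlan 2
   tagged 2,50
"""
NET = Network(
    [Switch.from_config("SW_Office", OFFICE_2510),
     Switch.from_config("SW_Servers", SERVERS_2810)],
    [(("SW_Office", 26), ("SW_Servers", 50))],
)
INTERNET_ROUTER, VENDOR_ROUTER = ("SW_Servers", 1), ("SW_Servers", 2)


def can_reach(src, dst):
    """True if a host on edge port src can exchange L2 frames with the device on dst."""
    return dst in NET.broadcast(src)
```

With these configs, can_reach(("SW_Office", 3), VENDOR_ROUTER) is True and can_reach(("SW_Office", 3), INTERNET_ROUTER) is False: a vendor-only PC cannot even ARP for the Internet router, so changing its default gateway gains it nothing, which is the difference from the flat-network option. An existing workstation on port 10 still reaches both routers untagged, and the vendor router receives VLAN 2 frames tagged on its trunk while both VLANs terminate on the same 1760, so the ACL on that router remains the control against routing between the two subnets.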
Sean Rector
Occasional Advisor

Re: New to VLANs...some guidance would be great...

Unfortunately, the separation via VLAN is due to PCI compliance (I did not know that previously) requirements of the vendor.