Re: Router help with 2910al

Ken Richmond
Advisor

Re: Router help with 2910al

Thanks again for all of your help with this.

Shadow13, I've added Voice to vlan 5 as suggested.

Manfred,

2. Set uplink ports between switches in VLAN 4 to tagged? What does this do for me? When I plug the laptop into SW1, I can still browse to the web interface on SW0 with A1/B1 (the CX modules) as untagged. Could you explain or send a reference to help me understand?

3. I used discrete IPs on my current LAN and like that. I thought I'd try stacking to see what benefits there were, but I don't care much for it. I have the spare IPs in my current live LAN. I will assign them to the switches for my live environment.

4. This is a cascading config using the CX modules, not a star config. Would it make sense to add trunking in a star topology for redundancy in case one of the switches or CX modules failed? If so, do you have any recommendations in that regard?

5. If I build trunks as above I suspect RSTP would help (or even be necessary). I will enable regardless, as you state, it offers protection against accidental loops.

6. I will look to my phone vendor (ShoreTel) for recommendations on QoS settings. Agreed that call data provides very little bandwidth, but will take their advice into consideration.

7. Thanks for the default route. I'll add that to my main switch. My firewall is a sonicwall NSA with the lan side already connected to the current 192.168.0.x network. I don't think I need to make any changes to the NSA, would you concur?

Why didn't I buy a modular switch with more ports? These switches were recommended for our 'simple' environment. I'm already considering adding a more modular switch into the equation for next budget year and reconfiging the network from cascade to a star.

Now I've set up two laptops as follows

Laptop 1
IP Address: 192.168.0.100/24
G/W: 192.168.0.11

Laptop 2
IP Address: 192.168.3.200/24
G/W: 192.168.3.11

Both laptops are connected to the same physical switch (ports 23 and 26)

Laptop 1 can ping both vlan 4 and vlan 5
Laptop 2 cannot ping either VLAN
Laptop 1 cannot ping laptop 2
Laptop 2 cannot ping laptop 1

(both laptops ping each other successfully when configured on the same vlan)

I presume laptop2 can't ping (or respond to pings) because it's not tagging any traffic as vlan 5. Does that make sense? If so, is there some way I can tag this device as being on vlan5 for testing purposes?

Cheers!
Ken Richmond
Advisor

Re: Router help with 2910al

Woo Hoo!

Ok. After some more research I discovered that vlan tagging is a function of the NIC and driver. I found a current driver for the NIC in laptop 2. I upgraded the driver and presto! There were the vlan configuration options that I was looking for. I configured the device for vlan5 and I can see everything from everywhere!

Time to tidy up some details and get caught up on configing the remaining three switches, adding ip adds to all of them, removing the stack, investigating QoS for the voice side, and preparing for DHCP on both vlans. This is really starting to come together. I may actually be in a position to put this new network online this weekend after all!

I have a new found appreciation for those of you who can build this stuff in a single sitting.

Manfred M.
Advisor
Solution

Re: Router help with 2910al

Hi Ken!

I definitely agree with you that things really come together now!

'I presume laptop2 can't ping (or respond to pings) because it's not tagging any traffic as vlan 5. Does that make sense? If so, is there some way I can tag this device as being on vlan5 for testing purposes?'

You found out the most important things about 802.1Q VLAN tagging.

How can you memorize 'tagged' and 'untagged'?

It's simple now (I hope...)
To mark (tag) a frame at an uplink port, the switch adds the 802.1Q VLAN header (32 additional bits with the VLAN ID and the 802.1p Class of Service priority information).
A normal PC client does not understand this frame format! Only switches, firewalls and servers (especially important in virtualization environments) can 'remove' the VLAN header (tag) and work with those additional 32 bits.
The role of the switch in port-based VLANs is to add (tag) or remove (untag) the VLAN header.

Actually your IP phone has also a 2-port switch in it, which understands VLAN tagging.

Only with VLAN tagging is it possible to multiplex traffic belonging to different VLANs over a single wire (the Cisco guys call this 'trunk' - but that does not conform to the actual IEEE Std. 802.1D-2004 standard anymore).

So to be consistent you should also set the uplink ports of your Data VLAN to tagged (tidiness?)

ad 4:
If you have spare CX4 ports on the first and last switch and they are within 15m (CX4 maximum length) you can close the loop - if RSTP is active on all switches one of the uplinks will be blocked. So if one of your member switches, the CX4 module or the CX4 cable fails, the switches behind that switch still have a link to the main switch.
This can also be done with a single gigabit uplink or a LACP trunk with more ports (with poor performance in the case of a failed switch). Don't forget to set that trunk to tagged in the VLANs too! I encourage you to test this in your lab - especially the scenario of a failed switch! Look at the spanning tree state of the uplink ports to find out which one is blocked.

Good luck!
Manfred
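
The tagging and untagging described in the post above, as an added Python example that is not part of the original thread: it builds the 32-bit 802.1Q header and models, in simplified form, how a port that is untagged in VLAN 4 and tagged in VLAN 5 (as in the switch configurations posted in this thread) handles frames. The function names and the sample frame are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame
# Constructed sample: an untagged IPv4 frame as a VLAN-unaware NIC would send it.
LAPTOP2_FRAME = bytes.fromhex("ffffffffffff" "020000000002" "0800") + b"\x45" + bytes(19)

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q header after the destination and source MACs."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("vid must be 1..4094 and pcp 0..7")
    tci = (pcp << 13) | vid  # 3-bit 802.1p priority, 1-bit DEI (0), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes):
    """Return (vid, pcp, inner_ethertype); vid and pcp are None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner

def ingress_vlan(frame: bytes, untagged_vlan: int, tagged_vlans: set):
    """Simplified port model: VLAN a received frame lands in, or None if dropped."""
    vid, _, _ = parse_tag(frame)
    if vid is None:
        return untagged_vlan  # untagged frames join the port's untagged VLAN
    return vid if vid in tagged_vlans else None

def egress_frame(frame: bytes, vlan: int, untagged_vlan: int, tagged_vlans: set):
    """Frame as it leaves the port for traffic in `vlan`, or None if not a member."""
    if vlan == untagged_vlan:
        return frame  # sent without a VLAN header
    if vlan in tagged_vlans:
        return tag_frame(frame, vlan)
    return None
```

With the port untagged in VLAN 4 and tagged in VLAN 5, the untagged sample frame is classified into VLAN 4 regardless of its IP addressing; only a frame carrying VLAN ID 5 in its header reaches VLAN 5.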
Ken Richmond
Advisor

Re: Router help with 2910al

OK... I reset all of the switches to factory default (again) and started over. Here's what I did this time around.

Reset switches using two pointy things as per the manual.
#Menu
Run Setup
Assigned Host Name (SWx) and IP Address
Went to CLI
Configured Vlans as per configs below
Returned to Menu
Switch Config...
VLAN Menu
VLAN Support
Changed Primary VLAN to Data

Note I didn't config a stack, thinking that I can admin via each switch's IP address.

I can ping to/from vlan 4 and vlan 5 devices from any switch.
I can browse to the web interface on SW0 from either laptop using 192.168.0.11 or 192.168.3.11.

I cannot ping 192.168.0.12-192.168.0.15. Obviously I'm missing something fundamental here, but I've been pulling out my hair trying to figure it out.

Also, when I tried to assign an IP address to vlan4 or vlan 5 on the rest of the switches I got the following:

SW1# config
SW1(config)# vlan 4
SW1(vlan-4)# ip address 192.168.0.11/24
The IP address (or subnet) 192.168.0.11/24 already exists.

I presume that this is ok because my vlans are tagged at the CX ports, but not sure if it's correct?!?

I'm so close I can taste it :)


Here's my config run for all switches...

*******SW0*******

Running configuration:

; J9148A Configuration Editor; Created on release #W.14.38

hostname "SW0"
module 1 type J9148A
module 2 type J9165A
no stack auto-join
ip routing
vlan 1
   name "DEFAULT_VLAN"
   forbid 1-48,A1
   no untagged 1-48,A1
   no ip address
   exit
vlan 4
   name "Data"
   forbid 1-16
   untagged 17-48
   ip address 192.168.0.11 255.255.255.0
   tagged A1
   exit
vlan 5
   name "Voice"
   forbid 1-16
   ip address 192.168.3.11 255.255.255.0
   tagged 17-48,A1
   exit
vlan 2
   name "iNetWild"
   forbid 9-48
   untagged 1-8
   no ip address
   exit
vlan 3
   name "iNetSafe"
   forbid 1-8,17-48,A1
   untagged 9-16
   no ip address
   exit
ip route 0.0.0.0 0.0.0.0 192.168.0.22
snmp-server community "public" unrestricted
primary-vlan 4


*******SW1*******

Running configuration:

; J9148A Configuration Editor; Created on release #W.14.38

hostname "SW1"
module 1 type J9148A
module 2 type J9165A
module 3 type J9165A
vlan 1
   name "DEFAULT_VLAN"
   forbid 1-48,A1,B1
   ip address 192.168.0.12 255.255.255.0
   no untagged 1-48,A1,B1
   exit
vlan 4
   name "Data"
   untagged 1-48
   tagged A1,B1
   no ip address
   exit
vlan 5
   name "Voice"
   tagged 1-48,A1,B1
   voice
   no ip address
   exit
snmp-server community "public" unrestricted
primary-vlan 4


*******SW2*******

Running configuration:

; J9148A Configuration Editor; Created on release #W.14.38

hostname "SW2"
module 1 type J9148A
module 2 type J9165A
module 3 type J9165A
vlan 1
   name "DEFAULT_VLAN"
   forbid 1-48,A1,B1
   ip address 192.168.0.13 255.255.255.0
   no untagged 1-48,A1,B1
   exit
vlan 4
   name "Data"
   untagged 1-48
   tagged A1,B1
   no ip address
   exit
vlan 5
   name "Voice"
   tagged 1-48,A1,B1
   voice
   no ip address
   exit
snmp-server community "public" unrestricted
primary-vlan 4


*******SW3*******

Running configuration:

; J9148A Configuration Editor; Created on release #W.14.38

hostname "SW3"
module 1 type J9148A
module 2 type J9165A
module 3 type J9165A
vlan 1
   name "DEFAULT_VLAN"
   forbid 1-48,A1,B1
   ip address 192.168.0.14 255.255.255.0
   no untagged 1-48,A1,B1
   exit
vlan 4
   name "Data"
   untagged 1-48
   tagged A1,B1
   no ip address
   exit
vlan 5
   name "Voice"
   tagged 1-48,A1,B1
   no ip address
   exit
snmp-server community "public" unrestricted
primary-vlan 4


*******SW4*******

Running configuration:

; J9148A Configuration Editor; Created on release #W.14.38

hostname "SW4"
module 1 type J9148A
module 3 type J9165A
vlan 1
   name "DEFAULT_VLAN"
   forbid 1-48,B1
   ip address 192.168.0.15 255.255.255.0
   no untagged 1-48,B1
   exit
vlan 4
   name "Data"
   untagged 1-48
   tagged B1
   no ip address
   exit
vlan 5
   name "Voice"
   tagged 1-48,B1
   voice
   no ip address
   exit
snmp-server community "public" unrestricted
primary-vlan 4
Manfred M.
Advisor

Re: Router help with 2910al

Hi Ken!

Sorry for answering one day later - I was very busy yesterday.

Leave your hair on your head (I have already lost almost all of my hair - don't know why...)

That one is easy:

You must set the management addresses of switches 1 to 4 in VLAN 4 (not VLAN 1) - of course different addresses from switch 0!
Remember: VLAN 4 is your Primary VLAN!

Think of the switch management as if it were a PC in that VLAN! Maybe you want to add the address of the default gateway also: 'ip default-gateway 192.168.0.11'
(so that you can reach your switches from other VLANs if you wish)

Again - Good Luck!

Manfred
(from the rainy Austria - desperately waiting for the summer sun...)
Shadow13
Respected Contributor

Re: Router help with 2910al

From the config you have posted

From switch 1
vlan 1
   name "DEFAULT_VLAN"
   forbid 1-48,A1,B1
   ip address 192.168.0.12 255.255.255.0
   no untagged 1-48,A1,B1
   exit

And you were trying to configure an IP address from the same subnet configured in VLAN 1 in VLAN 4

SW1# config
SW1(config)# vlan 4
SW1(vlan-4)# ip address 192.168.0.11/24
The IP address (or subnet) 192.168.0.11/24 already exists.

The switch will not accept assigning IP addresses from the same subnet in 2 different VLANs, so if you don't need the IP address under VLAN 1 you need to remove it; then you will be able to assign an IP address from that range in VLAN 4

Regards.
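
An added example, not part of the original thread: a Python check over an excerpt of the SW1 configuration that reproduces the subnet-overlap rejection quoted above and flags an IP address sitting on a VLAN with no member ports. The parser covers only the configuration lines shown on this page, and the function names are illustrative.

```python
import ipaddress
import re

# Excerpt of the SW1 running configuration posted in this thread.
SW1_CONFIG = """\
vlan 1
forbid 1-48,A1,B1
ip address 192.168.0.12 255.255.255.0
no untagged 1-48,A1,B1
exit
vlan 4
untagged 1-48
tagged A1,B1
no ip address
exit
primary-vlan 4
"""

def parse(config):
    """Return ({vid: {"ips": [...], "has_ports": bool}}, primary_vid)."""
    vlans, cur, primary = {}, None, 1  # VLAN 1 is the primary VLAN by default
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur = vlans.setdefault(int(m[1]), {"ips": [], "has_ports": False})
        elif line == "exit":
            cur = None
        elif m := re.fullmatch(r"primary-vlan (\d+)", line):
            primary = int(m[1])
        elif cur is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            cur["ips"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}"))
        elif cur is not None and re.match(r"(un)?tagged \S", line):
            cur["has_ports"] = True  # "no untagged ..." does not match here
    return vlans, primary

def overlapping_vlans(vlans, vid, new_addr):
    """VLANs other than `vid` that already own a subnet overlapping new_addr."""
    net = ipaddress.ip_interface(new_addr).network
    return sorted(v for v, d in vlans.items() if v != vid
                  and any(ip.network.overlaps(net) for ip in d["ips"]))

def audit(config):
    """List findings that would leave the management address unreachable."""
    vlans, primary = parse(config)
    findings = []
    for vid, d in sorted(vlans.items()):
        if d["ips"] and not d["has_ports"]:
            findings.append(f"vlan {vid}: {d['ips'][0]} configured but VLAN has no member ports")
    if not vlans.get(primary, {"ips": []})["ips"]:
        findings.append(f"primary-vlan {primary} has no ip address")
    return findings
```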
Ken Richmond
Advisor

Re: Router help with 2910al

Manfred - Don't apologize! I'm truly grateful for your help, education and patience. I've learned a lot from you this week.

Shadow13 - Thanks for the insight. For some reason I thought the management address needed to be on the default_vlan. I couldn't connect the fact that I took the default_vlan out of the equation with why my addressing scheme wasn't working. Much better now.

Now I've added the IP Helper address to vlan5 so my requests should make it to my DHCP server. I've created a second scope on the DHCP server to assign addresses in the 192.168.3.x range. I'll try that after hours tonight and am looking forward to the result.

Another area that I'm confused with is time protocols. I'm currently using a windows server as a time source. The server goes out to a time source on the internet. Can I point my switches to this windows server or should/can I point them to an internet time server? On the surface, it would seem that manually assigning a time server's address using TIMEP would be the way to go, but I've been wrong before :)

Finally, I'm looking to document this new network. I'm starting with printouts of config run from each switch, and designing two network diagrams showing Physical and Logical layouts. Is there anything else I should be concerned with while preparing my documentation?

Cheers (from soggy Calgary - who never really had a summer at all this year - it's rainy and 11 degrees here right now).

Manfred M.
Advisor

Re: Router help with 2910al

Hi Ken!

Normally the SNTP Protocol (Unicast) should work with your Windows Server.

A hint for your documentation:
If you have Visio you can download all HP shapes for free at http://www.visiocafe.com/

Good luck for your migration this weekend!

Cheers,
Manfred

Ken Richmond
Advisor

Re: Router help with 2910al

My migration went well. Thanks again for all your help!!

I have two issues left outstanding. The switches are not syncing with my Windows 2003 server - Support advises that this is fixed in 14.49. I've yet to update the switches but will report back on my findings once I do.

The other issue is routing to the internet from my vlan. Routing from vlan4 is working fine (to both vlan5 as well as my internet connection - a sonicwall 4500 nsa). Routing from vlan5 works well to vlan4, but not to the internet. I believe this has everything to do with how the sonicwall device is configured.

As near as I can tell, I cannot have traffic from my tagged vlan (192.168.3.x) going out to the sonicwall via the default route (192.168.0.22) and expect the sonicwall to send return traffic back to the tagged vlan without configuration effort on my part, but I'm not sure where I should concentrate those efforts. While I appreciate that this is not a sonicwall support site, I'm struggling with their documentation and thought I'd come back here for some direction.

Again, thanks for any nudges in the right direction.

Cheers,
Ken
Ken Richmond
Advisor

Re: Router help with 2910al

Woo Hoo!! The time sync problem is resolved. Not exactly as simple as it should have been - at least not when you're as thick as I am.

For anyone following along at home, updating to 14.49 was one step. Next, I went into Switch config/system information and changed the timezone from -7 to -420, which would be in minutes (NOT hours), just like it says in the docs and on the 'hint' bar in the menu... All I had to do was pay attention!

Finally apply the daylight time rule, Continental US and Canada in my case.

Restart the switch and all was good.

Getting more clueless about how to tie my sonicwall into the scene tho.

Vlan4 -> Default g/w -> default route works

Vlan4 -> Default g/w works. Looks like it's breaking at default route on the procurve. I'm thinking I only have one option and that's to use the sonicwall to route between my vlans as well as the internet, but then I'd lose the 10Gbit backplane on the procurve switches and be down to 1GB routing on the sonicwall.

Can I add routes from vlan4 to the sonicwall and vlan5 to the sonicwall? I'm sure I have to do something on the sonicwall side, but the interface is confusing and the documentation is even more confusing!