Switches, Hubs, and Modems
Chris Boundey
Advisor

VLAN Help Tagging/Untagging

Hi all,

Been reading through a few of the docs and responses to some of the problems people are having with setting up VLANs and we've hit a few of our problems now.

I'm pretty new to VLANs so all the help in the world would be much appreciated.

2x HP 5308XL - Core Switches
10 x HP 2524

Firstly, our main problem is the tagging and untagging of our ports. We want to segment the current network (No VLANs) into 4 VLANs.

The ranges we have for our VLANs are as follows:

VLAN100 = 172.16.0.X/16
VLAN200 = 192.168.0.X/24
VLAN300 = 10.0.0.X/23
VLAN400 = 172.16.0.X/24

Below is the result from the 'show ip' command.

Server Cab - Switch 1(vlan-1)# show ip

Internet (IP) Service

IP Routing : Enabled


Default TTL : 64
Arp Age : 20

VLAN         | IP Config  IP Address       Subnet Mask      Proxy ARP
------------ + ---------- ---------------  ---------------  ---------
DEFAULT_VLAN | Manual     192.168.10.1     255.255.255.0    No
VLAN100      | Manual     172.16.0.22      255.255.0.0      No
VLAN200      | Manual     192.168.0.2      255.255.255.0    No
VLAN300      | Manual     10.0.0.2         255.255.254.0    No
VLAN400      | Manual     172.16.10.1      255.255.255.0    No

Now the problem starts when we start tagging and untagging ports.

Once we tag a port, none of the ports which have been untagged can access/ping any of the devices attached to the tagged ports.

For example...

VLAN100 - We 'tag' ports C1-C5, E1,E2,E4. These are our servers and proxy/gateways which need access from ALL the VLANs. (Is tagging these ports the correct method?)
We then 'untag' ports B1-B23, C1-C24, D1-D17 as these are all of our workstations attached to this switch.

I have enabled IP routing on the switches but still nothing can get through to the tagged devices.

Below is a list of ports which have servers and services connected to them. I have stated which VLAN needs access to each of them so hopefully this will aid the command for tagging/untagging.

C1-C5 need access from all VLANs.
E1-E4 need access from all VLANs.
F2 needs access from VLAN 3.

What must all the workstations and servers on VLAN100 have their default gateway set as? The IP of the switch or the Proxy/Gateway?

I would be massively grateful if someone could walk me through this with commands.

Once again, many thanks. If you need any more information please let me know.
Hopefully someone will be able to help me out.

Thanks. :-)
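As an added check, written for this edit and not part of the question or any reply: a short Python script that takes the interface addresses from the 'show ip' output above, plus the Internet router address quoted in a later reply (172.16.0.254/16), and reports which subnets overlap and which destinations a workstation will treat as on-link instead of sending to its gateway. It uses only the standard library; the interface names are the ones from the output, and the host addresses used for the on-link check are constructed.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Added example. Interface addresses copied from the "show ip" output in the
# question, plus the Internet router address given in a later reply.
INTERFACES: Dict[str, Tuple[str, str]] = {
    "DEFAULT_VLAN": ("192.168.10.1", "255.255.255.0"),
    "VLAN100": ("172.16.0.22", "255.255.0.0"),
    "VLAN200": ("192.168.0.2", "255.255.255.0"),
    "VLAN300": ("10.0.0.2", "255.255.254.0"),
    "VLAN400": ("172.16.10.1", "255.255.255.0"),
    "Internet router": ("172.16.0.254", "255.255.0.0"),
}


def subnet_of(ip: str, mask: str) -> ipaddress.IPv4Network:
    """The subnet an interface address/mask belongs to (host bits cleared)."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def overlapping_subnets(ifaces: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of interfaces whose subnets overlap but are not the same subnet.

    Two interfaces deliberately sharing one subnet (router and core on the
    same VLAN) are fine; a /24 nested inside another VLAN's /16 is not."""
    nets = {name: subnet_of(*addr) for name, addr in ifaces.items()}
    found = []
    for a, b in combinations(nets, 2):
        if nets[a] != nets[b] and nets[a].overlaps(nets[b]):
            found.append((a, b))
    return found


def treated_as_on_link(host_ip: str, host_mask: str, dst: str) -> bool:
    """Would a host with this address/mask ARP for dst directly rather than
    send it to its default gateway? With overlapping ranges the answer is
    'yes' for addresses that actually live in another VLAN, so the packet
    never reaches the routing switch."""
    return ipaddress.IPv4Address(dst) in subnet_of(host_ip, host_mask)


def gateway_interface(ifaces: Dict[str, Tuple[str, str]], router_ip: str) -> List[str]:
    """Which switch interfaces share a subnet with the router address."""
    r = ipaddress.IPv4Address(router_ip)
    return [name for name, addr in ifaces.items()
            if name != "Internet router" and r in subnet_of(*addr)]


if __name__ == "__main__":
    for a, b in overlapping_subnets(INTERFACES):
        print(f"overlap: {a} {subnet_of(*INTERFACES[a])} <-> {b} {subnet_of(*INTERFACES[b])}")
    # constructed VLAN100 workstation address and a constructed VLAN400 destination
    print("VLAN100 host treats 172.16.10.7 as on-link:",
          treated_as_on_link("172.16.0.50", "255.255.0.0", "172.16.10.7"))
    print("router 172.16.0.254 sits in:", gateway_interface(INTERFACES, "172.16.0.254"))
```

Run it as-is and the two overlaps it reports are VLAN100's /16 swallowing both VLAN400's /24 and the router's subnet; a VLAN100 workstation with a /16 mask will ARP for any 172.16.x.x address rather than send it to the switch, which is one reason traffic between those ranges does not get routed no matter how the ports are tagged.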
Mohieddin Kharnoub
Honored Contributor

Re: VLAN Help Tagging/Untagging

Hi

I can give you the configuration for the Core and the Edge Switches but I need some information:

1- Network Map with ports between switches and servers.
2- Do you want to enable Routing on the edge? Or just on the core?
3- What's the Internet Router IP address?
4- What's the security policy you want to have? Do you want users to access all vlans? Or just servers? Which vlan can access all other vlans?

If you can answer these questions and attach a simple network map, I can break out the configuration for you.

Good Luck !!!
Science for Everyone
Chris Boundey
Advisor

Re: VLAN Help Tagging/Untagging

Wow, thanks for the fast reply.

1- Network Map with ports between switches and servers.

I shall get this attached very shortly. Do you need to know which port is connected to what on every switch?

2- Do you want to enable Routing on the edge? Or just on the core?

Routing on the core switch preferably.

3- What's the Internet Router IP address?

The internet router's IP address is 172.16.0.254/255.255.0.0.
All Vlans need to access this router.

4- What's the security policy you want to have? Do you want users to access all vlans? Or just servers? Which vlan can access all other vlans?

We just want users/workstations to access the servers they have access to. We don't want them to jump VLANs to devices they are not meant to have access to. VLAN4 is the VLAN we want to give access to all VLANs.

Hope this helps.
Mohieddin Kharnoub
Honored Contributor

Re: VLAN Help Tagging/Untagging

Hi

1- Yes, I need to know what your design is, and for ports, I only need the switch-to-switch ports.

2- I'm sorry, I didn't pay attention that you have 2524s; this switch doesn't have ip routing, so routing should be on the core.

3- Ok, so all vlans should access the internet.

4- In this case I need to know in which vlan you want to keep the servers, and the IP addresses for them .....

Waiting for the Info ......

Good Luck !!!
Science for Everyone
Mohieddin Kharnoub
Honored Contributor
Solution

Re: VLAN Help Tagging/Untagging

Hi Again :)
I prepared the Configuration for you, and I tried to explain as much as I could to make the idea clear.

Before we start, I just want to remind you not to forget to assign points to the posts you got. :)

Try to be generous man :)

-----------------------------------------------

I have a better design for you.
Since you want to include Vlan100 in your access policy, change its IP address to something else, maybe 10.1.1.x/24, and then change the IP address of your Default_Vlan on switch1 to the same range as the Internet Router (example 172.16.0.250/16).

Then you have the default_vlan for the Routing Switch, the Main Router, and the Servers in the same subnet (same Vlan).

Now, the configuration part, based on the new IP addresses for Vlan1 and Vlan100. I will break it out for the Edge Switches and the Core Switches with explanation, then the Internet Router --- the Boss :)

----
Edge
----

1- Create all the 4 vlans:
(config)# vlan 100 ip address 10.1.1.2 255.255.255.0
(config)# vlan 200 ip address 192.168.0.2 255.255.255.0
(config)# vlan 300 ip address 10.0.0.2 255.255.254.0
(config)# vlan 400 ip address 172.16.0.2 255.255.255.0

2- Enable the Default Gateway, and it should be the Vlan1 IP address on the Routing Switch (switch1), because this edge switch needs an external router to do routing between its vlans:
(config)# ip default-gateway 172.16.0.250

3- Untag all the ports on this Edge Switch that will connect to workstations, every port with its corresponding vlan:
(config)# vlan 200 untag 5 ---- this will untag port 5 to be used for a PC in vlan 200.

4- Tag the UPLINK port that connects this switch to the core switch 5308 (switch1) with all vlans other than Vlan1 - the default_vlan. Example, if you connect this switch to the core using port 1:
(config)# vlan 100 tag 1
(config)# vlan 200 tag 1
(config)# vlan 300 tag 1
(config)# vlan 400 tag 1

5- Repeat these steps for all edge switches, after changing the Vlan IP addresses: like vlan100, where we used 10.1.1.2 here and on the core we will use 10.1.1.1, then use 10.1.1.3 and so on....

6- A PC under Vlan 100 will have IP: 10.1.1.5 255.255.255.0, and its Gateway is the Vlan 100 IP address on the Routing Switch or the Core (Switch1), gw: 10.1.1.1

7- A PC under Vlan 200 will have IP: 192.168.0.5 255.255.255.0, and its Gateway is the Vlan 200 IP address on the Routing Switch or the Core (Switch1), gw: 192.168.0.1

And so on ....
----------------------------------------------------------------------------------------------------

----
Core
----

1- Create all the 4 vlans:
(config)# vlan 100 ip address 10.1.1.1 255.255.255.0
(config)# vlan 200 ip address 192.168.0.1 255.255.255.0
(config)# vlan 300 ip address 10.0.0.1 255.255.254.0
(config)# vlan 400 ip address 172.16.0.1 255.255.255.0

2- Enable IP Routing between all Vlans.
(config)# ip routing

3- Enable the Route to the Internet:
(config)# ip route 0.0.0.0 0.0.0.0 172.16.0.254

4- Tag the ports coming from each Edge with all vlans. Let's say port C1 is connecting to Edge1, then:
(config)# vlan 100 tag C1
(config)# vlan 200 tag C1
(config)# vlan 300 tag C1
(config)# vlan 400 tag C1

5- Repeat this tagging for all uplink ports that connect each edge switch to the core.

6- Now at this stage, and if you do the Internet Router configuration section (below), then all the Vlans can route between each other, and they can access the internet and the Servers as well.

7- Security Access for Servers:
You mentioned before that ports C1-C5 and E1-E4 and F2 are connected to the Servers and Services, so simply don't do anything for these ports, just keep them untagged in the default vlan1 and BE SURE they have the same IP address range as Vlan1 and the Internet Router, 172.16.0.x/255.255.0.0. If you do this then all these servers will be accessed from all Vlans.

8- Security Access for Vlans:
Create an Access Control List to deny access to Vlan100, 200, 300 and 400 from the other Vlans, except the default vlan1 or Internet Traffic:

----VLAN100----

(config)# access-list 1 deny 192.168.0.0 0.0.0.255 --- deny Vlan200
(config)# access-list 1 deny 10.0.0.0 0.0.1.255 --- deny Vlan300
(config)# access-list 1 deny 172.16.0.0 0.0.0.255 --- deny Vlan400
(config)# access-list 1 permit any --- permit other traffic
(config)# vlan 100 ip access-group 1 out --- apply ACL 1 to Vlan100; a standard ACL matches the source address only, so it goes outbound on the Vlan being protected

----VLAN200----

(config)# access-list 2 deny 10.1.1.0 0.0.0.255 --- deny Vlan100
(config)# access-list 2 deny 10.0.0.0 0.0.1.255 --- deny Vlan300
(config)# access-list 2 deny 172.16.0.0 0.0.0.255 --- deny Vlan400
(config)# access-list 2 permit any --- permit other traffic
(config)# vlan 200 ip access-group 2 out --- apply ACL 2 to Vlan200

----VLAN300----

(config)# access-list 3 deny 10.1.1.0 0.0.0.255 --- deny Vlan100
(config)# access-list 3 deny 192.168.0.0 0.0.0.255 --- deny Vlan200
(config)# access-list 3 deny 172.16.0.0 0.0.0.255 --- deny Vlan400
(config)# access-list 3 permit any --- permit other traffic
(config)# vlan 300 ip access-group 3 out --- apply ACL 3 to Vlan300

----VLAN400----

(config)# access-list 4 deny 10.1.1.0 0.0.0.255 --- deny Vlan100
(config)# access-list 4 deny 192.168.0.0 0.0.0.255 --- deny Vlan200
(config)# access-list 4 deny 10.0.0.0 0.0.1.255 --- deny Vlan300
(config)# access-list 4 permit any --- permit other traffic
(config)# vlan 400 ip access-group 4 out --- apply ACL 4 to Vlan400

9- Now the Core Switch is ready and will deny any Vlan from accessing the others, except the Default_Vlan.

----------------------------------------------------------------------------------------------------

---------------
Internet Router
---------------

You have to give every Vlan its way back to the Core from this router, so you have to add 4 static routes, one for each vlan, on this router. The command is: ip route network mask gateway. Now the gateway for all vlans is the Default_Vlan (vlan1) IP address, which is on the router's own subnet:

(config)# ip route 10.1.1.0 255.255.255.0 172.16.0.250 --- Vlan100, next hop is the core's Vlan1 address
(config)# ip route 192.168.0.0 255.255.255.0 172.16.0.250 --- Vlan200
(config)# ip route 10.0.0.0 255.255.254.0 172.16.0.250 --- Vlan300
(config)# ip route 172.16.0.0 255.255.255.0 172.16.0.250 --- Vlan400

----------------------------------------------------------------------------------------------------

I hope that was enough information for you to run a proper Setup for your network.

Good Luck !!!
Science for Everyone
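An added check of my own, not from the thread or from HP: a small model of a standard (source-address-only) ACL applied "in" or "out" on a routed VLAN interface, the way the 5300xl filters routed traffic, run against the four user VLANs of the design above. The VLAN subnets and wildcard masks are the ones in the post; DEFAULT_VLAN is assumed to be 172.16.0.0/16 as proposed, and the sample host addresses are constructed. It lets you test a placement before typing it in: a deny list of the other VLANs' source addresses isolates a VLAN only when it is applied outbound on that VLAN, because applied inbound the VLAN's own hosts never match a deny entry and their packets are routed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example: ProCurve-style standard ACL (source address only), applied
# "in" or "out" on a routed VLAN interface. Masks are wildcard masks as in the
# thread: 0 bits must match, 1 bits are ignored.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class StandardAcl:
    number: int
    # (action, base, wildcard); wildcard is None for "any"
    entries: List[Tuple[str, str, Optional[str]]]

    def evaluate(self, src: str) -> str:
        for action, base, wildcard in self.entries:
            if base == "any" or wildcard_match(src, base, wildcard):
                return action
        return "deny"  # every ACL ends with an implicit deny


@dataclass
class RoutingSwitch:
    vlans: Dict[str, ipaddress.IPv4Network]
    inbound: Dict[str, StandardAcl] = field(default_factory=dict)
    outbound: Dict[str, StandardAcl] = field(default_factory=dict)

    def vlan_of(self, ip: str) -> str:
        addr = ipaddress.IPv4Address(ip)
        # longest prefix wins, so 172.16.0.9 lands in the /24, not the /16
        candidates = [(n.prefixlen, name) for name, n in self.vlans.items() if addr in n]
        if not candidates:
            raise ValueError(f"{ip} is in no configured VLAN")
        return max(candidates)[1]

    def forwards(self, src: str, dst: str) -> bool:
        """Would a packet src -> dst be routed, given the ACL placement?"""
        s, d = self.vlan_of(src), self.vlan_of(dst)
        if s == d:
            return True  # same VLAN: switched, the routed-traffic ACLs are not consulted
        acl = self.inbound.get(s)   # "in": packets arriving from VLAN s
        if acl and acl.evaluate(src) == "deny":
            return False
        acl = self.outbound.get(d)  # "out": packets leaving towards VLAN d
        if acl and acl.evaluate(src) == "deny":
            return False
        return True


# VLAN plan from the solution post (DEFAULT_VLAN assumed 172.16.0.0/16 with the router).
VLANS = {
    "DEFAULT": ipaddress.IPv4Network("172.16.0.0/16"),
    "VLAN100": ipaddress.IPv4Network("10.1.1.0/24"),
    "VLAN200": ipaddress.IPv4Network("192.168.0.0/24"),
    "VLAN300": ipaddress.IPv4Network("10.0.0.0/23"),
    "VLAN400": ipaddress.IPv4Network("172.16.0.0/24"),
}

# Source ranges and wildcard masks as used by ACLs 1-4 in the post.
SUBNET_WILDCARDS = {
    "VLAN100": ("10.1.1.0", "0.0.0.255"),
    "VLAN200": ("192.168.0.0", "0.0.0.255"),
    "VLAN300": ("10.0.0.0", "0.0.1.255"),
    "VLAN400": ("172.16.0.0", "0.0.0.255"),
}


def build_acls() -> Dict[str, StandardAcl]:
    """ACL n for VLAN n: deny the other three user VLANs, permit any."""
    acls = {}
    for n, vlan in enumerate(SUBNET_WILDCARDS, start=1):
        entries = [("deny", *SUBNET_WILDCARDS[o]) for o in SUBNET_WILDCARDS if o != vlan]
        entries.append(("permit", "any", None))
        acls[vlan] = StandardAcl(n, entries)
    return acls


def core_with_acls(direction: str) -> RoutingSwitch:
    """Apply each VLAN's ACL in the given direction ('in' or 'out')."""
    core = RoutingSwitch(VLANS)
    target = core.inbound if direction == "in" else core.outbound
    target.update(build_acls())
    return core


def isolation_report(core: RoutingSwitch) -> Dict[Tuple[str, str], bool]:
    """For each ordered pair of user VLANs: is the flow blocked? (constructed hosts)"""
    sample = {"VLAN100": "10.1.1.5", "VLAN200": "192.168.0.5",
              "VLAN300": "10.0.1.20", "VLAN400": "172.16.0.9"}
    return {(a, b): not core.forwards(sample[a], sample[b])
            for a in sample for b in sample if a != b}


if __name__ == "__main__":
    for direction in ("in", "out"):
        blocked = isolation_report(core_with_acls(direction))
        print(direction, "blocks", sum(blocked.values()), "of", len(blocked), "inter-VLAN flows")
```

With the ACLs applied "out" all twelve user-VLAN-to-user-VLAN flows are dropped while a server in the default VLAN (say 172.16.5.10, a constructed address) stays reachable both ways, because it matches none of the deny entries; with the same ACLs applied "in", none of the twelve flows is blocked.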
Mohieddin Kharnoub
Honored Contributor

Re: VLAN Help Tagging/Untagging

Sorry for this NEWSPAPER :)
I didn't expect it would be that long, so I attached the configuration for you in a text file.

Don't forget to assign points.

Good Luck !!!
Science for Everyone
Chris Boundey
Advisor

Re: VLAN Help Tagging/Untagging

wow excellent reply Mohieddin.

Thank you!!

Very nice guide... however we would really like to keep VLAN100 with the currently configured IP range/scope. This will help us considerably as our main network has just been set up and configured with 375 PCs.

Would there be any chance of getting your guide adapted a little to suit? I will ensure max points are added to your posts.

Once again, thank you very much for your time and help so far... verrrrry helpful!!
Chris Boundey
Advisor

Re: VLAN Help Tagging/Untagging

Mohieddin, I have just submitted points to your name now.

I am going to try out your configuration tomorrow morning and I shall let you know how it goes.

Thanks very very very much!!
Mohieddin Kharnoub
Honored Contributor

Re: VLAN Help Tagging/Untagging

Hi

In order to keep a Management Vlan containing the main Vlan1 IP addresses and all the Servers plus the Internet Router in ONE subnet, which will be easier to manage,

I changed the IP address of the Internet Router from 172.16.0.254/16 to 192.168.10.254 255.255.255.0.
If you can't do that, simply add a secondary IP address for the Internet Router: 192.168.10.254 255.255.255.0

Be sure to keep the Servers also in the same range of the 192.168.10.x 255.255.255.0 network.

Check the Attachment, it has the Final Configuration, and please check after me...

No One is Perfect :)

Good Luck !!!
Science for Everyone
Chris Boundey
Advisor

Re: VLAN Help Tagging/Untagging

Damn, this is getting confusing now. :-/ Just checked over those configs you sent...

Ideally we would like ALL servers and services in the 172.16.0.x/16 range. Would this change your config much? Could this remain as VLAN100? Also for VLAN100 to include the Internet Router too.

Is this request possible?

VLAN400 can remain the management VLAN if needs be.