Switches, Hubs, and Modems

VLAN and Network Segmentation

Matt Ballou
Occasional Advisor

VLAN and Network Segmentation

Hello,
Just getting started on setting up some VLANs on our K12 network. We have several new 2650s, 4 4000Ms, 1 4108gl and 1 5300xl (backbone); we also have PCM+ 2.1/IDM 2.1.
However, I first need to figure out the best way to segment our IP scheme from our flat Class B, 10.10.0.0/255.255.0.0, into smaller Class C segments, and how that would be handled via our single DHCP server and multiple VLANs. For example, we want to start by segmenting the students, administrators and network servers into separate VLANs. We also have 2 remote schools connected via VPN, and they are on 10.11.x.x/24 networks.

If I segment the network, I'm having a hard time conceptually figuring out how to place the network file servers/DHCP/domain servers etc. so that the users in separate VLANs still have access to what they commonly need, but are still separated.
7 REPLIES
Matt Hobbs
Honored Contributor

Re: VLAN and Network Segmentation

Do you want to be able to stop a Students machine from being able to communicate with Administrators? Or are you just wanting to segment the network to reduce broadcast traffic and improve performance?

One option is you create the VLANs throughout the network, and on your servers the NICs will need to support VLANs. That way you just give each virtual NIC its own IP address and users in each VLAN will be able to access those servers.

The other option is you still create your different VLANs, but you enable 'ip routing' on your 5300. With this design though if you need to prevent one group of users talking to one another, you need to use Access Control Lists which are more difficult to setup. This option though gives you more flexibility with remote routes such as to your other VPN sites or the internet.

With your IP addressing scheme, it depends on how many devices you want/need per subnet. If there are 1000 students and you wanted them all in the same VLAN then you'd go with a /22 subnet. Or maybe you want smaller ones per building or level.

With your DHCP server, you simply create new scopes for these address ranges. If using the 'ip routing' network design option, then on the 5300 you would specify an 'ip helper address' per VLAN that points to the DHCP server.

Re: VLAN and Network Segmentation

I find this thread very interesting.

We are wishing to do the same thing with our school network. We have already come up with the IP structure we wish to use, so maybe someone could possibly help us further in implementing it?

VLAN1 = 172.16.0.x/22
VLAN2 = 172.16.3.x/24
VLAN3 = 10.0.0.x/23
VLAN4 = 10.1.0.x/24

We have 2 HP5308xl's for the backbone then we have 14 HP 2524's scattered in various locations around the school.

In simple terms, how easy is it, and how do we get certain workstations on VLAN1 to talk to servers on VLAN2 and vice versa? We don't wish for any other traffic to be broadcast across the VLANs.

Each VLAN is going to have its own DHCP server as we already have them configured.

Also, a lot of the HP 2524 switches are going to contain more than one VLAN... how do we go about making them pick up the VLANs and start assigning ports to them?

Help on this would be great and really appreciated.

Many thanks. :-)
Mohieddin Kharnoub
Honored Contributor
Solution

Re: VLAN and Network Segmentation

Hi Chris

To make certain workstations on VLAN1 talk to servers on VLAN2 and vice versa, simply implement IP routing on the core (5308) like Matt suggested in his response, and use Access Control Lists (ACLs): allow only your servers on each VLAN to talk to each other, and block the others.

And each VLAN has the IP address you planned for; then use the IP helper address to guide each PC in a particular VLAN to get its IP from its DHCP server.

For the 2524, it supports up to 30 VLANs, so for security I would advise you to use the 802.1x protocol (which is supported by the 2524 and 5308); in this case each switch will dynamically assign ports by the credentials provided by the user attached to this port, BUT you need to implement a RADIUS server, which comes with the Microsoft ISA.

If you use 802.1x, you will have a robust installation and a very secure network, plus you can allow guests to access the internet and some granted resources without threatening your network.

Users can access from anywhere and still have the same privileges; also, if you decide to add a wireless solution for guests or mobile users, 802.1x is a very strong solution for this.

Read about 802.1x implementation:
ftp://ftp.hp.com/pub/networking/software/6400-5300-3400-Security-Oct2005-59906052.pdf


Don't forget to assign points :)
Good Luck!

Science for Everyone

Re: VLAN and Network Segmentation

Thanks for the very quick response to the question.

The method you suggested above using ACLs... would this allow certain machines on VLAN1 to communicate with 1 server on VLAN2?

That's the only communication needed between those 2 VLANs.

Do we use GVRP to make the 2524 switches learn the VLANs?

We basically just want the easiest way to do these VLANs to segment traffic and to secure our admin area from spying students.

Hope you can help more.

Once again, thanks very much for your help.
Mohieddin Kharnoub
Honored Contributor

Re: VLAN and Network Segmentation

Hi Chris

I think the proper design, and the easy one for your case, is:

- Create the VLANs.
- Enable routing between VLANs.
- Create an ACL to allow only traffic of your certain machines from each VLAN to be forwarded.
- Apply the ACL in your VLANs.

That's it, and don't use the GVRP protocol; it has serious security issues.

For dynamic VLANs, the best way is to use the 802.1x protocol; otherwise use the easy way, which is static port assignments for each VLAN.

I hope this will be helpful for you.

Good Luck !!!
Science for Everyone
Matt Ballou
Occasional Advisor

Re: VLAN and Network Segmentation

Hello,
I have a DHCP server that does not seem to be passing DHCP requests to the clients on my newly set up VLANs. The server address is 10.10.104.2/255.255.0.0 and it is on the default VLAN. The DHCP server has an Intel-based Gigabyte NIC. What steps am I missing here? Should I place the DHCP server (and others) in a separate VLAN?

I have attached my current 5300XL config.

HP ProCurve Switch 5304XL(config)# sh conf

Startup configuration:

; J4850A Configuration Editor; Created on release #E.10.23

hostname "HP ProCurve Switch 5304XL"
module 1 type J4820B
module 2 type J4820B
module 3 type J4878B
ip routing
snmp-server community "public" Unrestricted
snmp-server host 10.10.108.162 "public"
vlan 1
name "DEFAULT_VLAN"
untagged A2-A24,B1-B2,B5-B24,C1-C4
ip address dhcp-bootp
no untagged A1,B3-B4
exit
vlan 30
name "VLAN30"
untagged A1
ip address 10.11.35.1 255.255.255.0
ip helper-address 10.10.104.2
exit
vlan 25
name "VLAN25"
untagged B3-B4
ip address 10.11.25.1 255.255.255.0
ip helper-address 10.10.104.2

Mohieddin Kharnoub
Honored Contributor

Re: VLAN and Network Segmentation

Hi

The configuration seems correct to me, nothing missing: ip routing is enabled, and the ip helper-address is in place.

Now on the DHCP server you need 3 scopes, the first one being the one which is working (because VLAN1 takes an address from it).

The second scope is for VLAN30; the address pool should be in the range 10.11.35.x/24, and the router IP address you assign in the scope should be the VLAN30 IP address: 10.11.35.1

The third scope is for VLAN25; the address pool should be in the range 10.11.25.x/24, and the router IP address you assign in the scope should be the VLAN30 IP address: 10.11.25.1

Check these scopes; then if you plug your PC into A1 you should be in VLAN30 with address range 10.11.35.x, and if you plug your PC into B3 or B4, you should be in VLAN25 with address range 10.11.25.x.

Good Luck !!!
Science for Everyone
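As an added example (not code from this thread or from HP), here is a small Python check that reads the VLAN stanzas out of a 5300XL config dump like the one posted above and confirms, for each routed VLAN, that an ip helper-address points at the DHCP server and that the server has a scope for that VLAN's subnet whose router option is the VLAN interface address. The DHCP scope table is constructed for the example, and its VLAN25 scope deliberately hands out VLAN30's gateway so the check has something to flag.

```python
import ipaddress
import re
# Constructed excerpt of the VLAN stanzas from the 5300XL config posted above.
SWITCH_CONFIG = """\
vlan 1
ip address dhcp-bootp
exit
vlan 30
ip address 10.11.35.1 255.255.255.0
ip helper-address 10.10.104.2
exit
vlan 25
ip address 10.11.25.1 255.255.255.0
ip helper-address 10.10.104.2
exit
"""

# Constructed DHCP scopes: {network: router option}. The VLAN25 scope deliberately
# hands out VLAN30's gateway so the check below has something to flag.
DHCP_SCOPES = {"10.11.35.0/24": "10.11.35.1", "10.11.25.0/24": "10.11.35.1"}

def parse_vlans(config):
    """Map vlan id -> {'address': IPv4Interface or None, 'helpers': [str]}."""
    vlans, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            current = int(m.group(1))
            vlans[current] = {"address": None, "helpers": []}
        elif current is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            vlans[current]["address"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif current is not None and (m := re.fullmatch(r"ip helper-address (\S+)", line)):
            vlans[current]["helpers"].append(m.group(1))
    return vlans

def check_scopes(vlans, scopes, dhcp_server):
    """Return the reasons a routed VLAN would fail to get leases relayed from dhcp_server."""
    problems = []
    for vid, v in vlans.items():
        if v["address"] is None:
            continue  # no routed interface (e.g. dhcp-bootp on VLAN1): nothing to relay
        if dhcp_server not in v["helpers"]:
            problems.append(f"vlan {vid}: no ip helper-address for {dhcp_server}")
        net = v["address"].network
        router = scopes.get(str(net))
        if router is None:
            problems.append(f"vlan {vid}: no DHCP scope for {net}")
        elif ipaddress.IPv4Address(router) != v["address"].ip:
            problems.append(f"vlan {vid}: scope router {router} is not the VLAN interface {v['address'].ip}")
    return problems
```

Running `check_scopes(parse_vlans(SWITCH_CONFIG), DHCP_SCOPES, "10.10.104.2")` reports only the VLAN25 router mismatch; a VLAN whose helper address or scope is missing is reported the same way.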