HPE Community
Switches, Hubs, and Modems
1752774 Members
4598 Online
108789 Solutions
New Discussion юеВ

VLAN and Routing Questions - i just don't get it

 
SOLVED
Go to solution
Stephan G
Regular Advisor

тАО08-17-2009 04:59 AM

тАО08-17-2009 04:59 AM

VLAN and Routing Questions - i just don't get it

Hello everyone,

after reading the important pieces from the three big manuals .. i'm stuck.

What i achieved till today:
Setup RADIUS with Microsoft IAS
Setup a VLAN where unauthenticated clients will be assigned to

What i have not achieved ;)
Routing between the VLAN
DHCP server configuration for the VLAN (it's a microsoft dhcp server)

The config and some stats are in the text file. WOuld be great if someone has an advice for me.

Greets
Stephan
0 Kudos
9 REPLIES 9
Stephan G
Regular Advisor

тАО08-17-2009 06:03 AM

тАО08-17-2009 06:03 AM

Re: VLAN and Routing Questions - i just don't get it

I forgot to mention what it should looks like in the end.

I want a defaultvlan (for the employees). And a guest_vlan for the other.

The guest_vlan should only access the internal dns, dc, dhcp server and the internet (for dc/dns for new notebook that need to be registred with AD).

greets
stephan
0 Kudos
Stephan G
Regular Advisor

тАО09-30-2009 01:30 AM

тАО09-30-2009 01:30 AM

Re: VLAN and Routing Questions - i just don't get it

Ok I have it all done. Now my firewall routes and restricts the traffic.

But there's another thing i don't get. I've read somewhere that you don't need an ip on the VLAN if you don't use the ip routing.

But when i don't set an ip up my client doesn't get an ip address from the dhcp server defined with the ip helper address (other VLAN).
When i set up an ip everything works fine.

Can someone explain please ?

Thanks
Stephan
0 Kudos
Mohammed Faiz
Honored Contributor

тАО09-30-2009 01:42 AM

тАО09-30-2009 01:42 AM

Re: VLAN and Routing Questions - i just don't get it

Hi,

The answer is sort of in your question. The switch needs an IP on that VLAN in order to forward the DHCP packets on to the helper address.
Your DHCP server also knows what range to offer an address on based on that source IP.
I'm also assuming that the default gateway for your clients on VLAN 99 is that '192.168.99.254' address.

hth,

Mo
0 Kudos
Stephan G
Regular Advisor

тАО10-02-2009 05:19 AM

тАО10-02-2009 05:19 AM

Re: VLAN and Routing Questions - i just don't get it

Thanks for your answer.

I think i can add every vlan on every switch an ip address. I already implemented it now on every switch.

My gateway is now my firewall. Which is connected directly with an extra interface to the vlan. IP Address 192.168.99.1.

But now i came across a different problem. And i don't understand why it is like this.

I have sort of a core switch. HP Procurve 6400cl-6XG. Which has all ports untagged VLAN1 and all ports tagged VLAN99 (which is my unauth VLAN).

There are 5 connections to the switch.

On 1 port there is one 2900-48G with the connection to the coreswitch untagged vlan1 tagged vlan 99. I can ping the vlan ip from the core switch and back.

On another port there is another 2900-48G with the connection to the coreswitch untagged vlan1 tagged vlan 99. I can't ping the vlan ip from the core switch and back. Same config !! (except the ip addresses). Problem is: On this switch there are almost all the other switches which service the client network.

ip routing is disabled. But the firewall is handling this.

Is there a problem with spanning-tree or something like this ?

Any help appreciated.
0 Kudos
Tijl van der Steeg
Valued Contributor

тАО10-02-2009 05:25 AM

тАО10-02-2009 05:25 AM

Re: VLAN and Routing Questions - i just don't get it

There might indeed be a loop. You can do a "show span" to check if that port is blocked. You still should be able to reach it the other way though
0 Kudos
Mohammed Faiz
Honored Contributor

тАО10-02-2009 05:30 AM

тАО10-02-2009 05:30 AM

Re: VLAN and Routing Questions - i just don't get it

I'm little unclear on which IPs you're referring to. Are you pinging from a VLAN 1 ip on the core switch to a VLAN 1 ip on each of the 2900's? (A look at the configs might help clarify things)
0 Kudos
Stephan G
Regular Advisor

тАО10-02-2009 06:15 AM

тАО10-02-2009 06:15 AM

Re: VLAN and Routing Questions - i just don't get it

There is indeed a port blocked on the core switch.

show span on core:

Port Type Cost Priority State | Designated Bridge
----- --------- --------- -------- ---------- + -----------------
1 10GbE-CX4 2000 128 Disabled |
2 10GbE-CX4 2000 128 Forwarding | 001c2e-187240
3 10GbE-CX4 2000 128 Forwarding | 001c2e-187240
4 10GbE-CX4 2000 128 Blocking | 001ffe-1ffdc0
5 10GbE-CX4 2000 128 Forwarding | 001c2e-91ffc0
6 10GbE-CX4 2000 128 Forwarding | 001c2e-187240

show span on switch 2:
45 1000LX | 20000 128 Forwarding | 001f28-051840 2 Yes No
46 100/1000T | Auto 128 Disabled |
47 1000LX | 20000 128 Forwarding | 001ffe-1ffdc0 2 Yes No
48 1000LX | 20000 128 Forwarding | 001ffe-1ffdc0 2 Yes No
A1 | Auto 128 Disabled |
A2 10GbE-CX4 | 2000 128 Forwarding | 001ffe-1ffdc0 2 Yes No
A3 10GbE-CX4 | Auto 128 Disabled |
A4 | Auto 128 Disabled |


This might seems to be the problem. It's a bit strange because the other connections to this switch are not 10gbit links.

I will disconnect the other redundant links from switch 2 on monday and tell you if that solves it.

Is there a way to configure spanning tree (especially on the core switch) that these ports should never be blocked ?

Thanks for the help.
0 Kudos
Tijl van der Steeg
Valued Contributor

тАО10-02-2009 06:21 AM

тАО10-02-2009 06:21 AM

Solution

Re: VLAN and Routing Questions - i just don't get it

You can configure BPDU-filtering.
For example: spanning-tree A5 bpdu-filter

But I'm against this
- The next administrator will not know you configured this
- If you connect an additional switch, you might run into similar problems.

Better to solve the loop by getting the root bridge priorities straight. Think it's best to make a Visio layout of your environment and decide from there on what's best.
Stephan G
Regular Advisor

тАО10-04-2009 09:35 PM

тАО10-04-2009 09:35 PM

Re: VLAN and Routing Questions - i just don't get it

Thanks a lot for the help with spanning tree. This was the problem.

I just disconnected the redundant connections and i'm good to go :)

As long as there is so much attention on this thread. Is there a possibility to put clients that start with a particular mac address vendor (in my case: 001AE8 (Siemens IP telephones)) automatically into a VLAN ? Or do i need to define a protocol VLAN?

Greets from Stuttgart
Stephan
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.