HPE Community
Switches, Hubs, and Modems
1751972 Members
4588 Online
108783 Solutions
New Discussion юеВ

VLAN config problem on HP25xx switches

 
Walter Kiczko
Occasional Advisor

тАО11-01-2004 01:06 AM

тАО11-01-2004 01:06 AM

VLAN config problem on HP25xx switches

Hi Guys,

I was browsing some threads about multiple VLANs on the 25xx family and read something discouraging about the swtich not being able to handle level 3 traffic. I'm no network engineer, so I hope someone here can help me out.

At our school, we're running Novell with IPX enabled for all the PC's in the administrative offices and the student dorms. On the same switches and architecture we're running several large MAC OS X non-appletalk labs. we also have HP4050 printers, with ethertalk off.

A friend recently told us we're running a flat network which to the best of my understanding everything can arp, ping, and broadcast to each other on our 255.0.0.0 subnet. All machines are either DHCP or static IP in the 10.x.x.x range, including our II400 Nortel gateway, which goes out to our Cisco, and then to the T1.

The main problem we're seeing is very slow network speeds everywhere, especially on the MAC network which uses Workgroup Manager to send user prefs over the network whenever someone logs on in a lab across campus.

I tried to set up a couple Vlans on the test bench, but as someone mentioned in another thread the new vlan, could not get to the internet (in my case, our novell server), while the ports on DEFAULT_VLAN for the MAC OS X network worked fine. I made sure the uplink port (we used 24) was set for both VLANs one tagged one untagged, and the same settings on the other 25xx switch we had set up on the table to simulate a small version of our live network which uses 25's, 4000's and an 8000M.

If in fact we cannot set up VLANs to seperate the Novell IPX and the Mac OS X server chatter, what can we do as far as ABC control, or setting individual port broadcast limits?

right now most ports are set to 0, which as I read allows 100% of that ports bandwith to handle broadcasts. I tried to set that to 30%, but the performance didnt get better.

one thing I noticed which seemed to help is dropping some building to building links to 10baseHalf, but its a shame to do that since we have CAT-6 wiring, which should handle 100FullD, and I just hate to reduce my pipe to 10base. from the mac and novell server to the dorms and labs we have a 1000 fiber backbone from a 8000m to a 4000m.

I hope this is enough detail for you guys to help me make the most of these switches, and to help manage or reduce all that packet traffic on our network.

Thanks!
Walter
0 Kudos
4 REPLIES 4
Manuel Wolfshant
Trusted Contributor

тАО11-01-2004 12:03 PM

тАО11-01-2004 12:03 PM

Re: VLAN config problem on HP25xx switches

The first thing you must make sure is that you have a ROUTER which will forward packets among vlans. Once you have a separate VLAN created (let's call it VLAN1), the computers in VLAN1 will not be able to communicate with anyone but the computers in VLAN1 unless a) there is a router connected both to VLAN1 and to the outside world (i.e. to something else) AND b) this router forwards packets to/from VLAN1.
This has absolutely nothing to do with port tagging, which is a different concept.
With port tagging you can use one physical port (be it switch port or router port) to handle multiple VLANs at once. Tagging adds a label to the packets, label which van be then used to identify the VLAN to which each packet belongs. Do not connect a tagged port to an untagged port, this configuration in general will not work, since on one side of the connection you will have tagged packets, while on the other side you are expecting untagged packets.
So, what you should do is:
step 1:
- group computers in VLANs and assign an ID to each VLAN
- create the same VLANs on all interconnected switches (a switch will not pass unkown tags)
- set the cross connect ports to tagged
With this simple setup you should be able to pass packets from VLAN1 on switch A to VLAN1 on switch B and back.
step 2:
make sure that there exists a machine (a router) which can handle the traffic from all the computers. Connect it to one of the switches and make it default gateway for ALL computers.( Beware that if all computers are in the same class, they will always try to communicate directly, not through the gateway, so you will have to do some segmentation and/or add some special routes.)
Having a router should allow you to communicate among VLANs.
Once you have completed step 2, instruct the router to send all trafic not meant for the local computers to the main gateway.. and you are done.

All that remains to do is to give me some points for the answer :)

As a sidenote: linux can handle tagged frames, so a linux router can be connected to a tagged port of the switch. Actually I am using this very configuration for 4 years.
0 Kudos
seymour999
Frequent Advisor

тАО11-03-2004 01:50 AM

тАО11-03-2004 01:50 AM

Re: VLAN config problem on HP25xx switches

One final suggestion: do not use a 10 Mb/s Half duplex router port to route between VLANs. Unless you have a *very* small amount of inter-VLAN & external traffic.
0 Kudos
Ron Kinner
Honored Contributor

тАО11-03-2004 11:18 AM

тАО11-03-2004 11:18 AM

Re: VLAN config problem on HP25xx switches

A flat network is certainly the worst design for what you have. Normally you would break each dorm (or group of dorms) up into its own subnet and VLAN and connect it to a Layer 3 switch or a router and let the switch or router sort it out. That would break up your broadcast domain into something more reasonable.

How many hosts are we talking about?

If you buy a router you will probably need one that can handle all three protocols (IP, IPX, Appletalk). I think Cisco calls this Enterprise code and it's not cheap. It must have 100 Full Ethernet ports if it is to do trunking.

As far as VLANs go the switch is not going to magically separate the three protocols into separate VLANS. You would have to do it one port at a time (unless HP has some new tricks since I last browsed their manuals). Not too practical on a Campus environment unless you can have different jacks for each protocol. They do have a neat feature called isolated port groups which might help but I don't remember if your switches support it. It did need the latest firmware.

You might try leaving your trunks at 100 Full and setting the individual ports to 10 half.

I expect a lot of your traffic is caused by worms and spyware. Every student's computer I've ever looked at was crawling with the things. The fact that reducing the broadcast % didn't help much is a sign that it's not broadcast traffic that is causing the problem. An easy way to see what is going on is to simply put Zone Alarm on a computer (http://www.zonelabs.com - there is a free version you can download) and watch what hits the firewall (Alerts and Logs tab). Then you track the culprit back to his home switch by pinging the IP address in Zone Alarm's log and then arp -a to see the MAC that corresponds to the IP address. Run CWShredder and HijackThis on the offending computer and see what is causing the problem.

http://cwshredder.net/bin/CWSInstall.exe

http://209.133.47.12/~merijn/files/HijackThis.exe

Another method is to monitor your traffic at each switch using something like MRTG.

http://mrtg.hdl.com/mrtg.html

I think you also get a free program like TopTools with your switches which will also do something similar but I've never used it.

Snort at http://www.snort.org is another nice program that can be used to analyze your traffic but you will either need to stick in a hub somewhere or use the port monitor featue of the switch.

Your Cisco has a cute feature on it. Say your T1 is S0/0

Conf t
int s0/0
ip acco out
exit
wr me

let it run for a while and then

sh ip acco

will give you a list of source and destination IPs with the number of packets/bytes sent.

If you see one source that is sending out a few packets to a large number of addresses then that source IP is probably infected. sh arp will give you its MAC.

Ron



0 Kudos
Walter Kiczko
Occasional Advisor

тАО11-04-2004 12:33 AM

тАО11-04-2004 12:33 AM

Re: VLAN config problem on HP25xx switches

Thank you to everyone for the quick responses, I'll be trying all this stuff as the week trudges on. and don't worry, points will be given later this morning, but it's 8:30 and I haven't had my morning coffee yet.

Regards,

Walter
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.