Switches, Hubs, and Modems

Vlan Problem

SOLVED
Nereus_1
Occasional Advisor

Vlan Problem

Hello,
I'm a rookie in VLANs and this is probably simple.

I have two HP ProCurve 2626 switches, one in each building, connected by optical fiber using port 26 (Gb), and I want to create VLANs on both 2626s.

I would like to have port trunking (on port 26 in each HP 2626) for all these VLANs over this fibre link.

The issue is that I want to improve security in the network.
In building A I have the server room. Port 25 (Gb) is connected to an unmanaged HP ProCurve 2708 switch where all 6 of the company's servers are connected, and port 24 is connected to another unmanaged HP ProCurve 2708; the router for internet access is connected to that switch.

In building A I want to create these VLANs:
SERVERS
PRINTERS
ADMIN
COMMERCIAL
WIFI
GUEST

In building B there is a test server (Svr. N) on port 24, and port 25 (Gb) is connected to an HP ProCurve 1800-24; port 23 of the first HP ProCurve 1800-24 is connected to a second HP ProCurve 1800-24.

In building B I want to create these VLANs:
SERVERS
PRINTERS
CUSTOMER SERVICES
ADMIN
PROFESSIONAL SERVICES
WIFI
GUEST

The VLANs SERVERS, PRINTERS, ADMIN, WIFI and GUEST are the same in the two buildings, and any user in any VLAN (except the GUEST VLAN, which gets internet only) should be able to see any server and printer and be able to connect to the internet. The CUSTOMER SERVICES VLAN should see and communicate with any VLAN. The default gateway is the firewall address (192.168.1.1), and we have a DHCP server. Some computers and all 6 servers have static IP addresses, and the rest of the computers use DHCP.

Can someone give me an example of how to do this?

See my network diagram in the attachment:
Ben Dehner
Trusted Contributor

Re: Vlan Problem

Unfortunately, what you're asking isn't really simple.

First, you talk about setting up VLANs on the 2626. This part is easy. Two things: 1) make sure the link ports on both switches are a member of all VLANs, and 2) make sure that these ports are set to tagging.

Now is where I get confused. You say "I would like to have port trunking (On port 26 in each HP 2626) for all these Vlans over this fibre link.". Port trunking is combining multiple ports into a single logical interface, using some protocol like LACP. If there is only one link between switches, then you don't have trunking.

Next, you want to set up multiple VLANs. But for the most part, all devices in one VLAN (say, SERVERS) can communicate with all devices in a second VLAN (say, PRINTERS), so there is really nothing gained by separating them into VLANs. Since you are apparently on a flat IP network (192.168.1.0/24), you won't be limiting broadcasts. I just don't see what the point is of most of these VLANs.

Now you want to limit the access from the GUEST VLAN. This is where it gets really ugly, for two reasons. First, how are devices assigned into VLANs in the first place? If you have all of your ports nailed down, you can use port-based VLANs; otherwise you need to get creative and use either 802.1X or MAC-based VLANs. MAC-based VLANs are painful to maintain; I don't know enough about 802.1X to comment meaningfully. However, the 1800 switches do not support 802.1X auth anyway.

The second problem -- here it gets fun -- is with the unmanaged 2708 switch. It does not support VLANs at all, so any device connected to this switch will always see any other device connected to this switch. And unless all devices on this switch are in the same VLAN, the 2626 that it is connected to must have some way of assigning the inbound packets to one of the VLANs, either MAC-based or 802.1X.

Trust me, I know what I'm doing
Nereus_1
Occasional Advisor

Re: Vlan Problem

Thanks, Ben Dehner, for your reply.
The PRINTERS, the SERVERS and the WIFI can be in the same VLAN.
In building A I have an unmanaged 2708 switch where all the main servers are connected (backbone); everyone in the company must have access to these servers, and that switch is connected to the 2626 on port 25.

In the other building, B, I have the other 2626 connected by optical fiber on port 26, a test server (Svr. N) on port 24, and port 25 (Gb) connected to an HP ProCurve 1800-24; port 23 of the first HP ProCurve 1800-24 is connected to a second HP ProCurve 1800-24.

My main problem is that the LAN in my company is too heavy: I have about 100 machines working in one LAN, and I need to separate the departments' traffic.

Since I have only one flat IP network (192.168.1.0/24), and on the test server I have 192.168.1.16 and 192.168.3.1 (test LAN of Customer Services; this server routes between the two networks), I want to make my LAN faster and less loaded. I don't know: if I have other IPs in the VLANs, can I have access to my servers and to the internet (but not the guest VLAN, which gets internet only) without adding more routes to my router?

The port trunking is my mistake. What I want to do is pass all the VLANs between the two 2626s over the same port (26).

I hope this is more explicit. My network diagram is attached.

Thanks one more time for your reply.
Ben Dehner
Trusted Contributor

Re: Vlan Problem

When you start breaking up your internal network into separate subnets, you will need to do internal routing. Since the 2626s are layer 3 switches, they can handle this function for you. However, each internal network you add will require that you add an additional static route to your internet router, unless you can add a summarized route to it.

The simplest way to do VLANs is a port-based VLAN, based on location and switch. The servers in building A will be easy to segment off -- just assign port 25 of the 2626 to a separate VLAN; this will be VLAN 1. However, presuming that your DHCP server is also in this segment, you will also need to configure DHCP forwarding on the 2626 switches so everyone else gets an IP address. Do the same thing with the 1800 in building A -- assign port 24 to a separate VLAN -- VLAN 2 -- in a different IP subnet.

In building B, it gets a little trickier because the two 1800s are cascaded. If it is possible to attach the second one directly to the 2626, that would be better, but it may be impossible due to cabling restrictions. So with what we've got, I would assign port 25 on the building B 2626 to two new VLANs, VLAN 3 and VLAN 4. This must be a tagged port. You might want to create a VLAN 5 for all servers/systems that are directly attached to this switch on ports 1-24.

Then, on the first 1800 in Bldg B (ip 1.7), I would make port 24 tagged and a member of VLANs 3 & 4, make port 23 a member of VLAN 4, and all other ports a member of VLAN 3. Tagging the traffic between the two 1800s in Bldg B is optional; the first 1800 does all of the tagging, and the second 1800 is along for the ride.

Now we deal with the link between Bldg A and Bldg B. Since everything is subnetted out, this really should be done at layer 3. Create a VLAN 6 on both 2626 switches, assign an IP address to both 2626 switches on this VLAN, and add port 26 to this VLAN. On the Bldg B 2626, add a default route that points to the Bldg A 2626. On the Bldg A 2626, add a default route that points to the internet firewall, and add static routes for the various Bldg B subnets that point back to the Bldg B 2626. On the internet router, add static routes for all of the internal networks that point to the Bldg A 2626.

Finally, I have not dealt with your security requirement for the guest VLAN, for two reasons. One, with port-based VLANs, I don't know where your guests are located; what ports are they plugged in to. Second, what you really need here is an internal firewall. I don't know if the 2626 switches have the functionality to do this.
Trust me, I know what I'm doing
Nereus_1
Occasional Advisor

Re: Vlan Problem

Thanks, Ben Dehner, for your reply.

For the security requirement for the guest VLAN, I know which ports are going to be connected.

For Bldg A and Bldg B I already tried to configure 3 equal VLANs on each 2626 switch, with an IP address on each VLAN.
Bldg A:

ip default-gateway 192.168.1.1
ip routing
snmp-server community "public" Unrestricted
name "ADMIN"
untagged 25-26
ip address 192.168.1.4 255.255.255.0
tagged 1-24
exit
vlan 22
name "SERVERS"
forbid 13-24
untagged 2-12
ip address 192.168.20.4 255.255.255.0
tagged 26
exit
vlan 33
name "GUEST"
forbid 1-12
untagged 13-24
ip address 192.168.30.4 255.255.255.0
tagged 26
exit
no stack
password manager

Bldg B:
ip default-gateway 192.168.1.1
ip routing
snmp-server community "public" Unrestricted
name "ADMIN"
untagged 25-26
ip address 192.168.1.5 255.255.255.0
tagged 1-24
exit
vlan 22
name "SERVERS"
forbid 13-24
untagged 2-12
ip address 192.168.20.5 255.255.255.0
tagged 26
exit
vlan 33
name "GUEST"
forbid 1-12
untagged 13-24
ip address 192.168.30.5 255.255.255.0
tagged 26
exit
no stack
password manager

With these two configurations on the switches I cannot ping any machine on the network.
Regarding the VLANs, I will configure the same VLANs on the two 2626 switches (10 VLANs total in each switch).

When you said "just assign Port 25 of the 2626 to a seperate VLAN; this will be VLAN 1. However, presuming that your DHCP server is also in this segment, you will also need to configure DHCP forwarding on the 2625 switches so everyone else get an IP address." I didn't understand it very well.
To tell the truth, I don't understand anything about VLANs. Can you show me some configuration code for the two 2626s, and for Bldg B if it is possible to attach the second one directly to the 2626?

Thanks, Ben Dehner, one more time.

Daniel Wright

Re: Vlan Problem

IIRC, you can use the routing and default gateway options together; you need to remove the default gateway and add a 0.0.0.0 0.0.0.0 entry to the routing table.

Also make sure you have the link between the two switches tagged for all VLANs.
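As an added example (not the poster's configuration, and not something Ben, Daniel or Matt wrote), here is a pair of 2626 configurations that follow Ben's port-based design, apply Daniel's point about the default gateway, and fix what is wrong in the configuration posted above: `ip default-gateway` is ignored once `ip routing` is on, so a default route is needed instead, and the user ports were tagged in VLAN 1, which untagged PCs cannot use. It departs from Ben's routed transit VLAN in one respect: 192.168.1.0/24 (servers, firewall, Svr. N) stays a single VLAN stretched at layer 2 across port 26, so nothing with a static address has to be renumbered, and each 2626 routes only its own department VLANs. Hostnames, VLAN IDs, the new subnets, the DHCP server at 192.168.1.10 and a second firewall interface for GUEST on port 23 of 2626-A are all assumptions.

```text
; ===== Building A 2626 (added example; names, VLAN IDs, subnets assumed) =====
hostname "2626-A"
ip routing
; "ip default-gateway" is only honoured while routing is off; use a default route instead
no ip default-gateway
; the poster asked about RSTP: this enables spanning tree (RSTP on the 2626
; firmware is assumed; confirm with "show spanning-tree")
spanning-tree
vlan 1
   name "SERVERS"
   ; port 25: unmanaged 2708 with the six servers; port 24: 2708 with the
   ; firewall (192.168.1.1). Unmanaged switches cannot tag, so everything
   ; behind them lands in this VLAN.
   untagged 24-25
   ; stretched to building B so Svr. N keeps 192.168.1.16
   tagged 26
   ip address 192.168.1.4 255.255.255.0
   exit
vlan 20
   name "ADMIN"
   untagged 1-12
   ip address 192.168.20.1 255.255.255.0
   ; DHCP relay ("DHCP forwarding" in Ben's reply) to the assumed DHCP server
   ip helper-address 192.168.1.10
   exit
vlan 30
   name "GUEST"
   ; deliberately no "ip address": a VLAN without an IP interface is not routed
   ; by the 2626, so guests can only reach what their own gateway allows.
   ; Port 23 is assumed to go to a dedicated guest interface on the firewall,
   ; which also has to serve DHCP for this VLAN.
   untagged 13-23
   tagged 26
   exit
ip route 0.0.0.0/0 192.168.1.1
; building B's routed subnets live behind 2626-B
ip route 192.168.40.0/24 192.168.1.5
ip route 192.168.50.0/24 192.168.1.5

; ===== Building B 2626 =====
hostname "2626-B"
ip routing
no ip default-gateway
spanning-tree
vlan 1
   name "SERVERS"
   ; port 24: test server Svr. N (192.168.1.16)
   untagged 24
   tagged 26
   ip address 192.168.1.5 255.255.255.0
   exit
vlan 40
   name "CUSTOMER_SERVICES"
   ; port 25 carries VLANs 40 and 50 tagged to the first 1800-24, which must
   ; untag 40 on its user ports and 50 on its port 23 towards the second 1800-24
   tagged 25
   untagged 1-12
   ip address 192.168.40.1 255.255.255.0
   ip helper-address 192.168.1.10
   exit
vlan 50
   name "PROFESSIONAL_SERVICES"
   tagged 25
   ip address 192.168.50.1 255.255.255.0
   ip helper-address 192.168.1.10
   exit
vlan 30
   name "GUEST"
   untagged 13-23
   tagged 26
   exit
ip route 0.0.0.0/0 192.168.1.1
; building A's routed subnet lives behind 2626-A
ip route 192.168.20.0/24 192.168.1.4
```

Two things outside the switches still have to happen, as Ben said: the firewall needs static routes for 192.168.20.0/24 via 192.168.1.4 and for 192.168.40.0/24 and 192.168.50.0/24 via 192.168.1.5 (servers send replies to their gateway 192.168.1.1, not to the switch), and the two 1800-24s are configured through their web interface to match the tagged/untagged plan on port 25. Verify with `show vlans`, `show vlan 1` and `show ip route` on each 2626, then ping the firewall from a PC in VLAN 20. What this does not give you is the isolation in the later posts: the 2626 has no ACLs (Matt's point), so every VLAN that has an `ip address` on the switch is routed to every other one, and the "only CUSTOMER SERVICES and PROFESSIONAL SERVICES may talk to each other" rule cannot be enforced here. Keeping GUEST without an IP interface is the only lever the switch offers, and it pushes the guest policy onto the firewall, where it belongs.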
Nereus_1
Occasional Advisor

Re: Vlan Problem

Thanks for your reply, Daniel Wright.

How can I do this? Like I said, I don't understand anything about VLANs. I tried to add the route 0.0.0.0 0.0.0.0 and I can't.

Thanks, Daniel Wright.
Nereus_1
Occasional Advisor

Re: Vlan Problem

I realize that my scheme is wrong; it is in fact slightly more complicated.

All VLANs are allowed to connect to the internet and to the servers, except the GUEST VLAN, which has access to the internet only; everything else is blocked for the GUEST VLAN.

For the GUEST VLAN I only need to say which port is going to be used.

The VLANs aren't allowed to communicate with each other; only the CUSTOMER SERVICES and PROFESSIONAL SERVICES VLANs can.

If I need routing, I want it done by the HP 2626s, if they can do it.

In Bldg B can I have RSTP? If yes, how can I do it?

Thanks in advance for your help.
Nereus
Ben Dehner
Trusted Contributor

Re: Vlan Problem

If you need explicit examples, I'm afraid I can't help. I have a decent knowledge of VLANs and layer 2/layer 3 internetworking, but I've never touched a Procurve switch. The product documentation on the various Procurve switches says they are capable of certain functions (such as DHCP forwarding), but I have no idea how it would be configured on that platform.
Trust me, I know what I'm doing
Nereus_1
Occasional Advisor

Re: Vlan Problem

I don't need explicit examples. I just need some guidelines (1st: this, 2nd: that, ...).
I already tried some configurations and the result was bad. The last configuration of the two switches is in my last answer, and it doesn't do anything.

Thanks in advance
Matt Hobbs
Honored Contributor
Solution

Re: Vlan Problem

The 2600 has basic routing functionality and its performance may start to suffer when routing is enabled (depending on how many hosts are being routed).

Usually for 100 machines in a VLAN this would not be a problem unless there is an extreme amount of broadcast/multicast traffic which is unlikely.

For the access control requirements that you have in mind, this would be best met with Access Control Lists on your router - which the 2600 does not support.

I would recommend you get a 5400/3500 if possible and let that handle all of your internal routing and ACLs. You may also be able to get away with the 5300, but its ACLs are not as full-featured.

Security wise, what you are trying to do at the moment with the 2600's is impossible.