Switches, Hubs, and Modems
new vlan setup questions?

sanchlehl1
Occasional Visitor

Let me start by saying that I'm extremely new to setting up VLANs and routing. With that said, let me give you some info on what we have and what we are trying to do.
Our network consists of 1 NetScreen 25, 3 HP ProCurve 2650s, 1 ProCurve 2650-PWR, and 1 HP ProCurve 4000M. All the switches are stacked, but they also have their own IP as a backup for access. They are all connected in series using ports 49 & 50. The 4000M has 1 gigabit card and it is at the end of the series.
Currently, there is 1 VLAN, the DEFAULT_VLAN, set up on all the switches and all the ports are part of it.
Our goal is to have a guest/public VLAN separate from our network. In other words, we have a bunch of ports that we want visitors to be able to plug in to and surf the internet, without accessing any resources on our private LAN.
I've been trying to do some reading on these forums and other places to get info, but I seem to just end up with more questions.

One of my questions is: what would be easier, port-based 802.1Q VLANs or 802.1X using RADIUS (Microsoft IAS)? The ports that we want on the public VLAN are in a conference room and training area, so we will almost never have to change them back to a private VLAN.

Also, we have a Win2k3 DHCP server. In order to hand out IP addresses to the public VLAN, if I understand right, I have to use the ip helper-address. Do I need routing enabled? What else do I need enabled? Does routing have to be enabled on all the switches or just the one with the internet connection? We would like to use 1 internet connection for both VLANs if possible.
If anyone can give me some insight on how to go about this and any caveats that I may need to watch out for, I would greatly appreciate it.
5 REPLIES
Mohieddin Kharnoub
Honored Contributor

Re: new vlan setup questions?

Hi

- For the authentication part, I don't think the 4000 supports the 802.1X protocol, even though it's a very professional solution.

- For the DHCP, you just need the IP helper-address.

- I suggest that routing be enabled only on the switch that has the DHCP server and the internet connected.

- From my point of view, I suggest this solution:

1- Create another VLAN on all switches.
2- Enable routing on the 2600 switch.
3- Add a default route to the NetScreen 25.
4- Add an IP helper-address for this new VLAN after creating a scope for it.
5- Control guest traffic with the NetScreen 25 by adding a new policy for their traffic, and control the authentication (you can make it web based and create some local accounts, or integrate with the RADIUS in Microsoft IAS).

** Note: you can do the routing on the NetScreen 25 as well, but I wouldn't recommend that; just keep every device busy with what it was designed to do.

Good Luck !!!
Science for Everyone
sanchlehl1
Occasional Visitor

Re: new vlan setup questions?

Thanks for the reply.
We are going to try and set this up this weekend, so we'll see how far we get. Unfortunately, we don't have a test/lab to play with, so hopefully we won't break too much.

Here is what I'm understanding so far.
Switch 1 - VLAN 1 (primary)
Enable routing - when I do this, I will have to change the gateway to be the switch IP, correct?
Port 1 will be our internet port; that will belong to VLAN 1, and should it be tagged for VLAN 2?

Does the DHCP server port need to be tagged? Or does the server NIC need to be VLAN aware in order to function properly as the helper-address?

When I set up the VLANs on each switch, do I need to give them all an IP address?

Thanks again for your help.
sanchlehl1
Occasional Visitor

Re: new vlan setup questions?

; ip default-gateway is only used while IP routing is disabled; with "ip routing" on,
; the switch forwards from its routing table (default route via "ip route 0.0.0.0 0.0.0.0 ...")
ip default-gateway 192.168.20.1
ip routing
; VLAN 1 = private LAN 192.168.20.0/24; port 25 = DHCP server, ports 49-50 = uplinks
vlan 1
   name "VLAN20"
   untagged 1-34,36-50
   ip address 192.168.20.37 255.255.255.0
   ip helper-address 192.168.20.9
   no untagged 35
   exit
; VLAN 2 = guest 192.168.24.0/23; port 35 = guest client, 25 and 49-50 carry it tagged
vlan 2
   name "VLAN24"
   untagged 35
   ip address 192.168.24.37 255.255.254.0
   ip helper-address 192.168.20.9
   tagged 25,49-50
   exit

Here is how we have our main switch configured. I'm having problems getting DHCP to work; I haven't gotten to surfing yet.
Port 35 is a client on VLAN 2 (guest).
Ports 49-50 are the uplinks to other switches.
Routing is enabled but I have not added any routes yet. Not sure what I need to route for DHCP to work. On this switch I have also enabled DHCP-Relay option 82 append. Not sure if this was needed.
On the DHCP server (Win2k3) I have created a superscope. Our internal scope (192.168.20.0/24) is not part of the superscope; the 192.168.24.0/23 scope is in the superscope. I have also added an IP for the guest VLAN on the DHCP server NIC, so now the server has 192.168.20.9 and 192.168.24.9. The server is on port 25 and it is in VLAN 1 and tagged on VLAN 2.

After doing all this, I can't get a client on VLAN 2 to pull DHCP. If a client is on VLAN 1 it works fine. The VLANs appear to be working because I can put other ports on VLAN 2 and talk between computers on VLAN 2, but VLAN 2 can't talk to VLAN 1, which is what we wanted.
Any help on getting DHCP working would be greatly appreciated.
Once that is figured out, then I can move on to getting VLAN 2 to surf the internet.
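An added illustration, not something posted in the thread: a small Python model of what the switch's ip helper-address does to a client's DHCPDISCOVER and how a server such as the Win2k3 one picks a scope for it. The addresses are the ones from the posts above; the scope table, with 192.168.24.37 (the switch's VLAN 2 address) as the guest scope's router option, is constructed for the example.

```python
import ipaddress
import struct

# Constructed from the thread's addressing: VLAN 1 is 192.168.20.0/24 (switch .37,
# Win2k3 DHCP server .9); VLAN 2 (guest) is 192.168.24.0/23 with the switch at .37.
SWITCH_VLAN_IP = {1: "192.168.20.37", 2: "192.168.24.37"}
HELPER_ADDRESS = "192.168.20.9"
# Scope -> router option (3). A scope's router must be an address on that scope's
# own subnet, so the guest scope points at the switch's VLAN 2 address.
SCOPES = {
    ipaddress.ip_network("192.168.20.0/24"): "192.168.20.1",
    ipaddress.ip_network("192.168.24.0/23"): "192.168.24.37",
}
COOKIE = b"\x63\x82\x53\x63"


def build_discover(xid, chaddr):
    """Minimal DHCPDISCOVER as a client broadcasts it: giaddr (bytes 24-27) is zero."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"))
    # sname (64) + file (128) are empty; then magic cookie, option 53 = DISCOVER, end
    return fixed + b"\0" * 192 + COOKIE + b"\x35\x01\x01\xff"


def relay(frame, ingress_vlan):
    """What 'ip helper-address' does on the switch: if giaddr is still zero, set it to
    the address of the VLAN the broadcast arrived on, bump the hop count, and unicast
    the packet to the helper address. An already-set giaddr is left alone."""
    giaddr = frame[24:28]
    if giaddr == b"\0" * 4:
        giaddr = ipaddress.ip_address(SWITCH_VLAN_IP[ingress_vlan]).packed
    hops = frame[3] + 1
    return HELPER_ADDRESS, frame[:3] + bytes([hops]) + frame[4:24] + giaddr + frame[28:]


def select_scope(packet, server_iface):
    """Server side: choose the scope by giaddr when the packet was relayed, otherwise
    by the interface it arrived on. Returns (scope, router option, reply destination):
    a relayed reply is unicast back to giaddr, a local one is broadcast."""
    giaddr = ipaddress.ip_address(packet[24:28])
    relayed = int(giaddr) != 0
    key = giaddr if relayed else ipaddress.ip_address(server_iface)
    for network, router in SCOPES.items():
        if key in network:
            return str(network), router, (str(giaddr) if relayed else "255.255.255.255")
    return None  # no scope covers giaddr: the server silently drops the request
```

The reply destination is the point to notice: the server answers a relayed request by unicasting to giaddr (192.168.24.37), so the server host needs a route to the guest subnet for the exchange to complete.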
Mohieddin Kharnoub
Honored Contributor

Re: new vlan setup questions?

Hi

Do the following:
- Remove the tag for VLAN 2 from port 25 (DHCP server); just leave the port untagged in VLAN 1.
- Check the scope of VLAN 2 (192.168.24.0/23) and add the router option as your VLAN 1 IP address, 192.168.20.37.

- Assign a static IP for the client like:
IP 192.168.24.38, subnet 255.255.254.0,
gateway 192.168.24.37,

Then test connectivity:
- ping the VLAN 1 IP, VLAN 2 IP and the DHCP server IP address.

Now I don't think you really need the DHCP relay inserted in your configuration; DHCP requests will be sent to the IP helper address that you already configured on both VLANs.

Good Luck !!!
Science for Everyone
sanchlehl1
Occasional Visitor

Re: new vlan setup questions?

Ok. I removed the tag on 25 (DHCP server). So now it is untagged on VLAN 1.

If I assign a static IP on the client on VLAN 2 with the suggested IP/gateway, I can't ping the VLAN 1 gateway. If I assign the gateway on the client to be the VLAN 2 IP (192.168.24.37), then I can ping the VLAN 1 gateway but not the DHCP server (192.168.20.9).

I tried configuring VLAN 1 as the gateway for the DHCP server; that didn't help any.

Right now all VLAN 1 servers are configured for the firewall gateway (192.168.20.1).

Do I need to configure something after turning routing on in the switch? I noticed that the option for a default gateway in the menu goes away after turning on routing.
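An added worked example, not from any poster: the symptom in the last post (the switch's VLAN 1 address answers, the DHCP server on 192.168.20.9 does not, and the servers' gateway is the firewall at 192.168.20.1) is what a missing return route looks like, so here is a hop-by-hop trace over a constructed model of the thread's topology. The routing tables are built from the addresses in the posts; the NetScreen's table is an assumption, since the thread only says it is 192.168.20.1.

```python
import ipaddress

N = ipaddress.ip_network
# Constructed model of the thread's topology (addresses from the posts). Each node has
# its IPs and a routing table of (prefix, next hop); next hop None means connected.
# The NetScreen's table is an assumption: the thread only says it is 192.168.20.1.
NODES = {
    "guest-pc": {"ips": {"192.168.24.38"},
                 "routes": [(N("192.168.24.0/23"), None), (N("0.0.0.0/0"), "192.168.24.37")]},
    "switch": {"ips": {"192.168.20.37", "192.168.24.37"},
               "routes": [(N("192.168.20.0/24"), None), (N("192.168.24.0/23"), None),
                          (N("0.0.0.0/0"), "192.168.20.1")]},
    "dhcp-srv": {"ips": {"192.168.20.9"},
                 "routes": [(N("192.168.20.0/24"), None), (N("0.0.0.0/0"), "192.168.20.1")]},
    "netscreen": {"ips": {"192.168.20.1"}, "routes": [(N("192.168.20.0/24"), None)]},
}

def owner(ip):
    return next((name for name, node in NODES.items() if ip in node["ips"]), None)

def next_hop(name, dst):
    """Longest-prefix match: dst itself for a connected prefix, the configured next hop
    for a static route, or None when there is no usable route."""
    routes = NODES[name]["routes"]
    matches = [(p, h) for p, h in routes if dst in p]
    if not matches:
        return None
    prefix, hop = max(matches, key=lambda r: r[0].prefixlen)
    if hop is None:
        return dst
    hop = ipaddress.ip_address(hop)
    # A next hop must be on a connected prefix or the node cannot ARP for it; this is why
    # a client whose gateway is an address on the other VLAN cannot reach anything.
    return hop if any(hop in p for p, h in routes if h is None) else None

def trace(src, dst, max_hops=8):
    """Forward one packet hop by hop. Returns (delivered, names of nodes visited). A
    ping or a DHCP exchange needs trace() to succeed in both directions."""
    dst = ipaddress.ip_address(dst)
    path, node = [src], src
    for _ in range(max_hops):
        if str(dst) in NODES[node]["ips"]:
            return True, path
        hop = next_hop(node, dst)
        node = owner(str(hop)) if hop is not None else None
        if node is None:
            return False, path  # no route, or next hop not reachable from this node
        path.append(node)
    return False, path
```

Run trace("guest-pc", "192.168.20.9") and trace("dhcp-srv", "192.168.24.38") to see the request arrive and the reply die at the firewall; appending a (192.168.24.0/23 via 192.168.20.37) route to the NetScreen's table, or giving the server that route itself, makes the return trace succeed.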