
2910al VLANs (Multiple Windows SBS domains on the same physical network)

 
Jim_Anstiss
Visitor

Greetings all,

 

I have a scenario where there are several Windows SBS domains that are being consolidated into a single office. They need to be separate so domain A can't see domain B, but they need to share the same Internet connection and NAS and (ideally) printers. (If the separation wasn't a problem I would just put them all on the same subnet.)

I was hoping that using the kit provided (48 port 2910al switch) this could be accomplished using VLANs and multiple subnets.

 

I have a logical diagram that (in my mind) looks like this:

 

             Internet
                |
                | 1.1.1.0/28
                |
              Router  10.0.10.254/24
                |      
                |
                |
    48 Port Procurve 2910al--------- VLAN 10 (Printers and Storage)

       |        |       |            10.0.10.0/24
       |      VLAN 30   |
       |  10.0.30.0/24  |
       |                |
       |                |
     VLAN 20          VLAN 40
  10.0.20.0/24     10.0.40.0/24

 

 

So...

Q1: Is this possible?

Q2: Can it be arranged so that, say, VLAN20 clients only get DHCP from the VLAN20 DC?  And not VLAN30 or others?

Q3: Should my "shared devices" be in VLAN1 (default/management) rather than VLAN10 or is this not important?

Q4: How difficult would it be to add wireless to the mix? Would this require static routes and hosts file changes on the client?

 

Any information on how to achieve this goal would be greatly appreciated.

 

TIA,

 

Jim.

 

3 REPLIES
Michal Doležal
Frequent Advisor

Re: 2910al VLANs (Multiple Windows SBS domains on the same physical network)

Hello

First, the 2910al is a Lite L3 routing switch, so it supports static routing and ACLs. But you can't apply ACLs per VLAN; you can apply an ACL per port (standard or extended). So for your request it is possible to implement a simple scenario based on three routed VLANs, and traffic may be limited using ACLs applied to the port.

What is important is where you want to have the DHCP server. If there is one for all companies, so that every VLAN is represented by one scope, then you need to configure a relay, represented by the command ip helper-address. If you would like to use separate DHCP servers in each VLAN (Server 1 in VLAN 10, clients in VLAN 10 and DHCP server in VLAN 10) everything will be OK, because broadcasts are discarded by routers, so DHCP packets cannot traverse L3 interfaces without special configuration (on the 2910al you need ip helper-address configured per VLAN if DHCP must traverse across VLANs). So the DHCP server of company A in VLAN 10 will assign addresses only to clients in VLAN 10, the DHCP server of company B in VLAN 20 will assign addresses only to clients in VLAN 20, etc.

 

Quick config may look like this:

hostname SW1
vlan 1
  ip address dhcp-alloc (or static management address)
exit
vlan 10
  ip address 10.0.10.1 255.255.255.0
  ip helper-address <ip of DHCP>
exit
vlan 20
  ip address 10.0.20.1 255.255.255.0
  ip helper-address <ip of DHCP>
exit
vlan 30
  ip address 10.0.30.1 255.255.255.0
  ip helper-address <ip of DHCP>
exit
vlan 40
  ip address 10.0.40.1 255.255.255.0
  ip helper-address <ip of DHCP>
exit

ip route 0.0.0.0 0.0.0.0 10.0.10.254
ip routing

 

Access lists are configured using this syntax:

ip access-list standard <name_of_ACL>
   permit <network ex: 10.0.40.0> <wildcard mask ex: 0.0.0.255 representing /24>

so: deny 10.0.40.0 0.0.0.255 means that all traffic on this port is denied access to the defined IP subnet

and then you must apply it to an interface using the command

interface 1
  ip access-group <name of ACL> in (or out)
exit

Michal Dolezal, DiS.
System engineer
AVE BOHEMIA, s.r.o.
paulgear
Esteemed Contributor

Re: 2910al VLANs (Multiple Windows SBS domains on the same physical network)

Assuming I've understood your configuration correctly, here are my answers:

A1: Of course.  Almost every topology in networking is possible.  It's a matter of how much effort it takes, how reliable it is, and how well it performs.  :-)  If you want to route using your 2910al and don't want clients to see each other, then you'll need to put in some ACLs on the switch.

A2: If you have a DHCP server on the same VLAN as the clients, it will be their DHCP server unless you take explicit steps to forward their DHCP requests to another VLAN.

On my network (which uses the ISC DHCP server on Linux), each VLAN can have its own parameters, so there's no need to have separate DHCP servers.  So I forward all DHCP requests to a central server using 'ip helper-address' in my 5400 switch.  This is a non-default configuration.

You can also have a different 'ip helper-address' setting for each VLAN, so even if the servers are all on a central VLAN, you can configure each VLAN to forward DHCP requests to a different server.

A3: The choice is up to you with this.  Personally, I like to keep printers on a separate VLAN.

A4: Usually wireless is just put in another VLAN and treated very similarly to wired clients.  Generally you don't want to add any static routes or static host entries on the client - you should give out a default gateway and DNS server address in DHCP and get the clients to work it out dynamically, the same way you would for wired clients.

Regards,
Paul
Jim_Anstiss
Visitor

Re: 2910al VLANs (Multiple Windows SBS domains on the same physical network)

Michal / Paul

 

Thanks for your replies. Using the information supplied by Michal above I have built the following config, but I seem to have trouble contacting anything that isn't on its own VLAN, i.e. VLAN 20 machines can only talk to VLAN 20, and not the router or printers in VLAN 1 / VLAN 10.

 

Running configuration:

; J9147A Configuration Editor; Created on release #W.14.38

hostname "ProCurve 2910al-48G Switch"
ip access-list standard "allow_Shared"
   10 permit 10.10.20.0 0.0.0.255
   20 permit 10.10.30.0 0.0.0.255

   exit
ip access-list extended "inbound_VLAN20"
   10 permit ip 10.10.10.254 0.0.0.0 10.10.20.0 0.0.0.255
   exit
ip access-list extended "inbound_VLAN30"
   10 permit ip 10.10.10.254 0.0.0.0 10.10.30.0 0.0.0.255
   exit

module 1 type J9147A
interface 1
   ip access-group "allow_shared" in
exit
interface 2
   ip access-group "inbound_VLAN20" in
exit
interface 3
   ip access-group "inbound_VLAN30" in
exit

ip routing
vlan 1
   name "DEFAULT_VLAN"
   untagged 1,4-48
   ip address 10.10.10.10 255.255.0.0
   tagged 2-3
   exit
vlan 10
   name "Shared"
   no ip address
   exit
vlan 20
   name "VLAN20"
   ip address 10.10.20.254 255.255.255.0
   tagged 2
   exit
vlan 30
   name "VLAN30"
   ip address 10.10.30.254 255.255.255.0
   tagged 3
   exit

ip route 0.0.0.0 0.0.0.0 10.10.10.254
snmp-server community "public" unrestricted

ProCurve 2910al-48G Switch#

 

I am sure I am missing something very simple. Any ideas what that might be?

 

Regards,

 

Jim
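As an added example (not code from this thread, from HPE, or from any of the posters), the following Python script models the ACL semantics Michal's reply describes: a wildcard mask whose set bits are "don't care" bits, first matching entry wins, and anything unmatched falls through to the implicit deny. It also lints a constructed excerpt of the running configuration Jim posted (the VLAN 1 and VLAN 20 parts, with the same addresses, ACLs and port bindings) and reports two things that are visible in that config: interface 1 references "allow_shared" while the ACL is defined as "allow_Shared", and VLAN 1's 10.10.0.0/16 contains the VLAN 20 subnet (in the full config it contains VLAN 30's as well). The lint compares ACL names exactly; whether the switch treats them case-insensitively is not settled on this page. The parser only understands the handful of statements used in the thread.

```python
"""Lint a ProCurve-style VLAN/ACL configuration and evaluate its ACLs.

Added example for this thread; not code from the original posts or from HPE.
CONFIG is a constructed excerpt modelled on the running configuration posted
above, and the parser understands only the statements used in the thread.
"""
import ipaddress
import re

# Constructed excerpt: same subnets, ACLs and port bindings as the posted config.
CONFIG = """\
ip access-list standard "allow_Shared"
   10 permit 10.10.20.0 0.0.0.255
   20 permit 10.10.30.0 0.0.0.255
   exit
ip access-list extended "inbound_VLAN20"
   10 permit ip 10.10.10.254 0.0.0.0 10.10.20.0 0.0.0.255
   exit
interface 1
   ip access-group "allow_shared" in
exit
interface 2
   ip access-group "inbound_VLAN20" in
exit
vlan 1
   ip address 10.10.10.10 255.255.0.0
   exit
vlan 20
   ip address 10.10.20.254 255.255.255.0
   exit
"""

ACL_START = re.compile(r'ip access-list (standard|extended) "([^"]+)"')
ACL_RULE = re.compile(r'\d+ (permit|deny) (?:ip )?(\S+) (\S+)(?: (\S+) (\S+))?$')
ACL_BIND = re.compile(r'ip access-group "([^"]+)" (in|out)')
VLAN_IP = re.compile(r'ip address (\S+) (\S+)$')


def wildcard_match(addr, base, wildcard):
    """ACL-style match: wildcard bits set to 1 are 'don't care' bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def parse_config(text):
    """Return (acls, bindings, vlans) from the statements this thread uses."""
    acls, bindings, vlans = {}, {}, {}
    section = None  # ("acl" | "if" | "vlan", name) for the block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_START.match(line):
            section = ("acl", m.group(2))
            acls[m.group(2)] = {"type": m.group(1), "rules": []}
        elif m := re.match(r"interface (\d+)$", line):
            section = ("if", m.group(1))
        elif m := re.match(r"vlan (\d+)$", line):
            section = ("vlan", m.group(1))
        elif line == "exit":
            section = None
        elif section and section[0] == "acl" and (m := ACL_RULE.match(line)):
            acls[section[1]]["rules"].append(m.groups())  # (action, src, src_wc, dst, dst_wc)
        elif section and section[0] == "if" and (m := ACL_BIND.match(line)):
            bindings[section[1]] = (m.group(1), m.group(2))
        elif section and section[0] == "vlan" and (m := VLAN_IP.match(line)):
            vlans[section[1]] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return acls, bindings, vlans


def acl_decision(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, s_wc, d, d_wc in acl["rules"]:
        # Standard ACLs carry no destination (d is None), so only the source is tested.
        if wildcard_match(src, s, s_wc) and (d is None or wildcard_match(dst, d, d_wc)):
            return action
    return "deny"


def lint(acls, bindings, vlans):
    """Flag ACL references that match no definition and VLAN subnets that overlap."""
    findings = []
    for port, (name, direction) in bindings.items():
        if name not in acls:
            near = [n for n in acls if n.lower() == name.lower()]
            hint = f' (defined as "{near[0]}")' if near else ""
            findings.append(f'interface {port}: ACL "{name}" ({direction}) is not defined{hint}')
    items = sorted(vlans.items(), key=lambda kv: kv[1].network.prefixlen)
    for i, (v1, if1) in enumerate(items):
        for v2, if2 in items[i + 1:]:
            if if1.network.overlaps(if2.network):
                findings.append(f"vlan {v1} ({if1.network}) overlaps vlan {v2} ({if2.network})")
    return findings


def demo():
    """Lint the constructed config and test port 2's inbound ACL against a VLAN 20 host."""
    acls, bindings, vlans = parse_config(CONFIG)
    findings = lint(acls, bindings, vlans)
    # "in" on interface 2 is traffic entering the switch from the VLAN 20 side, i.e.
    # sourced by a VLAN 20 host; the only entry matches the router as source.
    verdict = acl_decision(acls["inbound_VLAN20"], "10.10.20.5", "10.10.10.254")
    return findings, verdict
```

Calling demo() returns the two lint findings and the verdict "deny" for a packet from 10.10.20.5 to the router address arriving inbound on interface 2, since the only entry in that ACL matches the router as source and everything else reaches the implicit deny. Swapping CONFIG for a saved show running-config lets the same checks run over a real switch, but any statements outside the thread's vocabulary are ignored by this parser.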