Switches, Hubs, and Modems

Re: New to VLANs...some guidance would be great...

 
cenk sasmaztin
Honored Contributor

Re: New to VLANs...some guidance would be great...

You have the 2810 and 2510 switches, which cannot route; therefore all operation in the LAN must be L2. Separate the VLAN 1 and VLAN 2 networks. The fibre uplink port between the 2510 and 2810 must be VLAN 1 untagged and VLAN 2 tagged. You assign only a VLAN 1 IP address, for management. In VLAN 1, clients connect only to VLAN 1 untagged ports; in VLAN 2, clients connect only to VLAN 2 untagged ports.
If you want two VLANs on the same port, make the port VLAN 1 untagged and VLAN 2 tagged, and use a VLAN-aware NIC to assign the VLAN ID.

good luck.
cenk

Sean Rector
Occasional Advisor

Re: New to VLANs...some guidance would be great...

I'm sorry...I'm simply not understanding what you wrote.
cenk sasmaztin
Honored Contributor

Re: New to VLANs...some guidance would be great...

Hi Sean, your 2510 and 2810 switches have no static or dynamic routing capability.

You want to create two VLANs on your system and assign two different routers: VLAN 1 to the public internet, VLAN 2 to the vendor server.

You must create 2 VLANs and isolate the VLANs.


The fibre uplink port connecting the 2510 and 2810 carries two VLANs: VLAN 1 untagged, VLAN 2 tagged.
For VLAN 1, all clients on VLAN 1 untagged ports.
For VLAN 2, all clients on VLAN 2 untagged ports.

If you want to use two VLANs on the same port, you must create this config on the port: VLAN 1 untagged, VLAN 2 tagged, and connect a device with a VLAN-aware Ethernet card to this port.

VLAN 1 users' IP addresses are in the same subnet as the public internet router's Ethernet address, and their default gateway address is the public internet router's Ethernet interface address.

VLAN 2 users' IP addresses are in the same subnet as the vendor server router's Ethernet address, and their default gateway address is the vendor router's Ethernet interface address.


I hope you understand.
cenk

Sean Rector
Occasional Advisor

Re: New to VLANs...some guidance would be great...

Hmmm...I'm still a bit confused - let me explain further.

Currently, the computers on the right side of the drawing are working as I want them to - a specific application they use goes out the vendor router, and all other traffic goes either to our internal servers or out via the internet router. What the vendor wants us to do is configure the network so they can add two machines (on the same switch) that will ONLY have their traffic go out the vendor router. The other, previously connected machines must still operate as they do currently - traffic is able to traverse both routers.

I thought VLANs were the way to accomplish this. I also thought that if (on the 2810) I added both routers' ports to both VLANs as well as the Fibre port, that would allow the routing between the two VLANs to function properly.

Did I confuse the issue more?
Mohieddin Kharnoub
Honored Contributor

Re: New to VLANs...some guidance would be great...

Hi

I believe you don't need to configure anything on the switches.

Just add the 2 new machines, and set the default gateway wherever they want (the GW will be the right Cisco router) and it will simply work without any issues.

Note:
You can do that on the switches, but then you have to reconfigure the whole network again, because on the switches you have a very simple configuration and all the routing/policies have been set on both routers.

Good Luck !!!
Science for Everyone
cenk sasmaztin
Honored Contributor

Re: New to VLANs...some guidance would be great...

Please look at reply 5.
cenk

Sean Rector
Occasional Advisor

Re: New to VLANs...some guidance would be great...

I'd like another look by more people, please. Thanks!

The suggestion of setting the Gateway on the other machines isn't possible, unfortunately, as some of these machines will be wireless scanners.
Matt Hobbs
Honored Contributor

Re: New to VLANs...some guidance would be great...

Sean, since the 2510 and 2810 do not support routing, most of the configuration is going to be done on the WAN routers.

You state that it is currently working fine for the hosts that need to access both networks and everything is currently in the same VLAN. To me this means that the clients most likely have their default gateway set to the Internet router, and the Internet router has a static route configured to the Vendor router for when traffic needs to be sent to the Vendor network.

The problem is you now need to configure two workstations that can only access the Vendor network. This can be achieved a few ways.

As Mohieddin suggested you could simply add these 2 new clients to the existing flat network and point their default gateway to the Vendor router. It's a very simple solution but from a physical network access point of view it's not exactly secure as the workstations could easily be configured to get Internet access by simply changing their default gateway.

To lock things down more securely, you can definitely use VLANs although not quite in the manner that your proposed network diagram suggests.

For your existing workstations that already have access to the Internet and to the Vendor network they could be left as is in VLAN1. For the new VLAN, you would configure some untagged ports for those workstations on the 2510, you would then tag this link back to the 2810 and tag it again back to the 1760. The 1760 would need to be configured with a dot1q trunk and be configured with an additional subnet for clients in this new VLAN. The workstations would have their default gateway set to this new IP address on the VLAN2 1760 router.

To prevent routing between the two VLANs on this router, an ACL would be configured.

This is just one solution I can think of, there are probably multiple other solutions. I'm not saying this is the best choice but given your current hardware it makes sense to me.

Most of the work that needs to be done is on the Ciscos. Setting the VLANs on the ProCurves is the easy part. If in doubt I would get someone with some Cisco experience to listen to your problem and help you find a suitable solution.
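As an added illustration of the design Matt describes (and of the untagged VLAN 1 / tagged VLAN 2 uplink cenk describes), not configuration from the original thread: the ProCurve side and the Cisco 1760 side, with constructed 192.168.1.0/24 (VLAN 1) and 192.168.2.0/24 (VLAN 2) subnets; port numbers, the 1760 interface name, and the ACL names are assumptions, and the 1760's existing WAN/route config toward the vendor is not shown.

```text
; ---- ProCurve 2510 (VLAN 1 stays untagged on all ports by default) ----
vlan 2
   name VENDOR-ONLY
   untagged 1-2          ; the two new vendor-only workstations (ports assumed)
   tagged 24             ; fibre uplink to the 2810 carries VLAN 2 tagged
   exit

; ---- ProCurve 2810 ----
vlan 2
   name VENDOR-ONLY
   tagged 1,2            ; port 1 = fibre from 2510, port 2 = link to the 1760 (assumed)
   exit

! ---- Cisco 1760 (vendor router): 802.1Q trunk with one subnet per VLAN ----
interface FastEthernet0/0
 description LAN - VLAN 1, untagged (native) traffic
 ip address 192.168.1.1 255.255.255.0
 ip access-group VLAN1-NOT-TO-VLAN2 in
!
interface FastEthernet0/0.2
 description LAN - VLAN 2, vendor-only workstations (default gateway 192.168.2.1)
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group VLAN2-NOT-TO-VLAN1 in
!
! Block routing between the two VLANs on this router; anything else from
! VLAN 2 may only leave via the vendor WAN because this is its only gateway.
ip access-list extended VLAN2-NOT-TO-VLAN1
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip 192.168.2.0 0.0.0.255 any
!
ip access-list extended VLAN1-NOT-TO-VLAN2
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log
 permit ip 192.168.1.0 0.0.0.255 any
```

The `log` keyword on the deny entries makes cross-VLAN attempts visible in the router's syslog, which is useful evidence that the segmentation is holding.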
Sean Rector
Occasional Advisor

Re: New to VLANs...some guidance would be great...

Unfortunately, the separation via VLAN is due to PCI compliance (I did not know that previously) requirements of the vendor.