ESX boxes now have the new vlans and the virtual servers have the correct gateways and subnet masks.
Routing is working between the relevant vlans and I have a default route on the switch to forward internet traffic to the firewall (spent a good 20 mins trying to get the internet working with it still plugged in to the *old* switch).
DHCP is handing out addresses on the correct subnets and machines can login again. ACLs are off while I'm testing everything.
Static routes have been put on the ISA and shorewall servers to return packets to the vlans as they can't have the gateway set as their vlan for obvious reasons.
I'll dig out my test 2626 with a working 802.1x setup and test a few ports on the new switch today.
Got 802.1x working on a test port. I've had to present an interface from the radius server on the switch management vlan, otherwise the request appears to IAS from the gateway rather than the switch's management interface. I still need to test a connected switch as a supplicant but I'll probably get to that tomorrow.
I'm still thinking about my guest vlan, I'm going to authenticate the machines rather than the users, so I'm going to need to have some domain and dhcp services available somewhere. I'm probably going to have to allow the guest vlan to be routed as I really don't want to start adding additional interfaces to a DC to allow ghosted machines to join the domain. I will probably use the ACLs to limit traffic from the guest vlan to only domain, dhcp, dns, PXE (for ghosting) to the specified servers.
I'll probably change this round when I get a standalone 802.1x authenticator for windows.
I'm also pretending the Mac suites don't exist :P I know they have some 802.1x support but I suspect it has some hideous flaw as usual (like trying to make trunks or vlans work on OS X).
Hubs were just so much easier (only going to be one hub left after this summer! Just 3 more switches to go!)
Working on the guest VLAN at the moment. I have ghost working and enough services allowed through to a single DC to join the domain. Spent 2 hours trying to find the right combination of ports to open; I also have to use a fixed RPC port for NTDS. It seems joining the domain uses more stuff than the authentication list of ports from Microsoft. I didn't want to allow all ports though, so I kept trying until I *think* it's working.
Supplicant switch after lunch. Then it's the final list of additional vlans for the main areas of the school (plus wifi ones etc). Then I can start reconfiguring all the other switches.
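An added example, not from the original thread: finding the "right combination of ports" by hand is slow, so this Python script does the leg-work by reading ACL deny logs (while the guest VLAN ACL ends in a logged deny) and tallying which protocol/port pairs the guest machines tried to reach on the servers you intend to expose. The log format, the 10.50.0.0 guest subnet, the 10.1.0.10 DC and the 49158 NTDS port are all constructed assumptions; adapt `LOG_RE` to your switch's real syslog lines.

```python
import re
from collections import Counter

# Constructed sample deny-log lines (assumed format, not real ProCurve output).
# 10.50.0.23 is a guest-VLAN client, 10.1.0.10 the single DC, 10.1.0.20 an
# unrelated server, and 49158 stands in for the fixed NTDS RPC port.
SAMPLE_LOG = """\
ACL deny: proto=udp src=10.50.0.23:68 dst=255.255.255.255:67
ACL deny: proto=udp src=10.50.0.23:50012 dst=10.1.0.10:53
ACL deny: proto=tcp src=10.50.0.23:49153 dst=10.1.0.10:88
ACL deny: proto=tcp src=10.50.0.23:49154 dst=10.1.0.10:389
ACL deny: proto=tcp src=10.50.0.23:49155 dst=10.1.0.10:445
ACL deny: proto=tcp src=10.50.0.23:49156 dst=10.1.0.10:135
ACL deny: proto=tcp src=10.50.0.23:49157 dst=10.1.0.10:49158
ACL deny: proto=tcp src=10.50.0.23:49158 dst=10.1.0.10:445
ACL deny: proto=tcp src=10.50.0.23:49159 dst=10.1.0.20:80
"""

LOG_RE = re.compile(r"proto=(\w+) src=([\d.]+):(\d+) dst=([\d.]+):(\d+)")

def parse_denies(text):
    """Yield (proto, dst_ip, dst_port) for every deny line that matches LOG_RE."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            proto, _src, _sport, dst, dport = m.groups()
            yield proto, dst, int(dport)

def summarise(text, allowed_dsts):
    """Count denied flows per (proto, dst, port).  Flows to the servers the
    guest VLAN is meant to reach go in 'wanted'; anything else is reported
    separately so it is not added to the ACL by accident."""
    wanted, unexpected = Counter(), Counter()
    for proto, dst, port in parse_denies(text):
        bucket = wanted if dst in allowed_dsts else unexpected
        bucket[(proto, dst, port)] += 1
    return wanted, unexpected

def proposed_rules(wanted):
    """Turn the counted flows into candidate permit lines (generic syntax,
    to be translated into the switch's own ACL dialect)."""
    return [f"permit {p} any host {d} eq {port}" for (p, d, port) in sorted(wanted)]

if __name__ == "__main__":
    wanted, unexpected = summarise(SAMPLE_LOG, {"10.1.0.10", "255.255.255.255"})
    print("\n".join(proposed_rules(wanted)))
    print("not on the allow list:", dict(unexpected))
```

Run it against a few hours of logs from a single test client doing a domain join and ghost restore; the 'unexpected' bucket is where a guest machine poking at servers it should never see shows up.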
A slight lapse in my usually well thought out plans last week. I don't want any other switches to be supplicants as that would restrict their uplink to one untagged vlan anyway. I got distracted by reading through the HP manual (not *all* of it). I will simply make the uplinks fully tagged with the relevant links as you would expect, and as I had previously tested!
I've decided to remove the last of our unmanaged switches and the last 10Mb hub (yes! there is one left). I've picked the Procurve 2510-24s as temporary replacements for now as it enables the vlans and 802.1x, 1Gb uplink and actually fits in the existing cabinets.
I've decided to just use a separate vlan for the Macs as until they get some idea of *system* level authentication then it's not worth bothering with. I might investigate MAC based radius authentication for them instead.
Only of vague relevance, but I wanted an excuse to start posting again -
I can highly recommend the Cisco CCNA course for help with this sort of stuff (obv you've got to pull some strings to get your school to pay the £1500 fee - like the big red button threat or something).
It covers sub and super netting, ACLs, vlans, all the command line stuff, security, a bit of wireless, and loads of other useful snippets.
Obv not many schools implement Cisco kit, but I've only found 4 or 5 syntax differences between the HP CLI and the Cisco... Deffo a good partner to the ProCurve CLI.
Also, it's the gateway to the £30k job... allegedly - not that I've found one yet