VLAN creation

[localzuk]

Right, I am trying to get my head round VLANing our network in school, as we have the infrastructure to do it now.

We have:

1 x HP Procurve 5406zl as our core
11 x HP Procurve 2650's/2626's/2626-PWR's
1 x Unmanaged D-Link 24 port DWL1024+

I would like to:

Have a set of VLAN's for various roles and various area's. The main bits I want are:

1 A VLAN for the servers/printers
2 A VLAN for each of the different area's in the school
3 A VLAN for our phone system
4 A VLAN for the router - but we have no control over its settings, so nothing can be altered on it
5 A VLAN for our Video Conferencing stuff

It should be:

2,3,5 can see 1
1,5 can see 4

How do I go about setting this up? Also, does the unmanaged switch in one area matter? It will only have 2 general use items hung off it.

Also, what sort of VLANs should I be looking at? Static, as in each port hardcoded to the VLAN for that socket, Dynamic (based on MAC addresses) or a mix of both?

[Geoff]

You cannot simply do this with VLANs alone. You must also allocate an IP range and use a router to route traffic between the VLANs. We have discussed this before.

http://www.edugeek.net/index.php?nam...ewtopic&t=9793
http://www.edugeek.net/index.php?nam...wtopic&t=10716

[localzuk]

That is why I mentioned the 5406zl, as it can handle the inter-VLAN routing as far as I am aware. Has anyone come across this?

[Geoff]

I believe DMcCoy had to deal with that as part of his network restructuring (Although he has a 5412zl). See this thread.

http://www.edugeek.net/index.php?nam...wtopic&t=10452

[DMcCoy]

Just catching up with threads. I've been *very* busy.


I have intervlan routing running on mu 5412zl, its not difficult to setup, and the 5400 also supports ACLs between vlans. One thing to note - if you want multicast routing you need a premium edge license, which I spent over £1100 on.

To route between vlans there are a few things you need to do:

1) Configure VLANs
2) Assign an IP to each vlan you want routed
3) Point the clients IP to the relevant vlans ip address on the switch as its gateway
4) This should route traffic between the vlans. One thing to note is that if no devices are on the vlan then it will be unreachable when testing with ping etc (although you can ping the gateways).
5) You might need a new route on the switch to forward unknown traffic to, I had to do this since all my internet servers now had the switch as their gateway. My route points to my firewall.

You will need to assign static routes on any server which already has a gateway set to get traffic back to the right place,

Some examples:

my default route on the core switch:

ip route 0.0.0.0 0.0.0.0 10.0.6.1

A static route on my proxy:

route -p add 10.0.200.0 mask 255.255.255.0 10.0.7.254


I've got around 30 vlans, some are sent to all switches, some are specific to rooms. Each vlan is on a different subnet. If you want the vlan to remain private just don't give it an ip address. I'd look at the hp guides as they are quite good.

[andyrite]

I've got the same setup on my 5140gl.(apart from multicast routing) I'm think of getting a 5412 for next year with 10gb uplinks to the edge switches (hopfully 2900's!)

Have you done anything with your spanning tree setup?

[DMcCoy]

The core switch is running mstp, with the lowest priority so routes are calculated from there. The edge switches are all running rstp which keeps the delay down to 2 seconds when plugging in. I'm not using any of the fancy stp options to provided redundant vlan links.

[techyphil]

Cant wait to get onto the good stuff with the CCNA im doing. All looks complicated atm VLANs.

[Joedetic]

I've just started Cisco FNS (Fundamentals of Network Security) which uses VLANs but they're preconfigured.

I should imagine we'll touch on it in the Cisco IP telephony course i'm doing too and CCNA 3 will definately do it.

[Oops_my_bad]

I hate VLANS

[spc-rocket]

Hi,

DMcCoy is pretty much spot on with the guidance. Your core should be good enough to do the inter-vlan routing (certainly i wound't use a router to do the routing as its software based rather than ASIC with a Layer 3 switch).

The only thing to look out for is the gateway of last resort which should point to your internet router or your internal firewall/proxy server as the switch (core) will not know how to router traffic to say the bbc.co.uk servers so you need to tell the core switch to route all unknown traffic to your router/firewall/proxy server for internet access.

A bit silly by HP to charge extra for multicast routing and the CLI is almost the same as cisco which makes me think they are actually buying some of the stuff from cisco in a OEM thing .

We a similar setup to what localzuk is trying to do. It does work and makes a hell of difference to broadcast reduction not to mention performance improvement and administration/management.

Another think to bear in mind is the subnets, in fact i would start with this first i.e. work out which subnets will be assigned to which vlan and then you can get into configuring on the switches.

Ash.

[localzuk]

I have done all my planning now, and will be jumping in the deep end this weekend (it was scheduled for half term but my boss has told me to do it earlier).

Ideally, I hope to be able to use dynamic vlan's with IAS as a radius server.

I have figured out what subnets to give to each vlan, and which vlans will be able to communicate with each other.

I really don't want to have to go round and figure out which ports on switches should be which VLAN. I'd much prefer to use MAC addresses for this.

Has anyone else got this set up?

[localzuk]

After spending Saturday doing a test run on a selection of items, I am fairly happy now. I shall be doing all the boring 'add computers to AD for IAS' bits over the next couple of weeks and configuring the switches in half term.

I may also get round to wikifying how I did it all.

[DMcCoy]

I've virtually completed the configuration here.

Most ports are authenticated with 802.1x, printers and Macs are autenticated with MAC based authentication.

I have 3 unauthenticated ports. One is the telephone exchange, this sends out no packets on its own - this means the switch can't see its MAC address to authenticate it when you plug it in. The other two are printers on a 4104gl, as it seems they and the 2500s (but not the 2510s) don't support mac based authentication. One of these is in an office, the other two are directly assigned to the non routed printers vlan.

I'm using around 32 scopes (of which 25 are dhcp) and nearly 40 vlans, around 10 of which go to each switch, the rest being only sent to a single switch.

I've got around 19 Procurves running the whole site now, and a right pain they are to configure when you turn ssh on! Be aware that virtually no ssh clients can connect with scp to grab their configs when ssh option is on.

Although it is done now - I mostly worked from a copy/paste set of options for each switch type, altering the port numbers by hand. Switches are all assigned to a managment vlan, all use ssh, all have snmp v3 on and user credentials set. I managed to get it all done before my trial expired on PCM plus :P

[DMcCoy]

Oh, ACLs are also in place. Locked myself out of my machine with rdp as I forgot to create a rule to allow external traffic through.

I've split the servers into two types

General and Admin. Student VLANs belong to a access list that only allows traffic to/from the general servers. While admin VLANs belong to one that allows access to both. Making AB tutor control work for teachers has been a pain, in the end I've decided that I don't need broadcast for discovery (as I usually create manual groups for them anyway). The 5400 does support the establised option for acls though so I can allow the incoming random tcp port back to the originating teachers console quite easily.

This is not all without its issues. XP is stupid. It can often try to start its group policy before authenticating itself to the switch, I've fixed this most of the time with some registry options so it works enough (missing out the startup scripts each boot was becoming a big issue). My browse list doesn't work accross vlans at the moment, names are resolved thanks to a combination of dns and wins that was already in place.