Network Infrastructure Change [HP Procurve]

[Tunster]

Hi All!

Just need some advice and want to make sure I'm going in the right direction. I've nearly finished my Cisco CCNA course and the biggest concern after learning switching was the lack of configuration on our own network.

We've got a "fat" network. No VLANs, no STP, no QoS. We've got VoIP, data and all our IP Security Camera system running over one default VLAN. Of course you're all going to scream at me, but the previous technicians had not deployed any of the above. Even left the switches in default configuration with no password or security. I'm now working my way through all the switches to make sure we dont get a security breach on any of our switches.

My next phase of the plan (to deploy over the summer holidays) is to introduce VLAN and STP (along with my AD changes to the OUs and move all our physical servers onto virtual servers using a RAID storage system).

I know I'll have to at least bring in at least 3 VLANs (away from the default VLAN). One each for data, VoIP and the IP Security Camera system.

We have all HP Procurve equipment 2600/2800 switches with our core switches being 4100GL and 5400ZL (one in each of our old server room and new server room with a GigFibre in between each other). It's pretty much in a star shape and none of our other switches are interconnected for redundancy at the moment (I'll raise this concern later).

For anyone who runs or has setup VLAN/STP...

How easy is it on HP Procurve Switches?
How do you run your own setup?

The only issue I can see is that we have a proxy server that should serve students and staff (and I did want to split student and staff data on two different VLANs for security to satisfy the powers at be).

Please let me know of your experiences and the best way of deploying this. Sounds like a mine-field I know!

[p858snake]

What extra security do you think you would gain by having student and staff on separate vlans?

[Tunster]

What extra security do you think you would gain by having student and staff on separate vlans?

We have plenty of roaming laptops (mainly student ones) we have no control over and we've had students trying to hack the network in the past. All our wireless boxes (all HP Procurve) are VLAN enabled, so we can password off the staff VLAN. It would create an extra bridge and creating a new domain within our forest would tighten it up a lot.

It's not necessary though as I said. As long as I can seperate the data, VoIP and IP camera data; I'll be much happier and the switches should run a lot better!

[maark]

I have done it myself here - followed HP stuff off the web and loads of stuff on edugeek if you search. Should be ok if you do it over the summer but took me a while to get my brain round it. Have got it linked into DHCP so addresses are dished out to different subnets on different vlans. One word of advice - make sure it is ll running ok without security between vlans before putting any access restrictions in place.
Procurve manager is good and will help with your wireless.

[zippo]

Firstly make sure all of your switches have the most upto date firmware installed.

You could try reconfiguring the core switch manually - but you really need to buy Procurve Manager. I think that you can download a demo version - but to do everything you seem to want, you probably need to buy the full version.

[Ric_]

Firstly make sure all of your switches have the most upto date firmware installed.

You could try reconfiguring the core switch manually - but you really need to buy Procurve Manager. I think that you can download a demo version - but to do everything you seem to want, you probably need to buy the full version.

Agree with the firmware. Some older releases were known to make random things happen with VLANs.

I would have to disagree with needing Procurve Manager. You can do virtually everything from the CLI menu interface and it's pretty straight forward. I think that sorting the routing between VLANs may need a couple of additional commands but I may be wrong. All my kit is Procurve (similar set up to you) and I have 4 VLANs set up similar to how you want yours.

[maark]

procurve manager gives you a nice view of your netwotk - what ports switches are connected on etc - also lets you search for mac address and tells you what switch/port it is connected to which is really useful especially if your network points have not been labelled perfectly.

[zippo]

Quite honestly sometimes buying something that just makes life easier is a good investment. Sure you can do things manually using CLI, its true for just about everything IT releated. I guess some people just love maintaining their core mode 2008 servers. I even expect some people install core mode just because they have to manage it using a CLI and powershell scripts! Just makes the magic of what you do even greater ... and your bosses stand in awe of your abilities!

As you can probably guess, my IT management views are firmly in the "lets make it as easy as possible" court!

Before anyone shouts - this reply is firmly tounge in cheek!

[DMcCoy]

For Procurve there are things you *have* to do with the CLI, it's not optional

[funkymunky]

Go with learning the CLI, it's easy enough and more powerful for most things unless you need the sort of stuff the IDM plugin offers in which case you'll need Procurve Manager. Working with a CLI is an important skill to have if you want to further yourself in the world of networking... you don't generally configure BGP, OSPF, MPLS etc. via point and click!

As for moving to using VLANs and STP you should find it quite easy if you plan properly, work out what subnets will be running over each VLAN and note down the security parameters required for each. The actual configuring on the switch is the easy bit.

[Kipling]

Although initially there’s a lot of head scratching when getting vlans going, once you sort it all out in your head there’s surprisingly few commands and settings required so the CLI is all you need really.

My advice is don’t just set up 3 or 4 vlans, set up 20 or 30; It’s no extra work once you have your configuring “routine” sorted and you will find uses for them as time goes by, it just makes it easier later if your edge switches are already configured for them.

[Tunster]

Thanks for the advice guys! I guess I'm going to have to get my head down and read HP's equivalent commands in their CLI to do the same job as the Cisco CLI (which I'm learning in CCNA). I've got the Procurve Manager setup on a separate stand-alone Win2003 server. Note to anyone, most switches come with a basic license of Procurve Manager. Very handy to at least gain an overview of the network and get everything secured quickly.

Ric_: AFAIK, you can't bridge VLANs without a router (unless my CCNA course doesn't cover any brand new protocols which makes this possible). Could you let me know how you bridge your VLANs.

[DMcCoy]

If you have enabled IP routing, and the VLAN has been assigned an IP address, traffic will be routed by the switch between vlans. You then point the clients to the IP set for their vlan as their gateway. You can stop routing between vlans by not setting an address on the switch or with acls (only available on your 5400).

[Tunster]

If you have enabled IP routing, and the VLAN has been assigned an IP address, traffic will be routed by the switch between vlans. You then point the clients to the IP set for their vlan as their gateway. You can stop routing between vlans by not setting an address on the switch or with acls (only available on your 5400).

DMcCoy: Thanks! (seems like my last reply got deleted with the person trying to advertising their networking business in this forum) Does the switch that'll do the VLAN bridging need to be the only one that needs IP Routing on? I did notice that option when browsing the switches and was a little confused as I thought it was only possible on Routers and Layer 3 Switches.

[DMcCoy]

Your 5400 is a layer 3 switch (with acls). If it is the core switch, and your topology is sufficiently star shaped, with servers connected to the core then there is no issue with running routing only on that core switch. It's what we do here.