Wireless Networks Thread, VLAN design (Procurve) in Technical
  #1 gshaw

    VLAN design (Procurve)

    Having read through the replies on various admin \ curriculum network threads (and my own one) I'm thinking about merging the two together so I can have a single AD, SCCM and so on. At the same time I'm still rather paranoid about security and contamination from the curriculum machines so I reckon putting a VLAN environment in would be the best bet.

    This way I can still keep curriculum machines away from critical data (aka SQL, admin data etc) but still authenticating against a single AD and so on.

    So I'd be aiming for something like...

    Server VLAN
    Admin workstation VLAN
    Teaching workstation VLAN
    Wireless VLAN (guest access)
    Printers VLAN if it's worth it?

    Here's what I've found so far and a few bits I'm still trying to figure out...

    • on edge switches set ports as untagged to the VLAN required for the endpoint device
    • on uplink ports (fibre) set port as tagged for all VLANs going back to the core (i.e. all of them)
    • the core switch (5406zl) will need to have routing enabled to enable communication between the server and workstation VLANs. The 5406 is layer 3 capable so should be able to handle that once it's turned on.
    • each VLAN on its own subnet (I've read some places saying it's optional but seems to make sense from a management point of view, at a glance you can tell which device is on which VLAN from the IP?)
    • to stop curriculum PCs talking to admin (and the same with the wireless) I'd need some form of ACLs stopping communication between VLANs


    A few issues I've been thinking of, mainly to do with the servers...

    • if the DNS server is on the server network how does a client machine do its lookup in the first place to know where the domain controller is?
    • same thing applies to DHCP, I've read about helper addresses although a bit more research required there


    We're also going to virtualisation at the same time, had a look at a VMWare setup a while back, I'm guessing this is the way it's done with VLANs in most cases?

    vSphere VLAN: Understanding 802.1Q VLAN tagging

    So again a case of having ports tagged for the VLANs required for VMWare and setting the correct VLAN for each VM?

    And one last thing to complicate matters, if I wanted to stop curriculum PCs talking to a database and file server would I need another VLAN for critical servers and only allow the server and admin workstation VLANs to talk to it or is there another way of doing this?

    Btw, as mentioned, the core switch is a 5406zl (also had a 5308xl on the other network). Edge switches are all ProCurve 2610 series...
    Last edited by gshaw; 7th January 2011 at 10:16 AM.

  #2 mrbios
    You really don't need a separate VLAN for admin and pupil machines, there's absolutely no harm in them being on the same VLAN.

    Personally this is how we do it:
    Separate VLANs for print traffic, IGMP traffic, wireless, infrastructure (servers/layer 3 switches, essentially anything on the backbone), iSCSI, and then a separate VLAN for each building or school section. We have a DC (virtualised) running for each building or section to do DHCP and DNS for all of those (and wireless), then each other service all have static IPs with no DHCP running for them.

    If you start trying to put student, teacher and admin machines all on separate VLANs you're just over complicating your setup and taking a lot of time setting it up for no significant gain to security or performance. You don't want to over complicate it as you're just making more work for yourself both in the short and long term. Lastly, switches will be fine to do the job you require, we're running a pretty similar setup in that sense.

    On VMware you just tag all the VLANs to the VMware server that you want to be able to set up different VMs to run over, configured on the VM host, the switch and the VM itself.

    I don't know if I actually answered any questions that you asked there though.

    EDIT: We implemented a complete virtualisation and VLAN solution over the past 4 years, had it running this way just over a year now and we had a very expensive consultant (got one hell of a brain on him and has taught me a lot!) come in to help us set it all up originally as the other 2 here were pretty dumb and I had only just started work in IT at the time. So if you want any help I'm always happy to assist if I can via PM.
    Last edited by mrbios; 7th January 2011 at 10:42 AM.

  #3 localzuk
    Being on different VLANs doesn't mean they're necessarily isolated. So, the DNS servers being on a different VLAN doesn't mean they are inaccessible to the clients.

    DHCP is done, as you say, by ip helpers on your core router. If you've got something like a HP Procurve 5400zl then you set the ip helper-address for each VLAN to your DHCP server. You also assign each VLAN its own IP address with its own subnet mask. Then on your DHCP server, you split your IP addresses up into scopes that match up with the IP and the subnet mask that you used for each VLAN.

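    A worked check of the addressing side of this, as an added example and not code from the thread or from HP: a small Python script that takes a per-VLAN subnet plan of the kind gshaw sketched in #1 (server, admin, teaching and guest-wireless VLANs, each on its own /24, with the core doing the routing), verifies the subnets do not overlap, works out the gateway address the core switch takes on each VLAN and the DHCP scope that matches it, and emits the ProCurve lines for the core that localzuk describes (ip routing, one ip address per VLAN, and ip helper-address on every VLAN that is not the DHCP server's own). The VLAN ids, subnets and the 192.168.1.250 DHCP server address are constructed; the tagged/untagged port assignments are per switch and left out.

```python
"""Sanity checks for a per-VLAN subnet plan plus the matching core-switch config (added example)."""
from ipaddress import IPv4Address, IPv4Network

# Constructed sample plan (not from the thread): VLAN id -> (name, subnet).
PLAN = {
    10: ("SERVERS", "192.168.1.0/24"),
    20: ("ADMIN_WS", "192.168.2.0/24"),
    30: ("TEACHING_WS", "192.168.3.0/24"),
    6: ("WLAN_GUEST", "192.168.6.0/24"),
}
DHCP_SERVER = "192.168.1.250"  # hypothetical DHCP server address, lives on the server VLAN
RESERVED_LOW = 20              # low addresses kept out of the DHCP pool for static kit


def gateway_of(subnet):
    """The core switch's own address on a VLAN: the last usable host (.254 in a /24)."""
    return IPv4Network(subnet).broadcast_address - 1


def check_plan(plan, dhcp_server):
    """Return a list of design problems; an empty list means the plan is consistent."""
    problems = []
    nets = {vid: IPv4Network(subnet) for vid, (_, subnet) in plan.items()}
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                # two VLANs sharing address space is the IP conflict that forces a split
                problems.append(f"VLAN {a} ({nets[a]}) overlaps VLAN {b} ({nets[b]})")
    for vid, net in nets.items():
        if net.prefixlen > 30:
            problems.append(f"VLAN {vid}: {net} leaves no room for a gateway plus clients")
    if not any(IPv4Address(dhcp_server) in net for net in nets.values()):
        problems.append(f"DHCP server {dhcp_server} is not on any planned VLAN")
    return problems


def dhcp_scope(subnet, reserved_low=RESERVED_LOW):
    """DHCP pool for one VLAN: skip the reserved low block and the gateway at the top.
    Each VLAN needs its own scope because the relay agent address tells the DHCP
    server which subnet a forwarded request came from."""
    net = IPv4Network(subnet)
    first = net.network_address + 1 + reserved_low
    last = gateway_of(subnet) - 1
    if first > last:
        raise ValueError(f"{subnet}: reservation leaves no addresses for DHCP")
    return str(first), str(last)


def procurve_config(plan, dhcp_server):
    """ProCurve CLI for the core switch: inter-VLAN routing, one IP interface per VLAN,
    and DHCP relay on every VLAN that does not contain the DHCP server itself."""
    server = IPv4Address(dhcp_server)
    lines = ["ip routing"]
    for vid in sorted(plan):
        name, subnet = plan[vid]
        net = IPv4Network(subnet)
        lines += [f"vlan {vid}", f'   name "{name}"',
                  f"   ip address {gateway_of(subnet)} {net.netmask}"]
        if server not in net:   # the server's own VLAN is directly connected, no relay needed
            lines.append(f"   ip helper-address {dhcp_server}")
        lines.append("   exit")
    return lines


if __name__ == "__main__":
    for problem in check_plan(PLAN, DHCP_SERVER):
        print("PROBLEM:", problem)
    for vid, (name, subnet) in sorted(PLAN.items()):
        print(f"VLAN {vid:<3} {name:<12} gateway {gateway_of(subnet)}  scope {dhcp_scope(subnet)}")
    print("\n".join(procurve_config(PLAN, DHCP_SERVER)))
```

    Run it before touching the switch: an overlap report means the scopes on the DHCP server cannot be told apart either, and the printed config is the part of the job that has to match those scopes exactly.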
  #4 gshaw
    Thanks for the confirmation localzuk, confirms what I've been reading roughly on other sites.

    It's just keeping the curriculum away from the admin I want to do; call it paranoia but I feel a lot happier if student PCs have no way of even seeing the MIS and staff data servers, they have no need to ever see them so if I'm going to all the trouble of VLANs in the first place it makes sense to segment less trusted machines away. In a way, if I compare to mrbios' setup where you have VLANs per school building \ section, we've got admin offices and teaching in the same physical building but logically separate in function. We also don't have floors which seems to be a common way of segmenting VLANs in big offices by the looks of it (great for moving kit around).

    I get that all the VLANs can contact each other as long as the routing is working on the switch; so basically once the machines get their DHCP lease as above they then know the IPs of the DNS servers and away they go.

    A few more thoughts...

    - I take it you've got separate subnets for each VLAN?
    - did you have to add the extra subnets to Sites and Services in AD?
    - I guess this one depends on your network size but were you using /24 subnets in each VLAN?
    Last edited by gshaw; 7th January 2011 at 11:11 AM.

  #5 localzuk
    Quoting gshaw:
    > - I take it you've got separate subnets for each VLAN?
    Yes, you have to have separate subnets as far as I know.

    > - did you have to add the extra subnets to Sites and Services in AD?
    No. I didn't alter the AD at all.

    If you really do want to segregate admin from curriculum (something I'd say is kind of out of date now) then you can use ACLs on your core router to deal with this.

  #6 SpuffMonkey
    I don't think that using VLANs for "security" purposes really works in a school environment - or at least in ours. In an office situation, there are clear divisions between accounts/HR/sales etc, but most staff here want to sit down at a screen and get on with whatever work is necessary, be it curricular or more administrative - so that's what we provide. There are some risks in that - but I think the major risks are more human - sharing passwords, not logging off etc.

  #7 gshaw
    Quoting localzuk:
    > Yes, you have to have separate subnets as far as I know.
    >
    > If you really do want to segregate admin from curriculum (something I'd say is kind of out of date now) then you can use ACLs on your core router to deal with this.
    I just think of it like this... if the classroom PCs never need to use the SQL server or admin data why let them see it and have the possibility of a breach coming from that area. I can understand having all accessible if you have a SIMS client in the classroom etc but our MIS is only used in offices (slightly different way of doing things in Adult Ed) so there's no real need for it to talk apart from AD authentication.

    I guess the difference in our case is that the teaching machines up until now are just used on a kiosk-style basis and staff don't log into them. Might not be such a bad thing to keep that distinction as it means the classroom resources have to go on the VLE.
    Last edited by gshaw; 7th January 2011 at 11:39 AM.

  #8 DMcCoy
    Quoting gshaw:
    > I just think of it like this... if the classroom PCs never need to use the SQL server or admin data why let them see it and have the possibility of a breach coming from that area. I can understand having all accessible if you have a SIMS client in the classroom etc but our MIS is only used in offices (slightly different way of doing things in Adult Ed) so there's no real need for it to talk apart from AD authentication.
    I do the same here, and assign servers to one of two VLANs depending on which clients need access to them.

    Wired 802.1X works quite well with Windows Vista/7 these days, I use it to assign clients to the correct VLAN based on AD group membership (computer authentication, not user authentication though).

  #9 the_warrior
    I have the same issue ...same core switch ...
    I added a new VLAN for the wireless network ...what I have are:

    1. 30 ProCurve APs (wireless VLAN)
    2. ISA Server 2006 and DHCP (ISA & DHCP VLAN)
    3. Clients (students, guests & teachers' laptops VLAN)

    Previously the 1st and 2nd VLANs were one VLAN, then I separated them because of the IP conflict ...

    The problem with me is:
    The client laptops can see the other VLANs ...I have DHCP, DNS, ... servers, computer labs, other departments' VLANs ...and I don't want them to see these VLANs...

    What I want is:
    I want the clients VLAN to access the internet through the ISA server and to get their IP from the DHCP ...I have done that ...BUT I don't want them to see other VLANs ...

    What shall I do ...I know it's ACL ...but how do I configure it on the 5406zl...

    Thank you
    Last edited by the_warrior; 26th April 2011 at 09:43 AM.

  #10 gshaw
    In which case you'll want an ACL to do something along the lines of...

    - allow traffic from client VLAN to access ISA server IP
    - allow traffic from client VLAN to access DHCP server (via DHCP-helper set on the VLAN)
    - deny everything else (HP does this by default but you can define it explicitly as well)

    Not sure how you'd want to do DNS for those clients, might just be better to set something like your ISP \ Google DNS for the public wifi clients so they never touch your internal DNS server? If you wanted to use the internal DNS just add another ip permit rule.

    As far as I've understood it the ACL would look something like this (assuming a client subnet of 192.168.6.0/24). It has to be an extended list, since a standard ProCurve ACL only matches on the source address:
    Code:
    ip access-list extended "PUBLIC_WIFI_ISOLATION"

    remark "ALLOW ACCESS TO DHCP SERVER 192.168.1.250"
    10 permit ip 192.168.6.0 0.0.0.255 192.168.1.250 0.0.0.0

    remark "ALLOW ACCESS TO FIREWALL GREEN INTERFACE"
    20 permit ip 192.168.6.0 0.0.0.255 192.168.7.10 0.0.0.0

    30 deny ip any any
    And on the VLAN definition...
    Code:
    vlan 6
    name "WLAN_GUEST"
    ip address 192.168.6.254 255.255.255.0
    vlan 6 ip access-group "PUBLIC_WIFI_ISOLATION" in
    (then tag \ untag ports as required)

    If this looks wrong to anyone please correct me as it's only a theoretical design I've come up with after reading forums \ HP documentation!
    Last edited by gshaw; 26th April 2011 at 12:00 PM.

  #11 the_warrior
    Thank you gshaw for the precious information and guidance ...
    I will do what you suggested and I will let you know the result...and I will discuss this issue with you ...

    Thank you again

  #12 gshaw
    Also check out the HP advanced traffic management guide and the HP IT Resource Center forums as there are lots of examples there of people trying to achieve similar things.

  #13 the_warrior
    Thanks ....I really appreciate your help

  #14 the_warrior
    I have done the following ....and I tested my network ...it's working properly...
    Code:
    ip access-list extended WLAN
    deny ip any 10.75.116.128/26
    deny ip any 10.75.3.128/28
    deny ip any 10.75.9.128/28
    deny ip any 10.75.112.0/23
    deny ip any 10.75.114.0/23
    deny ip any 10.75.4.128/28
    deny ip any 10.75.6.128/28
    deny ip any 10.75.5.128/28
    deny ip any 10.75.7.128/28
    deny ip any 10.75.8.128/28
    deny ip any 10.75.120.0/24
    deny ip any 10.75.116.0/25
    deny ip any 10.75.117.128/26
    deny ip any 10.75.121.128/28
    deny ip any 10.75.118.192/27
    permit ip any any

    vlan 218
    ip access-group WLAN in

    Then I changed my mind .....Instead of denying all then permitting any ...I issued the following commands, and I got the same result:
    Code:
    ip access-list extended WLAN
    permit ip any 10.75.119.0/29
    deny ip any any

    vlan 218
    ip access-group WLAN in

    Thank you
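    An added example, not code from the thread or from HP, covering the ACLs in #10 and #14: a small Python model of how an extended IP ACL on the 5406zl is evaluated, top-down with first match and the implicit deny ip any any at the end. It parses the two ProCurve ACL forms posted above (the deny-list version abridged to four of its fifteen lines, the allow-list version in full) and the corrected extended form of gshaw's PUBLIC_WIFI_ISOLATION list, then shows why the allow-list shape is the safer one for a guest VLAN: a department subnet added after the ACL was written still hits deny ip any any, whereas the deny list lets it through until someone remembers to add a line. The 10.75.200.5 and 10.75.50.10 addresses are constructed. The model covers rule matching only; whether a relayed DHCP discover from 0.0.0.0 to 255.255.255.255 is subject to the VLAN ACL on this platform is something to confirm in the HP ACL guide and on the switch.

```python
"""First-match evaluator for ProCurve-style extended IP ACLs (added example)."""
from ipaddress import IPv4Address, IPv4Network


def _parse_addr(tokens):
    """Consume one address from the token list and return (network, rest).
    Handles the forms seen on the ProCurve CLI: any, host A.B.C.D, A.B.C.D/len,
    and 'A.B.C.D W.X.Y.Z' where the second word is an ACL (wildcard) mask."""
    word = tokens[0]
    if word == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if word == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    if "/" in word:
        return IPv4Network(word, strict=False), tokens[1:]
    wildcard = int(IPv4Address(tokens[1]))
    if (wildcard + 1) & wildcard:  # only contiguous masks map onto a prefix
        raise ValueError(f"non-contiguous ACL mask: {tokens[1]}")
    netmask = IPv4Address(~wildcard & 0xFFFFFFFF)
    return IPv4Network(f"{word}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Turn an 'ip access-list extended' block into an ordered list of
    (action, source_net, dest_net). Only 'ip' entries are handled; the header,
    remarks and the 'vlan ... ip access-group' binding are skipped."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("ip", "remark", "exit", "vlan"):
            continue
        if tokens[0].isdigit():  # optional sequence number
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {raw.strip()}")
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries


def evaluate(entries, src, dst):
    """First matching entry wins; the switch ends every ACL with an implicit
    'deny ip any any', so a packet matching nothing is dropped."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"


# the_warrior's first version from #14, abridged to four of the fifteen deny lines
DENY_LIST_ACL = """
ip access-list extended WLAN
  deny ip any 10.75.116.128/26
  deny ip any 10.75.3.128/28
  deny ip any 10.75.112.0/23
  deny ip any 10.75.120.0/24
  permit ip any any
vlan 218
  ip access-group WLAN in
"""

# the_warrior's second version from #14: permit the ISA/DHCP subnet, deny the rest
ALLOW_LIST_ACL = """
ip access-list extended WLAN
  permit ip any 10.75.119.0/29
  deny ip any any
vlan 218
  ip access-group WLAN in
"""

# gshaw's design from #10 as an extended list with the protocol on the final deny
GSHAW_ACL = """
ip access-list extended "PUBLIC_WIFI_ISOLATION"
  remark "ALLOW ACCESS TO DHCP SERVER 192.168.1.250"
  10 permit ip 192.168.6.0 0.0.0.255 192.168.1.250 0.0.0.0
  remark "ALLOW ACCESS TO FIREWALL GREEN INTERFACE"
  20 permit ip 192.168.6.0 0.0.0.255 192.168.7.10 0.0.0.0
  30 deny ip any any
"""

if __name__ == "__main__":
    guest = "10.75.200.5"       # constructed guest laptop address
    late_subnet = "10.75.50.10"  # constructed: a department VLAN added after the ACL was written
    for name, text in (("deny-list", DENY_LIST_ACL), ("allow-list", ALLOW_LIST_ACL)):
        print(f"{name:10s} guest -> new subnet: {evaluate(parse_acl(text), guest, late_subnet)}")
    rules = parse_acl(GSHAW_ACL)
    print("gshaw ACL guest -> DHCP server:", evaluate(rules, "192.168.6.20", "192.168.1.250"))
    print("gshaw ACL guest -> other server:", evaluate(rules, "192.168.6.20", "192.168.1.10"))
```

    The point the two the_warrior lists make against each other is that a deny list has to be maintained every time a subnet is added, and the failure mode of forgetting is silent: the new subnet is simply reachable from the guest VLAN. With the allow list, forgetting breaks something visibly and gets fixed.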

  #15 gshaw
    Good to know it's doing the trick, am I right in assuming vlan 218 is your guest wireless (the one you want to restrict the traffic on?)
