VLAN gotchas (Wireless Networks forum thread), page 2 of 3: posts 16 to 30 of 33
  1. #16 gshaw
    Phew, glad I'm not going mad

    Looks like to shift the management onto a separate VLAN I need to run

    ProCurve Switch(config)# management-vlan <vid | vlan-name>

    after configuring another VLAN on the core and putting the switch's static IP address in the edge config (along with the extra VLAN declaration and any untagged ports required for a management PC).

    According to the HP docs, if a VLAN is defined for management, only devices in that VLAN can manage the switch; that VLAN also becomes non-routable. I guess it depends on the level of paranoia and whether someone would try to reconfigure a switch, but it's probably worth doing. Basically it means you end up needing a set PC to manage the switches, set up on its own untagged port in the management VLAN.

    Does make things a bit more complicated than using VLAN 1 but I guess that's the price you pay for security...

    Just those pesky ACLs to double check now!
    Last edited by gshaw; 9th March 2011 at 05:52 PM.

  2. #17
    Gotchas we found:

    All the usual switching stuff which you've covered, although you also need a DHCP helper pointing at your PXE server if you ever want network boot to work. But the oddest problems were with some client software. Things that talk to network licensing servers/dongles can be funny and may need special configuration. We had one app that needed the licensing server IP entering in a config file, and another that needed the name entering as an environment variable. These programs usually use broadcast to locate the server; of course once you have VLANned, that doesn't work. Also, if you use WOL there is a command about directed-broadcast you will need to enter in the core switch.

    Issues since then have been, when adding additional VLANs, making sure that the path back to the core through multiple uplinks all have the tagged traffic enabled. It takes a while to diagnose if it's not right.

  3. #18
    Quote Originally Posted by gshaw:
    Seems to go against all the docs I've been reading so far; if I use the default switch IP as gateway on clients I'd end up with something like...

    On client

    IP address: 192.168.40.100
    Subnet: 255.255.255.0
    Gateway: 192.168.1.1

    Doesn't seem right? Pretty much all the HP guides I've seen so far say that the IP address of the VLAN (set on core switch) should be the default gateway for clients?

    You're quite right. I'm sorry, I just re-read my own post and I'm not even sure how I came to that conclusion myself. It has been a long day.
    The DHCP should set the default route to the core switch as per teejay's response. The IPs of the switches should be in the management VLAN, and the edge switches' default route should be that of the core switch's management VLAN IP address. That is sort of what I meant to say.

  4. #19 gshaw
    No worries, it made me think and double check my understanding, so it works out well in the end.

    WOL is an interesting one, as I might play with it for patching with SCCM in time, and I've read a few things about making it work over VLANs. The main thing is NetSupport School, but seeing as that's done by the Smartboard PC in the classroom it should be OK, as it will always be in the same VLAN as the machines it's waking up.

  5. #20
    I wouldn't use the management-vlan option; just have all the switches in a VLAN. Better off not using VLAN 1: if you have VLAN 1 as a non-routed VLAN with DHCP you can use it as a cleanup/catch-all VLAN to find clients that are connected to ports not properly VLAN assigned.

    The WOL stuff is useful; we have some power management software that is used to switch the IT suites on for the start of the day, so it uses WOL, and we can fire up machines directly when wanting to config them or troubleshoot. Obviously this is most useful on a large site as it can save a lot of running around.

    Skr

  6. #21
    Quote Originally Posted by CyberNerd:
    It might be worth telling your Active Directory about the new IP scopes!

    Definitely, add new subnets into AD Sites & Services; I couldn't browse mapped drives until this happened.

  7. #22
    Quote Originally Posted by SkreeM1980:
    I wouldn't use the management-vlan option; just have all the switches in a VLAN. Better off not using VLAN 1: if you have VLAN 1 as a non-routed VLAN with DHCP you can use it as a cleanup/catch-all VLAN to find clients that are connected to ports not properly VLAN assigned.

    I think I may have changed my mind on this following some other conversations I was having with other college IT managers yesterday. I have also been advised that I should move away from telnet where possible for switch management.

    Skr

  8. #23 gshaw
    Just been having a think about a migration plan to get onto the new infrastructure...

    - set up new VLAN on the core switch, enable IP routing etc
    - VMWare farm is then reconfigured for VLANs, initially I'll put all the VMs in one VLAN, same IP addressing as the current flat network
    - then I was thinking of going to the edge switches and setting all ports (apart from the trunk fiber) to one VLAN e.g. VLAN10, same IP addressing as current flat network
    - at this point the network should be pretty much the same as it was before
    - then I create a new VLAN for classroom machines and move a few test machines into it so now I've got two VLANs
    - make appropriate DHCP, DNS and AD config changes for new subnet etc
    - check connectivity
    - if this works move all classroom PCs across... done
    - do the same for a test printer
    - if it works OK move the rest across and update GPOs accordingly (gives us a chance to tidy these up at last!)
    - then move servers into their own VLAN as required
    - last part, test ACLs on a new VLAN and if working OK apply to classroom PC VLAN as appropriate

    Hopefully this method should let users continue working while we're doing the reconfiguration and seems the easiest way to do it, any thoughts?

  9. #24 chazzy2501
    Can I hijack this thread a bit... Can I (oversimplistically), e.g., have 3 switches, 2 edge and 1 core:

    can I set an untagged VLAN (4) for all the edge devices on edge switch 1, do the same for edge switch 2 but with VLAN (5), and leave the uplinks as tagged for the core switch? Then on the core switch make the server's port a (un)tagged member of both?

    i.e. do I need the core switch to route IP traffic between VLANs? I don't care if 1 edge device on 1 switch can see another edge device on another switch. In this setup I could avoid subnetting as well?

  10. #25 localzuk
    Untagged ports can only be untagged for a single VLAN.

    Your solution would work if your server had 2 network ports, one tagged 4, and one tagged 5. How you would handle DHCP via that method though, I don't know.

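    Two of the gotchas in this thread are mechanical enough to check from a port/VLAN table: a port can only be untagged for a single VLAN (localzuk's point above), and every hop of the uplink path back to the core has to carry each VLAN an edge switch uses (the "multiple uplinks" problem from #17). The checker below is an added example, not code from the thread or from HP; the switch names, port numbers, VLAN ids and the two planted faults are all constructed, and VLAN 30 plays the role of a management VLAN carried to every switch.

```python
from collections import deque
# Constructed topology for illustration (not from the thread), with ProCurve-style port
# names; each port lists the VLANs it carries as "untagged" and/or "tagged". Two deliberate
# faults: core port 1 is untagged in two VLANs, and VLAN 20 is missing on core port 26.
SWITCHES = {
    "core":  {"1": {"untagged": [30, 99]}, "25": {"tagged": [10, 20, 30]}, "26": {"tagged": [10, 30]}},
    "edge1": {"1": {"untagged": [10]}, "2": {"untagged": [20]}, "25": {"tagged": [10, 20, 30]}},
    "edge2": {"1": {"untagged": [10]}, "2": {"untagged": [20]}, "25": {"tagged": [10, 20, 30]}},
}
UPLINKS = [(("edge1", "25"), ("core", "25")), (("edge2", "25"), ("core", "26"))]  # (near, far) pairs

def carried(switches, sw, port):  # every VLAN id a port carries, tagged or untagged
    return set(switches[sw][port].get("untagged", [])) | set(switches[sw][port].get("tagged", []))

def untagged_conflicts(switches):
    """Ports untagged in more than one VLAN: a port can only be untagged for a single VLAN."""
    return sorted((sw, p) for sw, ports in switches.items()
                  for p, m in ports.items() if len(m.get("untagged", [])) > 1)

def path_to_core(uplinks, start, core="core"):
    """Breadth-first search over the uplinks; returns (near_end, far_end) hops from start to core."""
    links = {}
    for a, b in uplinks:
        links.setdefault(a[0], []).append((a, b))
        links.setdefault(b[0], []).append((b, a))
    prev, queue = {start: None}, deque([start])
    while queue and queue[0] != core:
        sw = queue.popleft()
        for near, far in links.get(sw, []):
            if far[0] not in prev:
                prev[far[0]] = (near, far)
                queue.append(far[0])
    hops, sw = [], core
    while prev.get(sw):  # walk back from the core to start; empty if the core is unreachable
        hops.append(prev[sw])
        sw = prev[sw][0][0]
    return hops[::-1]

def broken_uplinks(switches, uplinks, core="core"):
    """(switch, vlan, hop) for each VLAN a switch uses that some hop on its path to the core does not carry."""
    problems = []
    for sw, ports in ((s, p) for s, p in switches.items() if s != core):
        needed = set().union(*(carried(switches, sw, p) for p in ports))
        hops = path_to_core(uplinks, sw, core)
        if not hops:
            problems.append((sw, None, None))  # no uplink path to the core at all
        for near, far in hops:
            for vid in sorted(needed):
                if vid not in carried(switches, *near) or vid not in carried(switches, *far):
                    problems.append((sw, vid, (near, far)))
    return problems
```

    Running `untagged_conflicts(SWITCHES)` reports core port 1, and `broken_uplinks(SWITCHES, UPLINKS)` reports VLAN 20 on edge2's uplink, which is exactly the kind of missing tag that otherwise "takes a while to diagnose".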

  12. #26 chazzy2501
    So the port could be a tagged member of both VLANs, but the NIC on the server may not be able to support this?

  13. #27 localzuk
    Quote Originally Posted by chazzy2501:
    So the port could be a tagged member of both VLANs, but the NIC on the server may not be able to support this?

    Indeed; if you tag them, then you have to also tag them on the server, and it has to be able to handle tagging.

  14. #28 chazzy2501
    Do you know if 1 NIC can be a member of multiple tagged VLANs?

  15. #29 localzuk
    Quote Originally Posted by chazzy2501:
    Do you know if 1 NIC can be a member of multiple tagged VLANs?

    I think it can, yes; however, this would be down to the NIC driver etc...

  16. #30 m25man
    This is defo the best VLAN thread for a while; keep up the good work, an interesting read.

    However, not wanting to rain on your parade, I would highly recommend you make financial provision for something like the good old LinkRunner as a minimum frontline tool for debugging and troubleshooting this lot!
    It's not cheap, but I couldn't live without mine.
    I'm a Fluke user and evangelist; I do not work for or sell them, but as a network professional I make my living out of using them and they have paid for themselves countless times over.
    The LinkRunner Pro will make short work of diagnosing, documenting and debugging your VLAN setups, and you will soon learn never to step out of your office without it.
