VLAN gotchas

[gshaw]

Just looking for any lessons you've learnt from putting VLANs onto a previously flat network?

We're looking to do it in summer and so far I've thought of...

• Turn on IP routing on core switch
• DHCP helper on switch to point clients to DHCP server (can I put multiple helpers if I have split scope DHCP servers?)
• set default gateway on core switch to point to firewall LAN address
• new scopes on DHCP server for each VLAN
• set default gateway option on DHCP to point to gateway of the VLAN for each scope
• reconfigure firewall with a static route so it can still port forward to servers in a separate VLAN for web services etc
• reconfigure printers into new VLAN and map via GP Preferences
• ensure uplink ports get tagged for all VLANs going to the edge switches and matching ports on core switch (I'm talking ProCurve speak btw)
• ensure documentation is up to date showing which ports are going where on our edge switches when untagging ports to a VLAN i.e. so machines go in the right VLAN!
• check switch ACLs are working as expected

Did you encounter any unexpected issues when doing your VLAN projects and what lessons did you learn?

[maark]

make sure everything is running ok after vlans setup for a while before putting acls on. Also procurve manager is useful if you can afford it for HP - probably worth making sure switches are running latest firmware as well.

[nicholab]

You can just have 1 DHCP server to rule them all! You would actually specify that other vlan to use the other helper address.

The best way I have seen for documenting port allocation is a excel in a visual box format with version control on the 1st sheet.

[gshaw]

You can just have 1 DHCP server to rule them all! You would actually specify that other vlan to use the other helper address.

Could have one but I prefer to split it in case Windows has a wobbly. OK recovery is easier once it's virtualised but I'm paranoid :P

What do you mean about "that other VLAN"? As I understand it in each VLAN I define I put the IP helper address e.g.

Code:

vlan 40
name "Curriculum"
tagged A10-A15
ip helper-address 192.168.11.250 
ip address 192.168.40.254 255.255.255.0

So the DHCP server is in VLAN 11 (for this example) and the PCs looking for DHCP are in VLAN 40. Would look the same for say VLAN 50 just changing the IP address for the VLAN in the config

[teejay]

Could have one but I prefer to split it in case Windows has a wobbly. OK recovery is easier once it's virtualised but I'm paranoid :P

What do you mean about "that other VLAN"? As I understand it in each VLAN I define I put the IP helper address e.g.

Code:

vlan 40
name "Curriculum"
tagged A10-A15
ip helper-address 192.168.11.250 
ip address 192.168.40.254 255.255.255.0

So the DHCP server is in VLAN 11 (for this example) and the PCs looking for DHCP are in VLAN 40. Would look the same for say VLAN 50 just changing the IP address for the VLAN in the config

Yes you can have multiple ip helper addresses.
You only want to specify the ip helper addresses and the ip address on the switch that will be the default route for the vlan.

[gshaw]

Yes you can have multiple ip helper addresses.
You only want to specify the ip helper addresses and the ip address on the switch that will be the default route for the vlan.

Yup that makes sense, if I've got the design right the config above (and the rest of the VLANs) will be going on the core 5406zl in the server room. The edge switches are 2610-24s connected back by fiber and they'll have something like this on them...

Code:

vlan 4
name "Curriculum"
untagged 11-20
tagged 24

Untagged ports for the client machines and tagged port for the fiber uplink

[teejay]

That looks spot on.
Few other things:
Make sure routing is disabled on all the switches that don't require it and the default gateway on all switches except your core switch is updated to your core switch that's doing the routing.
When you've set up the switches, on each one download the configuration file and also go into the console cli interface and do a write mem.
Some of your edge switches may be defaulted to 8 vlans max, change this if required.
For added security you may want to look at moving switch management off the default VLAN.
Oh and make sure you've got a stress ball to hand ;-)

[gshaw]

I've got a collection of stress balls on top of my PC and the latest addition is one that lights up when I throw it around... been carrying it around the corridors recently thanks to upcoming server virtualisation project :-P

On the edge switches would the default gateway be the main management IP address of the core switch (what would usually be in VLAN 1 but as you say might be safer moved to something separate). In what circumstances would the edge switches use this as in theory all the clients should be using the gateway of the VLAN they're in?

E.g. a client in the 192.168.40.0 VLAN would have its gateway set to 192.168.40.254 by DHCP scope 003 Router option.

Just reading around some of the HP configs on their forums some people have IPs for the switch in every VLAN (on their edge config). Didn't think this was necessary?

[teejay]

The default gateway is used by the inter switch communication traffic and if you use stuff life snmp on the switches. If you don't have it set to the core switch and you move say a monitoring server which uses snmp to a vlan then it won't communicate.
You only need an ip address on the core switch, the only other time you'll need an ip address is if you move switch management onto it's own VLAN and then you'll need an ip address for each switch in that VLAN.

[CyberNerd]

It might be worth telling your active directory about the new IP scopes !

[CyberNerd]

On the edge switches would the default gateway be the main management IP address of the core switch (what would usually be in VLAN 1 but as you say might be safer moved to something separate). In what circumstances would the edge switches use this as in theory all the clients should be using the gateway of the VLAN they're in?

Give all the switches IP's from the management VLAN - ie VLAN1 and set the core as the default route. It will only complicate things moving the management vlan to something else, I can't see why it would be more secure? All clients should be using the core switch as the default gateway. I think you may be confusing things - VLANs work at Layer 2 but the routing is working at layer 3.

[gshaw]

It might be worth telling your active directory about the new IP scopes !

Was wondering about this, some people recommend putting each one in Sites and Services and others don't? I'm thinking of erring on the side of caution and putting them all in there.

Same goes for lookup zones in DNS I'd presume, best to have everything in there.

So if I leave the switches on the default management VLAN I'd end up with...

• one IP for the core switch e.g. 192.168.1.1
• an IP for each edge switch e.g. 192.168.1.11 (for say the 10th switch)
• a default gateway command on each edge switch pointing to 192.168.1.1
• clients DHCP pointing to the IP address of the VLAN they're in e.g. 192.168.7.254

[teejay]

It will only complicate things moving the management vlan to something else, I can't see why it would be more secure? All clients should be using the core switch as the default gateway. I think you may be confusing things - VLANs work at Layer 2 but the routing is working at layer 3.

It's recommended by HP to move the management off the default VLAN, http://www.hp.com/rnd/pdfs/Hardening...hite_Paper.pdf

[gshaw]

All clients should be using the core switch as the default gateway. I think you may be confusing things - VLANs work at Layer 2 but the routing is working at layer 3.

Seems to go against all the docs I've been reading so far, if I use the default switch IP as gateway on clients I'd up with something like...

On client

IP address: 192.168.40.100
Subnet: 255.255.255.0
Gateway: 192.168.1.1

Doesn't seem right? Pretty much all the HP guides I've seen so far say that the IP address of the VLAN (set on core switch) should be the default gateway for clients?

[teejay]

Seems to go against all the docs I've been reading so far, if I use the default switch IP as gateway on clients I'd up with something like...

On client

IP address: 192.168.40.100
Subnet: 255.255.255.0
Gateway: 192.168.1.1

Doesn't seem right? Pretty much all the HP guides I've seen so far say that the IP address of the VLAN (set on core switch) should be the default gateway for clients?

No, it's not right, on the core switch you assign an ip address for each vlan as per your configuration in op and use this as your default gateway address in that vlan. In your example you would set the default gateway to 192.168.40.254 if the code example given earlier was used on your core switch.