LAN/WAN segmentation and setup with an HP layer 3 switch

Ah!, I forgot,... the "Voice" one....

You will have to create one more VLANs (VLAN5 I suppose) for the Voice Segment.  It will be "Tagged" everywhere that you need it to reach because it will be "sharing the wire" with at least one other VLAN where ever it goes.  There will be a "logical" (or virtual)  separation from other segments due to the tagging,...but because it runs over the same physical wire as other things there is no performace gain with putting it on its own VLAN.  Remember that the physical wire does  not care what VLAN something belongs to,...a packet running over the wire is just a packet running over the wire and bandwidth is still being eaten up on a physical wire that has a physical limit.

Thats a good start.. how would i then go about programming the 2910 to handle and then route the different VLANs coming in from the WAN connection?

Another thought:  Once we add the voip phones, we plan to use 2610 PoE switches which have the ability to limit and give priority to vlans.  If we were to plug those into the WAN instead of the 2510s and plug the 2510's into the 2610's, would we need to change any part of the configuration to accomodate this change?  Is there anything else the 2610's can do that would help give priorty to voice and other protocols for QoS?

Thats a good start.. how would i then go about programming the 2910 to handle and then route the different VLANs coming in from the WAN connection?

I believe all it amounts to is first set the IP Specs of the device,..then creating the VLANs within the 2910's config and then enabling the Routing.  The rest takes care of itself.  The VLANs you can create with the Web Interface,...but I believe you have to enable the routing from the Command Line Internface.  Double check that with your Docs for the device,...mine (a 5304XL) was a different model and it has been a long time since I did it.

I looked at the specs of the 2610s and never saw anything about the QoS. But assuming they do have it,...priorities are just priorities,...they won't make the wire go any faster,..all it does is make something wait while something else communicates.  As far as setting them up you would configure the VLANs on them the same way you did the 2510.  What you do to the config of the 2510s after that is a matter of exactly how you use them.

I am more suited to working out the theories and the designs,...I can't do much with the "click by click" walkthroughs.   It is a lot safer for you to check the Docs for your device.

Be carefull with the PoE.  If there is a power outlet near the switches then there is no point in the PoE.  I never liked the idea of pumping higher voltage into an Ethernet Line unless there was an extremely pressing reason to do it.

The PoE is for the phones.

>Be carefull with the PoE.  If there is a power outlet near the switches then there is no point in the PoE.

Except that a circuit tripping will kill the phone.  Building outage will kill phones too.  With PoE, you've got 10-30 minutes to get emergency calls out, page the office with instructions, etc.

If you've got auxiliary power, one outlet can power the entire phone system.

I've heard the same argument against home running power for things like cameras and access-control systems.  Local power is not always the best idea.

Short of having aux power/UPS, everything is going to come from local power and will die in an outage anyway,...doesn't matter if it is PoE or conventional.

It's a matter of dying immediately, or having a few minutes for emergency instructions, phone calls, etc.  In a facility where part of the primary paging system is via speaker phones...it's important.  Same goes when you have physical security procedures that require communication.

Just saying that fear of 48VDC voltage is not a valid reason to throw out PoE switches.  How many times have you been bit by 90VAC coming over a plain telephone line?

I didn't tell him to not use them.  Just be carefull with it.

Wow.. you guys went off on a tangent.  LOL  Sorry i disappeared, we lost a server at the office and i have some projects going on that got crazy.

I have the power situation down, been doing IT for a while and have worked with PoE before many times.  I have some heavty APC units to supply power for a few hours.  In reality though, the site will shutdown if the power goes out for an extended period.  

Back to the issue at hand though..  i am new to VLANs, but not networking in general.

I would really like to know the details of the HP switch configuration.  I turned on routing, but i dont see anywhere to set routes up.  Thats kinda why i asked in the first place.  I also needed the other information pwindell has provided regarding the tag setup.

When we get the phones, the phone company will be providing 2610 units which also have advanced QoS.

Because it is a Hub & Spoke design,...every IP Segment is "directly connected" to the central router,...meaning the router already "knows" about them,...hence,...there are no "routes" to setup.  You only setup routes for IP Segments that are more than one hop away from the router you are dealing with.  If you use dynamic routing protocols (like RIP and other) then you don't even have to worry about that.  Another way to explain this is that routes point to routers,...you only have one router in the "center",...therefore there is no other router to point to,...therefore there are no "routes" to create.

The Internet connection was never discussed.  This has to be considered.  The difference will be in whether or not each site independently goes to the internet with their own independent firewall or if all sites use a common single firewall at one location.  This is important,..no overlook it.

oh this is a metro-E WAN, so no internet.

I don't mean connect to the Internet with the Metro WAN,...I mean if the network (any or all sites) connects to the Internet in any way, shape, or form not counting the Metro-WAN.

Sorry, was on vacation.

Yes, i understand.  Default route is required.  I plan to setup a subnet off my main network with some switches to verify what we have discussed above and of course the default route for internet.  Our main firewall can handle any lost puppies.

I dont mean to leave this open much longer.  We are still in the process of working things out with the new phone system that depends on this setup.  I may post more questions.  Either way, i should be able to close by mid october.

Ok

i am now working on this again.  I may post a question soon.  Just making sure everyone knows i have not abandoned it.  We are installing the phones soon, so i will be closing this in the next week or two.

I don't think I remember what it was about anymore.   I don't have the strength and stamina to read back through the whole thread again.  :-)

So I hope it works out as it is without rehashing anything.

Ok, i see what you mean by hub and spoke with this thing.  I was able to get the 2910 routing between local vlans.  Took me a few hours to figure out how to assign the IPs to the VLANs, then setup the default route and add ip helpers for dhcp.  

I essentially created two ports on the router for three different networks(segments).  Here is the more imporant part though.  Your visio example is great, that helped me wrap my head around the concept and apply tagged vs untagged.  I also did some searching on some other features the hp switches have.

The last issue i need to work out is the remote sites.  The three segments i created are locally connected to the switch and mainly meant for segmentation.   What i need to work out is the remote sites.  In your example you have one tagged vlan.  What i need are three vlans( one for voice, data, and secure wireless ).  If i set the ports on the 2510s to be untagged as say vlan 5(voice), vlan 10 (data) and vlan 15 (wireless) for each respective type, when i hook that cable from the fiber to the switch, does that port need to have each vlan assigned to it and set as "tagged"?   If so, what about ports that are not apart of any vlan but the default, do i need to do anything special with those ports?

Also, if i have that single uplink to the fiber port with the three tagged vlans on it, will all the broadcast traffic from each vlan be sent acrross the wan? ( i assume so, just want to be sure)  If this it the case, should i go ahead and enable routing on the 2600 units and use those as gateways to WAN?  I would essentially be using them as routers but they would route locally.

Attached is a diagram of what i was thinking.

I will say after putting it to "paper", i think it would make more sense, if the broadcasts are going to traverse the wan, to use option B.  Yes i have to setup routes in the main router for each remote subnet, but it would segment the traffic locally and block broadcasts.  Not to mention the VLAN configuration involved with option A would be large, possibly outside the capabilities of the 2910 in the future assuming each site adds three vlans.

Thoughts?

Thanks for your input, i am going to close this now, we are up and running.  No VLAN accross the WAN because of broadcasting issues, just routing :)

Thanks