Help with VLAN Routing Setup

Hi All,

Due to expansion I've had to look into setting up a VLAN for the first time on our HP switches. We have 1 4104gl core switch, 3 2650's and 3 1700s.

Our subnet is running off the default_VLAN / I have setup VLAN2 on / as a test on a 2650 switch. I've set port 23 and 24 as un-tagged. When I plug 2 test machines into those ports and configure static addresses I can ping each machine on the subnet but can't ping anything on the subnet?

What do I need to do to get each subnet communicating?  Is it possible to have the two subnets talking to each other when VLAN2 is setup on one switch and no router is present?
Do I need to configure some kind of IP routing on the switch?

Ultimately, I'd like all our VPN users to gain an IP address from / But still be able to access the for E-mail and other applications. Any suggestions on the best way to configure each switch are appreciated.



Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You will need a router to get communication between the VLANs.  what is your current router? Brand? Model?  Configure some subinterfaces on the router, and enable dot1.q encapsulation on the subinterfaces. I would also set up  a dhcp scope on the router for your new vlan.  I work mostly with Cisco, that will be where I can provide the most help. I am familiar with HP's Procurves and thier vlan configurations also.
I'm  sorry, it looks as though the 4100 series can do some basic routing.  I will try to produce some documentation, or someone else who is more familiar than I can field the question.
Some people on this forum don't feel this model is adequate for Routing.  Ill wait to hear what you are using for your router on the network.
Put Your Flow Data to Work

SolarWinds® Flow Tool Bundle combines three easy-to-download, easy-to-use flow analysis tools that can help you quickly distribute, test, and configure your flow traffic.

jfreckeltomAuthor Commented:
HI Sharedit,

Thank-you for replying. Our main router or similar is a SonicWall Pro 4060 firewall. At present we have a couple of other subnets running of the LAN interfaces. The SonicWall provides the routing between them. We don't any Cisco hardware at present or a physical stand alone router. We do however have a spare SonicWall firewall a pro 3060, which I think could act as a router.

So even if VLAN2 is setup on only on 1 2650 it wont be able to communicate with the default_VLAN unless a router bridges the connection?

Also I take it I need to also setup VLAN2 with the same subnet on the other remaining switches?

Thanks again.  
I will never understand people using 192.168.x.x on production, it is ment to be use for home network.
It is more beneficiar to switch IP to for example, use "logical " blocks /24 , and separations with VLAN's. - office - guests - contractors - VPN users -  remote branch
 and so this case you have 65K adresses available to you.
This way much more easy meanage securty, and will make live easier too.
Sorry, did not put correct numbers
on - office - guests - contractors - VPN users -  remote branch
are you familiar with the HP web gui?

you will want to setup your vlans. On any trunked link, which will be the link between your switch and router, and also switch to switch if you are passing vlans between them, leave the native vlan as untagged and set the new vlan up as tagged on those particular ports.  

I recently did this with some procurves for the first time, and I do recall it being that simple.

I have attached a pdf which explains vlan subinterfaces on sonicwalls

I am not to familiar with sonicwall I just happened to have the PDF. at the end of it it explains how to set up a dhcp scope on the sonicwall for that vlan.  

If the sonicwall truly is a firewall then it might not be able to do the routing back to your network, if it is a router as well I would expect it to work.  

As for your IP scheme, I don't really have a problem with it.  

With NAT it really doesn't matter what your IP range is, but if you are going to use a standard 192.168.x.x IP you will need to be conscious of the fact that if your office happens to be using 192.168.1.x, and your VPN user at home has the same IP scheme, which is possible with such a common default IP setting, they can have problems connecting and working remotely because the networks on both ends will have the same IPs, which makes routing difficult.

additionally if you were going to pick some odd ball 12.214.46.x  you might one day find you cant browse to some URL because the URL resolved to an IP on you network.  I wonder what the odds of that happening are?

also, i dont find this:

any easier to distinguish than this:

10.10.2.x/24 was ment still on /16, did put /24 by mistake.
jfreckeltomAuthor Commented:
Sharedit, Thanks for the PDF and for being so helpful.

We are just in the process of reviewing the PDF and thinking about how we are going to split the resources into different subnets like dkarpekin suggested.

I did advise do only one subnet........
but assign IP to resources by "blocks"- each block- ~254 addresses, and group them by VLAN's as well..........this way you dont need "extra" routers on networks (you need router to connect diffrent networks)
Single router on will handle all VLAN's agregation.
For example:
all "office PC"- be with in range of IP on VLAN1 (you can use two blocks, if you'll think, you might need more eventually)
all "servers farm/routers"- within on"trunk" be able see all VLAN's
all "test equipment"- within on VLAN2
all "VPN users" - within on VLAN3

and so on............

This way- diffrent VLAN cannot "see" each other -
i.e "office PC" will not see "test equipment"- or "VPN users"  , but on same time, they can access "shared resources"- "servers farm/routers".
Enforce security will be easy to do base on those "logical" blocks, use ACL.
This is general idea, and it will need to bee supported by proper hardware.

Puting multipale routers can lead to "nighmare" to manage/enforce security, and provide shared resources.
I was confused at first but I think what dkar is suggesting will depend on your Server NICs being able to be assigned to different VLANs.  Or having multiple NICs

This would work but I think the subnet will need to be /24.  /16 will put everyone on the same network, your router/firewall will require subinterfaces (for routing internet traffic out and back in), and each subif will need to be on a different network.
10.10.1.x/16 is on the same network as 10.10.4.x/16. the router would not know where to send because that address is contained on both of those networks.  I would guess you would never get to that point, Im sure the router wouldnt let you assign the same network to multiple interfaces.

Each VLAN would use a different IP to get to the same server, and each VLAN would have its own default gateway.

jf, is the new vlan to seperate your network or are you just expanding the number of available addresses you can use? just curious as to the purpose? you mentioned expansion.
jfreckeltomAuthor Commented:
Hi All. Thanks for all your comments, but I finally found the solution from another thread. Turns out that Sonicwalls do not work well with VLANS when you configure the Sonicwall VLAN support. It just cannot handle packets coming/going via different IPs on the same X4 interface port. So I reverted to a standard interface port on the Sonicwall, added all VLANs as network address objects and then created a static route for each VLAN subnet, using the SW X4 interface and the Pimary IP of the switch as the gateway.

I then enabled "IP Routing" on the switch, set all clients to have a D/G specific to the VLAN IP of the switch they were on, created a default route on the switch to the Sonicwall interface IP and hey presto. VLAN clients can communicate across VLANs and also see other physical subnets via the Sonicwall and vice versa.

As an aside, I also got DHCP working from one central Win2k3 DHCP server on the Production VLAN, serving all VLAN subnets. To do this I created standard scopes for every VLAN subnet on the DHCP server, I then enabled DHCP relay, DHCP snooping and DHCP Option 82 (with append) globally on the switch. I then added an IP Helper entry pointing to the DHCP server for every VLAN. Worked straight away and now I have one DHCP server serving multiple VLAN subnets.

Thanks all

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
I told you a firewall would not route traffic out the same interface it came in on.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Switches / Hubs

From novice to tech pro — start learning today.