Solved

VLAN and VLSM

Posted on 2009-05-14
1,771 Views
Last Modified: 2012-05-07
I have a network with 600 nodes. It is spread across 3 buildings on a single campus. There is a core switch and a number of edge switches, each of which has either a gigabit optical fibre connection (for linking areas where there is a high density of PCs) or a copper gigabit line back to the core switch. We have approximately 10 - 12 edge switches all linking back to the core using this hub-and-spoke topology. All switches are various incarnations of managed HP ProCurve switching hardware, with a Layer 3 capable switch at the core.

We are looking at implementing VLANs (the network is currently a flat network, all of which is running on a default VLAN on the core and edge switches).

Prior to rolling out VLANs site-wide, we are going to do a controlled test; all PCs on one particular edge switch will be placed onto their own VLAN (and therefore their own broadcast domain) to separate them from the main network segment. At present, all the devices running from this edge switch are running on DHCP. I need some assistance in the steps to configure this.

The first step is clearly to designate a subnet of IP addresses which this new VLAN will run on. Due to the way in which the network is configured, we have a fixed range of addresses: 10.3.36.0/22 (255.255.252.0) which gives the range 10.3.36.1 through 10.3.39.254.

At this stage, we are unable to change the subnet mask of any other PCs on the network, since the VLANs are not going to be rolled out site-wide. I am therefore hoping I can designate a subnet for the new VLAN (say, 10.3.39.0/27) and have this work via VLSM to the rest of the network. Firstly, is this possible? Can the main network work on 10.3.36.0/22 in the interim, while my new VLAN operates on 10.3.39.0/27 for test purposes?

Second, I need to properly understand where I configure this. Since all devices on the edge switch are going to be members of the same VLAN, I guess I have 2 options? Either: ignore the config on the Edge Switch, and simply set its uplink port on the core switch to be part of the new VLAN. Alternatively, make each port on the Edge a member of the new VLAN, and then assign the port at the core to this VLAN also. Would this be a problem?

I will then re-arrange DHCP so there is a dedicated scope for the new subnet. The address range used will be excluded from the current scope of addresses for the purposes of testing. Where do I configure the IP Helper for DHCP? At the edge switch or the core?

Finally, I have been looking at this and note a requirement for an 802.11Q VLAN ID. What exactly is this? Is it the subnet ID?

Thanks!
Question by:tigermatt
6 Comments
 
LVL 16

Accepted Solution

by: Aaron Street (earned 500 total points)
I would suggest giving a completely separate IP address range.

The IP address and mask tell the device/PC whether the device it is trying to get to is on the same network as itself.

Let's imagine this:

PC A is on your original network.

10.3.37.87/22  Default gateway 10.3.36.1

PC B on your subnet

10.3.39.10  255.255.255.224   Default gateway 10.3.39.1

OK, now PC B sends a packet to PC A's IP address (let's say a ping).

PC B looks at its IP address and subnet mask and can work out that PC A is on a different network, so it sends the packet to the default gateway (DFGW). This will be a router and, if the routing is set up correctly, it will send it to PC A's network.

Now the reply packet. PC A looks at its IP address, ITS SUBNET MASK, and PC B's IP address. It sees PC B as being on the same network as itself, so it will try to contact it directly without sending the packet to the DFGW! As PC B is on a separate VLAN, it will not be able to communicate with it and the packet has no way of getting to its destination!!!

Remember, when a PC is looking to send out a packet, it looks at its own IP and subnet mask and ONLY the IP of the destination system (it doesn't know the destination system's mask).

Now with a lot of fiddling around you can get this set up to work. However, much better would be to choose a second IP address range.

Why not choose a 192.168.x.x/24 range for your test network/VLAN?

You have exactly the same problem I have had in the past: splitting up a large network into chunks. You need to add new address ranges rather than split the current range you have; it will be much simpler, and means that you can keep all the rest of the PCs on the old network exactly as they are now (same subnet, same DFGW), create new IP ranges, and migrate PCs over as you go.

Each VLAN on your core router has an IP address assigned to it from its IP address range for the devices to use as their default gateway.

If you want it a bit clearer let me know and I will pull out some diagrams.

Also get hold of Packet Tracer from Cisco to test it out on (it's a nice network/router simulator).
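The asymmetric forwarding decision described in the accepted answer, as an added worked example (not part of the original thread or the answerer's own code). It reproduces the answer's two hosts (PC A on 10.3.37.87/22, PC B on 10.3.39.10/27) and adds a constructed third host on 192.168.50.10/24 to show the alternative the answer recommends; each host decides using only its own address, its own mask and the bare destination IP, which is exactly why the carved-out /27 breaks the return path while a distinct range does not.

```python
import ipaddress

# Constructed hosts taken from the scenario in the answer above.
PC_A = {"ip": "10.3.37.87", "mask": "255.255.252.0", "gateway": "10.3.36.1"}     # original flat /22
PC_B = {"ip": "10.3.39.10", "mask": "255.255.255.224", "gateway": "10.3.39.1"}   # /27 carved out of the /22
# Assumed third host on a separate range, per the answer's 192.168.x.x/24 suggestion.
PC_C = {"ip": "192.168.50.10", "mask": "255.255.255.0", "gateway": "192.168.50.1"}


def local_network(host):
    """Network a host believes it sits on, derived from its own IP and mask only."""
    return ipaddress.ip_interface(f"{host['ip']}/{host['mask']}").network


def next_hop(src, dst_ip):
    """Return 'direct' if src would ARP for dst on its own link, else the gateway it uses.

    The host never sees the destination's mask, so the decision is made purely
    against src's own network; that is the asymmetry the answer warns about.
    """
    if ipaddress.ip_address(dst_ip) in local_network(src):
        return "direct"
    return src["gateway"]


def path_is_symmetric(a, b):
    """True when both directions agree on using a router (or both go direct).

    A 'direct' attempt toward a host that is actually on another VLAN will
    never get an ARP reply, so a mismatch here means the reply is black-holed.
    """
    forward_routed = next_hop(a, b["ip"]) != "direct"
    reverse_routed = next_hop(b, a["ip"]) != "direct"
    return forward_routed == reverse_routed


def is_carved_out(test_net, existing_net):
    """True if the proposed test range lies inside the existing flat network."""
    return ipaddress.ip_network(test_net).subnet_of(ipaddress.ip_network(existing_net))


if __name__ == "__main__":
    for src, dst in ((PC_B, PC_A), (PC_A, PC_B), (PC_C, PC_A), (PC_A, PC_C)):
        print(f"{src['ip']:>14} -> {dst['ip']:<14} via {next_hop(src, dst['ip'])}")
    print("A<->B symmetric:", path_is_symmetric(PC_A, PC_B))
    print("A<->C symmetric:", path_is_symmetric(PC_A, PC_C))
    print("10.3.39.0/27 carved out of 10.3.36.0/22:", is_carved_out("10.3.39.0/27", "10.3.36.0/22"))
```

Running it prints PC B's packets going to 10.3.39.1 while PC A answers "direct", so the A/B pair is asymmetric; the A/C pair sends both ways through a gateway and is symmetric.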
 
LVL 58

Author Comment

by:tigermatt

I'm sorry - I should have made it more clear. The current network subnet cannot be changed. There's no two ways about it. 10.3.36.1 to 10.3.39.254 is what I have to work with.

Can I do this?
0
 
LVL 16

Expert Comment

by:Aaron Street
Sorry, the 802.1Q tagging is for sending traffic from multiple VLANs down a single physical link without getting them mixed up.

The sending switch attaches a tag to each frame which tells the receiving switch what VLAN the frame comes from.

The VLAN ID is exactly what you think: simply the number of the VLAN.

There are many ways you can set this up. You can even do it without VLANs if you wish, especially if you have a whole switch for the separate network. Then you simply run the routing on the port on the core switch where the access switch links back to.

However, better is to set up an IP address on the VLAN interface and trunk all the VLANs across the network. This is a nice way to do it because it means you could, say, have two PCs sitting next to each other plugged into the same switch but in different VLANs, so in different networks, or PCs across the site from each other sitting in the same VLAN and so in the same IP network.

Again, I can give you some more info on this.

As for the DHCP helper: any switch/router that has this function can be used, although most people do it on the same router that is running as the default gateway. Remember a DHCP request is a layer 2 packet, so the router must have at least one interface in the same VLAN as the PC requesting the address to be able to receive the request and forward it on to the DHCP server.
If you are using Windows DHCP then it's a 30 second job to set up a new scope. It then works like this.

DHCP server receives a request....

Is it an untagged request (comes from the local subnet)? If so, does the DHCP server have a scope with the local IP address range (a range in which its own IP address sits)? If so, reply with an IP; if not, ignore the packet.....

The request is a tagged packet (comes from a DHCP helper device). Check the tag and see what IP range it comes from; the DHCP helper attached a tag with its own IP address from the network it received the request on.
The DHCP server then checks to see if it has a scope in this range. If so, reply with an IP.. if not, ignore the packet...

This way a DHCP server can have multiple scopes and will always use the correct one depending where the request originated.

All I can say is get hold of Packet Tracer and have a good play before you go any further...

There are better simulators out there, but this one will get you going and has all the features to test what you are trying..
Also, if you have it, I even have a network file I should be able to send you showing most of the above in action.
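The scope-selection logic the comment above walks through (untagged request matched against the server's own subnet, relayed request matched against the helper's address), as an added example that is not from the thread or from any real DHCP server. The "tag" the helper attaches is the giaddr field of the BOOTP/DHCP fixed header (bytes 24-27), so the block builds a constructed header with that field set, reads it back, and picks the scope. It goes slightly beyond the comment by preferring the most specific scope when ranges overlap; the server address 10.3.36.5 and the 192.168.50.0/24 test scope are assumed values.

```python
import ipaddress
import struct

# Assumed DHCP server address and the scopes it has been configured with (constructed).
SERVER_IP = ipaddress.ip_address("10.3.36.5")
SCOPES = [
    ipaddress.ip_network("10.3.36.0/22"),      # existing flat network
    ipaddress.ip_network("192.168.50.0/24"),   # new test VLAN on a separate range
]

# BOOTP/DHCP fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr (options omitted for brevity).
_HDR = "!BBBBIHH4s4s4s4s16s"


def build_discover(giaddr="0.0.0.0", hops=0):
    """Build a constructed DHCPDISCOVER header; a relay fills giaddr and bumps hops."""
    return struct.pack(
        _HDR, 1, 1, 6, hops, 0x12345678, 0, 0x8000,
        bytes(4), bytes(4), bytes(4),
        ipaddress.ip_address(giaddr).packed, bytes(16),
    )


def relay(packet, helper_interface_ip):
    """What an IP helper does: stamp its receiving interface address into giaddr."""
    fields = list(struct.unpack(_HDR, packet))
    if fields[10] == bytes(4):                      # only the first relay sets giaddr
        fields[10] = ipaddress.ip_address(helper_interface_ip).packed
    fields[3] += 1                                  # hops
    return struct.pack(_HDR, *fields)


def giaddr_of(packet):
    """Relay-agent address carried in the request, or 0.0.0.0 if it was heard locally."""
    return ipaddress.ip_address(packet[24:28])


def select_scope(giaddr, scopes=SCOPES, server_ip=SERVER_IP):
    """Return the scope a server answers from, or None if it should ignore the request.

    0.0.0.0 means the request arrived untagged on the server's own segment, so the
    server's own address decides; otherwise the helper's address does. Scopes are
    tried most-specific first so an overlapping smaller range wins.
    """
    origin = ipaddress.ip_address(giaddr)
    if origin == ipaddress.ip_address("0.0.0.0"):
        origin = server_ip
    for net in sorted(scopes, key=lambda n: n.prefixlen, reverse=True):
        if origin in net:
            return net
    return None


def handle(packet):
    """Full path: read the tag out of the header, then choose the scope."""
    return select_scope(giaddr_of(packet))


if __name__ == "__main__":
    local = build_discover()                               # heard on the server's own VLAN
    relayed = relay(build_discover(), "192.168.50.1")      # helper on the test VLAN's gateway
    unknown = relay(build_discover(), "172.16.0.1")        # VLAN with no scope configured
    for name, pkt in (("local", local), ("relayed", relayed), ("unknown", unknown)):
        print(f"{name:>8}: giaddr={giaddr_of(pkt)} -> scope {handle(pkt)}")
```

The helper's address must be an interface on the VLAN the client broadcast on, which is why the comment says the relaying router needs a leg in that VLAN; it is also why the relay is normally run on the default-gateway router, whose VLAN interface address is the one the server then matches against its scopes.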
 
LVL 16

Expert Comment

by:Aaron Street
Why can't it be changed?

You are not going to change the current network subnet.. it will stay identical!

You will only be changing the IP range and subnet of the test network PCs. Everything else will stay identical.....

I had the same issue where I could not touch the existing network...

The only way to allow this is to use a new range for the new part of the network. Otherwise you get into having to add static routes to every PC, and strange routes on the routing equipment.
 
LVL 16

Expert Comment

by:Aaron Street
Below is the diagram of it if you do it without VLANs.

With VLANs the logical view is the same, although the physical location of the devices may be spread over all the switches.
[attachment: test.jpg]
 
LVL 58

Author Comment

by:tigermatt
Yeah, you're right. I should have realised we couldn't create a subnet within a subnet.

The subnets cannot be changed and we cannot create new subnets because we have a managed Internet service, and this is controlled by our ISP. If we introduce any additional subnets we run the risk of having our service terminated. Not ideal, it needs a better firewall, but it's what we have to live with.

-Matt