Solved

VLAN and VLSM

Posted on 2009-05-14
6
1,777 Views
Last Modified: 2012-05-07
I have a network with 600 nodes. It is spread across 3 buildings on a single campus. There is a core switch and a number of edge switches, each of which has either a gigabit optical fibre connection (for linking areas where there is a high-density of PCs) or a copper gigabit line back to the core switch. We have approximately 10 - 12 edge switches all linking back to the core using this hub-and-spoke topology. All switches are various incarnations of managed HP ProCurve switching hardware, with a Layer 3 capable switch at the core.

We are looking at implementing VLANs (the network is currently a flat network, all of which is running on a default VLAN on the core and edge switches).

Prior to rolling out VLANs site-wide, we are going to do a controlled test; all PCs on one particular edge switch will be placed onto their own VLAN (and therefore their own broadcast domain) to separate them from the main network segment. At present, all the devices running from this edge switch are running on DHCP. I need some assistance in the steps to configure this.

The first step is clearly to designate a subnet of IP addresses which this new VLAN will run on. Due to the way in which the network is configured, we have a fixed range of addresses: 10.3.36.0/22 (255.255.252.0) which gives the range 10.3.36.1 through 10.3.39.254.

At this stage, we are unable to change the subnet mask of any other PCs on the network, since the VLANs are not going to be rolled out site-wide. I am therefore hoping I can designate a subnet for the new VLAN (say, 10.3.39.0/27) and have this work via VLSM to the rest of the network. Firstly, is this possible? Can the main network work on 10.3.36.0/22 in the interim, while my new VLAN operates on 10.3.39.0/27 for test purposes?

Second, I need to properly understand where I configure this. Since all devices on the edge switch are going to be members of the same VLAN, I guess I have 2 options? Either: ignore the config on the Edge Switch, and simply set its uplink port on the core switch to be part of the new VLAN. Alternatively, make each port on the Edge a member of the new VLAN, and then assign the port at the core to this VLAN also. Would this be a problem?

I will then re-arrange DHCP so there is a dedicated scope for the new subnet. The address range used will be excluded from the current scope of addresses for the purposes of testing. Where do I configure the IP Helper for DHCP. At the edge switch or the core?

Finally, I have been looking at this and note a requirement for an 802.11Q VLAN ID. What exactly is this? Is it the subnet ID?

Thanks!
0
Comment
Question by:tigermatt
  • 4
  • 2
6 Comments
 
LVL 16

Accepted Solution

by:
Aaron Street earned 500 total points
ID: 24389939
I would suggest giving a completly seperate IP address range.

the ip address and mask tells the device/pc if the device it is trying to get to is on the same network as its self.

lets imagen this

PC A is on your origianl net work.

10.3.37.87/22  Default gate way 10.3.36.1

PC B on your subnet

10.3.39.10  255.255.255.224   Defualt gateway 10.3.39.1

ok now PC B sends a packet to pc A's ip address (lets say a ping)

PC B looks at its ip address and subnet mask and can work out that PC A is on a different network. so send the packet to the Default gateway (DFGW) this will be a router and if the routing is set up correctly send it to the PC A network.

now the reply packet.. PC A looks at its IP addres ITS SUBNET MASK and PC B ip address. It sees PC B as being on the same network as its self. so will try to contact it directly with out sending the packet to the DFGW! as PC B is on a seperate VLAN it will not be able to communicate with it and the packet has no way of getting ot its destination!!!

REmber when a PC is looking to send out a packet. it looks at its own IP and Subnet mask and ONLY the IP of the destination system. (it dosent know the destination system mask)

Now with a lot of fiddeling around you can get this set up to work. however much better would be to chose a second ip address range.

why not chose a 192.168.x.x/24 range for you test network/vlan.

you have exactly the same problem I have had in the past. splitting up a large network in to chunks. you need to add new address ranges rather than split the current range you have, it will be much simpler. and means that you can keep all the rest of the PC's on the old network exactly as they are now same subnet same DFGW, create new ip ranges and migrate PC's over as you go.

each vlan on you core router has an ipaddress assigend to it from its ip address range for the ddevices to use as there default gate way.

IF you want it a bit clearer let me know and I will pull out dsome digrams.

Also get hold of packet tracer from cisco to test it out on (its a nice network/router simulator)
0
 
LVL 58

Author Comment

by:tigermatt
ID: 24389989

I'm sorry - I should have made it more clear. The current network subnet cannot be changed. There's no two ways about it. 10.3.36.1 to 10.3.39.254 is what I have to work with.

Can I do this?
0
 
LVL 16

Expert Comment

by:Aaron Street
ID: 24390069
sorry the 802.1q tagging is for sending traffic from mutiply vlans down a single physical link with out gettign them mixed up.

the sending switch attacches a tag to each frame which tells the recivign swith what VLAN the frame comes from.

teh VLAN id is exactly what you think. simply the number of the vlan.



there are many ways you can set this up. you can even do it with out vlans if you wish. espicaly if you have a whole switch for the seperate network. then you simple run the routing on the port on the core switch where the access swith links back to.

however better is to set up an IP address on the VLAn interface and trunk all the VLANS across the network. this is a nice way to do it becasue it means you could say have two PC's sitting next to each other pluged in to the same switch. but in different vlans so in differnt network. or pcs across site from eachother sitting in the same valn and so in the same ip network..

again I can give you some more info on this

AS for dhcp helper. any switch/router that has this function can be used. although most people do it on the same router that is running as the default gateway. rember a DHCP request is a layer 2 packet. so the router must have at least one interface in the same VLAn as the PC requesting the address to be able to recive the request and forward it on to the DHCP server.
if you are using windows DHCP then its a 30 second job to set up a new scope. it then works like this.

dhcp server recives a request....

is it a untaged request (comes from local subnet) if so does the DHCP server have a scope with the local ip address range (a range in which its own IP address sits) if so reply with a ip if not ignore the packet.....

the requests is a taged packet (come form a DHCP helper device). check the tag and see what ip range it comes from, the DHCP helper attached a tag with its own ipaddress from the network it recived the request on.
the DHCP server then check to see if it has a scope in this range. if so reply with an IP.. if not ignore the packet...

this way a DHCP server can have mutiply scopes and will always use the correct one depening whre the request originated.

All i can say is get hold of packet tracer and have a good play before you go any further...

there are better simulators out there, but this one will get you going and has all the features to test what you are trying..
Als if you haveit I even have a network file I should be able to send you showing most of the above in action.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 16

Expert Comment

by:Aaron Street
ID: 24390102
why cant it be changed?

you are not going to change the current network subnet.. it will stay identical!

you will only be chainging the ip range and sub net of the test network PC. every thing else will stay identical.....

i had the same issue where I could not touch the existing network...

the only way to allow this is to use a new range for the new part of the network. other wise you get in to having to add static routes to every PC, and strange routes on the routing equipment.
0
 
LVL 16

Expert Comment

by:Aaron Street
ID: 24390152
below is the digram of it if you do it with out vlans.

with vlans the locical view is the same, althought the physical location of the ddevices may be spread over all the switchs.
test.jpg
0
 
LVL 58

Author Comment

by:tigermatt
ID: 24482482
Yeah, you're right. I should have realised we couldn't create a subnet within a subnet.

The subnets cannot be changed and we cannot create new subnets because we have a managed Internet service, and this is controlled by our ISP. If we introduce any additional subnets we run the risk of having our service terminated. Not ideal, it needs a better firewall, but it's what we have to live with.

-Matt
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco RSTP portfast 3 53
fiber and Gig ports on 3650 5 40
using BGP Attributes 2 36
HP Switches - Stacked to the max but need more ports, can I? 3 41
Hi there, This article summarizes what you need if you are going to set up your home or small business Network Attached Storage (NAS) to be accessible from the internet. Of course there are configuration differences based on your NAS or router ma…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now