• Status: Solved

Single DHCP server for 3 VLAN's on Procurve 2610

Hello,

I'm trying to set up the following configuration.
I have a single DHCP server on a W2K8 server (single NIC) and a Procurve 2610 switch (has layer 3 routing features). I want to create 3 VLANs: one with the DC, webfilter and router, one for the student network, and the third for teachers. The student and teacher networks must be able to reach the first network but not each other.
How do I set this up?

Thanx
Asked:
Hitconsult
ludo_friend Commented:
Hi there

easy :) on the ip interface of each vlan on the procurve, assign an "ip helper-address 1.1.1.1 " (1.1.1.1 being your w2k8 dhcp server)
 
santoso-g Commented:
Basically you will need to set up an ACL (Access Control List) so that the second & third networks (source IP) are permitted to go to the first network (destination IP). The second network (source IP) is denied from entering the third network (destination IP). The third network (source IP) is denied from entering the second network (destination IP).
The first network (source IP) can be set as either permitted or denied to the second and third networks (destination IP), depending on your scenario. In Cisco, there is a parameter "established" to permit the first network to go to the second or third network only if the IP communication comes from the second or third network first.
 
ArneLovius Commented:
The HP 2610 has support for access control lists, so you can use these to restrict where traffic can flow.

You will also need to set up a helper address on each VLAN that requires DHCP and is not on the same VLAN as the DHCP server, and set up appropriate scopes (or a superscope) on the DHCP server.

You may have issues with the capabilities of the 2610 ACLs for what you are trying to achieve. It is better to establish your infrastructure requirements before specifying hardware...
Hitconsult (Author) Commented:
Hello,

I will configure the VLANs, IP helper addresses and the ACL. I will keep you posted on the progress.

Thanx
 
santoso-g Commented:
And do not forget to make sure the routing works well (any network can ping the other networks) before applying the ACL. If the routing does not work well in the first place, you'll have a terrible time troubleshooting your ACL.
Steps to configure your HP Procurve:
- Create 3 VLANs.
- Put at least one IP device (PC or laptop) in each VLAN with static IP addresses. Two devices per VLAN are recommended. You can also move a device from one network to another for testing.
- Make sure you can only ping devices in the same VLAN. You should not be able to ping a device in another VLAN.
- Create routing in the HP Procurve so that all devices can ping each other even if they are not in the same VLAN.
- Remove the static IP addresses from all your devices (PC or laptop) and set their IP configuration to automatic IP from DHCP. NOTE: Make sure your DHCP server has a static IP address and is put in the first VLAN.
- Configure ip helper-address in the HP Procurve and make sure all your devices (PC or laptop) get an IP address from the DHCP server.
- Test ping again from one VLAN to another and make sure the devices (PC or laptop) can ping each other, since you have not configured the ACL yet.
- Configure the ACLs one by one and test each ACL. Do not try to configure all ACLs at one time, since it will make testing time much longer.
0
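
A model of the ACL policy santoso-g describes and of the final "test each ACL" step, as an added example that is not part of any post in this thread: it evaluates first-match, stateless ACLs over the subnets from the show run posted further down, and shows why denying Main towards the other VLANs breaks replies when the filter has no "established" equivalent. The per-VLAN inbound ACL placement, the student and staff host addresses, and all function names are assumptions made for the illustration; this is Python, not ProCurve syntax.

```python
import ipaddress as ip

# Subnets taken from the "show run" posted in this thread.
MAIN = ip.ip_network("192.168.254.0/24")      # VLAN 10 "Main"
STUDENTS = ip.ip_network("192.168.252.0/24")  # VLAN 20 "Leerlingen"
STAFF = ip.ip_network("192.168.251.0/24")     # VLAN 30 "Secretariaat"
ANY = ip.ip_network("0.0.0.0/0")

def first_match(acl, src, dst):
    """Evaluate an ordered ACL: first matching entry wins, no match = deny."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def round_trip(policy, src, dst):
    """Stateless filtering: the request must pass the inbound ACL of the
    sender's VLAN AND the reply must pass the inbound ACL of the target's VLAN."""
    def inbound(addr):
        for net, acl in policy.items():
            if ip.ip_address(addr) in net:
                return acl
        return []  # unknown subnet: nothing permitted
    return (first_match(inbound(src), src, dst)
            and first_match(inbound(dst), dst, src))

# Inbound ACL per VLAN (constructed to follow the policy described above).
POLICY = {
    STUDENTS: [("deny", STUDENTS, STAFF), ("permit", STUDENTS, ANY)],
    STAFF:    [("deny", STAFF, STUDENTS), ("permit", STAFF, ANY)],
    MAIN:     [("permit", MAIN, ANY)],
}

# Variant: Main denied towards the other VLANs, with no "established" keyword.
STRICT_MAIN = dict(POLICY)
STRICT_MAIN[MAIN] = [("deny", MAIN, STUDENTS), ("deny", MAIN, STAFF),
                     ("permit", MAIN, ANY)]

def matrix(policy):
    # Server address is from the thread; the other two hosts are constructed.
    hosts = {"server": "192.168.254.200", "student": "192.168.252.10",
             "staff": "192.168.251.10"}
    return {(a, b): round_trip(policy, hosts[a], hosts[b])
            for a in hosts for b in hosts if a != b}

if __name__ == "__main__":
    for name, pol in (("policy", POLICY), ("strict main", STRICT_MAIN)):
        for (a, b), ok in matrix(pol).items():
            print(f"{name:12} {a:>8} -> {b:<8} {'ok' if ok else 'blocked'}")
```

Running the matrix after each rule is added is the scripted equivalent of the ping-after-every-ACL routine in the steps above.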
 
Hitconsult (Author) Commented:
Hello,

I did the configuration of the static routes between VLANs. As long as I'm using telnet, I can ping between VLANs, but when I try to ping using the command prompt it doesn't work. Did I forget something?

Thanx
 
Hitconsult (Author) Commented:
Hello,

When I try to use the IP address of the vlan as gateway I get an error that the switch IP address must not be the same as the gateway.

example :

VLAN 1 : ip = 192.168.254.1
VLAN 2 : ip = 192.168.253.1
VLAN 3 : ip = 192.168.252.1

ip route 192.168.253.0/24 192.168.253.1 (says that 192.168.253.1 can't be used as gateway and Switch IP address)

What am I doing wrong??

Thanx
 
Hitconsult (Author) Commented:
After a few modifications I am able to ping some devices in other VLANs but not all. For example, there is a server on 192.168.254.200 and a client PC at 192.168.254.190; I can ping the client 2 from a PC on VLAN 20 but not the server (server and client 2 are on VLAN 10).

This is my show run

hostname "ProCurve Switch 2610-24"
ip routing
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1
   ip address 192.168.250.1 255.255.255.0
   no untagged 2-28
   exit
vlan 10
   name "Main"
   untagged 21-28
   ip address 192.168.254.1 255.255.255.0
   exit
vlan 20
   name "Leerlingen"
   untagged 2-12
   ip address 192.168.252.1 255.255.255.0
   exit
vlan 30
   name "Secretariaat"
   untagged 13-20
   ip address 192.168.251.1 255.255.255.0
   exit
ip route 0.0.0.0 0.0.0.0 192.168.254.221
 
Hitconsult (Author) Commented:
Hello,

I found the answer to the ping problem: every device needs the IP address of its VLAN as gateway. The problem is the webfilter and cable router; I can't change their gateway. If I don't change the gateway settings, no PC can reach the webfilter or cable router.

Please advise
 
ArneLovius Commented:
What platform is the webfilter running on?

I would hope that it would be able to have static routes added to it...

 
Hitconsult (Author) Commented:
Hi all,

I got the VLANs working. I'm setting up the ACLs. I'm going to use extended ACLs, but can any of you tell me if the interface number is in fact the switch IP address of the VLAN? I have three VLANs; do I use interface 1 for the first VLAN, interface 2 for the second and interface 3 for VLAN 3?

Thx
 
Hitconsult (Author) Commented:
Thanx everyone
Question has a verified solution.