
Single DHCP server for 3 VLANs on ProCurve 2610

Posted on 2010-09-11
Last Modified: 2012-05-10
Hello,

I'm trying to set up the following configuration.
I have a single DHCP server on a W2K8 server (single NIC) and a ProCurve 2610 switch (has layer 3 routing features). I want to create 3 VLANs: one with the DC, webfilter and router, one for the student network, and a third for teachers. The student and teacher networks must be able to reach the first network but not each other.
How do I set this up?

Thanx
0
Question by:Hitconsult
12 Comments
 
LVL 8

Expert Comment

by:ludo_friend
ID: 33652522
Hi there

Easy :) On the IP interface of each VLAN on the ProCurve, assign an "ip helper-address 1.1.1.1" (1.1.1.1 being your W2K8 DHCP server).
0
 
LVL 1

Expert Comment

by:santoso-g
ID: 33653692
Basically you will need to set up an ACL (Access Control List) so that the second and third networks (source IP) are permitted to go to the first network (destination IP). The second network (source IP) is denied entry to the third network (destination IP). The third network (source IP) is denied entry to the second network (destination IP).
The first network (source IP) can be set to either permitted or denied towards the second and third networks (destination IP), depending on your scenario. In Cisco, there is a parameter "established" to permit the first network to go to the second or third network only if the IP communication comes from the second or third network first.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 33654341
The HP 2610 has support for access control lists, so you can use these to restrict where traffic can flow.

You will also need to set up a helper address on each VLAN that requires DHCP and is not on the same VLAN as the DHCP server, and set up appropriate scopes (or a superscope) on the DHCP server.

You may have issues with the capabilities of the 2610 ACLs for what you are trying to achieve. It is better to establish your infrastructure requirements before specifying hardware...
0

 

Author Comment

by:Hitconsult
ID: 33654883
Hello,

I will configure the VLANs, IP helper addresses and the ACL. I will keep you posted on the progress.

Thanx
0
 
LVL 1

Accepted Solution

by:
santoso-g earned 800 total points
ID: 33655625
And do not forget to make sure the routing works well (any network can ping the other networks) before applying the ACL. If the routing does not work well in the first place, you'll have a terrible time troubleshooting your ACL.
Steps to configure your HP ProCurve:
- Create 3 VLANs.
- Put at least one IP device (PC or laptop) in each VLAN with a static IP address. Two devices per VLAN are recommended. You can also move a device from one network to another for testing.
- Make sure you can only ping devices in the same VLAN. You should not be able to ping a device in another VLAN.
- Create routing in the HP ProCurve so that all devices can ping each other even if they are not in the same VLAN.
- Remove the static IP addresses from all your devices (PC or laptop) and set their IP configuration to automatic (DHCP). NOTE: Make sure your DHCP server has a static IP address and is placed in the first VLAN.
- Configure ip helper-address in the HP ProCurve and make sure all your devices (PC or laptop) get an IP address from the DHCP server.
- Test ping again from one VLAN to another and make sure the devices (PC or laptop) can ping each other, since you have not configured the ACL yet.
- Configure the ACLs one by one and test each ACL. Do not try to configure all the ACLs at one time, since it will make testing take much longer.
0
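The "configure one ACL, then test" step above can be rehearsed offline before touching the switch. The following is an added example, not code from any poster in this thread: a first-match ACL model in Python that runs the reachability matrix for the policy in the question. The subnets and the server 192.168.254.200 come from the asker's later posts; the `.50` hosts, the rule layout and the assumption that the ACL is applied inbound and also sees the client's DHCP broadcast are constructed for illustration.

```python
import ipaddress

# VLAN subnets from the "show run" posted further down this thread.
MAIN = ipaddress.ip_network("192.168.254.0/24")      # vlan 10 "Main"
STUDENTS = ipaddress.ip_network("192.168.252.0/24")  # vlan 20 "Leerlingen"
STAFF = ipaddress.ip_network("192.168.251.0/24")     # vlan 30 "Secretariaat"
ANY = ipaddress.ip_network("0.0.0.0/0")
BROADCAST = ipaddress.ip_network("255.255.255.255/32")
DHCP_SERVER_PORT = 67  # protocol (UDP) is not modelled, only the destination port

def inbound_acl(own, other, allow_dhcp=True):
    """Constructed ACL for traffic entering from one user VLAN (first match wins).
    Rules are (action, source net, destination net, destination port or None)."""
    acl = [("deny", own, other, None),    # block the other user VLAN
           ("permit", own, MAIN, None)]   # allow the shared network
    if allow_dhcp:  # a client's first DHCP request is 0.0.0.0 -> 255.255.255.255
        acl.insert(0, ("permit", ANY, BROADCAST, DHCP_SERVER_PORT))
    return acl

def evaluate(acl, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet; unmatched packets are denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, port in acl:
        if src in src_net and dst in dst_net and port in (None, dport):
            return action
    return "deny"  # implicit deny that ends every ACL

def failed_checks(acl_students, acl_staff):
    """Run the reachability matrix for the policy in this thread; list failures."""
    cases = [  # .50 hosts are constructed; .254.200 is the server named in the thread
        ("students->main", acl_students, "192.168.252.50", "192.168.254.200", None, "permit"),
        ("students->staff", acl_students, "192.168.252.50", "192.168.251.50", None, "deny"),
        ("staff->main", acl_staff, "192.168.251.50", "192.168.254.200", None, "permit"),
        ("staff->students", acl_staff, "192.168.251.50", "192.168.252.50", None, "deny"),
        ("students dhcp", acl_students, "0.0.0.0", "255.255.255.255", 67, "permit"),
        ("staff dhcp", acl_staff, "0.0.0.0", "255.255.255.255", 67, "permit"),
    ]
    return [name for name, acl, s, d, p, want in cases if evaluate(acl, s, d, p) != want]

if __name__ == "__main__":
    for dhcp in (True, False):
        failures = failed_checks(inbound_acl(STUDENTS, STAFF, dhcp),
                                 inbound_acl(STAFF, STUDENTS, dhcp))
        print("DHCP rule present:", dhcp, "-> failed checks:", failures)
```

With the DHCP rule left out, the two DHCP cases fail because the client's source address 0.0.0.0 matches neither subnet rule and falls through to the implicit deny, which is why DHCP is worth re-testing after each ACL is applied.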
 

Author Comment

by:Hitconsult
ID: 33670648
Hello,

I did the configuration of the static routes between VLANs. As long as I'm using telnet, I can ping between VLANs, but when I try to ping using the command prompt it doesn't work. Did I forget something?

Thanx
0
 

Author Comment

by:Hitconsult
ID: 33670828
Hello,

When I try to use the IP address of the vlan as gateway I get an error that the switch IP address must not be the same as the gateway.

example :

VLAN 1 : ip = 192.168.254.1
VLAN 2 : ip = 192.168.253.1
VLAN 3 : ip = 192.168.252.1

ip route 192.168.253.0/24 192.168.253.1 (says that 192.168.253.1 can't be used as gateway and Switch IP address)

What am I doing wrong??

Thanx
0
 

Author Comment

by:Hitconsult
ID: 33672203
After a few modifications I am able to ping some devices in other VLANs but not all. For example, there is a server on 192.168.254.200 and a client PC at 192.168.254.190; I can ping the client 2 from a PC on VLAN 20 but not the server (server and client 2 are on VLAN 10).

This is my show run

hostname "ProCurve Switch 2610-24"
ip routing
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1
   ip address 192.168.250.1 255.255.255.0
   no untagged 2-28
   exit
vlan 10
   name "Main"
   untagged 21-28
   ip address 192.168.254.1 255.255.255.0
   exit
vlan 20
   name "Leerlingen"
   untagged 2-12
   ip address 192.168.252.1 255.255.255.0
   exit
vlan 30
   name "Secretariaat"
   untagged 13-20
   ip address 192.168.251.1 255.255.255.0
   exit
ip route 0.0.0.0 0.0.0.0 192.168.254.221
0
 

Author Comment

by:Hitconsult
ID: 33675282
Hello,

I found the answer to the ping problem: every device needs the IP address from its VLAN as gateway. The problem is the webfilter and cable router; I can't change their gateway. If I don't change the gateway settings, no PC can reach the webfilter or cable router.

Please advise
0
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 200 total points
ID: 33675616
What platform is the webfilter running on?

I would hope that it would be able to have static routes added to it...

0
 

Author Comment

by:Hitconsult
ID: 33711495
Hi all,

I got the VLANs working. I'm setting up the ACLs. I'm going to use extended ACLs, but can any one of you tell me if the interface number is in fact the switch IP address of the VLAN? I have three VLANs; do I use interface 1 for the first VLAN, interface 2 for the second and interface 3 for VLAN 3?

Thx
0
 

Author Closing Comment

by:Hitconsult
ID: 33756818
Thanx everyone
0
