cityofpasco

asked on

Reconfigure network from flat layer 2 to routing switch and VLANs.

I am charged with reconfiguring a network that has moved from wireless modems to fiber optic. VLANs for each remote site have been created to organize the network by location and function. A VOIP VLAN will span the entire network. The traffic for the remote sites is being tunneled by a third party and terminates on Port 1 of an HP ProCurve 3500yl-48 routing switch. The routing switch connects via Port 12 to a layer 2 top switch that connects to the firewall and other switches. The top switch and all other switches not connected to the routing switch have co-mingled IP addresses (192.0.0.0/24 and 192.168.0.0/24). All devices on those two segments are statically assigned. DHCP has been implemented for the VLANs at the remote sites. That is working fine.
Just recently I implemented VLAN 103 and found workstations with Windows 7 (192.168.103.x) cannot stay connected to Outlook (192.0.0.246). They continue to build sessions to a maximum and then error out. A tracert from workstation to the email server fails to the count of 30. A ping is returned in <1ms. When I checked the other VLANs for traceroutes, I found they all fail at their gateways (192.168.xx.5). The routing switch fails as well (192.168.100.5). I've included information in attached files to help show current configurations. I've also included the results of traceroutes from each VLAN top switch at the remote sites to the email server (192.0.0.246) and another server (192.168.0.214). The VLAN 103 switch is the only switch that is connected directly by fiber to the routing switch at Port 47.
I need another set of eyes to see if there is a misconfiguration or a better way of implementation.
MyNetworkTopologyNowandFuture.vsd
FW-VLANConfiglayout.xlsx
Fidelius

Hi cityofpasco,

First of all, thanks for the supplied .vsd. It helps a lot, but please name the switches (something like SW1, SW2, etc.). This way it is easier to know which switch we are talking about.

As a first suggestion, you should change the 192.0.0.0/24 range to some 192.168.x.x range. You can find the explanation here: http://whois.domaintools.com/192.0.0.0
Pay attention to the following paragraph: "Addresses from this range SHOULD NOT be used as an alternative to the private IPv4 address ranges assigned by the IETF in the Best Current Practice document, RFC 1918."

Second, try to have 1 IP range = 1 VLAN; it will simplify communication and we will be able to troubleshoot more easily.

A few questions to clarify the situation:
Is your topology now the same as the Goal topology?
Who has the address 192.168.100.203?
Please provide the routing tables from the firewall and the 3500 switch.

Thanks in advance!

Regards,
--
Fidelius
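As an added example (not code from this thread), a small Python audit of an address plan against the two recommendations above: renumber anything outside RFC 1918 space and keep one IP range per VLAN. The plan is constructed from the subnets in the question; the VLAN 1 gateway addresses are assumed.

```python
import ipaddress

# RFC 1918 private blocks; 192.0.0.0/24 (IETF protocol assignments) is NOT among them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed plan modelled on the question: VLAN id -> [(subnet, gateway), ...].
# VLAN 1 carries the co-mingled 192.0.0.0/24 and 192.168.0.0/24 segments; its
# gateway addresses are assumed. The remote-site VLANs use the .5 gateways from the question.
PLAN = {
    1:   [("192.0.0.0/24", "192.0.0.1"), ("192.168.0.0/24", "192.168.0.1")],
    100: [("192.168.100.0/24", "192.168.100.5")],
    103: [("192.168.103.0/24", "192.168.103.5")],
}


def audit_plan(plan):
    """Return a list of findings; an empty list means the plan is clean."""
    findings = []
    seen = []  # (vlan, network) pairs already checked, for overlap detection
    for vlan, entries in plan.items():
        if len(entries) != 1:
            findings.append(f"VLAN {vlan}: {len(entries)} IP ranges on one VLAN; aim for 1 range = 1 VLAN")
        for cidr, gateway in entries:
            net = ipaddress.ip_network(cidr, strict=True)
            gw = ipaddress.ip_address(gateway)
            # Anything outside RFC 1918 should be renumbered, as suggested above.
            if not any(net.subnet_of(block) for block in RFC1918):
                findings.append(f"VLAN {vlan}: {cidr} is not RFC 1918 space; renumber into 192.168.x.x")
            # The gateway must live inside the subnet it serves.
            if gw not in net:
                findings.append(f"VLAN {vlan}: gateway {gateway} is outside {cidr}")
            # Overlapping subnets on different VLANs make routing ambiguous.
            for other_vlan, other in seen:
                if net.overlaps(other):
                    findings.append(f"VLAN {vlan}: {cidr} overlaps {other} on VLAN {other_vlan}")
            seen.append((vlan, net))
    return findings


if __name__ == "__main__":
    for line in audit_plan(PLAN):
        print(line)
```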
cityofpasco

ASKER

Thank you for responding to my question. I have modified the .vsd and attached it for your review. Please note the Current topology has a layer 2 switch (SW2) between the routing switch (SW1) and the Firewall. My intent is to remove that and make it subordinate to the routing switch. The Goal .vsd depicts that.

As far as the 192.0.0.0/24 address range goes, I have inherited this network and it is my intention to move as many devices as possible off this segment and onto 192.168.xx.xx/24 segments with this redesign. There are numerous AD, DNS, DHCP, and WINS servers on the 192.0.0.0 segment, and by moving workstations and other devices first onto DHCP and new 192.168.xx.xx segments, it will be easier to configure any changes in those all-important functions through the scopes. Right now every workstation is statically assigned and a person must touch each one to make any changes.

I had included a rough .xls spreadsheet with my original question submission. Did you not see it there? I will attach it again for your review. It has firewall and switch information as well as traceroute and ping results.
MyNetworkTopologyNowandFuture.vsd
FW-VLANConfiglayout.xlsx
Hi,

Thanks for the clarification. Sorry, I missed the routing info in the .xls.

If I understood correctly, the first 24 lines in the .xls are regarding the firewall, and lines 26 to 48 are for SW1. Correct me if I'm wrong.

OK. Traceroute fails probably because of the firewall. By default firewalls do not allow traceroute. You probably already checked that, but I'm trying to cover every possible place for a problem. As I can see, all traceroute attempts are failing after the first hop, and the second hop is the firewall.

The simplest solution, as I can see it, is to disconnect SW2 from the firewall, connect SW1 directly to the firewall, and transfer all routing to SW1. Only the default route should be pointing to the firewall.
This scenario will be the most efficient transient solution to achieve the goal topology.

The result of this transient solution will be the elimination of the firewall as a source of problems, and it will simplify routing troubleshooting.

The same effect, without physical reconnection, can be achieved by putting an IP address on VLAN1, so all the routing between VLANs will be done on SW1.

I hope this helps; keep me informed about progress, so we can troubleshoot further.

Regards,
--
Fidelius
Thank you for your explanations. Yes, you are correct on the .xls lines of information for the firewall and SW1.

I have a question about your suggestion regarding VLAN1. What IP address would I use? How does the routing get moved over to SW1 without disconnecting the 192.0.0.0 and 192.168.0.0 devices? VLAN 99 and VLAN 100 do not have any members yet because of STP.

Thanks.

ASKER CERTIFIED SOLUTION
Fidelius
Thank you for explaining, and now that I see it, I understand. Thank you for taking time to look this over for me. I am going to accept your answer and close the issue now.

Go in peace.