Solved

Implementing VLANs into a working Network

Posted on 2011-03-12
Last Modified: 2012-05-11
Hello All,

My company has exhausted all our IPs in the current 192.168.123.x Scope. I am currently working on implementing VLANs to resolve this issue.

I have never implemented VLANs on a live network, let alone on HP equipment. If someone can look over my configs and help me fix what needs to be fixed so the implementation can be done seamlessly.

Thank you in advance.

Darren Dyke

Please see the below configs for each switch:

hostname "West_GB_2910"
module 1 type J9145A

exit
ip default-gateway 192.168.123.254
ip routing
vlan 1
name "DEFAULT_VLAN"
untagged 1-2,4-24
ip address 192.168.123.253 255.255.255.0
no untagged 3
exit
vlan 9
name "VLAN9_VOICE"
untagged 3
ip address 10.123.1.253 255.255.255.0
exit

vlan 400
name "East VLAN"
ip address 192.168.124.253 255.255.255.0
ip helper-address 192.168.123.6
tagged 5
exit
vlan 500
name "West VLAN"
ip address 192.168.125.253 255.255.255.0
ip helper-address 192.168.123.6
tagged 5
exit
vlan 600
name "Private WIFI"
ip address 192.168.126.253 255.255.255.0
ip helper-address 192.168.123.6
tagged 5
exit
vlan 700
name "Public WIFI"
ip address 192.168.127.253 255.255.255.0
ip helper-address 192.168.123.6
tagged 5
exit

fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
timesync sntp
ip route 0.0.0.0 0.0.0.0 192.168.123.254

==============================================

Running configuration:

; J4903A Configuration Editor; Created on release #I.08.98

hostname "DATA GB WEST"
time timezone -300
time daylight-time-rule Continental-US-and-Canada

trunk 18-19 Trk1 Trunk
trunk 6-7 Trk2 Trunk
trunk 11-12 Trk3 Trunk
ip default-gateway 192.168.123.253
sntp server 192.168.123.254
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
snmp-server host 192.168.123.58 "public"

vlan 1
name "DEFAULT_VLAN"
untagged 1-5,8-10,13-17,20-24,Trk1-Trk3
ip address 192.168.123.246 255.255.255.0
exit
vlan 500
name "West VLAN"
ip address 192.168.125.246 255.255.255.0
tagged Trk3,1,22-23
exit
vlan 600
name "Private WIFI"
ip address 192.168.126.246 255.255.255.0
tagged Trk3,1,13-14,22
exit
vlan 700
name "Public WIFI"
ip address 192.168.127.246 255.255.255.0
tagged Trk3,1,13-14,22
exit
ip authorized-managers 192.168.123.0 255.255.255.0
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
password manager
password operator

===============================================

Running configuration:

; J4903A Configuration Editor; Created on release #I.08.98

hostname "EASTGB01"

trunk 2-3 Trk1 Trunk
ip default-gateway 192.168.123.253
sntp server 192.168.123.254
ip routing
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
snmp-server host 192.168.123.58 "public"
vlan 1
name "DEFAULT_VLAN"
untagged 5-24
tagged Trk1
ip address 192.168.123.241 255.255.255.0
exit
vlan 400
name "East VLAN"
ip address 192.168.125.241 255.255.255.0
tagged Trk1,1,4
exit
vlan 600
name "Private WIFI"
ip address 192.168.126.246 255.255.255.0
tagged Trk1,15
exit
vlan 700
name "Public WIFI"
ip address 192.168.127.246 255.255.255.0
tagged Trk1,15
exit
ip author
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
spanning-tree Trk1 priority 4


===============================================

Running configuration:

; J4903A Configuration Editor; Created on release #I.08.98

hostname "WEST OPERATIONS"

ip default-gateway 192.168.123.253
sntp server 192.168.123.254
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-24
ip address 192.168.123.240 255.255.255.0
exit
vlan 500
name "West VLAN"
ip address 192.168.125.240 255.255.255.0
tagged 24
untagged 1-23
exit

==============================================


Running configuration:

; J4903A Configuration Editor; Created on release #I.08.98

hostname "EAST DEV GB"
snmp-server contact "Tom Packert"
ip default-gateway 192.168.123.253
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-24
ip address 192.168.123.238 255.255.255.0
exit

vlan 400
name "East VLAN"
ip address 192.168.125.238 255.255.255.0
tagged 21
untagged 1-20,22-24
exit
net-diagram.jpg
Question by:drnfx
10 Comments
 
LVL 5

Expert Comment

by:tiago_aviz
ID: 35116865
Dumb question: why not enlarge the network mask for the internal network?
0
 

Author Comment

by:drnfx
ID: 35116890
Changing the subnet mask at this point is not an option... this is a LIVE network and VLANs are the easiest option....
0
 
LVL 5

Expert Comment

by:tiago_aviz
ID: 35116926
I would have to disagree. You can change the network mask for a broader network on all servers and firewalls first, and then change it on your DHCP servers, extending the address scope. I've done this over and over on live networks.

As for the HP switch configuration, I wouldn't know if it would work as I only work with Cisco equipment.
0
 

Author Comment

by:drnfx
ID: 35117037
I agree... but that is not one of my options...

Thank you for the input, I am a Cisco guy myself... foreign to the antiquated HPs
0
 
LVL 17

Accepted Solution

by:
jburgaard earned 500 total points
ID: 35118136
As far as I can see, access ports ARE untagged in their VLAN, fine.

The interswitch links should carry all relevant VLANs with the same pattern of tagging at both ends.
I wonder why you did not bring vlan1 along on all switches; you may have your reason, this is however not the way I implemented my setup. I only set up routing on one of my switches.

You do not mention details of changes to your routing.
I can see you have set up ip helper-address to the DHCP server, fine.

Scope options in DHCP should have a default gateway setting of the VLAN IP in THE routing switch (e.g. not the IP of the firewall).
In the device with IP 192.168.123.254 there should be implemented routes back to the new VLANs via 192.168.123.253,
e.g. something like IP ROUTE 192.168.124.0  MASK 255.255.255.0 GW 192.168.123.253

HTH
0
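A pre-deployment check over the configs posted in the question, as an added example that is not part of any post in this thread. `audit` is a hypothetical helper written for this page, and the input is trimmed from three of the posted configs; it flags VLAN IDs whose subnet differs between switches, addresses configured on more than one switch, and the read-write `public` SNMP community.

```python
import ipaddress
import re
from collections import defaultdict

# Input constructed by trimming three of the configs posted in the question.
SAMPLE = '''
hostname "West_GB_2910"
vlan 400
ip address 192.168.124.253 255.255.255.0
exit
hostname "DATA GB WEST"
snmp-server community "public" Unrestricted
vlan 600
ip address 192.168.126.246 255.255.255.0
exit
hostname "EASTGB01"
vlan 400
ip address 192.168.125.241 255.255.255.0
exit
vlan 600
ip address 192.168.126.246 255.255.255.0
exit
'''

def audit(text):
    """Hypothetical helper: lint concatenated ProCurve-style configs."""
    subnets, owners = defaultdict(set), defaultdict(set)
    findings, host, vlan = set(), None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r'hostname "(.+)"$', line):
            host, vlan = m.group(1), None
        elif m := re.match(r"vlan (\d+)$", line):
            vlan = int(m.group(1))
        elif line == "exit":
            vlan = None
        elif vlan and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            subnets[vlan].add(str(iface.network))   # one subnet per VLAN ID expected
            owners[str(iface.ip)].add(host)         # one switch per address expected
        elif re.match(r'snmp-server community "public" unrestricted$', line, re.I):
            # "Unrestricted" grants read-write access to the community.
            findings.add(f'{host}: SNMP community "public" is read-write')
    for vid, nets in subnets.items():
        if len(nets) > 1:
            findings.add(f"vlan {vid}: subnets differ: {', '.join(sorted(nets))}")
    for ip, hosts in owners.items():
        if len(hosts) > 1:
            findings.add(f"{ip}: configured on {', '.join(sorted(hosts))}")
    return sorted(findings)
```

Running `audit(SAMPLE)` reports the VLAN 400 subnet mismatch, the address shared by DATA GB WEST and EASTGB01, and the SNMP community on DATA GB WEST.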

 

Author Comment

by:drnfx
ID: 35128500
I actually forgot to tag vlan 1, I was writing these configs from scratch.

I agree only one switch should have routing... I would like to make it on the 123.253 since that switch is the one connected to the Astaro Firewall. I haven't been able to test this config yet because I am waiting for some more NICs that will allow me to create an Ethernet VLAN and tag the VLANs on the firewall.

What routes should I have on the 123.253?

0
 
LVL 17

Expert Comment

by:jburgaard
ID: 35130829
route to dgw like
ip route 0.0.0.0 0.0.0.0 192.168.123.254
is what you need
The inter-VLAN routing is automatically built for the VLANs with IPs on the routing switch.
 
-to show at CLI:
show ip route

HTH
0
 

Author Comment

by:drnfx
ID: 35131089
Okay, I already have this route in... so in theory as long as I tag vlan 1 then this should work.

Will keep you informed.

Thanks for input :)
0
 

Author Comment

by:drnfx
ID: 35167281
jburgaard: thanks for all your input thus far, I have one more question for you...

The reason why I didn't include vlan 1 was because I forgot to ask how to change the default VLAN for the switches...

I want to create another vlan, vlan 300 and that is going to be the admin vlan where all the switches/routers/servers are going to rely, the IP schema will be the same: 192.168.123.x however I am unsure how to set that as the new default vlan.
0
 
LVL 17

Expert Comment

by:jburgaard
ID: 35173588
I have not tried. AFAIK you cannot do that.

If you want to implement a common ground in communication with Cisco devices, untagging vlan 300 on the HP port linking to Cisco will match a native VLAN on the Cisco device.

If this is a matter of security please have a look at:
http://www.hp.com/rnd/pdfs/Hardening_ProCurve_Switches_White_Paper.pdf

Generally you can find detailed info in the 'Advanced Traffic Management Guide' for your switch,
e.g. look at chap. 2 in http://ftp.hp.com/pub/networking/software/2600-2800-4100-6108-AdvTraff-Oct2005-59908853.pdf -mentioning the 'primary vlan' (DHCP to switch) and the 'secured management vlan' (not participating in routing)
HTH
0
