swcrook (United States of America)


VLAN setup between 4 HP Procurve 2810-48G's

Hello experts. I want to set up a VLAN architecture to avoid broadcast traffic happening from one switch to another switch. We currently have 4 HP Procurve 2810-48G switches which have only a default VLAN set up, but I believe the broadcast traffic can be significantly reduced by VLANing each switch to the others.

So, without knowing a lot about the process of VLANing and only having read technical documents about the pros and cons, can someone tell me the basic setup I would need to consider along with the "gotchas" involved in simply making sure that any broadcast traffic on switch 1 won't be broadcast on switches 2-4 and vice versa for all switches involved?

We are on a subnet of 10.10.0.0/16 for all local traffic.

Thanks in advance for any help, thoughts or considerations in helping me.
Fidelius (Croatia)

Hello,

To use VLANs to limit broadcasts you will need to subnet your network.
1 subnet -> 1 VLAN
You will also need a router or L3 switch for inter-VLAN routing.
You would need to reconfigure the IP address on all of your devices. How many devices do you have?
swcrook (ASKER)

I have 4 devices. They each have a 10.10.1.x IP. We have a router connected to all the devices in the same ER.
Well your IP Segment is horribly oversized.  I really doubt you have 65,534 Hosts on your LAN.  You should never use a mask of lower bits than /24 unless you are supernetting a Backbone.  But anyway,...on to what you asked......

Broadcasts don't "happen from one switch to another" in the way you are stating that.   Broadcasts simply stretch across the Broadcast Domain (L3 Segment) which is exactly what you want them to do and exactly what they are intended for.

Now we can actually discuss the same concept and never once use the word "VLAN",...in fact if I read the word VLAN one more time I may throw up (just kidding),...but if you read day after day here in these forums at all the ways VLANs are misused, abused, misunderstood, misinterpreted, and over-engineered, you'd feel the same way.

The real question here is broadcasts,...and what to do about them.   Are Broadcasts bad?,..no,..they are good,..networks cannot function without them,...but too many broadcasts are bad.  How do you know if you have too many?  Well there is a simple General Rule:

On an IP Segment where most OS's are Windows,...for every 200 machines break off a new subnet.  Subnets should be 254 Host (/24bit) segments.  If most OS's are Linux/Unix you can push it into the 300's but there is no way to create an IP Subnet that size (it jumps from 254 straight to 510).  So even with them just follow the same /24bit model.

However it is quite possible that you may run some specific custom applications that generate a huge amount of broadcasts (maybe due to bad programming and lazy developers).  This could justify a smaller IP Segment just to isolate that,..like maybe a /25bit (128 Host) or a /26bit (64 Host segment).   We are a TV Station, and as an example, the new Automation and Video Playout System we are adding in generates a lot of broadcast and so I have it on its own separate /24bit segment.

The Procurve 2810:
I don't think that one is L3,...only L2.  That means it is only a Switch,...not a Router,...so you are screwed,...you have to have a Router to route between L3 IP Segments.   But if it were an L3 capable Switch/Router Combo then you would create one more VLAN (VLAN2) on the device and then enable "Routing" on the device so that it becomes a "router".  Then you create a "router interface" by assigning some of the Switch ports to each VLAN.  For example you can take the first half of your ports and set them to Untagged on VLAN1 (the Default VLAN) and set the second half of the switch ports to VLAN2 as Untagged.  

You now have a LAN Router with two IP#s on different IP Segments, one on each newly created Router Interface (notice I could describe that without calling it a VLAN).  But,....whoops!!,...now the LAN's Topology has changed!!  So now the LAN Router (notice I call the Switch a router,..because that is what it is now) becomes the Default Gateway of the entire LAN with all Hosts on the LAN using the Router Interface that directly faces them as their Default Gateway.  Your outbound gateway (Firewall?) now becomes the Default Gateway of the LAN Router (yep, still calling it a router now).

Whoops!!!!,...the outbound Gateway (your Firewall) doesn't work correctly with the new IP Segment.  That's right,..it won't,..so you have to add the new IP Range to the Firewall's Local Address Table and you will also have to add a static route on the firewall that tells it to use the LAN Router (yep, still calling the Procurve switch a router now) as the proper "gateway" to get to the rest of the LAN.

Well I hope that clarifies some things,...or at least makes you realize how BIG the question you are asking really becomes and hopefully helps you realize if this is even something you need to pursue in the first place.

Also notice that except for the paragraph about the individual config within the Procurve Switch I never used the word "VLAN",...I used,....router,....router interface,....gateway,...and IP Segment,...so I don't have to throw up now  (yea, just having a little fun with that one).
I have 4 devices.

On the entire LAN!?!?

They each have a 10.10.1.x IP. We have a router connected to all the devices in the same ER.

What does that mean?  ER? (Emergency Room?)
Router?,....you mean a "Firewall"?,...and NAT Device?,...those are not "routers", they don't route anything and can't be used as a LAN Router to save its life.  Yea,..I know they call them routers on the retail store shelves,..but they are not real routers.
swcrook (ASKER)

Okay, well, thanks for the information. Yes, I used ER as equipment room, and if I am not to refer to a virtual LAN as a VLAN then I am at a loss as to what to refer to them as. I understand your reasoning as to why the term "VLAN" can be used improperly, but since I am specifically asking about VLANs I am not sure how that would be used improperly in what I asked.

However, I do see that I was not very specific in my questioning as I am indeed wanting to limit excessive broadcasts across the L3 by possibly using VLANs; hence, asking the experts here for advice.

Secondly, the first thing I noticed upon working here is the /16 mask. Now, the reasoning behind that is simply that we have branch locations which use 10.10.1.x, 10.10.2.x, 10.10.3.x, etc on down the long until we reach the 100+ plus stores we have. Again, not my design but it is what it is and it is what I have to work with.

And you are probably bordering on being wrong about my "router" but I don't want to make assumptions here. We have a Fortinet 200B device which does indeed operate as a router, firewall and NATting device all in one. It does route packets as an L3 device and it also provides switching capabilities as well on the L2 layer.

Sorry, I read the question about how many devices we have and as such I simply applied that question to the switching devices I am referring to. I now believe this was a question about how many nodes/devices would need to be configured once VLANing were in place (between the switches and the router).

I hope it is nice outside where you are as you could use some fresh air for those dry heaves you are having :P
swcrook (ASKER)

down the line*, not long
The Fortinet is a Firewall that is capable of doubling as a LAN Router "in a pinch",..it is not designed to be a fully functional LAN Router. When I see people try to make heavy use of them in that sense it often turns out ugly.  It is not a "retail" device so it is not the kind of thing I was asking about.  My comments about that were more of a question to ask what you had than anything else.

How many devices (nodes, Hosts) do you have at each physical facility?  That would be one of the most important pieces of information that we lack here.

Running each remote location on 10.10.1.x, 10.10.2.x, 10.10.3.x is good and proper but you need a "routed relationship" between the facilities,...not a switched L2 relationship.  But that is not a reason to run a /16bit mask on your facility,...in fact it is a specific reason not to.  Running a /16bit mask actually creates an IP Conflict between the sites at a routing level and makes routing impossible,...which leaves you with a Switched (L2) relationship between the sites which would be really really really horrible from a design point of view.

Anyway there needs to be a lot more of your network design made clear and brought out into the open.  Everything you are asking about affects the design,..in fact it is a "design question" and there is really no way to give a correct solution without understanding what is already there to start with.  Along with being picky about my terminology, I am very picky about giving people the "right" advice according to the best of my understanding of the situation,...but I cannot do that without good information to work from.    People are totally free to ignore what I tell them to do,...but I will only give what I think is the correct solution,...I won't give what I think is a second-rate solution or hack-job advice,....I'll just step out of the conversation and let others do that.


As I think about what I think you have there, it can be made more efficient.  There probably wouldn't be any VLANs,...it would be all physical (just LANs without the "V").  Give me something to work with and I'll try to give you something decent to consider.
ASKER CERTIFIED SOLUTION
Fidelius (Croatia)

OK, let's clear one thing, this forum is not about who's wrong and who's right.

I'm not calling anyone wrong or right,...and I don't think the conversation is pointless.

To limit the broadcast domains, you want to create VLANs. OK.

No,..you create IP Segments.  Maybe that ends up being VLANs,...and maybe it doesn't,..it depends on the equipment involved and the infrastructure involved,...neither of which we know the truth of in this case.   I'm confident that you already know that, so let's wait till we have the information we need to be able to know what we are talking about.  I have already asked for such information twice in this so-called pointless conversation and am just waiting for the OP to reply with such information.

I have no intention of arguing about all this,..but it looks like that is exactly what you want to do.
SOLUTION
No intention to argue from my side either.

Ok, no problem.

Can user subnet his 10.10.0.0/16 range?

He won't be able to.  As Mr Monk always said,.."Here's the thing".  He just can't start changing the mask from /16 to /24. As soon as he does it will take down the whole infrastructure because the Central Site and remote Sites could no longer communicate due to now being different subnets but with overlapping address spaces,...remember the remote Sites still would have the /16 mask because he can't be everywhere at once to reconfigure everything at once,.. plus the VPN Tunnels are built around that.  He said earlier "....down the line until we reach the 100+ plus stores...." so even if they only have half of that,...say maybe 50 remote sites,..that would make quite a mess.

Here's the approach.  Start at one remote Site, take down the Tunnel and "unconfigure" it.  Re-address the Remote Site using an address Range that is totally and completely outside of the original 10.10.?.? range.  Then recreate/reconfigure the Tunnel and while doing that establish it as a routed relationship instead of the L2 relationship that it appears to previously have been.

Repeat this at every Site, systematically, one at a time.   When finished, the Main Site is still using the 10.10.?.? with a /16bit mask.  So then all that is left is to make sure that all the equipment is set to the same first three octets (I'm assuming there are less than 200 machines at the main Site).  Then change the Mask on all the equipment to a /24,...and it is done. They can retain their existing IP# as long as the first 3 octets are the same.

Things to note:

1. The 4 Procurves in the equipment room in the original question were never involved,...at all.

2. No VLANs were created. A VLAN is a specific thing involving a specific technology referred to in IEEE 802.1Q which often, but not always, includes Frame Tagging.  So just because an IP Segment was created and set up does not make it a VLAN.   Now does that mean that it isn't possible that some product might incorrectly call something a VLAN in the Docs or in the User Interface?  No,...people who write Documentation and design User Interfaces screw up and misuse terminology all the time,..that's why this industry is so screwed up today.

I am also making the following assumptions about the system since I lack the details I'd like to have (and I hate doing that).

1. I am assuming there are less than 200 machines at each location.

2. I am assuming there is a Fortinet Device at each location and that a Site-2-Site VPN Tunnel is used between the "pair" of devices.

3. I am assuming that there are no dedicated Point-to-point private leased lines (as opposed to VPNs) between the sites using dedicated routing devices with the Fortinets being used as only Local Firewalls.

4. I am assuming that the relationship between the Sites is all Layer2-Switched.  I base this on him saying that he had to keep the /16bit mask in order to communicate with the other sites that are using Address Ranges that fit within the same /16 Network range.
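To make the mask conflict and the re-addressing plan above concrete, here is an added Python check (not posted by anyone in this thread) that models what a host does with a destination under a /16 versus a /24 mask, lists which store ranges are hidden behind the central site's /16, and verifies that central-site hosts keep their addresses after the mask change; the site ranges and host addresses are constructed examples, and 10.20.0.0/16 is an assumed replacement range.

```python
import ipaddress

def next_hop_decision(host_cidr, destination):
    """How a host treats a destination: 'on-link' means it ARPs for the
    address on its own segment and never hands the packet to a gateway."""
    iface = ipaddress.ip_interface(host_cidr)
    dst = ipaddress.ip_address(destination)
    return "on-link" if dst in iface.network else "via-gateway"

def shadowed_sites(hq_cidr, site_cidrs):
    """Remote site ranges that fall inside the central site's segment. Hosts
    with that mask treat them as local, so no router can carry traffic there."""
    hq = ipaddress.ip_network(hq_cidr)
    return [s for s in site_cidrs if ipaddress.ip_network(s).overlaps(hq)]

def hosts_keep_ips_after_remask(host_ips):
    """True when every central-site host shares the first three octets, i.e.
    all of them keep their current addresses once the mask goes from /16 to /24."""
    nets = {ipaddress.ip_interface(f"{ip}/24").network for ip in host_ips}
    return len(nets) == 1

# Constructed sample values in the spirit of the thread, not real site data.
HQ_NOW = "10.10.0.0/16"
STORES_NOW = ["10.10.2.0/24", "10.10.3.0/24"]
STORES_PLANNED = ["10.20.2.0/24", "10.20.3.0/24"]  # assumed new range outside 10.10.0.0/16
HQ_HOSTS = ["10.10.1.5", "10.10.1.200"]

if __name__ == "__main__":
    print("HQ host with /16 sending to a store:", next_hop_decision("10.10.1.5/16", "10.10.2.7"))
    print("HQ host with /24 sending to a store:", next_hop_decision("10.10.1.5/24", "10.10.2.7"))
    print("stores hidden behind the /16 today:", shadowed_sites(HQ_NOW, STORES_NOW))
    print("stores hidden after re-addressing:", shadowed_sites(HQ_NOW, STORES_PLANNED))
    print("HQ hosts keep their IPs under /24:", hosts_keep_ips_after_remask(HQ_HOSTS))
```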

I agree with pwindell. That is the right direction to go.
Just one note. Even if you don't create any VLAN, on every managed switch there is at least VLAN 1, by default native or untagged.