Solved

5 Vlans, 2 Hp Procurve Switches, One Router, need help!!

Posted on 2012-03-27
15
626 Views
Last Modified: 2012-04-02
My current setup is for a local small church/school.

2x  HP 1810g-24 gigabit swtiches.
2x WAPs
1x Asus RT-n66u (dot1q supporting)

Goal is to create multiple vlans to separate the groups, fileshare, print, etc. with internet access to vlans.

I created 4 vlan's on top of the default 1. they are as follow...

vlan 1 - default
vlan10 - staff
vlan20 - student
vlan30 - multimedia team
vlan40 - general use

I also created a trunk on switch 1 port 2, and trunked it with port 1 of switch 2.

all wiring is centralized to a server rack.
I am also intending to add in a WAP for the student, and one for the general use.

The trouble i am having is, putting in the right untagged/tagged configurations to allow
the vlan's to see the router. I was able to get it at one point, but I didn't save and couldn't recover the settings.  

I have attached an excel sheet of the layout of the switches.
vlan-distro.xlsx
0
Comment
Question by:Dakren12
  • 5
  • 4
  • 3
  • +1
15 Comments
 

Author Comment

by:Dakren12
Comment Utility
i forgot to mention, all the end hosts are just computers, desktops, laptops, printers, etc... or additional consumer level routers/wap's
0
 
LVL 117

Expert Comment

by:Andrew Hancock (VMware vExpert / EE MVE)
Comment Utility
your trunks need to carry all Tagged VLANs.

your access ports, network ports that connect to staff, student PCs need to be tagged with correct VLANs.

so a student network port is VLAN 20, staff 10 etc

router should understand the tagged traffic

by doing this staff and student traffic will be separated.
0
 
LVL 17

Expert Comment

by:jburgaard
Comment Utility
I agre with hanccocka as far as trunks are concerned: TAG all vlans on up/downlink-ports
OR untag vlan1&Tag the rest
-but do it same way in both ends!

The port leading to router shoud mach config in that end:
my guess would be: untag vlan1&Tag the rest (native vlan =untagged)

But the access-ports must just be UNtagged in one vlan

HTH
0
 

Author Comment

by:Dakren12
Comment Utility
so this is what you guys are saying?

Switch 1 (Port 1 is connected to router, only vlan1 is untagged for router)
               (Port 2 is trunk, tagged for every vlan)

             1 2 3 4 5 6 7 8 9 10  11 12 13 14 15 16 17 18 19 20 21 22 23 24
vlan 1   UTUUU  UUUU  U   U   U   U   U   U  U  U   U   U  U  U   U  U   U
vlan10  T T T T T T  T T T  T   T    T    E   E   E   E   E   E   E   E   E   E   E   E
vlan20  T T E E E E  E E E  E   E    E    E   E  E   E   E    E   E   T   T   T   T   T
vlan30  T T E E E E  E E E  E   E    E    E   E  E   E   E    E   E   E   E   E   E   E
vlan40  T T E E E E  E E E  E   E    E    E   E  E   E   E    E   E   E   E   E   E   E


Switch 2 (Port 1 is trunk, connected to trunk of switch 1, taggged for all vlans)

             1 2 3 4 5 6 7 8 9  10 11 12 13  14 15 16 17  18 19 20 21 22 23 24
vlan 1   T UUUU  UUUU  U   U   U   U  U   U  T   U   U   U   U   U  U   T  U
vlan10  T E E E E E  E E E  E   E    E   E   E   E   E    E   E    E   E    E  E   E   E
vlan20  T E T T T T  T T T  T   E    E   E   E    E   E   E   E    E   T    T   T   T   T
vlan30  T E E E E E  E E E  E   T    E   E   E   E   E    T   E    E   E    E   E   E   E
vlan40  T E E E E E  E E E  E   E    T   T   T   T   U   E    T   T   T    T   T   U  T

Port 16 and 23 is untagged on vlan40 and tagged in vlan1, these port are wireless
access points.

I have attached an excel version
LAYOUT.xlsx
0
 
LVL 17

Expert Comment

by:jburgaard
Comment Utility
normaly a NIC on a PC will not 'understand' a Tagged packet, so UNtag accessports in relevant vlan
0
 

Author Comment

by:Dakren12
Comment Utility
if NIC's wont understand tagged packets.... does that mean i have to UNtag every port that goes to a computer in the corresponding vlans?
0
 
LVL 17

Expert Comment

by:jburgaard
Comment Utility
yes
and maybe also to AccessPoints
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 117

Expert Comment

by:Andrew Hancock (VMware vExpert / EE MVE)
Comment Utility
if NIC's wont understand tagged packets.... does that mean i have to UNtag every port that goes to a computer in the corresponding vlans?

Yes.
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
Comment Utility
I looked in the user manual for the Asus RT-n66u router and don't see anyhting about VLANs or VLAN tagging which would be required for your setup.
0
 

Author Comment

by:Dakren12
Comment Utility
hmmmm, I telnet into the router, and i saw this

Jan 1 01:00:07 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
0
 
LVL 21

Assisted Solution

by:Rick_O_Shay
Rick_O_Shay earned 500 total points
Comment Utility
If it does do tagging then you need to have the port on the router and the port it is connected to on the switch tagged for all 4 VLANs. Just like you did for the trunks between the switches.

vlan10 - staff
vlan20 - student
vlan30 - multimedia team
vlan40 - general use
0
 
LVL 21

Accepted Solution

by:
Rick_O_Shay earned 500 total points
Comment Utility
You will also need a different IP interface on the router for each VLAN/Subnet.
0
 

Author Comment

by:Dakren12
Comment Utility
i dont think my router support multiple interfaces for each vlan/subnets, do you have a recommendation under $400?
0
 
LVL 21

Assisted Solution

by:Rick_O_Shay
Rick_O_Shay earned 500 total points
Comment Utility
I can't give you a specific recommendation but you might check out Draytek and Netgear which usually have good pricing.

Just make sure they can do what you want for the VLAN routing piece in your design.
0
 
LVL 117

Expert Comment

by:Andrew Hancock (VMware vExpert / EE MVE)
Comment Utility
Draytek 2830N
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now