Solved

VLAN Configuration

Posted on 2012-08-19
1,298 Views
Last Modified: 2012-10-27
I have a pretty large household with quite a few wireless devices (at least 3 person x 8), a wireless home automation system and run my business from here too.  I want to separate traffic on the network.  I came up with the following subnets:

192.168.214.x AP/Wireless (DHCP) (Web Filtered, WPA2)
192.168.213.x AP/Wireless (DHCP) (Non-Web Filtered, SSID not broadcast, WPA2)
192.168.212.x Prod Servers (NO DHCP)
192.168.211.x QA Servers (NO DHCP)
192.168.210.x DEV Servers (NO DHCP)
192.168.209.x Security Systems  (NO DHCP)
192.168.208.x A/V Equipment (NO DHCP)
192.168.200.x Management VLAN (NO DHCP)

I have equipment in three distinct areas of the property connected via Trunk Ports in the switches:

Network Rack
-Firewall (pfSense 2.0)
-Web Filter (Barracuda Web Filter 3.0)
-Modem/Router (ATT U-Verse)
-HP Procurve 2650 48-Port Managed Switch

Server Rack
-Production, DEV and QA physical and Virtual Servers (Linux and Windows)
-Domain Controllers (also the DNS & DHCP server)
-Exchange 2010 Server
-HP Procurve 2650 48-Port Managed Switch

Media Rack
-Network Connected AV/Automation Equipment
-HP Procurve 2650 48-Port (PoE) Managed Switch
-AP/Wireless (DHCP) (Web Filtered, WPA2) (due to installation location and PoE)
-AP/Wireless (DHCP) (Non-Web Filtered, SSID not broadcast, WPA2) (due to installation location and PoE)

My internet connection has 5 static IP addresses
I want to be able to (based upon vlan) direct/restrict traffic to specific gateways.
I want to be able to manage all other vlans from my management vlan

Questions:

1. I know how to set up basic DNS, however, not with a VLAN configuration as I am describing here.
2. Would/should all the systems on all VLANS use the same internal DNS?  If so where should it be configured at?
3. Where should I configure the DHCP for the VLANS with DHCP needs?

If you would recommend me doing this a completely different way, what do you suggest?

Thanks in advance.
Question by:andrej770
15 Comments
 
LVL 12

Expert Comment

by:Fidelius
ID: 38309443
Hello,

Basically, design is OK. What model of Modem/Router you have?
Router will be key component in this setup as HP 2650 are L2 switches.

For first step I suggest to segment network and allow all traffic between all VLANs, and after everything is working, restrict access.

1. DNS setup can stay as is, because routing will take care for clients to reach it.
2. Yes, all systems can use same internal DNS. Just be sure not to block port 53 tcp/udp traffic between clients and DNS server. It can stay on DC, in any VLAN you are planning to put DC in.
3. For DHCP for VLANs you need to use DHCP Relay option on your router. DHCP server can also stay as is with addition that you need to create a scope for each subnet and you would use options 006, and 015 (in the scopes) to configure your DHCP enable clients.

So, as I said at the beginning, the key part is a router to route traffic between VLANs and to support the DHCP Relay feature.

Regards!
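Fidelius's point about DHCP relay and per-subnet scopes is easier to see in packet terms. The walk-through below is an added example, not code from the thread or from pfSense/HP: it builds a client DISCOVER, does what `ip helper-address` does on the relaying SVI (stamp the interface address into the BOOTP giaddr field, bump the hop count, unicast to the server), and has the server pick the scope by giaddr and answer with options 3, 6 and 15. The scope ranges, the DNS server address and the domain name are assumptions.

```python
"""Added example (not from the thread): how one DHCP server serves many VLANs
through a relay.  The relay (the SVI on the L3 switch) stamps its own address
into the BOOTP 'giaddr' field of the client's broadcast and unicasts it to the
server; the server chooses the scope whose subnet contains giaddr and answers
with options 3 (router), 6 (DNS) and 15 (domain name).  Scopes, the DNS
server address and the domain are assumptions for illustration."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC = b"\x63\x82\x53\x63"
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes

# Constructed scopes, one per subnet that uses DHCP (the two wireless VLANs).
SCOPES = {
    ipaddress.ip_network("192.168.213.0/24"): {"router": "192.168.213.1", "first": "192.168.213.100"},
    ipaddress.ip_network("192.168.214.0/24"): {"router": "192.168.214.1", "first": "192.168.214.100"},
}
DNS_SERVER = "192.168.212.10"   # assumed DC/DNS address on the Prod VLAN (option 6)
DOMAIN = "home.example"         # assumed AD domain name (option 15)

def build_packet(op, xid, mac, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0, options=b""):
    """Serialize a minimal BOOTP/DHCP message: fixed header, magic cookie, options, end."""
    fixed = struct.pack(HEADER, op, 1, 6, hops, xid, 0, 0x8000,
                        b"\0\0\0\0",                            # ciaddr
                        ipaddress.ip_address(yiaddr).packed,    # yiaddr
                        b"\0\0\0\0",                            # siaddr
                        ipaddress.ip_address(giaddr).packed,    # giaddr
                        mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + options + b"\xff"

def parse_packet(pkt):
    """Return the fields a relay or server needs, plus the decoded options."""
    f = struct.unpack(HEADER, pkt[:236])
    assert pkt[236:240] == MAGIC
    opts, i = {}, 240
    while pkt[i] != 0xFF:                  # TLV options until the end marker
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.ip_address(f[8])),
            "giaddr": str(ipaddress.ip_address(f[10])),
            "mac": f[11][:6], "options": opts}

def relay(pkt, svi_address):
    """What 'ip helper-address' does: if giaddr is still 0.0.0.0 (the packet came
    straight from the client) stamp our SVI address in, and bump the hop count."""
    p = parse_packet(pkt)
    giaddr = p["giaddr"] if p["giaddr"] != "0.0.0.0" else svi_address
    return build_packet(p["op"], p["xid"], p["mac"], giaddr=giaddr,
                        hops=p["hops"] + 1, options=pkt[240:-1])

def server_offer(pkt):
    """Pick the scope by giaddr (not by the server's own interface) and build a
    DHCPOFFER carrying the per-scope options.  A missing scope is a hard error:
    this is the 'create a scope for each subnet' step from the reply above."""
    p = parse_packet(pkt)
    if p["giaddr"] == "0.0.0.0":
        raise ValueError("no giaddr: a non-relayed request can only be served on the server's own subnet")
    g = ipaddress.ip_address(p["giaddr"])
    net = next((n for n in SCOPES if g in n), None)
    if net is None:
        raise LookupError(f"no scope covers relay address {g}")
    scope = SCOPES[net]
    opts = (bytes([53, 1, DHCPOFFER])
            + bytes([1, 4]) + net.netmask.packed
            + bytes([3, 4]) + ipaddress.ip_address(scope["router"]).packed
            + bytes([6, 4]) + ipaddress.ip_address(DNS_SERVER).packed
            + bytes([15, len(DOMAIN)]) + DOMAIN.encode())
    # The reply is unicast back to giaddr; the relay forwards it onto the client VLAN.
    return build_packet(BOOTREPLY, p["xid"], p["mac"], yiaddr=scope["first"],
                        giaddr=p["giaddr"], options=opts)

def walk_through(client_mac, svi_address):
    """Client broadcast -> relay on the SVI -> server -> decoded offer."""
    discover = build_packet(BOOTREQUEST, 0x1234, client_mac, options=bytes([53, 1, DHCPDISCOVER]))
    offer = parse_packet(server_offer(relay(discover, svi_address)))
    o = offer["options"]
    return {"yiaddr": offer["yiaddr"],
            "router": str(ipaddress.ip_address(o[3])),
            "dns": str(ipaddress.ip_address(o[6])),
            "domain": o[15].decode()}

if __name__ == "__main__":
    print(walk_through(b"\x00\x11\x22\x33\x44\x55", "192.168.214.1"))
```

Because the server trusts giaddr to choose the scope, any host that can unicast to the server on UDP/67 can present itself as a relay and pull addresses and options for every scope; when the "restrict access" phase comes, UDP/67 toward the DHCP server should be limited to the SVI addresses that actually relay.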
 
LVL 6

Expert Comment

by:SebastianAbbinanti
ID: 38309715
It may not be necessary for every network to use an internal DNS server. The only reason to use an internal DNS server is if you have a local domain that you need to route to. More specifically, if you need to access hosts inside your network by host name.

Since you are running an AD Domain, domain hosts need to use the AD Integrated DNS Server, but other hosts may get along just fine using public DNS like Google's 8.8.8.8.

Lastly, I don't believe that the HP 2650 is a Layer 3 Switch, which means routing is going to be a problem unless multiple VLANs are supported by your firewall. You may consider adding a Cisco 800 series router to the mix. This would replace both your modem and your firewall (using an IOS Firewall option), and also support 802.1Q trunking. Finally, you can create multiple DHCP Scopes for each network and avoid the complexity of BootP.

Of course, for the VLAN that contains the AD environment, using the Microsoft DHCP Server Role would be preferred.

Best of Luck!
 

Author Comment

by:andrej770
ID: 38310572
@Fidelius - 2Wire 3600HGV  in bridge mode.

I believe that the 2600 series switches are multi-layer (L2 & L3).  The 2650, even based upon this EE thread:

http://www.experts-exchange.com/Networking/Misc/Q_27604936.html

Shows that it performs L2 & L3 functions.  I know it does routing (a key L3 function)

Does this change your recommendation?

Author Comment

by:andrej770
ID: 38310580
@SebastianAbbinanti

I believe that the 2600 series switches are multi-layer (L2 & L3).  The 2650, even based upon this EE thread:

http://www.experts-exchange.com/Networking/Misc/Q_27604936.html

Shows that it performs L2 & L3 functions.  I know it does routing (a key L3 function)

You are correct that the AD based hosts will need internal DNS, but not all systems are AD based.  However, many of the DEV and QA servers are workgroup servers and not connected to the domain.  Actually the only Windows machines connected to the AD are the Exchange 2010 server and the Hyper-V Core servers that are managed by the Virtual Machine Manager.  All other PCs (virtual or physical) are workgroup machines, but need to have the ability to resolve all the local DEV, QA and PROD machine names as well as route internet addresses to the internet.
 
LVL 12

Expert Comment

by:Fidelius
ID: 38310844
Hello,

Yes, you're right. It is L3. Sorry, I overlooked it when checking on HP web. So we have all key components.

I assume you are using 2650 in Network rack to do your internal routing. That would be most appropriate.

To configure VLANs and DHCP relay, do the following:

HPswitch(config)# dhcp-relay

Repeat this step for every VLAN that uses DHCP:
HPswitch(config)# vlan 10
HPswitch(vlan-10)# ip helper-address <address of your DHCP server>
 

Author Comment

by:andrej770
ID: 38326324
@Fidelius

So which switch should I do this on?  As mentioned in the initial query, I have 3 - 2650's, so all configuration I do as a result of your recommendation needs to factor in the device or system and what environment it is in (Media, Server or Network.)

Thanks in advance.
 
LVL 12

Expert Comment

by:Fidelius
ID: 38326864
Hi,

I would do it on the Network 2650. I don't know your exact topology but I assume it looks similar to this (simplified schema without FW and WebFilter):

                    Internet (Modem/Router)
                                     |
                          Network 2650 (L3)
                         /                             \
       Media 2650 (L2)                 Server 2650 (L2)


So on Network switch I would configure:
- all VLANs and L3 SVI with subnets
- DHCP relay option in VLANs for AP/Wireless
- default router toward Internet (probably FW interface is next hop)

Media switch can remain only L2:
- configure only needed VLANs on it without L3 SVI, except management VLAN

Server switch can remain only L2:
- configure only needed VLANs on it without L3 SVI, except management VLAN

If you have additional questions, don't hesitate to ask.

Regards!
 

Author Comment

by:andrej770
ID: 38354237
Additional questions:

Does it make sense to setup a management VLAN to control these L2/L3 devices or is that overkill?  If it is recommended to do that, how do I set that up first?

Lastly, seeing that all of the devices currently on the network are operational but on the same subnet, what would be your recommended strategy of what to change first (to the new VLANs) and when to change the IP scheme, based upon the subnet scheme stated in the original query.

Thanks,
 
LVL 12

Expert Comment

by:Fidelius
ID: 38359550
Management VLAN is recommended.
To setup management VLAN, choose any VLAN (except VLAN 1), and configure on it subnet.
Ports between switches should be tagged in that VLAN.

Before doing any VLAN configurations you will need to configure max-vlans and reboot all 3 switches. HP 2650 by default supports only 8 VLANs (max is 253).
Enter:
configure terminal
max-vlans 20
write memory
reboot

 
Next step is VLAN config for management.
We will pick VLANs based on third octet of subnet IP, so for Management subnet VLAN is 200. Ports 49 and 50 are downlinks to Media and Server switches so VLANs on that ports should be tagged.
On Network 2650 do:
configure terminal
ip routing
dhcp-relay
vlan 200
  name Management
  tagged 49-50
  ip address 192.168.200.1/24
exit

On Media 2650:
configure terminal
vlan 200
  name Management
  tagged 50
  ip address 192.168.200.2/24
exit

On Server 2650:
configure terminal
vlan 200
  name Management
  tagged 50
  ip address 192.168.200.3/24
exit


I would first start with less important VLANs like Wireless/AP VLANs. I assume all APs are connected only to Networking 2650.
So configure on Networking 2650:
vlan 213
  name Web_Filtered_Wless
  tagged 50
  untagged <specify ports on which are APs>
  ip address 192.168.213.1/24
  ip helper-address <current IP of DHCP server>
exit
vlan 214
  name Web_Non_Filtered_Wless
  untagged <specify ports on which are APs>
  tagged 50
  ip address 192.168.214.1/24
  ip helper-address <current IP of DHCP server>
exit

When you move servers to Server VLAN you will need to change ip helper address to point to new DHCP server address.

Try these suggestions first so we can track and resolve issues if they arise. If all is ok, we can move further with the migration.

If anything is unclear, don't hesitate to ask.

Regards!
 

Author Comment

by:andrej770
ID: 38381827
The ProCurve doesn't like either of these commands:

tagged 49-50
  ip address 192.168.200.1/24
 
LVL 12

Expert Comment

by:Fidelius
ID: 38382709
Try this, it should be the same but another syntax:
vlan 200 tagged 49-50
vlan 200 ip address 192.168.200.1/24


If it doesn't work please send switch config so I can see if there is some conflict inside.
 

Author Comment

by:andrej770
ID: 38405746
ok, I have the management vlans done
 
LVL 12

Expert Comment

by:Fidelius
ID: 38406057
OK. Next configure, VLAN 214 on Networking 2650:

vlan 214 name Web_Non_Filtered_Wless
vlan 214 untagged <specify ports on which are APs>
vlan 214 tagged 50
vlan 214 ip address 192.168.214.1/24
vlan 214 ip helper-address <current IP of DHCP server>


If you have AP ports on Media or Server 2650, configure them as follows:
vlan 214 name Web_Non_Filtered_Wless
vlan 214 untagged <specify ports on which are APs>
vlan 214 tagged 50


Default gateway on APs should be set to 192.168.214.1. Change IP address of APs to subnet 192.168.214.0/24. For example:
AP1 - 192.168.214.2/24
AP2 - 192.168.214.3/24
and so on...

Regards!
 

Author Comment

by:andrej770
ID: 38431325
Ok, I have the 214 VLAN done
 
LVL 12

Accepted Solution

by:Fidelius (earned 1600 total points)
ID: 38434849
Great!
Now we can do the same for VLAN 213 on Networking 2650:
vlan 213 name Web_Filtered_Wless
vlan 213 untagged <specify ports on which are APs>
vlan 213 tagged 50
vlan 213 ip address 192.168.213.1/24
vlan 213 ip helper-address <current IP of DHCP server>


On Media 2650 switch configure:
vlan 213 name Web_Filtered_Wless
vlan 213 untagged <specify ports on which are APs>
vlan 213 tagged 50


For default gateway apply same as for VLAN 214, just the GW IP is now 192.168.213.1, and the subnet is 192.168.213.0/24

After VLAN 213 is done, we can go further and configure VLAN 208,
- 192.168.208.x A/V Equipment (NO DHCP)
By your initial post, I assume all A/V Equipment is connected only to Media 2650 switch.

On Networking 2650 configure:
vlan 208 name AV_Equipment
vlan 208 tagged 50
vlan 208 ip address 192.168.208.1/24


On Media 2650 configure as follows:
vlan 208 name AV_Equipment
vlan 208 untagged <ports on which A/V Equipment is connected>
vlan 208 tagged 50


In VLAN 208, the default gateway is 192.168.208.1, and all A/V Equipment should have addresses from subnet 192.168.208.0/24

After this we should be done with Media 2650 switch, and we can move on to Server 2650 switch.

Regards!
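The replies above build the switch configuration one VLAN at a time; the rules behind them (VLAN number = third octet of the subnet, `ip routing` and `dhcp-relay` only on the Network 2650, an SVI on the Media and Server switches only for the management VLAN, `ip helper-address` only on VLANs that hand out DHCP, every carried VLAN tagged on the inter-switch links) can be applied mechanically to the whole subnet table from the question. The generator below is an added example, not code from the thread: it emits the `vlan N ...` one-command-per-line syntax that worked on the 2650 and runs the checks a practitioner would want before pasting. VLAN names follow the question's table (214 filtered, 213 non-filtered); the port numbers, the DHCP server address and the `max-vlans` value are assumptions.

```python
"""Added example (not from the thread): generate ProCurve 2650 commands from
the subnet plan in the question, applying the rules from the replies.
Port assignments, the DHCP server address and the access-port ranges are
assumptions; 49/50 as the inter-switch links come from the thread."""
import ipaddress

DHCP_SERVER = "192.168.212.10"   # assumed address of the DC once it sits on the Prod VLAN
MGMT = "192.168.200.0/24"

# Subnet plan from the question; the third field marks VLANs that use DHCP.
PLAN = [
    ("Web_Filtered_Wless",     "192.168.214.0/24", True),
    ("Web_Non_Filtered_Wless", "192.168.213.0/24", True),
    ("Prod_Servers",           "192.168.212.0/24", False),
    ("QA_Servers",             "192.168.211.0/24", False),
    ("DEV_Servers",            "192.168.210.0/24", False),
    ("Security_Systems",       "192.168.209.0/24", False),
    ("AV_Equipment",           "192.168.208.0/24", False),
    ("Management",             MGMT,               False),
]

# Per-switch role, host part of the management address, tagged link ports and
# untagged access ports per VLAN (assumed port numbers).
SWITCHES = {
    "Network": {"l3": True,  "host": 1, "trunks": [49, 50], "access": {214: "1-4", 213: "5-8"}},
    "Media":   {"l3": False, "host": 2, "trunks": [50],     "access": {214: "1-2", 213: "3-4", 208: "9-20"}},
    "Server":  {"l3": False, "host": 3, "trunks": [50],     "access": {212: "1-12", 211: "13-24", 210: "25-36"}},
}

def vlan_id(cidr):
    """Thread convention: the VLAN number is the third octet of the subnet."""
    return int(ipaddress.ip_network(cidr).network_address.packed[2])

def render(switch_name):
    """Return the command list for one switch in 'vlan N <keyword> ...' form."""
    sw = SWITCHES[switch_name]
    # max-vlans only takes effect after 'write memory' and a reboot (default limit is 8).
    cmds = ["configure terminal", f"max-vlans {len(PLAN) + 8}"]
    if sw["l3"]:
        cmds += ["ip routing", "dhcp-relay"]
    trunks = ",".join(str(p) for p in sw["trunks"])
    for name, cidr, dhcp in PLAN:
        vid, net = vlan_id(cidr), ipaddress.ip_network(cidr)
        is_mgmt = cidr == MGMT
        if not (sw["l3"] or is_mgmt or vid in sw["access"]):
            continue                     # an L2 switch only carries the VLANs its ports use
        cmds.append(f"vlan {vid} name {name}")
        cmds.append(f"vlan {vid} tagged {trunks}")
        if vid in sw["access"]:
            cmds.append(f"vlan {vid} untagged {sw['access'][vid]}")
        if sw["l3"] or is_mgmt:          # SVI: every VLAN on the L3 switch, management only on L2
            cmds.append(f"vlan {vid} ip address {net.network_address + sw['host']}/{net.prefixlen}")
        if dhcp and sw["l3"]:            # relay lives where the SVI is
            cmds.append(f"vlan {vid} ip helper-address {DHCP_SERVER}")
    cmds.append("write memory")
    return cmds

def check(switch_name, cmds):
    """Sanity checks before pasting: returns a list of problems (empty is good)."""
    sw = SWITCHES[switch_name]
    joined = "\n".join(cmds)
    problems = []
    if vlan_id(MGMT) == 1:
        problems.append("management VLAN must not be VLAN 1")
    svis = sum(" ip address " in c for c in cmds)
    if not sw["l3"] and svis != 1:
        problems.append(f"L2 switch carries {svis} SVIs, expected only the management one")
    for _, cidr, dhcp in PLAN:
        vid = vlan_id(cidr)
        if sw["l3"] and dhcp and f"vlan {vid} ip helper-address" not in joined:
            problems.append(f"VLAN {vid} uses DHCP but has no helper-address")
        if f"vlan {vid} untagged" in joined and f"vlan {vid} tagged" not in joined:
            problems.append(f"VLAN {vid} has access ports but is not tagged toward the L3 switch")
    return problems

if __name__ == "__main__":
    for name in SWITCHES:
        print(f"# --- {name} 2650 ---")
        print("\n".join(render(name)))
        print("# problems:", check(name, render(name)) or "none")
```

Run it once per switch and paste the output; the Network switch gets all eight VLANs with SVIs and two helper addresses, the Media and Server switches get only the VLANs their ports use plus the management SVI. When the DC is later moved into the Prod VLAN, `DHCP_SERVER` is the single place to change, which is the "change ip helper address" step Fidelius mentions.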
