Creating 2x vlans on a /16 subnet?

Why no assign the switch a ipaddress in VLAN20.

Our switches have Layer3 switched with VLAN routing enabled so we use multiple ip addresses, but we can manage the switch from any VLAN.

That may not be what you want, but it would solve your problem

how can i assign 2x ips to the 2x vlans i.e. vlan01 172.19.4.5 and vlan20 172.19.4.6?

The problem is that i cant set the above ips as the subnet is 255.255.0.0.
If i change the subnet to 255.255.255.0 to both vlans will they still communicate on the over all 255.255.0.0 lan?

You cannot have the 172.19.4.0/24 in two separate vlans and then expect them to route. you would need to seperate the subnets. The idea of VLANS is to logically separate the broadcast domain.

If you plan to keep them in the same subnet, why are you looking to use VLAN's?

because the voice needs to be on its own vlan apparently..

So can i leave the existing data/vlan as is and create the new voice vlan on a completely different network i.e. 10.0.0.*?
Will the vlan20 voice phones then still talk to 172. range? and also the remote sites on 192s?

exactly. - make sure you add the routes at your cisco firewall too

how will the 172 traffic talk locally between the vlans when on a different vlan/ip/network?

So port 1 (after setting to a trunk) then hasnt any impact or links to the 2x vlans on the switch?

A trunk port will Tag vlan1 AND vlan20 as long as the Cisco is set to tag both sets of traffic then it will work as expected.

The provider of the phone solution requires (ideally) use of a DHCP server (currently on a 172 range) to deploy dhcp ips to the phones with a number of options i.e. scope option 156, tagging etc...
I assume the dhcp server on 172 cant help here?

would the lan02 on the cisco firewall/router (configured on vlan20) be suitable to deploy ips via dhcp?

and to help understand from both side, attached are 2x diagrams:

site a & b - shows existing 2x networks, along with new voice kit (172.19.4.5, bri x2, ip phones, oaisys, dhcp config for voice)

site a - shows our revised plan (again new kit is: oaisys, hp poe, ingate sbc etc)

Which of the above will work?

Thanks
Site-A---Plan-1.jpg
Site-A---B---Plan-2.jpg

That depends on the switch, if it can do "dhcp helper" or "dhcp relay" then yes it can.

Otherwise you could put a server on a VLAN20 port.

try this : http://h30499.www3.hp.com/t5/Switches-Hubs-Modems-Legacy-ITRC/hp-2910al-switch-trunking-and-basic-understanding/td-p/4492878#.Ui2GxMaOTK0

there is a dhcp relay option..

Ok, going back to iP configs: should the vlan20 IP range work with a 172.16.0.0/16, given the data vlan01 is currently on 172.19.0.0/16??

Yup, as /16's they will be considered two separate subnets.

http://www.subnet-calculator.com/cidr.php is a good calculator for subnet work

And can the windows dhcp server that is plugged into the 172.19.0.0 vlan10 network allocate ips to 172.16.0.0 ip phones?

Thanks

Confusing...

Ok, new vlan20 created.
Output:


HP-E2910al-48G-PoE(config)# show running-config

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
snmp-server community "public" unrestricted
snmp-server contact "IT" location ""
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-48
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   ip address 172.16.4.5 255.255.0.0
   exit
no autorun
password manager

HP-E2910al-48G-PoE(config)#

Ok, So i don't know the HP config that well but i guess it would go some thing like this... I will highlight the Changes i would suggest

HP-E2910al-48G-PoE(config)# show running-config

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
snmp-server community "public" unrestricted
snmp-server contact "IT" location ""
vlan 1
   name "DEFAULT_VLAN"
tagged 1
  untagged 2-12
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   tagged 1
 untagged 13-48
   ip address 172.16.4.5 255.255.0.0
ip helper-address 172.19.4.1 dhcp ----- Whatever your DHCP server address is
   exit
no autorun
password manager

--------------------------------------------------
Dell and cisco tend to work on the interfaces
so to set a trunk port on those devices tends to look like this:-

interface ethernet 1/xg3
sflow 1 sampling 1024
description 'No9_Main_Link'
switchport mode trunk
switchport trunk allowed vlan add 1-2,11
exit

As i say i am not familiar with the HP CLI, but see above for best guess. I would try it on a spare switch first though.

'tagged 1' meaning?
i assume the gateway can stay as is and the 172.16 traffic can still route out through the cisco asa 5505 firewall (connected to lan02 - configured for vlan20)?
How would the switch then be connected to the firewall & other switches?

Ok you would tag if you were creating a "trunk port"... If not and you plan to use two separate cables from the firewall. Then you would build your network something like this

What's the centre switch (i assume switch)?

Yup, the switch we are configuring above...

Updated, to reflect new vlan20 settings.....
Will this work on the 2910 and will traffic route internally?
Network-Diagram-SiteA-v2.vsd

Is my diagram not the same?

I have found a few sites for you.

It looks like your ASA5505 can't route between VLAN's

http://www.richweb.com/can_the_cisco_asa_be_a_router

But from the looks of this, (http://justanothergeeks.blogspot.co.uk/2012/09/hp-procurve-inter-vlan-routing-with.html) you can enable vlan routing at the switch.

The Dude above has gone through the same issue as you, it might be worth a read.

I have been told that the lan01 and lan02 interfaces on the cisco will be connected to vlan01 and vlan20 respectively.

Are you saying that the 2910 should be connected to the firewall and daisy chained to the other switches?

The switch in the centre is the 2910al 48 port.  THe other 2 in your diagram (for us) would be data only switches.

Check with your cisco guy to ensure the routing will work on the ASA...

If the Cisco is going to do the routing then you are going to need to set two ip addresses on the Cisco.

Lan01 will need to be on 172.19.4.0 range
Lan02 will need to be on the new 172.16.4.0 range

Unless you want to configure the other switches they will need to be dedicated to Voice OR Data and connected to one of your ports on the HP2910al - 1-12 for Data or 13-48 for voice.

The switch in the centre is the 2910al 48 port.  THe other 2 in your diagram (for us) would be data only switches.

Then you would ensure these switches will only be in ports 1-12 on your HP

Cisco's LAN01 would be in a port between 1-12
Cisco's LAN02 would be in a port between 13-48

So no trunks required?

Foudn this: http://support.shoretel.com/kb/downloads/best_practices_vlans_and_qos.pdf

nope, not if you are using two cables...

Just a word of warning, that document talks about tagging... you have dedicated ports on your switch. the port is for a phone OR a computer, not for both!

I assume you mean using the inline power adapters with 2x nic ports?  We wont be using these.

Without going into too much detail the phones will have two nic ports in the back of them (essentially a mini hub). One port goes to the switch, the other for your PC. the idea being that you only need 1 connection for both PC and phone.

You won't be able to do this. Each of your desks will need two ports to the switch. One for the computer, the other for the phone. A PC going through a phone won't work as it will pickup a IP address from your voice vlan.

Would my diagram not be sufficient?  i.e. not rely on the 2910 as the primary switch

Network-Diagram-SiteA-v2.vsd
Network-Diagram-SiteA-v3.vsd

Yes, we have planned for this (your last comment)..

In terms of the link from Cisco to HP.... yes, both should work.

[EDIT]

Make sure that your CISCO guy is aware that he will be doing the routing between the two subnets.

Good, that should help us in the event we lose a switch....
Whats required on the vlan01 and vlan20 side of things?  i.e. to configure the ports

nothing,

just make sure you have untagged on the relevant port

vlan 1
   name "DEFAULT_VLAN"
  untagged 1-12
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 13-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.4.1 dhcp ----- Whatever your DHCP server address is
   exit

Not tagged?
Difference between tagged and untagged?

tagged means that all the packets have a VLAN tag attached.
untagged means they are treated like normal packets.

As you are dedicating ports to each vlan, this is not needed.

for this:    ip helper-address 172.19.4.1 dhcp ----- Whatever your DHCP server address is

are there any settings that will ensure that it doesnt give out incorrect ips from other scopes etc?

no, when you create the scope in DHCP it matches the ip range from the voice vlan (from the switch ip address) to the scope range.

ah so 172.16.105.1-254?

On the DHCP server, is it creating a new scope, superscope or multiscope?

Getting configuration failed when trying to allocate specific port numbers to the 2x vlans...

Fixed above by configuring the ports on the vlan20, which removed the vlan20 ports from the vlan01..

We use 2x dhcp servers for redundancy.
Can i configure 2x dhcp helpers for a single vlan?

Ok, i have:


HP-E2910al-48G-PoE(vlan-20)# show running

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
interface 1
   name "HP1910"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
interface 3
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT" location ""
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   ip helper-address 172.19.10.18
   exit
no autorun
password manager

HP-E2910al-48G-PoE(vlan-20)#

Do i need to configure scope options on the dhcp server for vlan20?

DHCP Server - attached.

Correct?
dhcp1.jpg

that looks good... you will need scope options, normally 156 but you will need to get them from your phone provider as they will be unique to your environment

regards the 156 - fine, i think we will get there...

I have a client machine on the vlan20 but not picking up an ip..?

THe scope options are populated in dhcp for the vlan20 scope.  should i remove?

oh, i cant remove as part of server settings.
ideas?

HP-E2910al-48G-PoE(config)# show dhcp-relay
  DHCP Relay Agent         : Enabled
  Option 82                : Disabled
  Response validation      : Disabled
  Option 82 handle policy  : replace
  Remote ID                : mac

  DHCP Relay Statistics:

  Client Requests       Server Responses

  Valid      Dropped    Valid      Dropped
  ---------- ---------- ---------- ----------
  112        0          0          0

  DHCP Relay Option 82 Statistics:

  Client Requests       Server Responses

  Valid      Dropped    Valid      Dropped
  ---------- ---------- ---------- ----------
  0          0          0          0
HP-E2910al-48G-PoE(config)#
HP-E2910al-48G-PoE(config)#

Do i need to configure option 82 on the scope ?

HP-E2910al-48G-PoE(config)# show ip helper

 IP Helper Addresses

 VLAN: 1
  IP Helper Address
  -----------------

 VLAN: 20
  IP Helper Address
  -----------------
  172.19.10.17
  172.19.10.18


HP-E2910al-48G-PoE(config)# show ip

 Internet (IP) Service

  IP Routing : Disabled

  Default Gateway : 172.19.10.15
  Default TTL     : 64
  Arp Age         : 20
  Domain Suffix   :
  DNS server      :

  VLAN                 | IP Config  IP Address      Subnet Mask     Proxy ARP
  -------------------- + ---------- --------------- --------------- ---------
  DEFAULT_VLAN         | Manual     172.19.4.5      255.255.0.0      No
  Voice                | Manual     172.16.4.5      255.255.0.0      No


HP-E2910al-48G-PoE(config)# show vlan

 Status and Counters - VLAN Information

  Maximum VLANs to support : 256
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :

  VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  1       DEFAULT_VLAN                     | Port-based No    No
  20      Voice                            | Port-based No    No


HP-E2910al-48G-PoE(config)#

I can't see why that would fail

Can you try setting a hard ip address in VLAN20 and try pinging the ip address of the switch   172.16.4.5

Hard/static ip on the client/PC?

The switch IP is 172.19.4.5
The vlan20 ip is 172.16.4.5

ok, static on the PC 172.16.105.1 / 255.255.0.0
GW = 172.16.4.5

can ping both the 172.16.4.5 and 172.19.4.5 IPs of the switch...  cant route out to the 172.19.0.0/24 network though..

Are the switch settings correct?

it's not a 172.19.0.0/24 it is a /16....

Has your cisco guy configured the route? your gateway should be the cisco address

yes sorry, typo.
not yet.  this site wont have the vlan20 setup on the firewall.  
we are moving sites and will be deploying a new firewall with vlan20 on lan02 i believe.

this is proving the vlan20 will work on our existing lan...

As long as you can ping the switch but not other devices on the other VLAN then your VLAN's are working..

Why the DHCP relay is not working i am not sure, you may want to check your config against something like this. - http://www.hp.com/rnd/support/config_examples/5300xl_dhcp_relay.pdf - Can you run sh ip helper-address?

Without the cisco routing, you will not be able to route between the VLAN's as it currently stands.

can i enable routing on the switch for this test?

i already come across this doc..

You could..., As i mentioned previously have a look at the webpage above.

https://www.experts-exchange.com/questions/28232417/Creating-2x-vlans-on-a-16-subnet.html?anchorAnswerId=39476337#a39476337.

That gent did exactly the same thing you are asking. If you are testing then I would strongly suggest that you use a test switch.

ok, ip routing enabled, still no ip from dhcp to my PC on vlan20...

do i need to configure dns on the switch
do i need to configure 82 option in dhcp?

DNS is not needed. Not sure what option 82 is, or where you are seeing it.

Let me just confirm how your network is set up

HP is a 48 port switch
Port 1 to LAN01 on Cisco firewall
port 2 to DHCP server Address set to 172.19.10.17 & 172.19.10.18 with windows firewall disabled.
Port 3 to Client PC A - This receives a DHCP reply and the correct ip address in the 172.19.0.0/16 range?
Port13 to LAN02 on Cisco firewall
Port 14 to Client PC B - Not receiving a DHCP reply, but when hard set to a 172.16.0.0/16 address it can ping the 172.16.4.5 address...

They are my assumptions... I have a couple of questions.

Your DHCP server has two ip addresses? ... is the DHCP server bounded to both interfaces or just the one? if just one then which is it? make sure your IP helper address is set to the correct address.

Can you run wireshark on your PC while on VLAN20 to see what traffic is being sent and received. You should also run it on your DHCP server to see if you are getting a request packet.

Not quite.

The plan is to eventually separate the vlans 01 & 20 directly from the newly configured 2x lan/vlan ports on the firewall.  Currently this is a test to see if i can route vlan20 traffic internally between the .19 and .16 lans, power up a shoretel poe phone and talk to dhcp etc...

Currently our setup like this:
Cisco Router to -
Cisco ASA 5505 Firewall lan0/5 to -
HP1910 port 21 (default vlan01), port 1 (vlan01) to -
netgear unmanaged switch to
HP2910al port 1 (vlan01) to
PC on port 30 (vlan20)

Guess this isnt going to route internally?

Plan is to:
Firewall lan01 (vlan01) to
HP1910 port 1 (vlan01) to
another Hp1910 (vlan01) linked to
Servers (inc DHCP) and all client machines on (vlan01)
172.19.0.0/16
&
Firewall lan02 (vlan20) to
HP2910 port 48 (vlan20) to
ip phones and shoretel kit all on vlan20
172.16.0.0/16

Thanks

Ok, If I were you I would try and simplify the network while testing.

for the purpose of the test, put your DHCP server to the 2910al (VLAN1 Port) directly ... then put a PC in a VLAN20 port on the 2910al then try and again to get an ip address. Once that works then introduce your new switches to find out which one is causing the DHCP requests to be dropped.

The DHCP box is a VM so cant move it...

and is plugged into the hp1910 switch on vlan01..

I have left the other trouble shooting paragraphs just in case it still does not work

thanks, no, the scope is active, just deactivated it yesterday on the safe side

Ok,

then I would try what I suggest above.

Let me know how you get on, if you can show the wireshark logs that would be helpful.

can you recommend a free dhcp server?

i have applied a static IP to the PC again for each vlan and can only ping the vlan ip on its connected port, cant ping the other vlan ips....

Depends on your Linux experience. I would normally throw down a ubuntu install. But it can be quite involved...

Doing a quick search for something like this. http://www.dhcpserver.de/dhcpsrv.htm but i have never used it.

You are saying if you put a PC in VLAN01 port 1-6 you are not able to ping anything else on the network?

Sorry, my mistake the static must have been wrong.  
using dhcp on the client works and picks up an ip fine and can ping everything on the vlan01 and other switches on vlan01..

we have also disabled STP, ICMP redirects (as advised by the comms co)...

Have you got the logs yet?

wireshark ones?

Is the subnet mask (255.255.0.0) correct for the 2x vlans?   Should it be 255.0.0.0?

Config:

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 172.19.10.15
ip routing
interface 1
   name "to HP1910"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
interface 3
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 10
   name "Oaisys Port Mirror"
   exit
interface 48
   name "vlan20 to Firewall"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
no autorun
password manager

So is there any specifics you can help me with regards to capturing the logs etc?