Solved

Correct network design for vlans

Posted on 2013-11-06
372 Views
Last Modified: 2013-11-14
We have 2x sites that will be adding a 2nd vlan for a voice solution.

Currently our remote site has the following setup:

Router - Cisco ASA 5505 Firewall (vlan1 & 20) - L3 HP Switch
                                                  - Cisco unmanaged

Should the cisco unmanaged daisy chain off the HP L3 switch?

Also our main site has a similar setup:

Router - Cisco ASA 5505 Firewall (vlan1 & 20) - L3 HP switch
                                                  - L2 HP switch
                                                  - L2 HP switch

Same goes for this site: should the 2x L2 HP switches (just on vlan1) daisy chain off the HP 2910al L3 switch?

Thanks

PS - attached.
Network-Diagram-SiteA.jpg
Network-Diagram-SiteB.jpg
Question by:CHI-LTD
33 Comments
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 167 total points
The switches can daisy chain off the layer 3 switches; just know that the switches will be on whatever VLAN is configured on the port they uplink to.
0
 
LVL 1

Author Comment

by:CHI-LTD
Sure.  So the L3 has vlan1 and 20 configured.
The other L2 switches are vlan1 only.  

At the moment I cannot ping from vlan20 on the L3 switch to vlan1 on the L2 switch..

Ideas?
0
 
LVL 1

Author Comment

by:CHI-LTD
And the other way: vlan1 on the HP L2 switch (172.19.4.4) to the vlan20 interface on the L3 switch (172.16.4.5).
0
 
LVL 26

Expert Comment

by:Soulja
Post your configs of the L3 switch and the HP switch.
0
 
LVL 1

Author Comment

by:CHI-LTD
L3:

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 172.19.10.15
ip routing
interface 1
   name "to HP1910"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
interface 3
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 10
   name "Oaisys Port Mirror"
   exit
interface 48
   name "vlan20 to Firewall"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
no autorun
password manager

L2:

I can't get the L2 configs off, but I know it's only got vlan1 set...

Thanks
0
 
LVL 2

Assisted Solution

by:mannyfernandez
mannyfernandez earned 167 total points
You can configure the connections where the Cisco switches are connected to as tagged ports for VLAN 1 and 20.  Then on the Cisco side, configure the interfaces as 'switchport mode trunk' (or 'switchport trunk encap' then 'switchport mode trunk').

You can then configure the Cisco ports as either vlan 1 or 20.  This will help if and when you plug a PC into the phone jack.  The packets destined to the same VLAN would get forwarded to all ports that have that VLAN configured or the trunk (tagged in HP speak).  Any packets destined for the other VLANs would be routed using the L3 HP switches.
0
 
LVL 45

Expert Comment

by:Craig Beck
You can configure the connections where the Cisco switches are connected to as tagged ports for VLAN 1 and 20.  Then on the Cisco side, configure the interfaces as 'switchport mode trunk' (or 'switchport trunk encap' then 'switchport mode trunk').
The Cisco switches are unmanaged, aren't they?
0
 
LVL 2

Expert Comment

by:mannyfernandez
Oops.  Correct
0
 
LVL 1

Author Comment

by:CHI-LTD
Yes, the Cisco switch at site A is unmanaged.
Could this be why clients are showing an exclamation mark on the network icon (even though internet is fine)?
0
 
LVL 45

Expert Comment

by:Craig Beck
Can you ensure that the client on VLAN 20 is using 172.16.4.5 as the default gateway, and the client on VLAN 1 is using 172.19.4.5 as the default gateway?

Can you also check that a client on each VLAN can ping their gateway?
0
 
LVL 1

Author Comment

by:CHI-LTD
No, the vlan20 clients are using a DGW of 172.16.10.15, which (sorry, I missed this out on the diagram) is the fe02 interface on the ASA.
Clients on vlan1 (either on the HP1910 172.19.4.4 or HP2910 172.19.4.5) are using a DGW of 172.19.10.15 - the ASA interface 1.

Just trying to ping from vlan20 on the L3 switch to vlan1 on the L2 switch and it fails...
0
 
LVL 1

Author Comment

by:CHI-LTD
Are you saying all hosts connected to either the L3 or L2 switches on vlan1 or 20 should be gatewaying to the vlan1 and vlan20 interfaces on the HP 2910, and the 2910 should have a DGW of the Cisco ASA?
0
 
LVL 45

Expert Comment

by:Craig Beck
Ok, which device is doing your routing?  Is it the ASA, or is it the L3 switch?
0
 
LVL 2

Expert Comment

by:mannyfernandez
If you are using the ASA as a router between the LANs you need to make sure that the security levels are correct, whether you have nat-control on or off (depending on the version of ASA code), and that you have configured 'inspect icmp' on the service policy.

Also, if vlan 1 and 20 are at the same security level, you need to make sure that you have permitted same-security communication.
0
 
LVL 1

Author Comment

by:CHI-LTD
Just ran some tests:

connected to HP 1910 vlan1 L2 switch with Static IP:
172.19.105.111
255.255.0.0
GW: 172.19.10.15

Can ping 172.19.4.4 (1910 switch), 172.19.4.5 (hp 2910 vlan interface) and 172.16.4.5 (vlan20 interface) but CANNOT ping 172.16.10.15 (the GW of the ASA).


Same config as above but with a GW of 172.19.4.4:
Can't ping anything on vlan20.


As above with 172.19.4.5 as the GW:
Can ping 172.16.4.5 but not 172.16.10.15 or 172.19.4.4.


Do I need routes added on the HP2910 for:
172.19.4.4
172.16.10.15
0
 
LVL 45

Expert Comment

by:Craig Beck
Keep it simple...

Do you need to firewall between the voice and data VLANs?
0
 
LVL 1

Author Comment

by:CHI-LTD
Yes, we are using the firewall to route.
0
 
LVL 45

Expert Comment

by:Craig Beck
So why do you have multiple IP addresses on the L3 switch then?  And why is it even in L3 mode?

If all your devices are using the appropriate default gateway on their correct subnets I would look at the rules you have configured on your firewall.

There is also an option on the ASA to allow or block traffic between interfaces with the same security level.
0
 
LVL 1

Author Comment

by:CHI-LTD
It was confirmed by the telco that we needed an L3 PoE switch for VLANs.
Then my ISP, who looks after the firewall, said they can route using the ASA.

That said, all seems to be working apart from getting the ShoreTel Communicator software talking to the HQ server.
Clients on vlan1 172.19.105.* GW 172.19.10.15
Voice kit on vlan20 172.16.105.100 (statics at present) and HQ server 172.16.10.15

Can ping clients from vlan1 to vlan20...
0
 
LVL 45

Expert Comment

by:Craig Beck
So, if you don't really need to route between the VLANs for anything, just use the L3 switches in L2 mode and use the ASA as the gateway for each VLAN.

It looks like you've got that configured on the clients/phones anyway, so now you need to come back to the question...

Do you actually need to route between VLAN1 and VLAN20?
0
 
LVL 1

Author Comment

by:CHI-LTD
So to go to L2 I just need to turn off ip routing?

'no ip routing'

Yes, we do.  We need the VoIP software on hosts on vlan1 172.19.105.* to be able to talk to the VoIP server on vlan20 172.16.10.30.

Thanks
0
 
LVL 45

Expert Comment

by:Craig Beck
And do you need firewalling between the two VLANs?
0
 
LVL 1

Author Comment

by:CHI-LTD
No, just the ASA.
0
 
LVL 45

Accepted Solution

by:Craig Beck
Craig Beck earned 166 total points
So, use the L3 switch as L3, and just use the ASA to route your off-net traffic.

I would point everything at the L3 switch for the gateway, so phones use 172.16.4.5 as their gateway, and PCs/Servers use 172.19.4.5 as their gateway.

Use one link between the ASA and the L3 switch purely for routing traffic to the internet.

This way, all local LAN traffic will route straight across the L3 switch, and internet traffic will go up to the ASA.

Something like this on the L3 switch...

ip route 0.0.0.0 0.0.0.0 192.168.255.1
interface 48
   name "Routed link to Firewall"
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-47
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
vlan 999
   name "Internet"
   untagged 48
   ip address 192.168.255.2 255.255.255.252
   exit


The ASA would connect to port 48 on the L3 switch and use 192.168.255.1 255.255.255.252 on its interface.  You'd add a static route to the ASA something like this...

interface Ethernet0
 ip address 192.168.255.1 255.255.255.252
 nameif inside
 security-level 100
!
route inside 172.16.0.0 255.255.0.0 192.168.255.2
route inside 172.19.0.0 255.255.0.0 192.168.255.2


0
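The routing the accepted answer describes, modelled as an added example (my code, not the thread's configs): the L3 switch's two connected /16s plus its default route over the /30, the ASA's two 'route inside' statements, and a longest-prefix-match walk showing that LAN-to-LAN traffic stays on the switch while internet traffic and its replies cross the point-to-point link. Assumed values: 203.0.113.1 as a placeholder for the ISP next hop on the ASA, and 198.51.100.10 as a constructed internet destination.

```python
import ipaddress

# Constructed routing tables for the accepted design, as (prefix, next hop);
# a next hop of None means directly connected. Internal addresses come from the
# thread; 203.0.113.1 is a placeholder for the ISP's next hop on the ASA.
SWITCH_L3 = [("172.19.0.0/16", None), ("172.16.0.0/16", None),
             ("192.168.255.0/30", None), ("0.0.0.0/0", "192.168.255.1")]
ASA = [("192.168.255.0/30", None), ("0.0.0.0/0", "203.0.113.1"),
       ("172.16.0.0/16", "192.168.255.2"),   # the two 'route inside' lines
       ("172.19.0.0/16", "192.168.255.2")]
ASA_NO_STATICS = ASA[:2]                      # the same ASA without them
TABLES = {"switch": SWITCH_L3, "asa": ASA}
HOP_OWNER = {"192.168.255.1": "asa", "192.168.255.2": "switch"}  # who owns each /30 end

def lookup(table, dst):
    """Longest-prefix match of dst against table; returns (network, next_hop) or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def trace(dst, start, tables=TABLES):
    """Devices a packet crosses from `start` to dst, ending in the delivering device,
    'exit via <ip>' when handed to the ISP, 'DROP' when unroutable, or 'LOOP'."""
    path, device = [start], start
    for _ in range(len(tables) + 1):          # bounded walk: no infinite loops
        route = lookup(tables[device], dst)
        if route is None:
            return path + ["DROP"]
        next_hop = route[1]
        if next_hop is None:                  # directly connected: delivered here
            return path
        if next_hop not in HOP_OWNER:         # off-net: handed to the ISP
            return path + [f"exit via {next_hop}"]
        device = HOP_OWNER[next_hop]
        path.append(device)
    return path + ["LOOP"]

if __name__ == "__main__":
    print("PC -> PBX:", trace("172.16.10.30", "switch"))            # stays on the switch
    print("PC -> internet:", trace("198.51.100.10", "switch"))      # constructed destination
    print("reply -> PC:", trace("172.19.105.111", "asa"))
    print("reply -> PC, no statics:",
          trace("172.19.105.111", "asa", {"switch": SWITCH_L3, "asa": ASA_NO_STATICS}))
```

The last case is the check worth keeping: without the two static routes the ASA matches the reply for 172.19.105.111 against its default route and sends it back toward the ISP instead of the switch, so internet sessions break even though the LAN side works.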
 
LVL 1

Author Comment

by:CHI-LTD
How will we handle VoIP traffic on the firewall, though?
0
 
LVL 1

Author Comment

by:CHI-LTD
And currently my L2 switch daisy-chained to vlan 1 on the HP2910 isn't pingable from vlan20.
0
 
LVL 45

Expert Comment

by:Craig Beck
You said you don't need VoIP traffic through the firewall...

Don't confuse the firewall with a router.  The firewall 'can' route, but if you don't want to firewall between the data and voice VLANs why do you need to put any of that traffic through the firewall unless it's going to the internet?
0
 
LVL 45

Expert Comment

by:Craig Beck
And currently my L2 switch daisy-chained to vlan 1 on the HP2910 isn't pingable from vlan20.
One step at a time... it won't work until you get the routing sorted.
0
 
LVL 1

Author Comment

by:CHI-LTD
We need VoIP traffic through the firewall as it's using SIP, not ISDN.

Ideas how to get the HP1910 on vlan1 and the HP2910 vlan1 and vlan20 talking?  I can ping most devices but not from 1910 vlan1 to 2910 vlan20..
0
 
LVL 45

Expert Comment

by:Craig Beck
The VoIP traffic can go through the firewall - that's not an issue.

The point I'm making is that if phones on one VLAN need to get to the PBX on another VLAN, they don't need to go through the firewall to do that.

Really, you're not getting the whole picture here.  We're telling you exactly how to get VLAN1 and VLAN20 talking.  You just need to follow us, and do what we're asking.
0
 
LVL 1

Author Comment

by:CHI-LTD
But if we go your route, how will we ensure QoS is applied?
0
 
LVL 45

Expert Comment

by:Craig Beck
Slow down... QoS is far easier to implement across a switch than it is through a Firewall!

Honestly, I can't say this any simpler, but one step at a time.  You shouldn't even be thinking about QoS yet.

If you're going from A-B on a network with a couple of VLANs through one L3 switch this really isn't going to be an issue you'll need to address yet anyway.  Let's get this broken down into nice and easy sections so we all know what we're dealing with, instead of bouncing around all over the place.

Deal with the routing first.  We've already established that you don't need to firewall between the data and voice VLANs, so there's the first issue sorted.  We simply route between the two subnets at the L3 switch - no firewall involved.  (I know you said that you need SIP traffic through the firewall, but that's between the PBX and the SIP provider, not between the PBX and the phones.)

This then tells you roughly how you connect your firewall.  As we're not routing through it between VLANs, we can configure it in a point-to-point fashion, where the main router (the L3 switch) sends all traffic to the internet via the firewall.

When you've done all that, then you can think about QoS and how you configure it.  If you need QoS across the internet then we'll need to do some work at the firewall, but if not just deal with it at the L3 switch, and the L2 switches if they support it.  If the L2 switches don't support QoS, there's not much point really in even bothering with it.
0
 
LVL 1

Author Closing Comment

by:CHI-LTD
Ditched the ASA and 2x VLANs and used the HP L3 switch.
0
