Correct network design for vlans

Posted on 2013-11-06
Last Modified: 2013-11-14
We have 2x sites that will be adding a 2nd vlan for a voice solution.

Currently our remote site has the following setup:

Router - Cisco ASA 5505 Firewall (vlan1 & 20) - L3 HP switch
                                              - Cisco unmanaged switch

Should the cisco unmanaged daisy chain off the HP L3 switch?

Also our main site has a similar setup:

Router - Cisco ASA 5505 Firewall (vlan1 & 20) - L3 HP switch
                                              - L2 HP switch
                                              - L2 HP switch

Same goes for this site: should the 2x L2 HP switches (just on vlan1) daisy chain off the HP 2910al L3 switch?

Thanks

PS - attached.
Network-Diagram-SiteA.jpg
Network-Diagram-SiteB.jpg
Question by:CHI-LTD
33 Comments
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 668 total points
ID: 39627483
The switches can daisy chain off of the layer 3 switches; just know that the switches will be on whatever VLAN is configured on the port they uplink to.
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39627808
Sure.  So the L3 has vlan1 and 20 configured.
The other L2 switches are vlan1 only.  

At the moment i cannot ping from vlan20 on L3 switch to vlan1 on L2 switch..

Ideas?
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39628009
and the other way, so vlan1 on hp L2 switch (172.19.4.4) to vlan20 interface on the L3 switch 172.16.4.5.
 
LVL 26

Expert Comment

by:Soulja
ID: 39628069
Post your configs of the L3 switch and the HP L2 switch.
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39629616
L3:

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 172.19.10.15
ip routing
interface 1
   name "to HP1910"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
interface 3
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 10
   name "Oaisys Port Mirror"
   exit
interface 48
   name "vlan20 to Firewall"
   exit
; "unrestricted" = read-write SNMP access, here with the well-known default community string
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
no autorun
password manager

L2:

I can't get the L2 configs off, but I know it's only got vlan1 set...

Thanks
 
LVL 2

Assisted Solution

by:mannyfernandez
mannyfernandez earned 668 total points
ID: 39629853
You can configure the connections where the Cisco switches are connected as tagged ports for VLAN 1 and 20.  Then on the Cisco side, configure the interfaces as "switchport mode trunk" (or "switchport trunk encap" then "switchport mode trunk").

You can then configure the Cisco ports as either VLAN 1 or 20.  This will help if and when you plug a PC into the phone jack.  The packets destined to the same VLAN would get forwarded to all ports that have that VLAN configured or the trunk (tagged in HP speak).  Any packets destined for the other VLANs would be routed using the L3 HP switches.
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39629938
You can configure the connections where the Cisco switches are connected as tagged ports for VLAN 1 and 20.  Then on the Cisco side, configure the interfaces as "switchport mode trunk" (or "switchport trunk encap" then "switchport mode trunk")
The Cisco switches are unmanaged, aren't they?
 
LVL 2

Expert Comment

by:mannyfernandez
ID: 39629980
Oops.  Correct
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39630041
Yes, the Cisco switch at site A is unmanaged.
Could this be why clients are showing an exclamation mark on the network icon (even though internet is fine)?
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39630045
Can you ensure that the client on VLAN 20 is using 172.16.4.5 as the default-gateway, and the client on VLAN 1 is using 172.19.4.5 as the default gateway.

Can you also check that a client on each VLAN can ping their gateway?
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39630072
No, the vlan20 clients are using a DGW of 172.16.10.15, which (sorry, I missed this out on the diagram) is the fe02 interface on the ASA.
Clients on vlan1 (either on the HP1910 172.19.4.4 or HP2910 172.19.4.5) are using a DGW of 172.19.10.15 - the ASA interface 1.

Just trying to ping from vlan20 on the L3 switch to vlan1 on the L2 switch, and it fails...
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39630081
Are you saying all hosts connected to either the L3 or L2 switches on vlan1 or 20 should be gatewaying to the vlan1 and vlan20 interfaces on the HP 2910, and the 2910 should have a DGW of the Cisco ASA?
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39630098
Ok, which device is doing your routing?  Is it the ASA, or is it the L3 switch?
 
LVL 2

Expert Comment

by:mannyfernandez
ID: 39630127
If you are using the ASA as a router between the LANs, you need to make sure that the security levels are correct, that you have nat-control on or off as needed (depending on the version of ASA code), and that you have configured "inspect icmp" on the service policy.

Also, if vlan 1 and 20 are at the same security level, you need to make sure that you have permitted same-security communication.
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39630131
Just ran some tests:

connected to HP 1910 vlan1 L2 switch with Static IP:
172.19.105.111
255.255.0.0
GW: 172.19.10.15

Can ping 172.19.4.4 (1910 switch), 172.19.4.5 (hp 2910 vlan interface) and 172.16.4.5 (vlan20 interface) but CANNOT ping 172.16.10.15 (the GW of the ASA).


Same config as above but with GW of 172.19.4.4:
Can't ping anything on vlan20.


As above but with 172.19.4.5 as GW:
Can ping 172.16.4.5 but not 172.16.10.15 or 172.19.4.4.


Do I need routes added on the HP2910 for:
172.19.4.4
172.16.10.15
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39630144
Keep it simple...

Do you need to firewall between the voice and data VLANs?
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39630353
Yes, we are using the firewall to route.
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39630399
So why do you have multiple IP addresses on the L3 switch then?  And why is it even in L3 mode?

If all your devices are using the appropriate default gateway on their correct subnets I would look at the rules you have configured on your firewall.

There is also an option on the ASA to allow or block traffic between interfaces with the same security level.
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39632963
It was confirmed by the Telco that we needed an L3 PoE switch for VLANs.
Then my ISP, who look after the firewall, said they can route using the ASA.

That said, all seems to be working apart from getting the ShoreTel Communicator software talking to the HQ server.
Clients on vlan1 172.19.105.* GW 172.19.10.15
Voice kit on vlan20 172.16.105.100 (statics at present) and HQ server 172.16.10.15

Can ping clients from vlan1 to vlan20...
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39633146
So, if you don't really need to route between the VLANs for anything, just use the L3 switches in L2 mode and use the ASA as the gateway for each VLAN.

It looks like you've got that configured on the clients/phones anyway, so now you need to come back to the question...

Do you actually need to route between VLAN1 and VLAN20?
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39633186
So to go to L2 routing, I just need to turn off ip routing?

'no ip routing'

Yes, we do.  We need the VoIP software on hosts on vlan1 172.19.105.* to be able to talk to the VoIP server on vlan20 172.16.10.30.

Thanks
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39633217
And do you need firewalling between the two VLANs?
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39633410
No, just the ASA.
 
LVL 47

Accepted Solution

by:Craig Beck
Craig Beck earned 664 total points
ID: 39633456
So, use the L3 switch as L3, and just use the ASA to route your off-net traffic.

I would point everything at the L3 switch for the gateway, so phones use 172.16.4.5 as their gateway, and PCs/Servers use 172.19.4.5 as their gateway.

Use one link between the ASA and the L3 switch purely for routing traffic to the internet.

This way, all local LAN traffic will route straight across the L3 switch, and internet traffic will go up to the ASA.

Something like this on the L3 switch...

ip route 0.0.0.0 0.0.0.0 192.168.255.1
interface 48
   name "Routed link to Firewall"
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-47
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
vlan 999
   name "Internet"
   untagged 48
   ip address 192.168.255.2 255.255.255.252
   exit


The ASA would connect to port 48 on the L3 switch and use 192.168.255.1 255.255.255.252 on its interface.  You'd add a static route to the ASA something like this...

interface Ethernet0
 ip address 192.168.255.1 255.255.255.252
 nameif inside
 security-level 100
!
route inside 172.16.0.0 255.255.0.0 192.168.255.2
route inside 172.19.0.0 255.255.0.0 192.168.255.2


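The accepted design above (SVIs on the L3 switch as every host's gateway, a /30 routed link to the ASA, statics on the ASA pointing back at the switch) can be checked hop by hop with a small forwarding model. This is an added example, not code from the thread or from HP/Cisco: it implements longest-prefix-match lookup per node and walks a packet from source to destination. Addresses on the HP 2910al, the 192.168.255.0/30 link and the ASA statics are taken from the accepted solution; the ASA outside link (203.0.113.2/30 to an upstream at 203.0.113.1), the host addresses, and the HP 1910 at 172.19.4.4 modelled as a non-forwarding L2 switch are assumptions for the example.

```python
"""Added example (not part of the original thread): longest-prefix-match
forwarding model of the accepted design, walked hop by hop.

From the accepted solution: HP 2910al SVIs 172.19.4.5/16 (VLAN 1),
172.16.4.5/16 (VLAN 20), 192.168.255.2/30 (VLAN 999), default route to
192.168.255.1; ASA inside 192.168.255.1/30 with statics for 172.16.0.0/16
and 172.19.0.0/16 via 192.168.255.2.
Assumed for the example: ASA outside 203.0.113.2/30 to an upstream at
203.0.113.1, the host addresses, and the HP 1910 (172.19.4.4) as an L2
switch that has a management IP but does not forward packets.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network


@dataclass
class Node:
    name: str
    addrs: list                                  # interface addresses, "a.b.c.d/len"
    routes: list = field(default_factory=list)   # static routes, ("net/len", "next_hop")
    forwards: bool = False                       # True only for routers / the L3 switch
    sink: bool = False                           # upstream ISP: anything arriving counts as delivered

    def __post_init__(self):
        self.ifaces = [ip_interface(a) for a in self.addrs]
        # Forwarding table: connected networks (no next hop) plus the statics.
        self.table = [(i.network, None) for i in self.ifaces]
        self.table += [(ip_network(n, strict=False), ip_address(h)) for n, h in self.routes]

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces)

    def lookup(self, dst):
        """Longest-prefix match over the table; returns (network, next_hop) or None."""
        matches = [(net, nh) for net, nh in self.table if dst in net]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def _owner(nodes, addr):
    return next((n for n in nodes.values() if n.owns(addr)), None)


def trace(nodes, src, dst_ip, max_hops=8):
    """Follow a packet from node `src` towards dst_ip; returns (path, delivered)."""
    dst = ip_address(dst_ip)
    node = nodes[src]
    path = [node.name]
    for hop in range(max_hops):
        if node.owns(dst) or node.sink:
            return path, True
        if hop > 0 and not node.forwards:
            return path, False          # landed on a host or L2 switch that is not the destination
        route = node.lookup(dst)
        if route is None:
            return path, False          # no route: dropped
        _, next_hop = route
        target = _owner(nodes, dst if next_hop is None else next_hop)
        if target is None:
            return path, False          # next hop is not on any segment we know about
        path.append(target.name)
        node = target
    return path, False


def build_lab():
    """Constructed topology following the accepted solution (see module docstring)."""
    nodes = [
        Node("hp2910", ["172.19.4.5/16", "172.16.4.5/16", "192.168.255.2/30"],
             routes=[("0.0.0.0/0", "192.168.255.1")], forwards=True),
        Node("asa", ["192.168.255.1/30", "203.0.113.2/30"],
             routes=[("172.16.0.0/16", "192.168.255.2"),
                     ("172.19.0.0/16", "192.168.255.2"),
                     ("0.0.0.0/0", "203.0.113.1")], forwards=True),
        Node("isp", ["203.0.113.1/30"], forwards=True, sink=True),
        Node("hp1910", ["172.19.4.4/16"], routes=[("0.0.0.0/0", "172.19.4.5")]),
        # PC on VLAN 1 with the L3 switch as its gateway, as the accepted solution recommends
        Node("pc", ["172.19.105.111/16"], routes=[("0.0.0.0/0", "172.19.4.5")]),
        # Same PC pointed at the L2 switch's management address, as in one of the failed tests
        Node("pc_badgw", ["172.19.105.112/16"], routes=[("0.0.0.0/0", "172.19.4.4")]),
        # PBX on VLAN 20 (172.16.10.30 is the VoIP server named in the thread)
        Node("pbx", ["172.16.10.30/16"], routes=[("0.0.0.0/0", "172.16.4.5")]),
    ]
    return {n.name: n for n in nodes}


if __name__ == "__main__":
    lab = build_lab()
    for src, dst in [("pc", "172.16.10.30"), ("pbx", "172.19.105.111"),
                     ("pc", "203.0.113.10"), ("pc_badgw", "172.16.10.30")]:
        path, ok = trace(lab, src, dst)
        print(f"{src} -> {dst}: {' > '.join(path)} ({'delivered' if ok else 'dropped'})")
```

Running it shows VLAN 1 to VLAN 20 traffic taking pc > hp2910 > pbx with the ASA never on the path, internet-bound traffic going pc > hp2910 > asa > isp, and the earlier failed test reproduced: a PC whose gateway is the HP 1910's management address stops at the L2 switch, because a management IP on a non-routing switch is not a gateway. One consequence worth keeping in mind: since inter-VLAN traffic never touches the ASA in this design, any filtering between voice and data that is wanted later has to be done with ACLs on the L3 switch, not on the firewall.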
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39633614
How will we handle VoIP traffic on the firewall though?
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39633632
And currently my L2 switch daisy-chained to vlan 1 on the HP2910 isn't pingable from vlan20.
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39633688
You said you don't need VoIP traffic through the firewall...

Don't confuse the firewall with a router.  The firewall 'can' route, but if you don't want to firewall between the data and voice VLANs why do you need to put any of that traffic through the firewall unless it's going to the internet?
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39633807
and currently my L2 switch daisy-chained to vlan 1 on the HP2910 isn't pingable from vlan20.
One step at a time... it won't work until you get the routing sorted.
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39638160
We need VoIP traffic through the firewall as it's using SIP, not ISDN.

Ideas how to get the HP1910 on vlan1 and HP2910 vlan1 and vlan20 talking?  I can ping most devices but not from 1910 vlan1 to 2910 vlan20...
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39638372
The VoIP traffic can go through the firewall - that's not an issue.

The point I'm making is that if phones on one VLAN need to get to the PBX on another VLAN, they don't need to go through the firewall to do that.

Really, you're not getting the whole picture here.  We're telling you exactly how to get VLAN1 and VLAN20 talking.  You just need to follow us, and do what we're asking.
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39638520
But if we go your route, how will we ensure QoS is applied?
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39639105
Slow down... QoS is far easier to implement across a switch than it is through a Firewall!

Honestly, I can't say this any simpler, but one step at a time.  You shouldn't even be thinking about QoS yet.

If you're going from A-B on a network with a couple of VLANs through one L3 switch, this really isn't going to be an issue you'll need to address yet anyway.  Let's get this broken down into nice and easy sections so we all know what we're dealing with, instead of bouncing around all over the place.

Deal with the routing first.  We've already established that you don't need to firewall between the data and voice VLANs, so there's the first issue sorted.  We simply route between the two subnets at the L3 switch - no firewall involved.  (I know you said that you need SIP traffic through the firewall, but that's between the PBX and the SIP provider, not between the PBX and the phones.)

This then tells you roughly how you connect your firewall.  As we're not routing through it between VLANs, we can configure it in a point-to-point fashion, where the main router (the L3 switch) sends all traffic to the internet via the firewall.

When you've done all that, then you can think about QoS and how you configure it.  If you need QoS across the internet then we'll need to do some work at the firewall, but if not just deal with it at the L3 switch, and the L2 switches if they support it.  If the L2 switches don't support QoS, there's not much point really in even bothering with it.
 
LVL 1

Author Closing Comment

by:CHI-LTD
ID: 39648456
Ditched the ASA and 2x VLANs and used the HP L3 switch.
