VLAN configuration in a Win Server 08 domain with HP Procurves L3/L2 switches throughout, advice needed.

Posted on 2014-08-04
Last Modified: 2014-08-10
I currently have a 192.168.0.0/24, class C network configuration.  I'm closing in on having about 15 valid IP addresses, obviously it's a little past time to do something about this, but still not too late.  I weighed just changing the subnet to bump this up to 512 versus setting up VLANs, and everything I looked at said VLANs are the way to go.

I'm running Win Server 08 and have configured the following within DHCP:
192.168.0.0 - Servers / Routers / AP's
192.168.20.0 - Workstations
192.168.30.0 - Zero Clients
192.168.40.0 - Mobile BYOD Devices
192.168.50.0 - Printers / Cameras

From my understanding, I keep each subnet at a /24 (I think I can go /24, /28, if desired to limit devices, but not sure I'd want to do that, plus I like similarity).  As I understand it, everything's fine on that front.

My ProCurve switches are set up with the specific VLAN info, I have the appropriate VLAN IDs configured on every switch required.

I have nearly every port accounted for; meaning that I know what VLAN IDs are required per port, and the appropriate trunked groups for those requiring that.

My uncertainty comes in here; do I need to do anything to make Windows Server 08 transfer data between VLANs?  For instance, my Server VLAN obviously needs to communicate with every other VLAN, I realize the trunked ports will allow the various VLANs to pass through, but is that it?  Do I need anything on the server side to pass data in between these VLANs?

I know it's kind of a loaded question, and a bit confusing, but I'm trying to ensure I'm on the right path.  Thanks for any insight at all.
Question by:Brian Milovich

Assisted Solution

by:jburgaard
jburgaard earned 1000 total points
ID: 40239979
If your server has one IP, say 192.168.0.2
and your L3-switch has one IP in every vlan
say 192.168.0.1 255.255.255.0
and 192.168.20.1 255.255.255.0
..
and 192.168.50.1 255.255.255.0
L3, so you should have IP-routing configured and doing all intervlan-routing.

On the L3-switch you would have to put IP helper-address pointing to DHCP-server in all vlans but the one connected directly.

So an extract from a very condensed config could look like:
vlan 2
name server
IP ADDRESS 192.168.0.1 255.255.255.0
untag 1 (port to server, e.g.)
tag 50 (port to other switch, e.g.)
exit
vlan 20
name Workstations
IP ADDRESS 192.168.20.1 255.255.255.0
IP HELPER-ADDRESS 192.168.0.2
untag 2 (port to workstation, e.g.)
tag 50 (port to other switch, e.g.)
exit
IP ROUTING (L3-operation)

Accepted Solution

by:Don S.
Don S. earned 1000 total points
ID: 40240162
The key here is to enable routing somewhere.  The ProCurve can do it by enabling IP routing, which will essentially route everything to everything.  If you want to isolate VLANs from each other, then using your internet router often is best, assuming that it is robust enough to handle it.  The server could also be set up to do routing if you added IP addresses for each VLAN in the NIC(s) and added the routing role.  Wherever you would do the routing, adding entries for IP helpers would be needed to pass DHCP negotiation through the router.

Author Comment

by:Brian Milovich
ID: 40240205
I have a Juniper SRX 220, which can do the routing, but from what I understand that would put quite a heavy load on it (my initial thought was that I had to do this on the SRX).  After talking with a couple of other folks in the IT world, they said it'd be best to do this at the switch level.
So going with what both of you have said, I can do this at the switch level (L3), as long as I set up the IP Helper addresses that pointed to the DHCP server.  I'll be doing DHCP and DNS on this box, so I'll have a single IP Helper address for each VLAN?

The drawback to doing this at the Switch level is that it routes everything to everything, meaning I don't get the added security of a VLAN on my Router that can completely isolate particular vlans?  

Does that sound right?

Expert Comment

by:Don S.
ID: 40240518
Correct

Expert Comment

by:jburgaard
ID: 40241538
Yes,
you COULD perhaps add some ACLs
0
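The thread ends on the point that routing on the L3 switch sends everything to everything unless ACLs are added. The following is an added example, not part of any post above: a first-match ACL evaluator for checking a planned rule set against the subnets from the question and the 192.168.0.2 server address from the first answer before it is entered on a switch. The BYOD rule set, the probe port 445 and all function names are assumptions, and the rule tuples are a model, not ProCurve syntax.

```python
from ipaddress import ip_address, ip_network

# Subnets from the question; DHCP/DNS server address from the first answer.
VLANS = {
    "servers": ip_network("192.168.0.0/24"),
    "workstations": ip_network("192.168.20.0/24"),
    "zero_clients": ip_network("192.168.30.0/24"),
    "byod": ip_network("192.168.40.0/24"),
    "printers": ip_network("192.168.50.0/24"),
}
SERVER = ip_network("192.168.0.2/32")
ANY = ip_network("0.0.0.0/0")
BYOD = VLANS["byod"]

# Constructed inbound policy for the BYOD VLAN (an assumption, not from the page).
# Rule: (action, protocol, source, destination, destination port or None for any)
BYOD_IN = [
    ("permit", "udp", ANY, ip_network("255.255.255.255/32"), 67),  # DHCP broadcast
    ("permit", "udp", BYOD, SERVER, 67),                           # DHCP renewal
    ("permit", "udp", BYOD, SERVER, 53),                           # DNS
    ("permit", "tcp", BYOD, SERVER, 53),
    ("deny", "ip", BYOD, ip_network("192.168.0.0/16"), None),      # no internal VLANs
    ("permit", "ip", BYOD, ANY, None),                             # everything else
]

def matches(rule, proto, src, dst, port):
    _, r_proto, r_src, r_dst, r_port = rule
    return (r_proto in ("ip", proto)
            and ip_address(src) in r_src
            and ip_address(dst) in r_dst
            and r_port in (None, port))

def evaluate(acl, proto, src, dst, port):
    """First matching rule wins; an applied ACL ends in an implicit deny."""
    if acl is None:  # no ACL applied: plain IP routing forwards the packet
        return "permit"
    for rule in acl:
        if matches(rule, proto, src, dst, port):
            return rule[0]
    return "deny"

def reachable_vlans(acl, src, proto="tcp", port=445):
    """Other VLANs whose host .10 a probe flow from src can reach."""
    return [name for name, net in VLANS.items()
            if ip_address(src) not in net
            and evaluate(acl, proto, src, net.network_address + 10, port) == "permit"]

if __name__ == "__main__":
    print("no ACL :", reachable_vlans(None, "192.168.40.25"))
    print("BYOD_IN:", reachable_vlans(BYOD_IN, "192.168.40.25"))
```

Rule order matters: moving the deny above the DNS and DHCP permits would cut BYOD clients off from the server entirely.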
