VLAN Setup - Windows Server 2003 DHCP - HP ProCurve Switches

Hi All,

VLAN is something totally new to me, so here are a few questions I've run into. I'm looking to separate our wireless traffic from our LAN traffic.

I'm currently using an HP 5406ZL switch.

Domain Controller (running DHCP/DNS) is connected to ports B23 & B24.
Wireless AP (AeroHive) is connected to port D16.

I created VLAN10 on the switch and a new scope (10.10.10.1/23) on the server.
Domain controller is on VLAN1 (192.168.0.1/21).
I created a new DHCP scope in the domain controller for 10.10.10.1/23.

I removed D16 from VLAN1 and added it to VLAN10. I changed D16 from untagged to tagged (I read that if you want the port to talk with more than one VLAN, I have to tag it).

I enabled dhcp-relay and added an ip helper-address to VLAN 10 (192.168.0.3, which is the DHCP server address).

Is there something I'm missing? When I try to connect, I never get an IP from the DHCP server.


-------------------------------------------------------
; J8697A Configuration Editor; Created on release #K.15.10.0009
; Ver #03:03.1f.ef:f0
hostname "HP-5406zl"
module 1 type j8702a
module 2 type j8702a
module 3 type j8702a
module 4 type j8702a
module 5 type j8702a
ip default-gateway 192.168.0.1
snmp-server community "public" unrestricted
snmp-server contact "IT" location "Technology Closet"
vlan 1
   name "DEFAULT_VLAN"
   no untagged D16
   untagged A1-A24,B1-B24,C1-C24,D1-D15,D17-D24,E1-E24
   ip address dhcp-bootp
   exit
vlan 10
   name "VLAN10"
   tagged D16
   ip address 10.10.10.1 255.255.254.0
   ip helper-address 192.168.0.3
   exit
-------------------------------------------------------
AfternoonShiftAsked:

Axis52401Security AnalystCommented:
Here is a summary of the possible modes

Tagged – When a port is tagged, it allows communication among the different VLANs to which it is assigned.
Untagged – When a port is untagged, it can only be a member on one VLAN.
No untagged – The port is not a member of that VLAN.
Forbid – The port is “forbidden” to join that VLAN.

I think the only thing you are missing is tagging the server ports. Because the server ports are untagged it is only communicating over vlan 1, but since you need dhcp over vlan10 you'll need to tag the server ports too. This will allow the server to communicate over all vlans.
0
AfternoonShiftAuthor Commented:
Here's the current config now. When I tagged ports 23 and 24, both VLAN1 and VLAN10 cannot ping or connect to the DHCP server. I also swapped my laptop port from D13 (untagged on VLAN10) to D15 (untagged on VLAN1) and still could not get an IP from the server.

; J8697A Configuration Editor; Created on release #K.15.10.0009
; Ver #03:03.1f.ef:f0
hostname "HP-5406zl"
module 1 type j8702a
module 2 type j8702a
module 3 type j8702a
module 4 type j8702a
module 5 type j8702a
ip default-gateway 192.168.0.1
snmp-server community "public" unrestricted
snmp-server contact "Erik" location "Technology Closet"
vlan 1
   name "DEFAULT_VLAN"
   no untagged D13
   untagged A1-A24,B1-B22,C1-C24,D1-D12,D14-D24,E1-E24
   tagged B23-B24
   ip address dhcp-bootp
   exit
vlan 10
   name "VLAN10"
   untagged D13
   ip address 10.10.10.1 255.255.254.0
   ip helper-address 192.168.0.3
   exit
0
jburgaardCommented:
The config probably can be done more than one way.
The switch setup, the server setup and the client setup however must match.

On the server do you have 2 ports with an IP on each one for each VLAN?
Or do you have some sort of link aggregation/failover with a mix of VLANs running in the link?

Is some sort of communication to take place between VLANs in the server or in the switch or otherwise (routing)?

The configs above have conflicting assumptions.
0
AfternoonShiftAuthor Commented:
The server is running 2 IPs: 192.168.0.2 (DNS) and 192.168.0.3 (DHCP). I don't have any NICs set up for the VLAN10 IP address. I was assuming I wouldn't need to do much to the server, as I read someone say "it just works" once I have the ip-helper set up in the layer 3 switch. The NICs are just for failover and aren't bridged or anything like that.

Here's the ipconfig from a connected PC on VLAN1
Physical Address. . . . . . . . . : 5C-F9-DD-72-54-FC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.39(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.248.0
Lease Obtained. . . . . . . . . . : Tuesday, July 15, 2014 5:51:45 PM
Lease Expires . . . . . . . . . . : Tuesday, August 19, 2014 5:52:47 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.3
DNS Servers . . . . . . . . . . . : 192.168.0.2
                                    192.168.0.4
NetBIOS over Tcpip. . . . . . . . : Enabled
dhcp.png
0
jburgaardCommented:
The L3 switch must hold the IP of the VLAN = default gateway of the clients,
so if this switch is supposed to be the inter-VLAN switching device it should have in vlan 1 static:
ip address 192.168.0.1 255.255.248.0
vlan 10:
ip address 10.10.10.1 255.255.254.0
eventually some default gateway to the rest of the world like
ip route 0.0.0.0 0.0.0.0 192.168.0.254 or something

But to act as L3 configure:
ip routing

For a start configure one of the ports to connect to the server:
UNtag B23 in vlan 1 (for now leave B24: not connected or disabled)
(assuming you have not done any VLAN config of the server port)

HTH
0
jburgaardCommented:
If, when testing, the basic settings are in place (ping, DHCP etc. working), then link aggregation can be set up.
In ProCurve world the term TRUNK means more connections building a link.
(Some other vendors use the term trunk differently.)

If you make a trunk of B23-B24 to a couple of ports in the server, it is not the single ports that should be tagged/untagged in some VLAN(s), but the trunk.

So a config could have:
trunk B23,B24 trk1 trunk
vlan 1
untagged trk1
exit
0
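The points made in the three replies above (a port is untagged in at most one VLAN, DHCP relay on the switch needs `ip routing` and a static switch address in the relaying VLAN, and once a trk1 trunk exists the trunk rather than its member ports belongs in the VLAN lists) can be turned into a mechanical check on a pasted config. The linter below is an added example, not ProCurve or Experts Exchange code; it parses only the VLAN, trunk and `ip routing` lines of a ProCurve-style config and reports the mistakes discussed here. The embedded sample is an abridged copy of the first config in the question; the finding codes and the "helper must sit in a subnet the switch has a static address in" heuristic are this example's own assumptions (a route to the server would also satisfy the real switch).

```python
"""Added example: a small linter for a ProCurve-style VLAN / DHCP-relay config.
Not ProCurve code; the checks encode the advice given in the thread."""
import ipaddress
import re

# Constructed input: the VLAN section of the first configuration in the question.
SAMPLE_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   no untagged D16
   untagged A1-A24,B1-B24,C1-C24,D1-D15,D17-D24,E1-E24
   ip address dhcp-bootp
   exit
vlan 10
   name "VLAN10"
   tagged D16
   ip address 10.10.10.1 255.255.254.0
   ip helper-address 192.168.0.3
   exit
"""
_PORT = re.compile(r"^([A-Za-z]+)(\d+)$")


def expand_ports(spec):
    """Expand a port list such as 'A1-A3,B5,trk1' into ['A1','A2','A3','B5','trk1']."""
    ports = []
    for token in spec.split(","):
        lo, _, hi = token.partition("-")
        m1, m2 = _PORT.match(lo), _PORT.match(hi)
        if hi and m1 and m2 and m1.group(1) == m2.group(1):
            ports += [f"{m1.group(1)}{n}" for n in range(int(m1.group(2)), int(m2.group(2)) + 1)]
        elif token:
            ports.append(token)
    return ports


def parse_config(text):
    """Parse only what the checks need: VLAN membership and addresses, trunks, ip routing."""
    cfg = {"ip_routing": False, "vlans": {}, "trunks": {}}
    vlan = None  # the VLAN block we are inside, or None in global context
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^vlan (\d+)$", line, re.I)
        if m:
            vlan = {"tagged": set(), "untagged": set(), "ip": None, "helpers": []}
            cfg["vlans"][int(m.group(1))] = vlan
            continue
        if line.lower() == "exit":
            vlan = None
            continue
        if vlan is None:
            if line.lower() == "ip routing":
                cfg["ip_routing"] = True
            m = re.match(r"^trunk (\S+) (trk\d+) (trunk|lacp)$", line, re.I)
            if m:
                cfg["trunks"][m.group(2)] = set(expand_ports(m.group(1)))
            continue
        m = re.match(r"^(no )?(tagged|untagged) (\S+)$", line, re.I)
        if m:
            ports, kind = set(expand_ports(m.group(3)), ), m.group(2).lower()
            vlan[kind] = vlan[kind] - ports if m.group(1) else vlan[kind] | ports
            continue
        m = re.match(r"^ip address (\d[\d.]*) (\d[\d.]*)$", line, re.I)
        if m:  # 'ip address dhcp-bootp' does not match and leaves ip as None
            vlan["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"^ip helper-address (\S+)$", line, re.I)
        if m:
            vlan["helpers"].append(ipaddress.ip_address(m.group(1)))
    return cfg


def lint(cfg):
    """Return a list of (code, message) findings; an empty list means no issue found."""
    findings = []
    relay_vlans = {vid: v for vid, v in cfg["vlans"].items() if v["helpers"]}
    if relay_vlans and not cfg["ip_routing"]:
        findings.append(("NO_IP_ROUTING", "ip helper-address is set but 'ip routing' is not; "
                         "the switch will not relay DHCP between VLANs"))
    static_nets = [v["ip"].network for v in cfg["vlans"].values() if v["ip"]]
    for vid, v in relay_vlans.items():
        if v["ip"] is None:
            findings.append(("RELAY_VLAN_NO_IP", f"vlan {vid} relays DHCP but has no static address"))
        for helper in v["helpers"]:
            if not any(helper in net for net in static_nets):
                findings.append(("HELPER_NOT_LOCAL", f"helper {helper} on vlan {vid} is in no subnet the "
                                 "switch has a static address in; give the server VLAN a static address"))
    owner = {}  # port -> VLAN it is untagged in; a port may be untagged in only one VLAN
    for vid, v in cfg["vlans"].items():
        for port in sorted(v["untagged"]):
            if port in owner:
                findings.append(("UNTAGGED_TWICE", f"port {port} is untagged in vlan {owner[port]} and {vid}"))
            owner[port] = vid
    for trk, members in cfg["trunks"].items():
        for vid, v in cfg["vlans"].items():
            leaked = members & (v["tagged"] | v["untagged"])
            if leaked:
                findings.append(("TRUNK_MEMBER_IN_VLAN", f"vlan {vid} lists {sorted(leaked)}; use {trk}"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_config(SAMPLE_CONFIG)):
        print(f"{code}: {msg}")
```

Run against the sample it reports exactly the two problems the replies point at: no `ip routing`, and the helper address 192.168.0.3 lying in a subnet (VLAN 1) where the switch only has a DHCP-assigned address. Giving VLAN 1 a static address and adding `ip routing` clears both; adding `trunk B23-B24 trk1 trunk` without moving B23/B24 out of the VLAN lists triggers the trunk finding.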
convergintCommented:
This should work:

; J8697A Configuration Editor; Created on release #K.15.10.0009
; Ver #03:03.1f.ef:f0
hostname "HP-5406zl"
module 1 type j8702a
module 2 type j8702a
module 3 type j8702a
module 4 type j8702a
module 5 type j8702a
ip default-gateway 192.168.0.1
snmp-server community "public" unrestricted
snmp-server contact "IT" location "Technology Closet"
dhcp-snooping
dhcp-snooping authorized-server 192.168.0.3
dhcp-snooping vlan 2 10
ip routing
interface D16
   name "Wireless_AP"
   exit
interface B23
   name "ServerNIC1_192.168.0.2"
   exit
interface B24
   name "ServerNIC2_192.168.0.3"
   dhcp-snooping trust
   exit
vlan 1
   name "MGMT VLAN"
   no untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24
   no ip address
   exit
vlan 2
   name "Corporate VLAN"
   untagged A1-A24,B1-B24,C1-C24,D1-D15,D17-D24,E1-E24
   ip address 192.168.0.10 255.255.248.0
   exit
vlan 10
   name "Wireless VLAN"
   untagged D16
   ip address 10.10.10.1 255.255.254.0
   ip helper-address 192.168.0.3
   exit

On your access point I'm assuming that you only have one VLAN required so therefore you need to make sure you are not tagging any ports on the wireless AP.  You'll only need to tag the port on both the switch and AP if you have something like both a guest and corporate VLAN.  It is also good practice not to use VLAN 1 for the corporate LAN so that is the reason why I made VLAN 2 with a static gateway IP of 192.168.0.10 (obviously change it to something else if you need).  I also like using the DHCP snooping to better protect your network and it also makes it so you can see what you DHCP server is from the config.
0
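The `dhcp-snooping` lines in the accepted config do more than document the server address: they make the switch drop DHCP server replies that arrive on untrusted ports or come from an address not in the authorized-server list, which is what stops a misconfigured AP or a stray device on the wireless side from handing out leases. The following model of that policy is an added example, not ProCurve code; the rules it applies (server messages pass only on trusted ports and only from authorized servers, client messages always pass, VLANs without snooping are unfiltered, ACKs populate a binding table) are a simplified assumption about the feature, and the sample traffic is constructed.

```python
"""Added example: a simplified model of the DHCP snooping policy in the accepted config.
Not ProCurve code; the decision rules are this example's assumption about the feature."""

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # messages only a DHCP server should send


class DhcpSnooping:
    def __init__(self, snooped_vlans, trusted_ports, authorized_servers):
        self.snooped_vlans = set(snooped_vlans)
        self.trusted_ports = set(trusted_ports)
        self.authorized_servers = set(authorized_servers)
        self.client_ports = {}  # client MAC -> (port, vlan), learned from DISCOVER/REQUEST
        self.bindings = {}      # client MAC -> (leased IP, vlan, port), learned from ACK

    def inspect(self, msg):
        """Return ('forward' | 'drop', reason) for one DHCP message seen by the switch."""
        if msg["vlan"] not in self.snooped_vlans:
            return "forward", "vlan not snooped"
        if msg["type"] not in SERVER_MESSAGES:
            # Client message: remember where the client is attached for the binding table.
            self.client_ports[msg["client_mac"]] = (msg["port"], msg["vlan"])
            return "forward", "client message"
        if msg["port"] not in self.trusted_ports:
            return "drop", f"{msg['type']} on untrusted port {msg['port']}"
        if msg["src_ip"] not in self.authorized_servers:
            return "drop", f"{msg['type']} from unauthorized server {msg['src_ip']}"
        if msg["type"] == "ACK":
            port, vlan = self.client_ports.get(msg["client_mac"], (None, None))
            self.bindings[msg["client_mac"]] = (msg["yiaddr"], vlan, port)
        return "forward", "server message on trusted port from authorized server"


def sample_policy():
    """Policy from the accepted config: snooping on VLANs 2 and 10, B24 trusted,
    192.168.0.3 the only authorized server."""
    return DhcpSnooping(snooped_vlans={2, 10}, trusted_ports={"B24"},
                        authorized_servers={"192.168.0.3"})


# Constructed traffic: a wireless client on D16 (VLAN 10), the real server on B24
# (VLAN 2), a stray DHCP server behind the AP, and a second server on the trusted port.
CLIENT = "aa:bb:cc:00:00:01"
SAMPLE_MESSAGES = [
    {"type": "DISCOVER", "port": "D16", "vlan": 10, "src_ip": "0.0.0.0", "client_mac": CLIENT},
    {"type": "OFFER", "port": "D16", "vlan": 10, "src_ip": "10.10.10.50", "client_mac": CLIENT},
    {"type": "OFFER", "port": "B24", "vlan": 2, "src_ip": "192.168.0.3", "client_mac": CLIENT},
    {"type": "ACK", "port": "B24", "vlan": 2, "src_ip": "192.168.0.3", "client_mac": CLIENT,
     "yiaddr": "10.10.10.21"},
    {"type": "OFFER", "port": "B24", "vlan": 2, "src_ip": "192.168.0.99", "client_mac": CLIENT},
]


def run_sample():
    """Apply the policy to the sample traffic; return the decisions and the binding table."""
    policy = sample_policy()
    decisions = [policy.inspect(m) for m in SAMPLE_MESSAGES]
    return decisions, policy.bindings


if __name__ == "__main__":
    decisions, bindings = run_sample()
    for msg, (verdict, reason) in zip(SAMPLE_MESSAGES, decisions):
        print(f"{msg['type']:8} {msg['port']:4} vlan {msg['vlan']:2}: {verdict} ({reason})")
    print("bindings:", bindings)
```

The binding table is the other half of the feature: once the switch knows which port and VLAN each leased address belongs to, it has the data that features such as dynamic ARP protection build on, and an administrator can read it back to see exactly which server granted which lease.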
AfternoonShiftAuthor Commented:
Thanks convergint1! :) I wasn't aware of dhcp-snooping.... that came in handy! :)

IP routing was my main issue as well. I now use the switch to route all traffic between both VLANs.
0