IBSIT


Inter Vlan and routing between subnets with their individual ISP providers.

Good day all,

Hope I can explain this situation well. Here goes.

Goal:

To have a single HP3500yl (layer 3 switch) host the config for inter-VLAN communication with multiple HP ProCurve 1800 switches having multiple subnets (VLAN 10, 50, 200 and 201):
VLAN 10: IP address 10.0.0.x/24, gateway 10.0.0.1
VLAN 50: IP address 192.168.50.x/24, gateway 192.168.50.1
VLAN 200: IP address 192.168.200.x/24, gateway 192.168.200.1
VLAN 201: IP address 192.168.201.x/24, gateway 192.168.201.1

I have created the vlans and assigned .254 ip address. Trunked ports between to pass vlans.

Here is the tricky part. Each subnet has an independent ISP. I would like communication from all subnets to the 201.x subnet, as this VLAN houses a SAN to which I would like to save all data from the different subnets.

If I missed anything out I apologize, as I am pretty new to this.

regards,
jburgaard

As I read your Q, the HP3500yl with IP routing configured has some network addresses x.y.z.254, and the internal addresses of the routers to the ISPs have IPs like x.y.z.1.
If so, on the 10.0.0.1-router add an
IP ROUTE 192.168.201.0 255.255.255.0 10.0.0.254   to reach vlan 201 network via L3-switch (on interface known to 10.0.0.1-router)
And for packets to come back,
on the 192.168.201.1-router add an
IP ROUTE 10.0.0.0 255.255.255.0 192.168.201.254   to reach vlan10 via L3-switch

Similar routes are needed for the other vlans
HTH
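
The route pair in the answer above, generalised to all four VLANs from the question, as an added example that is not part of the original thread. It assumes the answer's reading that .1 is each VLAN's ISP router and .254 is the L3 switch; the function names are hypothetical.

```python
import ipaddress

# Subnets from the question. Assumption taken from the answer: .1 is each
# VLAN's ISP router and .254 is the L3 switch's address in that VLAN.
VLANS = {10: "10.0.0.0/24", 50: "192.168.50.0/24",
         200: "192.168.200.0/24", 201: "192.168.201.0/24"}

def static_routes(router_vlan, target_vlans):
    """Routes the ISP router in router_vlan needs to reach target_vlans via the L3 switch."""
    own = ipaddress.ip_network(VLANS[router_vlan])
    next_hop = own.network_address + 254
    return [(ipaddress.ip_network(VLANS[vid]), next_hop)
            for vid in sorted(target_vlans) if vid != router_vlan]

def render(routes):
    """Format routes in the 'IP ROUTE <net> <mask> <next hop>' form used in the answer."""
    return [f"IP ROUTE {net.network_address} {net.netmask} {hop}" for net, hop in routes]

def one_way_pairs(tables):
    """(src, dst) VLAN pairs where src's router has a route to dst but dst's router has none back."""
    def reaches(src, dst):
        dst_net = ipaddress.ip_network(VLANS[dst])
        return any(net == dst_net for net, _ in tables.get(src, []))
    return [(a, b) for a in VLANS for b in VLANS
            if a != b and reaches(a, b) and not reaches(b, a)]

def plan_for_san(san_vlan=201):
    """Every VLAN's router gets a route to the SAN VLAN; the SAN VLAN's router gets the return routes."""
    tables = {v: static_routes(v, [san_vlan]) for v in VLANS if v != san_vlan}
    tables[san_vlan] = static_routes(san_vlan, [v for v in VLANS if v != san_vlan])
    return tables

if __name__ == "__main__":
    tables = plan_for_san()
    for vlan, routes in tables.items():
        print(f"router in VLAN {vlan}:")
        for line in render(routes):
            print("  " + line)
    # An empty list means every forward route has its return route.
    print("one-way pairs:", one_way_pairs(tables))
```

A non-empty result from `one_way_pairs` marks the case the answer warns about: traffic reaches the SAN subnet but replies have no path back through the L3 switch.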

I usually set up the core (main L3 switch) to be the router. I configure all of the VLANs on the core switch and create an RVI (routed virtual interface; some vendors call it the VLAN interface). I add routes for the external network that I need to direct specific traffic flow toward. At that point I configure all of my respective DHCP options to hand out IPs on their requesting network. For each requesting client, return the VLAN interface/L3 interface IP of the switch as the gateway for each client.

At this point you should have routing between the VLAN subnets, and the active routes to your ISP should become active when the switch sees a request for that particular IP route.

If you need filtering or security between VLANs you can typically use filters on the switch or route everything through a central firewall and set all of your routes up on the firewall. If you do not need filtering and advanced security then I would not use the firewall option. Using the switch as the central router for the network reduces latency and complexity of design.

Hope some of this helps.
naderz
Is "IP routing" enabled on the HP3500yl?
IBSIT

ASKER

IP routing is enabled. Now if I add a route in my router/firewall, will it affect the throughput, as it is limited to 10/100? I am trying to have a full gigabit transfer rate between all VLANs.
"Now if I add a route in my router/firewall, will it affect the throughput, as it is limited to 10/100? I am trying to have a full gigabit transfer rate between all VLANs."
Yes that is fair to assume you will run into limits.

Now assume you had a software version and the needed level of support on the switch to handle PBR.
Can it handle Policy based routing?
If so, you could perhaps set def.gw. for vlans to point to L3-switch (handle inter-vlan routing) and set up some 'next hop router' conditions.
I do not own a 3500yl, so I do not know if such a setup would work OK in real life.
HTH
IBSIT

ASKER

OK, can you let me know if this will work:

Source switch 3500yl (L3), routing enabled. Create all VLANs, SVI each VLAN with .254 address. Client switches: assign .254 as gateway and trunk ports between source and client, create the appropriate VLANs on the clients. I should have bidirectional access? Then once all has been completed I will set a Static Route in order to get out to the internet through ISP router. Please let me know if I am on the right track, as I seem to have a problem so far. I am able to see VLAN 200 from my source switch and all devices on that subnet, but when I go to the actual VLAN 200 and plug in a client it is getting a DHCP address from source and not the VLAN 200 DHCP server, and even though I am getting an IP from the source VLAN, I am not able to ping or have any kind of communication with the source VLAN.
...will set a Static Route in order to get out to the internet through ISP router...
One or more ISP to internet?

-more ISP's is a problem as
On your L3 switch you can only have one static default route to internet, like
IP  ROUTE  0.0.0.0   0.0.0.0  192.168.200.1

Perhaps output from your core-switch(L3) 'show running' command
and DHCP-server-details (switchport, IP of server(s), Assigned range, client-IP, client-netmask, client-DGW)
and PC-switchport
could help us help you with the DHCP-problem
IBSIT

ASKER

OK, I have three different subnets, all of which have their own dedicated ISP, one source HP ProCurve 3500YL and the rest HP ProCurve 1800. Is there any way to get it to work? BTW I don't have any switchports on the switch; is there a way to not go via switchports, as we have two 3500yl that are using PoE and are maxed out?
"Is there any way to get it to work?"
In short: no, I am afraid not.
I have been reading the 'advanced traffic manual': the 3500yl does NOT support PBR
You do not want routing over 10/100Mb
You can only have one default route to internet

My mentioning of switch-ports combined with other config questions was just my way to find out in detail what you have.
IBSIT

ASKER

So routing to multiple routers is a no, but can I still maintain gigabit throughput between switches and their respective VLANs? If so, can you assist?
yes,
yes, but details please in a way I can understand.
'I should have bidirectional access?'?
As specific as you can -->
If I try from my PC with IP <x.y.r.t>, dgw <x.y.r.d>, connected to access-port <p> on switch <S> in vlan <V>, to ping to PC ... / to gateway ... / to router ..., I get ..., is that to be expected?
ASKER CERTIFIED SOLUTION
jburgaard

If 'main-switch' port 24 is connected to
'HP-E3500yl-24G' (alias switch2) on port 22
there will be no communication in vlan 1
vlan1: NO untag Trk10 ---- untag Trk10

By the way, the HP term 'trunk' is used for aggregation of multiple ports to make one link (whereas Cisco uses the term for, e.g., multiple VLANs on one port).
IBSIT

ASKER

OK, I don't want communication for VLAN 1 to pass through; I want VLAN 4 and 200. The way it is set up, will that work?
Communication within vlan 4 should work between switches as vlan 4 is tagged same way on trk10 on 'main-switch' and trk10 on 'HP-E3500yl-24G'
and the same WITHIN vlan 200

If dgw on the PCs are 192.168.201.5 / 192.168.200.250
and netmasks 255.255.255.0
then routing should also take place between vlans

HTH
IBSIT

ASKER

With that configuration, somehow I am getting the main switch VLAN 4 DHCP leases once I am on VLAN 200, and I am also not able to ping VLAN 4 from VLAN 200. I am sure I am missing something.
Where is/are your DHCP-server(s) connected?
I do not see any 'IP Helper address' statements.
A helper address would be expected if, e.g., one Windows DHCP-server was dishing out in more vlans.
One of the reasons for creating vlans in the first place is to avoid broadcast. Each vlan becomes a separate broadcast-domain.
DHCP works by means of broadcast, so if you do not want to set up a DHCP-server in each vlan, you have to do a trick.
On the L3-switch in each DHCP-client-vlan you would point to the IP of the DHCP-server if the server is not there already
So this is configured in each vlan:
IP HELPER-ADDRESS <IP of DHCP-server>

HTH
IBSIT

ASKER

Each VLAN has its own independent DHCP server, but I thought that the DHCP would take precedence on its own VLAN.
IBSIT

ASKER

OK, I have made some changes based on your recommendations and it seemed to work. Now it's just a matter of routing ISP.
Without shortcuts and without helper-address I also would expect (DHCP-)broadcast to stay within the broadcast-domain (= vlan)
and so not let DHCP-server and DHCP-client talk across vlans.
If you had a shortcut between the vlans, I would expect a broadcast-storm. You could, however, try this command on the switches where vlan 4 and 200 are present:
show lldp info remote
-if in a line a switch is shown with both local-port and remote-port, that is not good

If you try tracing back and forth between (possibly static) clients in vlan 4 and vlan 200, do you hit 192.168.201.5 / 192.168.200.250?
(in Windows, e.g. tracert 192.168.201.17)
ok then
IBSIT

ASKER

jburgaard is very helpful. I thank you.
glad to help :)