Network Design and VLAN and Switch Configurtation

sure, this can all be done.

So you will need many vlans including a voice vlan with lldp-med.  The swiches are layer 3 which is a good thing, would be concerned if your router was going to do all the intervlan traffic.

Interconnecting the 4 switches, make sure each uplink has the same vlans tagged.  All end devices will connect to an untagged port for each vlan.  The switch which contains your gateway(s), it will need an ip-helper address pointing to your dhcp server.  Make sure you enable 'ip routing', this allows the vlans to communicate to each other.  The 1910 is a pain to configure, they use a default route for the gateway, rather than a single gateway address like most everything else you configure.

Hi Bryant/Mick

I am using  v1910 as a "core" switch and for routing. I am looking on advise on how to get this configure because it's web based - i know command line can be enabled but i am not sure how one would setup vlan trunk on lacp ports and routing.

Need to do a basic routing - anyone on vlan other then employee routed to firewall and out to internet and can not go to 172. network.

and 3 x 2620 switches will go back to v1910 with using dual port for lacp vlan trunk.

the command line on a  1910 is pretty limited, it's hp's rebranded 3com.  The 2620 is much simpler to manage and has full cli.  

Ok, to get the 1910 going, select <network> then <vlan>, create all your vlans here assign them ports, then select  <vlan interface>, this is where you assign the ip address for the switch and which vlan manages it.  <Ipv4 Routing> set all your static routes.  Remember tagged port is normally your uplinks, untag are end devices.

To restrict users from the 172 network, you will need ACL's which I am sure the 1910 cannot do, but the 2620's can.  

When you state '3 x 2620 switches will go back to v1910 with using dual port for lacp vlan trunk. ' Are you meaning aggregated ports or just passing multiple vlans?

also, when setting vlans and ip address, remember your currently managing the switch via vlan 1, so if you change the port which you are connected to, you may loose connection and have to redo via factory reset

I mean tagged VLAN over Aggregated Link.

I just wanted to do this on 1910 but below is 2620 equv

trunk 1-2 trk1 lacp
trunk 3-4 trk2 lacp

interface 1
   name "LACP upLink to Main SW SW02"
   exit
interface 2
   name "LACP upLink to Main SW SW02"
   exit

...


interface 1
   lacp active
   exit
interface 2
   lacp active
   exit

vlan 10
   name "RAIL"
   tagged Trk1, Trk2
   ip address xxx
   exit


below is current status of 1910 config - I am able to export it.


#
 version 5.20, Release 1513P99
#
 sysname lon-sw-01
#
 domain default enable system
#
 ip ttl-expires enable
#
 password-recovery enable
#
vlan 1
 description VLAN 1
#
vlan 10
 description VLAN 10
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
#
local-user admin
 authorization-attribute level 3
 service-type ssh telnet terminal
 service-type web
#
 stp mode rstp
 stp enable
#
interface Bridge-Aggregation1
 link-aggregation mode dynamic
#
interface Bridge-Aggregation2
 link-aggregation mode dynamic
#
interface Bridge-Aggregation3
 link-aggregation mode dynamic
#
interface NULL0
#
interface Vlan-interface1
 ip address 172.31.70.2 255.255.254.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 10
 poe enable
 stp edged-port enable
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan 1 10
 poe enable
 stp edged-port enable
 port link-aggregation group 1
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan 1
 poe enable
 stp edged-port enable
 port link-aggregation group 2
#
interface GigabitEthernet1/0/4
 port link-type trunk
 port trunk permit vlan 1
 poe enable
 stp edged-port enable
 port link-aggregation group 2
#
interface GigabitEthernet1/0/5
 port link-type trunk
 port trunk permit vlan 1
 poe enable
 stp edged-port enable
 port link-aggregation group 3
#
interface GigabitEthernet1/0/6
 port link-type trunk
 port trunk permit vlan 1
 poe enable
 stp edged-port enable
 port link-aggregation group 3
#
interface GigabitEthernet1/0/7
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/8
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/9
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/10
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/11
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/12
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/13
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/14
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/15
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/16
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/17
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/18
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/19
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/20
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/21
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/22
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/23
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/24
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/25
 stp edged-port enable
#
interface GigabitEthernet1/0/26
 stp edged-port enable
#
interface GigabitEthernet1/0/27
 stp edged-port enable
#
interface GigabitEthernet1/0/28
 stp edged-port enable
#
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 15
 authentication-mode scheme
#
return

I have not set up port aggregation using a 1910, but it appears you don't have LACP active on the 1910, but do on the 2620, they must be configured the exact same regarding the trunks.  

Also, in your original question you stated two subnets(I assume also 2 vlans), but the subnet for the 1910 shows 255.255.254.0  If you are using the ip addresses of 172.31.70.x and 172.31.71.x  and a subnet of 255.255.254.0, these conflict, they are the same network.  The mask would have to be 255.255.255.0 if you are using the stated ip addresses and two vlans

Hi Mick,

the design has changed since i initially made the post. I now have the config below. 

not added to the config above but need to know this is correct. Since switch was partially working engineer has started work on it so I do not want to made any changes, i know below is correct. Partial config is shown below.

what i am trying to do is - 

[switch 1 HP v1910] ====lag vlan trunk========[switch 2HP 2620]
|| ||
|| ===lag vlan trunk========[switch 3 HP 2620]
||
||===lag vlan trunk========[switch 4 HP 2620]

#
interface Bridge-Aggregation1
 link-aggregation mode dynamic
#
interface Bridge-Aggregation2
 link-aggregation mode dynamic
#
interface Bridge-Aggregation3
 link-aggregation mode dynamic
#
interface NULL0
#
interface Vlan-interface1
 ip address 172.31.70.2 255.255.254.0 
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 10
 poe enable
 stp edged-port enable
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan 1 10
 poe enable
 stp edged-port enable
 port link-aggregation group 1
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan 1
 poe enable
 stp edged-port enable
 port link-aggregation group 2
#
interface GigabitEthernet1/0/4
 port link-type trunk
 port trunk permit vlan 1
 poe enable
 stp edged-port enable
 port link-aggregation group 2
#
interface GigabitEthernet1/0/5
 port link-type trunk
 port trunk permit vlan 1
 poe enable
 stp edged-port enable
 port link-aggregation group 3
#
interface GigabitEthernet1/0/6
 port link-type trunk
 port trunk permit vlan 1
 poe enable
 stp edged-port enable
 port link-aggregation group 3

#
 ip route-static 0.0.0.0 0.0.0.0 Vlan-interface1 172.31.70.1

HP 2620

 -------------

trunk 49-50 trk1 lacp


ip default-gateway 172.31.70.1
ip route 0.0.0.0 0.0.0.0 172.31.70.1
ip route 172.31.70.0 255.255.254.0 172.31.70.1

interface 49
   name "LACP Link to Main SW SW01"
   exit

interface 50
   name "LACP Link to Main SW SW01"
   exit

vlan 1
   name "DEFAULT_VLAN"
   untagged 1-48,51-52,Trk1
   ip address 172.31.70.3 255.255.254.0
   exit

vlan 99
   name "MGMT-RESWERVED"
   tagged Trk1
   no ip address
   exit
spanning-tree Trk1 priority 4
loop-protect 1-48
no dhcp config-file-update

Select allOpen in new window

Your subnets/ip addresses need to be looked at, there is a definite problem there.  172.31.70.0 and 172.31.71.0 with a subnet mask of 255.255.254.0, are the same network, routes are not needed and two separate vlans cannot share the same network without having problems.  A subnet mask of 255.255.255.0 would seperate these into two networks.

You have default routes to your gateway, but unless your gateways reside on the outside of another router, devices do not need a route to their gateway, they just go if there if a physical path exists, which looks like you have; it appears all 4 of these switches are interconnected. NOTE: I assume the 1910 is the gateway, if not, it's the only switch which would use default routes to gateway, only because it does not allow for a gateway address to be entered like the 2620's.

Once your vlan ip addresses/subnets are worked out, enable <ip routing> on the switches and all vlans will be able to communicate, no routes needed.  The only time you would use static routing is when the network is unknown, like the internet or a DMZ for examples.

I rambled a bit, but hopefully you can take something out of all that.  If I'm totally off point, you can let me know that also, I'm basing my info from the original post and the most recent.

Thanks Mick.

ip route 0.0.0.0 0.0.0.0 172.31.70.1 (.1 will be firewall eventually)

I have deleted this already - was a mistake.

ip route 172.31.70.0 255.255.254.0 172.31.70.1

--------

vlan 1 - will be 172.31.70.0/23 - we have more users and desktop devices needing network access  than previously though.

vlan XX - will be guest vlan - ip 192.168.0.0/24  and will go to internet directly via FW - will route all traffic.

also we need to get polycom vvx300 using lync UC to go on network too (this I have not though about  - ideally would like phone to connect tothe  network port and guest users connect to network to via phone.  vvx300 will need to communicate with lync server on 172 network and will have 172 ip but guest pcs will get 192.168 range. can this be done?

Many thanks