All HP Switches VLAN, Routing ACL newbie questions

[elanvolant]

Here is the setup.

2 E2510-48Gs for gigabit desktop traffic
1 2824 for gigabit server traffic
2 E2520-24-POE for VOIP traffic
2 2650s for server/NAS management and WiFi traffic
1 2910al-24G-POE for Layer3/4 routing for above traffic and VOIP traffic

2 SonicWall Firewalls, one with DSL connectivity, one with Ethernet over Copper for Citrix access and VPN

I am setting them up this week at a new location. Previously we had 3 switches and no VLANs.

I am designating the following:
10.1.0.x for desktops and current server traffic (Default VLAN 1)
10.1.1.x for future VMware/NAS traffic (VLAN 10)
10.1.2.0 for wireless clients with Internet-only traffic (VLAN 20)
10.1.3.0 for VOIP phones and voicemail server (VLAN 30)

I've never set up VLANs before and therefore never needed to route between subnets so my understanding of the steps and questions are as follows:

1) Assign the VOIP and WiFi ports to their respective VLANs on the respective switches
2) Create physical connections between switches (that cross VLANs) on 2910al, assign appropriate VLAN and related IP to the right ports and turn on IP Routing. This will automatically route between VLANs assigned on the switch correct?
3) I want to prevent all traffic between 10.1.2.x and 10.1.0.x except for three specific PCs (which I can assign static IPs or use MAC addresses to identify). How do I do that? I want no traffic from 10.1.2.x to go to the other subnets either. I will have one port in VLAN 20 going to the SonicWall which will provide DHCP and metered Internet access.
4) Should I assign management IPs to the switches all in the 10.1.0.x range? For example, it's not good practice to assign the POE switches management IPs in 10.1.3.x. If I keep the management IPs in 10.1.0.x, then I need uplinks connecting all the switches with at least one port assigned to the Default VLAN?
5) Do I need turn on tagging on any ports? I don't really understand the need for tagging in my configuration. For instance, the DHCP requests will have a DHCP server in the VLAN requesting IPs. So one DHCP server for VOIP, another for WiFi traffic and and another in the Default VLANs. I assume these will not be routed by the 2910al by default.
6) In the web interface on the HP switches it offers four modes for tagging - No, tagged, untagged, and forbid. I assume I am using untagged in all contexts except for the ports that uplink to the 2910al and the ones that come in from the 2910al. For those I use tagged, correct?

I attached a PDF of my first attempt at a network diagram. Thanks in advance for any input you can offer.

 

[elanvolant]

Also, is there any benefit to stacking all the switches together (an can I only stack the models of switches together)?

 

[VinceWhirlwind]

Normally, you would want a "core" which is your layer3 switch doing the routing. All other switches are layer2, "edge", just switching.

1/ As you say, assign the correct VLAN to each "edge" switchport as "untagged".

2/ Link each "edge" switch to the "core" and then configure each of the VLANs required by the "edge" switch onto the switch<---->switch link ports as "tagged" VLANs. When you extend VLANs to edge switches, only one VLAN can be "untagged", each additional VLAN must be "tagged".

3/ This is what your "core" is for - at the core, configure access lists.

4/ Why not - either that or create a subnet/VLAN specifically for "NET_Admin"

5/ DHCP is nothing to do with tagging. Again, this is what your "core" is for - the "core" sees the DHCP broadcasts on each VLAN and forwards them to the DHCP server which is only on VLAN20. It knows where to forward the DHCP broadcasts because on each VLAN interface you configure an "IP Helper" address.

6/ "edge" switchports are assign to just one VLAN and are "untagged".
uplinks have multiple VLANs and use "tagged". The exception being for your virtualised server environment which will often use "tagged" because it may use multiple VLANs.

 

[elanvolant]

Your answers are awesome and totally helped me get the mental model for how VLAN configuration works.

Can I ask a question about routing on my core switch? I have on my 2910 two VLANs configured. VLAN 30 and Default VLAN. The management address of the 2910 is 10.1.0.205. I assigned an IP to VLAN 30 (10.1.3.1). I turned on IP Routing. I tried pinging from an address in 10.1.0.x to 3.x and it didn't work when my router was set to 10.1.0.1, but it did work when I changed my router setting on my computer's NIC to 10.1.0.205. Does this mean to route my traffic I need to set the route on my NIC to 10.1.0.205. If I want to change this (to say 10.1.0.1) do I need to change the management IP on my 2910 to 10.1.0.205?

If so, what is the best way via the CLI to do this?

Thanks.

- Elan

 

[VinceWhirlwind]

If you enable IP routing, then an IP addresses on a VLAN interfaces is no longer a "management address" but becomes the router address for the subnet it is in.

Other devices on that same subnet are configured with that router address as their default gateway.

So, your router address for VLAN 30 is 10.1.3.1, therefore your voice server and IP phones should all have 10.1.3.1 as their default gatweway.

If all your devices in VLAN 1 have their default gateway set as 10.1.0.1, then your 2910's VLAN1 IP address should be 10.1.0.1