
Noob - VLANs using 2900's


Stevehewitt (IS-IT--Management), Jun 7, 2001, GB
Hi Guys,

I've been bothering the guys in the TCP/IP forum about this and need some more info specific to ProCurve 2900-24G switches really.

I have three switches: one is a Dell PowerConnect 6248, with a CX4 to a 2900, and another CX4 to a separate 2900.

(E.g. the Dell switch has two 2900's attached via CX4s.)


I'm trying to create a few VLANs for our deployment of VMware and I'm really struggling with the concepts. As the HP has a much better interface than the Dell, I've started on that. So I've created my VLANs, given them names, assigned them ports and given them IPs.

However I'm very confused, as I obviously can't give the same IP to each VLAN IP per switch. (E.g. ProCurve 2900 switch1 has VLAN1 with an IP of 192.168.0.1. When I try to configure ProCurve 2900 switch2, what IP do I give to VLAN1?)

Should the VLAN information (such as IPs) be replicated automatically between switches? If so, how? And any ideas why mine aren't?!

Perhaps the stupidest question of all.... do they need to be stacked? Currently they are not a member of a stack. Is this a requirement? Would this explain why the VLAN information isn't replicated across the switches?

We're a small business so couldn't/can't afford a core L3 switch, so opted for the 2900's instead, and I thought I'd have an L3 on each server rack instead.

Does this make any sense?

Cheers,




Steve.

"They have the internet on computers now!" - Homer Simpson
 
> However I'm very confused, as I obviously can't give the same IP to each VLAN IP per switch. (E.g. ProCurve 2900 switch1 has VLAN1 with an IP of 192.168.0.1. When I try to configure ProCurve 2900 switch2, what IP do I give to VLAN1?)

You simply give VLAN1 on switch2 any unused IP address in the 192.168.0.x/24 range. Treat it just like any host in that regard.

> Should the VLAN information (such as IPs) be replicated automatically between switches? If so, how? And any ideas why mine aren't?!

They can if Dell supports GVRP. GVRP is basically a VLAN replication protocol that will propagate the VLAN database among switches. I typically don't use GVRP or Cisco's VTP variant simply because bad things can happen, such as overwriting the VLAN database.

> Perhaps the stupidest question of all.... do they need to be stacked? Currently they are not a member of a stack. Is this a requirement? Would this explain why the VLAN information isn't replicated across the switches?

Seriously, there's no such thing as a stupid question when it comes to tech stuff, man. Things are sooo different from vendor to vendor. Anyway, you don't need to stack them to get this to work. Stacking really gives you the advantage of managing all switches in the stack by a single IP address.

> We're a small business so couldn't/can't afford a core L3 switch, so opted for the 2900's instead, and I thought I'd have an L3 on each server rack instead.

HPs are a very solid choice any way you look at it. We use HP all around except for at our core, which is all Cisco gear. If you have any more questions don't be afraid to ask!!!

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Cheers for the prompt reply unclerico


Gotcha, so I do the logical thing and give every VLAN on the switch its own IP (so 4 VLANs on a switch, ergo the switch has 4 IPs). Makes sense to me!

But that brings me onto another question.... What is the default gateway I should use for the nodes on a particular switch? For example, ServerA is plugged into an untagged port that belongs to VLAN1. VLAN1 has an IP of 192.168.0.1.

Logically, I'd assume that as the switch is performing routing duties, then the default gateway for the server/node will be 192.168.0.1 - therefore the switch can route the packet out to the relevant port depending on the VLAN it's destined for (or dedicated physical router if going out to the internet).

That all makes sense still, but in that case the server/node's default gateway will depend on what switch it's plugged into.... but the management overhead of this would be huge. For example, how can DHCP give an accurate gateway if it's dependent on the physical location of the node?

Am I making sense or have I completely lost it?! :)

Thanks again for your help - really appreciated!

Cheers,



Steve.

"They have the internet on computers now!" - Homer Simpson
 
The IP address that you give the particular VLAN will be the default gateway a connected station uses. If VLAN1 has an IP of 192.168.0.1, then that will be the default gateway for VLAN 1. But just as a side note, for security reasons the default VLAN 1 should not be used for normal operation, and you might want to consider creating a VLAN that just contains your servers.
 
Ok, this reply is long...sorry :)
> Gotcha, so I do the logical thing and give every VLAN on the switch its own IP (so 4 VLANs on a switch, ergo the switch has 4 IPs).

If the switch is simply an access switch or a plain old Layer 2 switch then you don't HAVE to give each VLAN its own IP (as a matter of fact some switches allow you to give only a single VLAN an IP address, and it's for management only). The Layer 3 core/distribution switch is where you're going to give each VLAN an IP address, and this IP will be the default gateway for every device on the subnet.

> What is the default gateway I should use for the nodes on a particular switch?

It depends on which VLAN the port is a member of. Say you have your Layer 3 switch with VLANs 1, 2 and 3. VLAN 1 has an IP of 192.168.0.1, VLAN 2 192.168.2.1, VLAN 3 192.168.3.1. You would create VLAN 2 and VLAN 3 on every switch that has hosts connected (VLAN 1 is already on each switch by default). Between the core/distribution switch and the access layer switches you would configure one or more tagged ports connecting the switches together. Now you make the individual ports on the access layer switches members of the required VLAN. Set the default gateway of the server to the IP address of the VLAN defined on the core switch.

Core/Distribution  e48 ----- e48  Access Layer Switch (top)
                   e47
                    |
                    |
                    |
                   e48
                   Access Layer Switch (bottom)

The diagram above has a single uplink between each access layer switch and the core/distribution switch (port 48 from the core to port 48 on the top access layer switch and port 47 from the core to port 48 on the bottom). You've got two servers hanging off each access layer switch; one is on VLAN2 the other is on VLAN3. Your DHCP server is on VLAN1 and has an IP address of 192.168.0.20

The core config would look like this (pseudocode):
Code:
; Core: ip routing on, an IP on every VLAN that is to be routed
ip routing
vlan 1
   name "DEFAULT_VLAN"
   ip address 192.168.0.1 255.255.255.0
   exit
vlan 2
   name "VLAN2"
   tagged 47-48
   ip address 192.168.2.1 255.255.255.0
   ip helper-address 192.168.0.20
   exit
vlan 3
   name "VLAN3"
   tagged 47-48
   ip address 192.168.3.1 255.255.255.0
   ip helper-address 192.168.0.20
   exit
The top access layer switch would look like this:
Code:
; Top access switch: no "ip routing"; VLANs are defined but only VLAN 1 gets an IP
vlan 1
   name "DEFAULT_VLAN"
   ip address 192.168.0.2 255.255.255.0
   ; only a single IP address, for management
   exit
vlan 2
   name "VLAN2"
   tagged 48
   untagged 3
   ; server plugged into port 3 has a default gateway of 192.168.2.1 (the core)
   exit
vlan 3
   name "VLAN3"
   tagged 48
   untagged 4
   ; server plugged into port 4 has a default gateway of 192.168.3.1 (the core)
   exit
Bottom access layer switch config:
Code:
; Bottom access switch: same pattern; its port 48 uplinks to core port 47
vlan 1
   name "DEFAULT_VLAN"
   ip address 192.168.0.3 255.255.255.0
   ; single IP address, for management only
   exit
vlan 2
   name "VLAN2"
   tagged 48
   untagged 3
   ; server plugged into port 3 has a default gateway of 192.168.2.1
   exit
vlan 3
   name "VLAN3"
   tagged 48
   untagged 4
   ; server plugged into port 4 has a default gateway of 192.168.3.1
   exit
> For example, how can DHCP give an accurate gateway if it's dependent on the physical location of the node?

It's not. The host will send the DHCPDISCOVER broadcast message. The message will be forwarded across the tagged port from the access layer switch to the core/distribution switch and will then be forwarded to the DHCP server (specified by the ip helper-address command). The core switch will forward the DHCP broadcast as a unicast message to the DHCP server, and it will include the IP address of the interface that it received the message on (i.e. if your host resides on VLAN2 the header would include 192.168.2.1 as a field in the header). The DHCP server will see this as the GIADDR attribute and it will look in its DHCP database for an address pool that would include this GIADDR (in this case it's a pool for 192.168.2.0/24). The normal DHCPOFFER/DHCPREQUEST/DHCPACK process will finish as normal. Voila, your host has its IP address.

I hope I didn't complicate things too much.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
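The relay step described above, as an added example (this is not code from the thread or from HP): a host on VLAN2 broadcasts a DHCPDISCOVER, the core's `ip helper-address` stamps GIADDR with the address of the VLAN interface the broadcast arrived on and unicasts it to the server, and the server picks the pool from GIADDR rather than from where the datagram came from. The pools, client MAC and transaction ID are constructed for the example; the addresses are the ones used in the thread. Note that the server has nothing but GIADDR to go on, so pool selection is only as trustworthy as the relay that sets it, which is why the helper belongs on the routing switch's VLAN interface.

```python
"""DHCP relay and GIADDR, as an added example (not code from the thread). It models
the exchange unclerico describes: a host on VLAN2 broadcasts DHCPDISCOVER, the core's
'ip helper-address' relays it as unicast with giaddr set to the VLAN2 interface, and
the server picks the pool from giaddr. Pools, MAC and xid are constructed here."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"
SERVER_IP = "192.168.0.20"                # DHCP server on VLAN1, as in the thread
HDR = "!BBBBIHH4s4s4s4s16s64s128s"        # RFC 2131 fixed header, 236 bytes

# Constructed pools: subnet -> (first free lease, option 3 router = the core's VLAN IP)
POOLS = {
    ipaddress.ip_network("192.168.0.0/24"): ("192.168.0.100", "192.168.0.1"),
    ipaddress.ip_network("192.168.2.0/24"): ("192.168.2.100", "192.168.2.1"),
    ipaddress.ip_network("192.168.3.0/24"): ("192.168.3.100", "192.168.3.1"),
}


def build_discover(xid: int, mac: bytes) -> bytes:
    """Client DHCPDISCOVER: hops 0, giaddr 0.0.0.0, broadcast flag, option 53 = 1."""
    z = b"\0" * 4
    fixed = struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000,        # BOOTREQUEST, Ethernet, hlen 6
                        z, z, z, z,                               # ciaddr yiaddr siaddr giaddr
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([53, 1, 1, 255])


def relay(packet: bytes, ingress_vlan_ip: str) -> bytes:
    """What 'ip helper-address' does: if giaddr is still zero, stamp it with the address
    of the VLAN interface the broadcast arrived on, bump hops, and unicast to the server."""
    giaddr = packet[24:28]
    if giaddr == b"\0" * 4:
        giaddr = ipaddress.ip_address(ingress_vlan_ip).packed
    return packet[:3] + bytes([packet[3] + 1]) + packet[4:24] + giaddr + packet[28:]


def options(packet: bytes) -> dict:
    """Parse the TLV options after the magic cookie into {code: value}."""
    if packet[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:                                        # pad byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        out[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return out


def server_offer(packet: bytes) -> dict:
    """Server side: the pool is chosen from giaddr, not from the datagram's source, and
    the reply goes back to the relay (or is broadcast locally when giaddr is zero)."""
    if options(packet).get(53) != b"\x01":
        raise ValueError("not a DHCPDISCOVER")
    giaddr = ipaddress.ip_address(packet[24:28])
    key = ipaddress.ip_address(SERVER_IP) if int(giaddr) == 0 else giaddr
    subnet = next(net for net in POOLS if key in net)
    yiaddr, router = POOLS[subnet]
    return {"xid": struct.unpack("!I", packet[4:8])[0], "yiaddr": yiaddr,
            "router": router, "subnet": str(subnet),
            "reply_via": "local broadcast" if int(giaddr) == 0 else f"unicast to {giaddr}"}


def walkthrough(vlan_if_ip: str) -> dict:
    """Host behind the core's VLAN interface vlan_if_ip: DISCOVER -> relay -> OFFER."""
    discover = build_discover(0x3903F326, bytes.fromhex("001122334455"))   # constructed
    return server_offer(relay(discover, vlan_if_ip))


if __name__ == "__main__":
    for svi in ("192.168.2.1", "192.168.3.1"):
        print(svi, "->", walkthrough(svi))
```

Running it shows the same client getting a 192.168.2.x lease with router 192.168.2.1 when relayed off the VLAN2 interface and a 192.168.3.x lease with router 192.168.3.1 when relayed off VLAN3: the gateway in the offer follows the VLAN, not the rack.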
 
Cheers Guys.

Looks like I've made a bit of a mistake then.....

I have 5 racks in total, and due to budget constraints and geographical problems I ended up opting for 3 x HP 2900's and 2 Dell PowerConnects (as they were free!)

Therefore my switch infrastructure comprises five Layer 3 switches interconnected by 10Gig pipes (CX4 and fiber), with some L2 client switches hanging off.

I think I understand what you are saying, but doesn't that assume that, other than the core switch, all other switches handle a single VLAN each?


If you have any patience left with me and my questions :)-)), can I set up a hypothetical situation:

- 2 racks
- Each rack has a Layer 3 HP 2900 switch
- Each rack has 3 servers that all need to be in separate VLANs
- VLAN1 is clients and servers
- VLAN2 is DMZ
- VLAN3 is Management
- The 2900's are connected to each other via CX4

In this situation, there is no core switch. So I create my 3 VLANs on the first rack fine. As the switch is doing L3 routing for me I enable IP routing, and I also give each VLAN its own IP as the nodes will need to use that as the gateway between the VLANs.

I skip across the server room to the other rack, and create the same VLANs again with the same tags and names. However I can't give the VLANs the same IPs as they would conflict with the other switch. Ergo I have to give the VLANs a different IP. I then set up the servers' default gateways with the respective default gateway depending on what VLAN that server is in (which depends on the port being used).

However, this means that the nodes in the first rack are using a different default gateway than the nodes in the second rack... even if they are in the same VLAN....



If I was using a core switch, I understand that you define the VLAN and give it the IP and simply set a port on the switch to untagged and plug in an L2 switch that will carry all traffic for that VLAN... but what if you want a mixture of VLANs accessible on a single rack? Surely you wouldn't require multiple physical switches (one L2 physical switch for each VLAN spurred from the core) - but the only other option is to have each switch in a rack running multiple VLANs. If that's the case then I'll need to give each VLAN on EACH SWITCH a unique IP - meaning that there will be a unique default gateway per VLAN per switch/rack.

Is this correct? As having 5 default gateways for a single VLAN (dependent on the physical switch the node is plugged into) is obviously not a realistic option!

I'm sure I'm still getting this wrong, so sorry for the continued silly questions and thanks again for your time and patience!

Cheers,




Steve.

"They have the internet on computers now!" - Homer Simpson
 
Let's work with your scenario. Take a look at this drawing and see if it clears anything up:


You will almost always have one "core" switch whether you realize it or not. This is the switch that will connect to the firewall. As you can see in the drawing, only one switch has IP routing enabled, but both switches have all of the VLANs defined. On the "core" switch you give each VLAN an IP address; this is the default gateway for the hosts on the subnet (VLAN). On the other switches you only give one VLAN an IP address, for management purposes. Notice the default gateways assigned to the hosts in the rack on the left; they are all pointing to the "core" switch. As this hypothetical network grows you would most definitely make some design changes.

Remember that only devices performing Layer 3 functions will route traffic; thus these are the default gateways for the respective subnets.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico, I only wish I could give more than one star - you're a gentleman, sir!
Thank you - that's really helped me!!!

So essentially, the non-core switch would need to have IP routing disabled as it's not actually routing traffic between VLANs...?

If I can just confirm the steps so they are clear in my head:

1) On the L3 switch that is connected to the firewall, create your VLANs including the IPs, tagging and names.

2) On the same switch ensure that you have your interconnects to other switches (such as CX4) set up so that the VLAN packets are tagged.

3) Other rack-based switches (that need to have multiple VLANs) should have IP routing turned off, but should still have each VLAN defined (manually if you are not using GVRP), such as tag and name - however the IP address should be left empty other than for the management VLAN. As long as there are tagged trunks to the core switch, the other switches know what to do!!!

4) Client switches (what's connected to the patch panels) will need to have an untagged connection from a port off any of the racked switches. (As long as the client switch is serving a single VLAN.)

Am I right in the above methodology?

Thanks again for all of your help guys - I really appreciate you taking the time out to help me. I'll do a FAQ on this for noobs like me and obviously give credit for your assistance.

Cheers, and if there's any VMWare or Windows/AD questions you have I'll be happy to repay the favor! :)



Steve.

"They have the internet on computers now!" - Homer Simpson
 
Correctamundo my man. We're always glad to help out ;-)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
One quick question if you have a second guys....

How do I stop a 2900 that has IP routing enabled from routing a particular VLAN...?

I have our DMZ VLAN running and I don't want the 2900's routing anything from/to it... instead it should be passed to my firewall.

I assume I need to make a static entry on the core switch (which I can do) but I don't know how to tell the 2900 to stop routing a particular VLAN.

Is it as simple as just not giving it an IP address?!

Cheers again chaps - and that FAQ I promised is coming!!!




Steve.

"They have the internet on computers now!" - Homer Simpson
 
> Is it as simple as just not giving it an IP address?!

Exactly!!! Since the clients on the subnet would use that IP as the default gateway, taking it away will not allow the traffic to route to other subnets.

> I assume I need to make a static entry on the core switch (which I can do) but I don't know how to tell the 2900 to stop routing a particular VLAN.

If the DMZ interface on the firewall is connected directly to the switch that hosts the DMZ VLAN then it will work fine. You would need to give the hosts on the DMZ VLAN the IP of the DMZ interface on the firewall as the default gateway so that traffic can route correctly. I hope I'm making sense.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
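The design agreed in the thread, both the four-step summary (one routing core with an IP per VLAN, rack switches that only define the VLANs and trunk them tagged) and the DMZ answer just above (a VLAN the core carries but has no IP on, so it cannot be routed by the core and its hosts use the firewall as gateway), as one frame-level model in Python. This is an added example, not code from the thread or from HP: host names, MACs, port numbers and the firewall's DMZ address 192.168.2.254 are constructed, ARP is assumed already resolved, and VLAN 1 is kept for DHCP and management only because the thread does so; the earlier reply's advice to keep normal operation off the default VLAN still stands.

```python
"""Frame-level model of the agreed design, as an added example (not code from the thread):
one L3 core with IP routing and an IP on each routed VLAN, a rack switch that only
defines the VLANs and carries them over a tagged uplink, and a DMZ VLAN the core carries
but does not route (no IP on it), so DMZ hosts use the firewall as gateway.
Host names, MACs and port numbers are constructed; ARP is assumed already resolved."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    tag: int = 0                       # 802.1Q VID on the wire; 0 = untagged

@dataclass
class Port:
    pvid: int                          # the one VLAN this port is "untagged" in
    tagged: set = field(default_factory=set)   # VLANs this port carries with a tag

MACS = {"192.168.0.20": "00:dhcp", "192.168.2.254": "00:fw"}   # constructed ARP cache

class Switch:
    def __init__(self, name, ports, svis=None, ip_routing=False):
        self.name, self.ports, self.ip_routing = name, ports, ip_routing
        self.svis = svis or {}         # vlan -> (ip/prefix, mac): only VLANs given an IP
        self.links = {}                # port -> ("host", name, mac) | ("switch", Switch, port)
        self.fdb = {}                  # (vlan, mac) -> port, learned on ingress
        self.trace = []

    def gateway_mac(self, vlan, ip):
        """ARP for a gateway is answered only by an IP interface on that same VLAN."""
        svi = self.svis.get(vlan)
        if svi and ipaddress.ip_interface(svi[0]).ip == ipaddress.ip_address(ip):
            return svi[1]
        return None

    def receive(self, port, frame):
        p = self.ports[port]
        if frame.tag and frame.tag not in p.tagged:
            self.trace.append(f"{self.name}: dropped VID {frame.tag} on port {port}")
            return []
        vlan = frame.tag or p.pvid
        self.fdb[(vlan, frame.src_mac)] = port
        svi = self.svis.get(vlan)
        if self.ip_routing and svi and frame.dst_mac == svi[1]:   # addressed to our IP interface
            hit = [(v, m) for v, (net, m) in self.svis.items()
                   if ipaddress.ip_address(frame.dst_ip) in ipaddress.ip_interface(net).network]
            if not hit:
                self.trace.append(f"{self.name}: no connected route to {frame.dst_ip}")
                return []
            vlan, mac = hit[0]
            frame = Frame(mac, MACS[frame.dst_ip], frame.src_ip, frame.dst_ip)
            self.trace.append(f"{self.name}: routed {frame.src_ip}->{frame.dst_ip} into VLAN {vlan}")
        return self.switch(vlan, frame, port)

    def switch(self, vlan, frame, in_port):
        known = self.fdb.get((vlan, frame.dst_mac))
        out_ports = [known] if known else [q for q in self.ports if q != in_port]   # else flood
        delivered = []
        for q in out_ports:
            p = self.ports[q]
            if vlan == p.pvid:
                egress = Frame(frame.src_mac, frame.dst_mac, frame.src_ip, frame.dst_ip, 0)
            elif vlan in p.tagged:
                egress = Frame(frame.src_mac, frame.dst_mac, frame.src_ip, frame.dst_ip, vlan)
            else:
                continue               # port is not a member of this VLAN at all
            kind, *rest = self.links.get(q, ("none",))
            if kind == "host" and egress.tag == 0 and egress.dst_mac == rest[1]:
                delivered.append(rest[0])
            elif kind == "switch":
                delivered += rest[0].receive(rest[1], egress)
        return delivered

def build_lab():
    core = Switch("core", {1: Port(1), 2: Port(2), 48: Port(1, {2, 3})},
                  svis={1: ("192.168.0.1/24", "00:core1"), 3: ("192.168.3.1/24", "00:core3")},
                  ip_routing=True)                        # VLAN 2 (DMZ) deliberately has no IP
    rack = Switch("rack2", {3: Port(2), 4: Port(3), 48: Port(1, {2, 3})},
                  svis={1: ("192.168.0.2/24", "00:rack1")})   # management IP only, no routing
    core.links = {1: ("host", "dhcp", "00:dhcp"), 2: ("host", "firewall-dmz", "00:fw"),
                  48: ("switch", rack, 48)}
    rack.links = {3: ("host", "serverB", "00:srvB"), 4: ("host", "serverA", "00:srvA"),
                  48: ("switch", core, 48)}
    return core, rack

def run(host_port, src_mac, src_ip, gw_vlan, gw_ip, dst_ip):
    """Host on rack port host_port resolves gw_ip on its own VLAN and sends dst_ip via it."""
    core, rack = build_lab()
    gw = core.gateway_mac(gw_vlan, gw_ip) or MACS.get(gw_ip)  # core IP interface, else firewall
    got = rack.receive(host_port, Frame(src_mac, gw, src_ip, dst_ip))
    return {"gateway_on_core": core.gateway_mac(gw_vlan, gw_ip), "delivered": got,
            "trace": rack.trace + core.trace}

def server_a_to_dhcp():    # VLAN3 host in rack 2, gateway 192.168.3.1 lives on the core
    return run(4, "00:srvA", "192.168.3.10", 3, "192.168.3.1", "192.168.0.20")

def dmz_host_to_inside():  # DMZ host: core has no IP on VLAN2, so the firewall is the gateway
    return run(3, "00:srvB", "192.168.2.10", 2, "192.168.2.254", "192.168.0.20")
```

`server_a_to_dhcp()` shows the frame leaving the rack switch tagged VID 3, being routed by the core into VLAN 1 and delivered to the DHCP server: the rack switch never routed anything. `dmz_host_to_inside()` shows the same path ending at the firewall's DMZ port with no "routed" entry in the trace, and `core.gateway_mac(2, "192.168.2.1")` returns nothing because the core has no IP on VLAN 2, which is exactly what "just don't give it an IP address" buys you.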
 