VLAN question

Skunk

Member
Mar 26, 2001
119
0
76
I have a VLAN set up here that I'm trying to get working. My current network is set up across a couple of switches and 2 WLAN switches. My server is configured with 2 NICs. NIC 1 is configured as 10.0.0.x and NIC 2 is configured as 192.168.100.x and set to VLAN 100.

I'm trying to configure this setup so that the wlan aps can tag the wifi traffic as vlan 100 and 1 of the remote switches to do the same. The switch the server’s vlan nic is plugged into is configured as tagged for vlan100 and all the rest are untagged in vlan1 so the bulk of the lan can reach the server.

The wifi APs are set to tag any traffic on vap1 as vlan100. The remote switch is configured to tag all ports except 1 as vlan100. The remaining port is untagged in vlan1. (There is a dedicated line run from this single port to the main switch. All computers plugged into this switch should participate in the VLAN only.)

It’s not working though; DHCP requests are not making it to the server, and while sniffing traffic from the tagged VLAN NIC on the server I see only traffic from itself, nothing remote.

I'm clearly doing something wrong, but I'm not sure where. I’ve tried variations on tagged versus untagged and excluded etc with no luck. Anyone have any ideas?
 

robmurphy

Senior member
Feb 16, 2007
376
0
0
I think it would be clearer if you outlined what you want to do.

Do any of the switches have both networks on them?

If you just want to split the switch so that part of the switch has the 192.168.x.x network and the other has the 10.0.0.x you can just use a port based VLAN. The ports are set to access mode and not tagged.

Is it the case that the wireless access points carry traffic for both networks? This means you may want a VLAN trunk between the access point and the switch. Spidey is the best person for this, though I don't think he likes VLAN trunking.

It would also help to give details of the NICs, switches, and access points used.

Rob.
 

Skunk

Member
Mar 26, 2001
119
0
76
We have a division that's being brought in-house and I'm attempting to segregate their traffic from the regular lan traffic. All their traffic should be tagged as vlan100.

The server has a nic on that vlan so they can pull their email, access files etc but everything else should be separate.

The switches are all procurve v1810-48g, and the wlan aps are cisco AP541N.

The WLAN APs are configured with 3 VAPs, 2 of which are configured for the native vlan1 and the third is set to tag everything as vlan100.

I've never played with vlan trunking, I'll look into that.
 

robmurphy

Senior member
Feb 16, 2007
376
0
0
Please remember that any 2000/XP/Vista/Win 7 machines will not work with tagged traffic. This means you will need to configure the ports on your edge switches so that the traffic for the above machines is untagged. This means the port will be an access mode port. This also means the ports will need configuring for the correct network.

Please also be aware that VLANs are not regarded as very secure.

Separate switches at the edge for the different networks may make sense.

Rob.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
> Please also be aware that VLANs are not regarded as very secure.
>
> Separate switches at the edge for the different networks may make sense.
>
> Rob.

I am not sure what you are trying to say here. How do you break out of a vlan if the edge switches are access ports? The only "nonsecure" thing about vlans is trunking with tagged ports and clients and expecting the client to stay in that vlan.

If you trunk to a switch and that switch exports access ports in each vlan there is no way someone is going to jump to another vlan and there would be no need for 2 switches.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Skunk, you may want to pick up a set of the CCNA books; they go into depth about VLANs. You typically do not want to tag VLANs on access ports (ports that go to desktops and servers), with the only exception being voice over IP. 2000/XP/Vista/7 can understand tagged ports assuming the NIC card and driver support it, but it is not a smart way to do it. You make those ports "switchport access vlan 100" (in Cisco world) and the switch will handle tagging and untagging the 802.1q tagging on the frames.

As for the server, if that is a Windows Server, good luck ever getting a multihomed environment working the way you want it to without some deep guru skills when working with the routing.

Can you describe why this traffic needs to be isolated? If it is due to "this group is doing CAD [high load]" then there is a far better way to handle this than multihoming.
 

Rhyseh

Junior Member
Apr 2, 2012
5
0
0
I am having a hard time trying to understand what you are trying to do exactly. Why are you configuring IP addresses on separate VLANs for the same server? Why not simply keep the server configured with the standard IP address setup (you should probably have all your servers on a separate server VLAN anyway), place the desired parts of the network on VLAN 100 and then set up an IP helper address to point to the DHCP server (thus routing DHCP broadcasts). Finally set up an ACL on your L3 switch or router to only allow the connectivity you want them to have and you have a segregated and controlled network.

By the sounds of things you probably need to review your network configuration anyway.

If you can provide some more information I can probably give you a better answer. Diagrams are always helpful for this kind of thing.
 

Skunk

Member
Mar 26, 2001
119
0
76
The network as it stands is flat. The new division requires connectivity to remote client networks. The client is insisting on a site to site vpn. (we deploy equipment for them, they are configured on-site but we download secure images via the site to site.)

The server is dual homed simply for DHCP services at this point. I was going to allow some of the clients to participate in both, in order to access Exchange etc., but I've changed my mind. I suppose I could stick an isc-dhcp on a simple server in that work group, and remove the dual home.

I've attached a crude diagram of what I'm trying to accomplish. I was under the impression that I could tag all the ports as vlan100 and allow all the same to participate untagged in the default VLAN, but I'm obviously very wrong.

http://i.imgur.com/2rH8u.png
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
You need a router. DHCP is easy. Put an IP helper on the router between vlan1 and vlan100. You can host hundreds of DHCP ranges from one server. Once the router is set up the networks will be logically isolated but able to access resources on each other if needed, i.e. email.

Also you keep saying "tagged" so I am not sure you know what you are saying. It is very different to tag a frame and to set an access port to a certain vlan. In most networks tagging generally ends at the switch/route layers as it is a layer 2 service. The only major exception to this is virtual servers.

If you insist on tagging to the desktops for some reason, expect a lot of issues like the dumb switch possibly dropping any 1500 MTU+ frames. 802.1q = 1518 MTU frames.

Also as an FYI I recommend against using vlan 1 once you go to vlans. Vlan1 is err "special" in that technically it should never be tagged but some devices do tag the 802.1q fields with "0001" which causes all kinds of strange issues. It also by default is the native vlan for all trunks and you can end up with a lot of data on it if you misconfigure.

Personally I would use 1 NIC on the server, either a) install a layer 3 switch or b) do "router on a stick" and trunk to that. Layer 3 switching will have the best results. From there trunk to the switch you have on the middle right, and set an access port to vlan 100 and attach your dumb switch. From there setup the required routing which would need more information than you provide here. On that server I would then configure multi-LAN DHCP (easy.)
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Another concern is that Windows doesn't deal with being multi-homed very well, you'll have much better luck with 2 instances of Windows.
 

Skunk

Member
Mar 26, 2001
119
0
76
I'm using tagged in the HP sense, which seems to be defined a little differently than the Cisco term. (Our switches are all ProCurves.)

E — exclude all ports from this VLAN.
T — participate in the selected VLAN and tag all frames.
U — participate in the selected VLAN and leave all outgoing frames untagged. Each port can have only one untagged VLAN membership. If a port is an untagged member of a VLAN and a second VLAN is selected for untagged membership, then the first VLAN membership is automatically changed to E (Exclude).

So I was attempting to "tag" all the ports used by the computers in the VLAN.

In the HP port configuration I would configure as such, port 1 as an example:

default vlan1 untagged.
vlan100 tagged.

That should allow port 1 to participate in both vlans but per the docs, only tagged traffic should pass over the switch.

I'd rather not use a router inside the LAN to connect the two as the switches should currently be able to do it. I'm just missing something in the configuration.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
> I'm using tagged in the HP sense, which seems to be defined a little differently than the Cisco term. (Our switches are all ProCurves.)
>
> E — exclude all ports from this VLAN.
> T — participate in the selected VLAN and tag all frames.
> U — participate in the selected VLAN and leave all outgoing frames untagged. Each port can have only one untagged VLAN membership. If a port is an untagged member of a VLAN and a second VLAN is selected for untagged membership, then the first VLAN membership is automatically changed to E (Exclude).
>
> So I was attempting to "tag" all the ports used by the computers in the VLAN.
>
> In the HP port configuration I would configure as such, port 1 as an example:
>
> default vlan1 untagged.
> vlan100 tagged.
>
> That should allow port 1 to participate in both vlans but per the docs, only tagged traffic should pass over the switch.
>
> I'd rather not use a router inside the LAN to connect the two as the switches should currently be able to do it. I'm just missing something in the configuration.

Ok, I can tell you don't get this, no offense. The correct config is "U" [untagged] for the VLAN you want to work with. "T" is for tagging, meaning the port is exporting tagged frames. Most clients without special configuration will ignore the tagged frames because they are invalid. Ethernet is 1500 MTU; the tagged frames will be 1518 MTU. The default config on clients will drop these frames and increment the error counts.

The only place you will tag frames is on the inter-switch connections [otherwise known as a trunk.]

Your VLAN100 machines will need to be connected to VLAN100 as "U" connections.

Honestly, you might get this to work but it is not going to "work right." The server being multihomed will likely cause issues with both sets of clients and will almost guarantee that Exchange will freak at some point. Windows servers do not support multihomed routed connections properly without extra routing configuration and/or RRAS. Windows Server also requires [by default] that all interfaces be world accessible. Basically what will happen is one day the machines on your 10.x network are going to try and connect to the DNS name of your server, it is going to reply with the address on the other port which is inaccessible, and cause clients to fail.
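To make the U versus T distinction above concrete, here is a small model of the HP E/T/U port semantics quoted earlier in the thread. It is an added illustration, not code from the thread, from HP or from any poster, and the port table (pc_port_wrong, pc_port_right, server_port, uplink) is constructed; it traces where an untagged DHCP DISCOVER from a desktop is classified on ingress and on which ports it leaves tagged.

```python
from typing import Dict, Optional

# HP ProCurve membership semantics as quoted in the thread:
#   E = excluded, T = member that sends frames tagged, U = member that sends
#   frames untagged.  A port is U in at most one VLAN, and that VLAN is the
#   one its untagged ingress frames are classified into.
# Constructed port table for illustration (not a real switch config).
PORTS: Dict[str, Dict[int, str]] = {
    "pc_port_wrong": {1: "U", 100: "T"},  # vlan1 untagged + vlan100 tagged
    "pc_port_right": {1: "E", 100: "U"},  # vlan100 untagged, excluded from vlan1
    "server_port":   {1: "U", 100: "T"},  # server NIC with VLAN-aware driver
    "uplink":        {1: "T", 100: "T"},  # trunk to the other switch
}

def classify(port: str, vid_on_wire: Optional[int]) -> Optional[int]:
    """VLAN a frame is assigned to on ingress at `port`, or None if dropped.

    vid_on_wire is None for an untagged frame, else the 802.1Q VID."""
    modes = PORTS[port]
    if vid_on_wire is None:
        untagged = [v for v, m in modes.items() if m == "U"]
        return untagged[0] if untagged else None
    return vid_on_wire if modes.get(vid_on_wire) in ("T", "U") else None

def flood(src_port: str, vid_on_wire: Optional[int]) -> Dict[str, Optional[int]]:
    """Flood a broadcast (e.g. a DHCP DISCOVER) to every other member port.

    Returns {egress_port: VID on the wire}; None means it leaves untagged."""
    vid = classify(src_port, vid_on_wire)
    out: Dict[str, Optional[int]] = {}
    if vid is None:
        return out
    for port, modes in PORTS.items():
        if port == src_port:
            continue
        mode = modes.get(vid, "E")
        if mode == "T":
            out[port] = vid
        elif mode == "U":
            out[port] = None
    return out

def host_accepts(vid_on_wire: Optional[int], vlan_aware: bool = False) -> bool:
    """A plain desktop NIC only handles untagged frames; a VLAN-aware driver
    (the server's virtual adapter) also accepts tagged ones."""
    return vid_on_wire is None or vlan_aware

def vlan100_nic_sees_discover(pc_port: str) -> bool:
    """Does an untagged DISCOVER from `pc_port` reach the server's VLAN 100
    virtual adapter?  It must arrive on server_port tagged with VID 100."""
    return flood(pc_port, None).get("server_port") == 100
```

With `pc_port_wrong` the desktop's untagged DISCOVER is classified into VLAN 1 and reaches the server untagged, so the VLAN 100 adapter never sees it; with `pc_port_right` it leaves server_port tagged 100, and any OFFER flooded back toward `pc_port_wrong` would arrive tagged and be dropped by a plain desktop NIC.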
 

Skunk

Member
Mar 26, 2001
119
0
76
No offense taken at all. I understand I'm not getting it. Everything I thought I knew isn't working.

I did start with the untagged approach for the VLAN I was trying to work with, but that wasn't working either, so I started second guessing myself and testing things I knew shouldn't work, but once you start to second guess yourself....
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
> No offense taken at all. I understand I'm not getting it. Everything I thought I knew isn't working.
>
> I did start with the untagged approach for the VLAN I was trying to work with, but that wasn't working either, so I started second guessing myself and testing things I knew shouldn't work, but once you start to second guess yourself....

But the key question is... is it sinking in at all, or are we still lost? "It's not working" is a pretty common status for VLANs early on. VLANs are deceptive in that they look really simple, but as you can see, they are not always.
 

Skunk

Member
Mar 26, 2001
119
0
76
It's sinking in.

I've gone back to my original setup of untagged for vlan100.

So I have the first 24 untagged in vlan1 and excluded from vlan100. Computers connected here can pull an IP and access the internet.

The second 24 are configured as untagged in vlan100 and excluded from vlan1. Computers connected to these ports cannot pull an IP.

The server has gone back to its original setup of a single NIC. It's configured via the HP software with vlan1 and vlan100. The newly created virtual adapter for vlan100 is configured with the IP address of the subnet I want to use for the VLAN.

I want to clarify that the two lans should not communicate with each other except for the server with the dhcp service installed, and that is simply for dhcp services. I do not want traffic routed between the two.

The ultimate goal is to have the site to site connected from the gateway to the vlan, thus keeping that traffic off the main lan.

Ultimately the powers that be would like to service multiple clients this way, which is why we've gone the vlan route. Once that base is setup, we can expand our vlan count as necessary.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Ok well for one, your DHCP server will need to know how to hand out ranges for vlan100, do you have multiple scopes set up? Does the port for the server have untagged 1 and tagged 100 configured on it? Does the "vlan100" NIC have an IP assigned? Can a static ip on VLAN100 (on one of those untagged 100 ports) ping the server?
 

Skunk

Member
Mar 26, 2001
119
0
76
DHCP has a scope for both ranges, and the vlan100 NIC has an IP address assigned for the subnet I want.

If I set the IP manually, I can ping another lab machine on the vlan100, as well as the IP set on the server. It cannot ping anything on the same VLAN on another switch. I have not configured a trunk between them yet.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
> DHCP has a scope for both ranges, and the vlan100 NIC has an IP address assigned for the subnet I want.
>
> If I set the IP manually, I can ping another lab machine on the vlan100, as well as the IP set on the server. It cannot ping anything on the same VLAN on another switch. I have not configured a trunk between them yet.

Ok, is DHCP assigned to that vlan100 NIC? Is it authorized? Is the scope enabled?
 

Skunk

Member
Mar 26, 2001
119
0
76
It's a Server 2008 machine. You can't assign a scope to a specific NIC. The DHCP server is listening on both though. It is authorized.

It's not handing them out on the other subnet either, I checked that.

That is, the machines connected to the VLAN ports are not pulling from either scope. The machines on the regular LAN pull from the 10.0.0.x scope normally.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
> It's a Server 2008 machine. You can't assign a scope to a specific NIC. The DHCP server is listening on both though. It is authorized.
>
> It's not handing them out on the other subnet either, I checked that.
>
> That is, the machines connected to the VLAN ports are not pulling from either scope. The machines on the regular LAN pull from the 10.0.0.x scope normally.

Yes, but the scopes can be enabled and disabled on a per-scope basis. I would need to do some tracing, but I think DHCP on 2008 is multihomed aware; if not, it could indicate that the reply is going out on the other NIC.

edit:

I verified that 2 nics will work. I assume you set a static IP for the server in VLAN100? It should match scope to NIC ip and use the one that matches, assuming it is enabled and authorized.
 

Skunk

Member
Mar 26, 2001
119
0
76
Both scopes are enabled.

The ip does match the scope.

IP is set to 192.168.100.2; the scope assigns 192.168.100.35-192.168.100.250.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
> Both scopes are enabled.
>
> The ip does match the scope.
>
> IP is set to 192.168.100.2; the scope assigns 192.168.100.35-192.168.100.250.

Is the event log showing anything for DHCP? You may need to break out wireshark and see what is going on.
 

Skunk

Member
Mar 26, 2001
119
0
76
Nothing in the event logs. I've been sniffing with Netmon, and that interface isn't seeing any DHCP requests. It does show the pings back and forth.

I did add another switch with a trunk and traffic does pass across successfully. So it appears I was right in the first place with my setup.

I'll install Wireshark and try with that.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Is the server seeing the other broadcasts? DHCP is a broadcast tech (it uses 255.255.255.255, however). You can try pinging the broadcast address and see if the pings hit the server in Netmon / Wireshark.
 