Vlan question.

newdamage1

I finally updated my lab switch here at the house (HP 1810-24g) and started to play around with ways to separate the "lab" portion of my network from the "production" portions.

Let me describe what I have running: 2 ESXi hosts, 1 NAS for VM shared storage; vCenter has 3 dvSwitches, one for dv192.168.1 (prod), one for dv172.16.5 (lab) and one for dv172.16.1 (iSCSI).
Each has a set of NICs attached on each host.

What I would like to do (and have not had a great deal of success with) is to completely separate the prod and lab LANs (separate domain, DHCP, DNS, etc.). I initially figured this was something I could do with VLANs, and moved 2 ports for the lab to VLAN 10, which does (mostly) work. BUT test servers in VLAN 10 still get DHCP offers from my DHCP server, which is in VLAN 1. Since everything is connected to the same switch, how would I block DHCP?

Suggestions appreciated!
 
You should make sure that the test ports are ONLY in VLAN10. Note that every VLAN should (logically) correspond with an IP subnet.

Also check whether your switch is routing between VLANS by default (is your HP a L3 switch or not?)
 
It's just a basic managed layer 2 switch: LACP, trunking, VLANs. Web interface only. If I understand you correctly, I should remove the VLAN 10 ports from untagged VLAN 1 ("exclude" is the switch's term) so they're only on VLAN 10.

I do have an Astaro UTM that will be the router for the VLAN 10 network, but I've not created that interface for it yet. I don't think it's routing, but that's easy to fix; I'll move the NIC out of that dvSwitch and test.
 
An L2 switch cannot route. So you are understanding me correctly. Access/untagged ports should (exceptions exist) be in one VLAN only.

For DHCP, you will need to create a trunk/tagged port between router and switch and also create a DHCP server for VLAN 10.
This requires your router to understand VLAN-tags.

For now, I would focus on L2 first.
 
Adding exceptions for VLAN 1 on those ports looks to be the ticket. (I also added VLAN 10 to the dvPort group.) No more DHCP offers from the other VLANs. Yea!

As for the next step in learning/testing, I went ahead and created an interface in Astaro for the lab LAN. I can now ping computers across the VLANs. BUT it won't DHCP lease across them, which is what I wanted. But I don't understand how they can talk but not DHCP offer. Need to do some research to understand that one. Thanks for the help.
 
VLAN stuff is mostly about 2 things: 1. create the VLAN; 2. add ports to it.
When a port is in more than 1 VLAN it is a trunk (tagged) port. Otherwise it is an access (untagged) port.

Often the hardest part is figuring out how each brand names the options above.
As a bonus you can perform (RX) ingress filtering and TX filtering (a form of egress filtering).

As for DHCP:
The easiest would be a per-VLAN DHCP pool. It is a VERY bad idea to hand out addresses from the same subnet to multiple VLANs.
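To make the two behaviours in this thread concrete (VLAN 1 DHCP offers still reaching a lab port that is a member of VLAN 1, and lab hosts that can ping across VLANs through the router while DHCP does not lease across them), here is a small Python model added as an example. It is not any poster's configuration; the port names, MAC addresses, subnets and the absence of a DHCP relay on the router are all constructed assumptions.

```python
# Constructed model of the thread's setup: an L2 switch with per-port VLAN
# membership sets and a router with one interface per VLAN and no DHCP relay.
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    def __init__(self, membership):
        self.membership = membership      # port -> set of VLAN ids
        self.mac_table = {}               # (vlan, mac) -> port, learned on ingress

    def egress_ports(self, in_port, vlan, src_mac, dst_mac):
        """Ports a frame classified into `vlan` leaves through; [] if dropped."""
        if vlan not in self.membership[in_port]:
            return []                     # ingress filtering: VLAN not allowed here
        self.mac_table[(vlan, src_mac)] = in_port
        known = self.mac_table.get((vlan, dst_mac))
        if dst_mac != BROADCAST and known is not None:
            return [known] if known != in_port else []
        # broadcast or unknown unicast floods only to other members of this VLAN
        return sorted(p for p, v in self.membership.items() if p != in_port and vlan in v)

class Router:
    def __init__(self, interfaces):
        self.interfaces = {v: ipaddress.ip_network(n) for v, n in interfaces.items()}
        self.dhcp_relay = False           # assumption: no "ip helper"/relay configured

    def vlan_of(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((v for v, n in self.interfaces.items() if addr in n), None)

    def routes(self, src_ip, dst_ip):
        """Unicast between two directly connected subnets is routed (so ping works)."""
        return self.vlan_of(src_ip) is not None and self.vlan_of(dst_ip) is not None

# Constructed topology: p1 DHCP server (VLAN 1), p2 prod host (VLAN 1), p3 lab host, p4 router trunk.
def build(lab_port_vlans):
    return Switch({"p1": {1}, "p2": {1}, "p3": set(lab_port_vlans), "p4": {1, 10}})

def vlan1_broadcast_reaches_lab(lab_port_vlans):
    """Does a DHCPOFFER broadcast from the VLAN 1 server still hit the lab port?"""
    sw = build(lab_port_vlans)
    return "p3" in sw.egress_ports("p1", 1, "00:00:00:00:00:01", BROADCAST)

def lab_dhcp_discover_gets_offer(router):
    """Lab host broadcasts DHCPDISCOVER in VLAN 10; only a server or relay in VLAN 10 can answer."""
    sw = build({10})
    receivers = sw.egress_ports("p3", 10, "00:00:00:00:00:03", BROADCAST)
    return "p1" in receivers or ("p4" in receivers and router.dhcp_relay)
```

With the lab port in both VLANs the VLAN 1 broadcast leaks; once it is only in VLAN 10 it does not, and the lab host's own DHCPDISCOVER stays inside VLAN 10, so the router forwards its pings but nothing answers its DHCP until a VLAN 10 pool or a relay exists.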
 
You're getting there. As Jeroen1000 has mentioned, it's best you go forth with configuring a DHCP pool for each VLAN; this simplifies the process of IP addressing for the separate devices in the two VLAN subnets. Generally you'd have 2 DHCP pools, as from what I've read briefly you want the two VLANs to have their own IP addresses allocated by a DHCP server: exclude the IP address of either VLAN's gateway address, specify the subnet address and subnet mask under which that device and VLAN falls (e.g. 192.168.1.0, no host ID), and a default router gateway address, as all routing between VLANs is always passed back to the router. In a working Cisco environment an ip helper address of the exit interface is specified to point and forward all VLAN packets in and out due to the separate broadcast domains; the ip helper address relays the broadcast to all devices on that segment.
 
Does he have a separate stand-alone DHCP server? If not, most routers I've worked with can just tie a DHCP pool to their routed VLAN interface. No need for IP helper then.
 
Well, that's the question; it's a bit vague. Generally, in Cisco environments I've worked with, a DHCP pool is specified, which means no dedicated DHCP server. An ip helper will help if there is more than 1 router connected and the other end is connected to the internet side, i.e. the ISP connection. But who knows; if not, then yes, an ip helper is not needed.
 