07-26-2011 12:33 PM - edited 07-26-2011 01:06 PM
Hi there, I need expert help on creating VLANs and routing of VLAN traffic. I
am a beginner when it comes to routing/firewalls and VLANs. This is probably a
pretty simple setup for most of you...
We are a separate organization apart from the rest of the company.
Our building/organization has a firewall that is also connected via a
fiber converter to the rest of the company. On our LAN we have a Windows domain called
REED.LOCAL; the workstations that are part of the Default VLAN are members of this domain.
On our LAN we have 3 switches, 2 HP Procurve 2810 and a Cisco Linksys switch.
On the 3 switches I want to have 2 VLANs made available, CSC and APC; the equipment on
these VLANs will NOT be a member of my REED.LOCAL domain.
My idea is this:
To have one of the Procurve switches as the "MAIN SWITCH" and
uplink the 2 other switches to this "MAIN SWITCH", the servers on my LAN will be on the "MAIN SWITCH".
For routing between the VLANs we have a firewall that also supports VLANs.
I want only the "MAIN SWITCH" to have an uplink cable to the firewall, which should
function as a router for the VLANs that are active on all of my switches and also for my internet traffic etc.
I want the VLANs on all the different switches to be able to route using the firewall.
Extra requirement: the VLAN that is called APC is meant for separating workstations that should be able to join a Windows domain called APC.RO. This domain and its servers actually reside on the other side of the firewall and these are NOT in ANY VLAN. However, I want the workstations in my APC VLAN to be able to communicate with every (APC.RO domain member) workstation and server of that domain on the other side of the firewall.
Later on if there is a budget we want to replace the UTP uplinks with the miniGBIC
Will this setup work this way (see also picture)?
What exactly should the setup look like (tagging of uplink ports? gateways to be filled in on each device?)
Do I need to enable Spanning Tree Protocol?
If so, do I need to configure Spanning Tree Protocol in any way or is just
enabling it on all switches enough?
Hope you can help me out with this setup, thanks,
08-14-2011 10:08 AM
From your topology I understand that your default VLAN is the one where your office PCs connect to.
How to configure this is fairly simple: just make sure that the inter-switch (and the router) ports are tagged on all 3 VLANs. This will allow clients on each VLAN to reach the firewall, which will take care of routing. Your firewall must have an interface (IP address) on each VLAN, and this must be configured as default gateway to the clients on each VLAN. Spanning Tree is a loop protection, so since you don't have loops you don't have to configure that.
The question of devices which are not in any VLAN is a bit of a different issue. You have to remember that each VLAN is also a separate subnet. So if these devices are on a fourth, separate subnet and your router knows how to forward data to that subnet, it shouldn't be a problem.
HP Networking Engineer
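As an added example (not part of this thread, and not a configuration from HP or from the original poster), here is what the design described in the question and the answer above looks like on the two ProCurve 2810 switches: every VLAN that exists on a switch is tagged on the inter-switch uplinks and on the firewall port, and workstation ports are untagged members of exactly one VLAN. The VLAN IDs (10 for CSC, 20 for APC), the port numbers, the hostnames and the management addresses are all assumptions chosen for illustration, since the thread does not state them; the Linksys switch uses a different CLI and is not shown. The firewall configuration is vendor-specific and is only described in the comments.

```text
; ===== MAIN SWITCH (ProCurve 2810) =====
; Assumed port layout (not from the thread):
;   1-8    workstations in VLAN CSC (untagged)
;   9-16   workstations in VLAN APC (untagged)
;   17-21  servers in the default VLAN (untagged)
;   22-23  uplinks to the two other switches (tagged on every VLAN)
;   24     uplink to the firewall (tagged on every VLAN)
hostname "MAIN-SWITCH"

vlan 1
   name "DEFAULT_VLAN"
   untagged 17-21
   tagged 22-24
   ; management address of the switch itself (assumed placeholder);
   ; the firewall's interface in this VLAN is the default gateway
   ip address 192.168.1.2 255.255.255.0
   exit
vlan 10
   name "CSC"
   untagged 1-8
   tagged 22-24
   exit
vlan 20
   name "APC"
   untagged 9-16
   tagged 22-24
   exit

; placeholder for the firewall's VLAN-1 address, used for switch management only
ip default-gateway 192.168.1.1

; ===== EDGE SWITCH (second ProCurve 2810) =====
; Same VLAN IDs and names; port 24 is the uplink to the MAIN SWITCH.
hostname "EDGE-SWITCH-1"

vlan 1
   name "DEFAULT_VLAN"
   untagged 1-8
   tagged 24
   ip address 192.168.1.3 255.255.255.0
   exit
vlan 10
   name "CSC"
   untagged 9-16
   tagged 24
   exit
vlan 20
   name "APC"
   untagged 17-23
   tagged 24
   exit

ip default-gateway 192.168.1.1

; Firewall side (not shown, vendor-specific): one 802.1Q sub-interface per VLAN
; on the port facing switch port 24, each with an IP address in that VLAN's subnet.
; Workstations in each VLAN get that address as their default gateway (e.g. via DHCP).
; For APC.RO: the firewall needs a route (or a directly connected interface) to the
; subnet where the APC.RO servers live, plus a rule allowing the APC VLAN subnet to
; reach it; the CSC and default VLANs stay separated by the firewall's rule set.
```

The property worth checking after applying this is that the set of VLANs tagged on every uplink is identical on all switches and on the firewall port (`show vlans` and `show vlans ports 24 detail` on the ProCurve side); a VLAN missing from one uplink simply does not cross that link, and a VLAN left untagged on an uplink silently merges it with whatever the other end treats as its untagged VLAN. Enabling spanning tree is not required for a loop-free tree of uplinks, as the answer says, though it does no harm here if someone later plugs in a second cable between two switches.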