Wired Intelligent Edge

  • 1.  Connecting VLANs on 2 switches to make 1 larger VLAN

    Posted Nov 01, 2024 04:47 AM

    I'm new to VLANs so please excuse my ignorance. I have one VLAN on one switch, 192.168.167.1/24, with 6 untagged ports, each of which connects to a single device. I have a second switch with a VLAN 192.168.167.254/24 with 10 untagged ports. Both switches are HP2530-48p. Each switch also has a default VLAN encompassing the other ports. The default VLAN and the second VLAN on the same switch that I added do not need to talk to each other; just the two 2nd VLANs on each switch need to talk to each other. I tried connecting the VLANs together with a patch cable to/from one port, and it caused issues with some devices unable to talk to other devices even if on the same switch VLAN. How best can I connect both VLANs together to make a 16 port VLAN across the two switches? I think part of my issue is using 192.168.167.1 as a gateway on one and 192.168.168.254 as a gateway on the other - I'm thinking now they should be the same gateway on both switches. Currently the VLAN IP is the same as the gateway on each device, so .1 on one switch and .254 on the other. I think maybe I can use .254 as the VLAN IP on the second switch but should use the .1 as the gateway if I want the two VLANs to talk to each other - right?

    Do I need to use a trunking port on each VLAN to connect the two or a tagged port? 

    A secondary question, which is not as important as the above, is connecting the VLAN to the Internet. The other ports on each switch using the default VLAN connect to the Internet using a different gateway IP. Currently there are 5 HP2530 switches in this network; each switch is connected to the next switch with a simple jumper. I.e., switch 1 has port 48 jumpered to port 47 of switch 2, switch 2 port 48 is jumpered to port 47 of switch 3, and so on. The last switch has port 48 connected to an Aruba 24 port switch, with that switch connected to a primary and backup Watchguard appliance that is connected to a fibre drop for Internet.

    To connect this 16 port VLAN from above to the Internet, would I just take one port from the VLAN and connect it to my 24 port Aruba switch, which, if correctly configured, would then connect thru the Watchguards to the fibre drop?

    I do not want the 16 port VLAN to communicate with the other network, only to connect to the same Internet drop.

    Finally, with the five switches connected together by looping one to the next, and that to the next one, while it works with computers in all switches able to talk to each other and to shared printers, etc., is this the best way to do this, or should the ports be trunked ports or some other configuration?

    I greatly appreciate any advice & help on connecting these 2 VLANs.

    Thank you. 🙏



    ------------------------------
    Ken Crook
    Ch. Engineer Broadcast/IT
    kcrook@rawlco.com
    ------------------------------


  • 2.  RE: Connecting VLANs on 2 switches to make 1 larger VLAN

    Posted Nov 01, 2024 05:13 AM
    Hello Ken, long story short, your first issue is that, given the IP addresses and related subnet masks you posted (note: both 192.168.167.1 and 192.168.167.254 own the 24 bit mask), you are associating two identical network segments to different VLAN Id(s): those are - de facto - the same network (indeed both IPs belong to the 192.168.167.0 /24 network segment) and your very first assumption (you refer to .1 and .254 - both are the fourth octet of the same net IP address - as two different "gateways" for those networks) is wrong because those IP addresses belong (exactly given the 24 bit masks) to the same net.

    So, even if you're dealing with two VLAN Id(s), you shouldn't be able to assign - exactly at Switch level - overlapping IP addresses (the .1 and .254) - to different VLAN Id(s).

    So, first, you need to solve the above.

    For the part of connecting your VLANs to the Internet and blocking/permitting inter-VLAN routing, since the 2530 isn't a routing switch (it defines VLAN Id(s) and can assign non-overlapping IP addresses to each VLAN, but the IP routing needs to be carried over by an interconnected and reachable routing device like a Routing Switch or, typically, a Firewall), that part needs to be evaluated where IP routing happens.

    Considering the latter part, the port of your 2530 toward that routing device needs to carry all VLAN Id(s), generally as a tagged member of all VLANs...but this needs to cope with the situation you have at the routing device.





  • 3.  RE: Connecting VLANs on 2 switches to make 1 larger VLAN

    Posted Nov 01, 2024 05:50 PM

    On the second switch with the same VLAN, if I don't assign an IP to the subnet and no gateway, can I use the same VLAN ID as is on the first switch, then just connect the two VLANs together with a patch? Will that just make it one larger VLAN that is physically across two switches, simply to make it a larger VLAN?



    ------------------------------
    Ken Crook
    Ch. Engineer Broadcast/IT
    kcrook@rawlco.com
    ------------------------------



  • 4.  RE: Connecting VLANs on 2 switches to make 1 larger VLAN

    Posted Nov 01, 2024 08:34 PM
    Yes, I mean...a VLAN Id can be "transported" wherever you need it (a VLAN is a Layer 2 item)...to simplify, from switch to switch, from switch to peer device and/or from switch to upstream router/firewall.

    The reality is that any (physical/logical) interface needs to be a member of a VLAN Id at least (or, better, to be member of more of them, if you need that).

    Generally switches that are interconnected (you say with a patch) require various VLAN Id(s) to be allowed across (exactly on the peering interfaces, on each side) the interfaces forming the interlink that is connecting them. These interfaces are known as those operating in "trunk mode" (which is not like Port Trunking = Link Aggregation)...in HP ProCurve jargon this mode of operation can be achieved by tagging those interfaces with (all) required VLAN Id(s).

    Example: Switch A has VLAN Id x, y and z defined with some ports untagged members of, say, VLAN x, y and z (those ports are operating in Access Mode, connecting with devices)...then if you need to extend those VLAN Id(s) to peer Switch B because other devices elsewhere require access to the network on those VLAN Id(s) from Switch B...you can do that by just transporting those VLAN Id(s) on the interconnecting interfaces...so, say, you configure Switch A Port 24 to be a tagged member of VLAN x, y and z...and the same should be done on, say, Switch B Port 24...then on Switch B, configured access ports on those VLAN Id(s) will be able to communicate with matching ports of Switch A (in terms of VLAN Id), each access port with/within its VLAN Id.

    The fact you assign an IP address to a VLAN Id (it's the SVI) is relevant for routing and VLAN Id reachability.







  • 5.  RE: Connecting VLANs on 2 switches to make 1 larger VLAN

    Posted Nov 01, 2024 09:38 PM
    This is exactly what I was struggling with. Just to be clear, I use the same VLAN ID on both boxes; for simplicity's sake, use port 45 on both boxes, with each having untagged ports added to that one port, so for example 31-44. Does port 45 on both boxes need to be a trunk port or just a standard untagged port?

    Any suggestions where to find good learning articles on VLANs? I find HPE, while detailed, doesn't dummy it down too much, and sometimes a little more detail, such as what you passed on, makes it so much easier to understand. Thank you very much for being patient and helping to clear this up for me. I appreciate you!

    KC


    Cheers,


    Ken Crook

    Chief Engineer – C97.7 90s & NOW

    Director of Technology - Rawlco Capital Ltd.

    Suites 110/140, 6807 Railway Street SE

    Calgary, AB  T2H 2V6


    direct:      403.385.4020

    cell:           403.990.2868

    email:       Kcrook@rawlco.com

    URL:         c977.ca


    "Live every day as if it's your last ... because one day you'll be right!"






  • 6.  RE: Connecting VLANs on 2 switches to make 1 larger VLAN

    Posted Nov 04, 2024 04:19 AM
    Edited by parnassus Nov 04, 2024 06:53 AM

    Hello Ken, have a look at this old document (it was published - its purpose was - to help in understanding the differences between the CISCO IOS and HPE Aruba ArubaOS-Switch implementations of the same VLAN concepts: VLAN membership on interfaces operating in Access mode or operating in Trunk mode, and also the jargon differences between how CISCO and HPE ArubaOS-Switch based switches manage the "aggregated links" and their logical interface construct...not to be confused with the "Trunk Mode" of operation of a physical/logical interface): please focus only on the Aruba side (forgetting the CISCO side) when VLAN tagging/untagging is described in association with port types (Access port for end-nodes/devices, Trunk port for switch-to-switch or switch-to-device), see pages 3 and 4.

    Port Trunking is also described: remember that - with regard to VLAN membership (tagging/untagging a port) - a single physical interface (operating in Access or Trunk mode) and some interfaces aggregated together to form a LAG (Link AGgregation or Link Aggregation Group, forming a logical interface = a Port Trunk(ing) logical interface in Aruba "jargon" <- a thing that confuses a lot of people dealing with HP ProCurve or ArubaOS-Switch based switches coming from CISCO, Comware or ArubaOS-CX based switches) - behave the same.

    In your case you're simply dealing with a single-link interlink switch-to-switch (Switch A port 45 to port 45 Switch B)...and an always valid best practice is to try to keep all allowed VLANs that need to be transported along that switch-to-switch interlink as tagged on those peer ports, whenever possible.

    Check the VLAN membership of port 45 with this command on both sides:

    show vlan ports ethernet 45 detail

    and you will discover the VLAN membership pattern of port 45 (it should match on both ends).

    Then remember that a port can't be VLAN orphaned; it means that a port must be a member of a VLAN: untagged or tagged, but it must be a member of a VLAN. A port can also be made a concurrent member of more VLANs (so it starts operating in "Trunk mode of operation", allowing more VLANs = permitting ingress/egress traffic tagged with allowed VLAN Ids - to be "transported" <- pardon me for the non-technical terminology), and generally one finds that a port which is natively assigned to VLAN 1 (default VLAN assigned as the Port VLAN ID or PVID, also known as the Native VLAN Id) could become tagged with other VLAN Ids or can, alternatively, be removed from VLAN 1 (best practice) to be made a member of another VLAN Id (at least one, tagged or again untagged)...since a switch-to-switch port is intended not to "speak with" end-user devices (like a PC), it's a best practice to let it pass only required VLANs tagged (eventually including the infamous VLAN 1 if really necessary).
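As an added example (not configuration from the thread, from HPE, or from any of the posters), here is how the two-switch setup discussed in replies 4 and 6 could be expressed in ArubaOS-Switch (HP 2530) configuration syntax: the same VLAN ID on both switches, ports 31-44 untagged (access) in it, port 45 tagged on both ends as the interlink, and port 45 removed from VLAN 1 so the interlink carries only the VLAN that is actually needed. The VLAN ID 167 and the VLAN name are assumptions; the 192.168.167.0/24 subnet and the port numbers come from the posts. Switch B gets no VLAN IP (SVI), as asked in reply 3: it only bridges the VLAN, and the .1 address on Switch A stays the only switch address in that subnet.

```text
; Added example, not from the thread or from HPE.
; VLAN ID 167 and the name "Studio-LAN" are assumed values.

; ---- Switch A (HP 2530-48p) ----
vlan 167
   name "Studio-LAN"
   untagged 31-44            ; access ports, one device each
   tagged 45                 ; interlink toward Switch B
   ip address 192.168.167.1 255.255.255.0
   exit
; Port 45 is now a tagged member of 167, so it can be taken out of
; VLAN 1 (its PVID) without becoming orphaned. Do this AFTER the
; "tagged 45" line above, otherwise the switch refuses the change.
vlan 1
   no untagged 45
   exit

; ---- Switch B (HP 2530-48p) ----
; Same VLAN ID, same membership pattern on port 45, no SVI.
vlan 167
   name "Studio-LAN"
   untagged 31-44
   tagged 45                 ; interlink toward Switch A
   exit
vlan 1
   no untagged 45
   exit
```

Ports 31-44 drop out of VLAN 1 automatically on both switches, because a port can be untagged in only one VLAN at a time. After applying this, the membership check from reply 6 should show port 45 as tagged in 167 and absent from VLAN 1 on both ends. The Internet path stays where reply 2 put it: the port toward the Watchguard carries VLAN 167 tagged, and the firewall, not the 2530, is where VLAN 167 is denied from reaching the default VLAN.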