
DHCP VLANs and a newbie just trying to make it all work


17 replies to this topic

#1 aouate3


Posted 09 February 2015 - 07:47 PM

For the past year now I have been in charge of a business network spanning 3 buildings on a single campus. We started out, a few years back, with just one AP per building (it's a moderately sized church). As we have been growing we have been adding more APs.

 

Our current setup for our access points is 7 Aerohive AP121s and 3 HP ProCurve J8130A APs, and for our switches we have an HP J4903A, an HP J4904A, 2 HP V1910-24G-PoE, and a Linksys PoE switch that I don't recall the model of.

 

Our gateway is a WatchGuard Firebox.

 

Our server is running Server 2012.

 

The issue I am having is running out of DHCP leases. After researching, I have found that separating the buildings out on VLANs and assigning a DHCP scope to each VLAN can fix it.

 

My question is, is there another way? And if this is the best way, how do I pull it off? I have attempted several times using guides I have found (for Cisco equipment) and I have broken the network several times in my attempts.

 

I can handle setting up equipment, fixing problems, running cabling, even starting a simple enterprise network from scratch, but even in my networking class I did not learn this.

 

I have everything running right now, but not well. I am currently budgeting more APs for some expansion of our network. (Our network has about 150 clients that consist of just employees and volunteers, but throughout the week we see about 3000 people on our network; our typical Sunday network load is about 1000 clients.) I'm currently using the Aerohive captive web portal, which has its own DHCP server, to take the load, but it's a pain.

 

 

 

 




 


#2 Wand3r3r


Posted 10 February 2015 - 11:04 AM

Welcome to TSF!

 

Those are some pretty staggering loads for wifi.  What we need is a network diagram containing what equipment is where and what the bandwidth down/up is for your internet connection.



#3 aouate3


Posted 10 February 2015 - 11:27 AM

I sketched this up really quick in Draw.io. Everything that isn't labeled fiber is Cat 6. The fiber connects the other 2 buildings to the main building.

 

 

Internet leads in from our demarcation point through our watchguard firebox and then to our main switch in the server room.

 

Our internet is currently a T1 line and it's pathetically slow. We are working on a contract right now to get a 20 Mbps connection and then we will grow from there. Our main thing right now is getting DHCP to be able to handle the load, or at least to be separated so if one gets full it doesn't kill everything.



Edited by aouate3, 10 February 2015 - 11:29 AM.


#4 Wand3r3r


Posted 10 February 2015 - 03:45 PM

Thanks for the diagram. 

You would only need to do VLANs on the core switch (HP 2848) so as to break up the broadcast domains. Following the KISS principle, I would go to a Class B subnet range with one DHCP server.

 

I assume your 2012 server is doing the dhcp serving.

 

You have 9 connections to the HP switch, of which one is the internet. VLANs would look like so:

 

VLAN1 = management VLAN, which is usually the default

VLAN2 = server

VLAN3 = fiber to auditorium switch/APs

VLAN4 = Office network

VLAN5 = Venue NetSeg

VLAN6 = admin switch3

VLAN7 = Resource room NetSeg

VLAN8 = admin switch2

VLAN9 = Children's switch

VLAN10 = internet connection

 

You may wish to consolidate the NetSegs into just one VLAN.

 

VLAN2 would exist on all ports so they could get to the DHCP server/server.

VLAN10 would exist on all ports so they would have internet access.

 

Otherwise all the rest of the VLANs would be separate from each other. If the server is only being used by the Office network, you may want to consider having DHCP done elsewhere and only put the office and server on the same VLAN with internet access.



#5 Orecomm


Posted 10 February 2015 - 09:31 PM

There are several ways to solve your problems, once you know what your problems are. You mention DHCP exhaustion, but you could fix that with a bigger subnet mask and adding a few hundred allocatable addresses to your DHCP server config. I doubt that is the only issue. I believe you've seen the need to partition a large and growing network. There are several methods, each with advantages and disadvantages. Simplicity is one that comes to mind. Performance. Security. Fault isolation. Application isolation. It seems that in your case simplicity has been pushed to its limits. You are going to have to partition your network one way or another. That means you will have different subnets, and to get between subnets you need a router.

 

VLANs are very useful, but they are effectively extension cords for router ports. Get the routing right first, then the VLANs will come somewhat naturally. Figure out who your user communities are: your auditorium WiFi users probably need Internet but not access to your main server, and from a security standpoint should probably be treated as "outside the firewall". Your admin users are probably closely tied to your server and are mostly trusted. Other user groups in the building probably fall in between those two. Since much of your network is WiFi based and at least the Aerohive APs don't seem to support multiple SSIDs with different VLANs, you can't really separate those users into groups; all WiFi is going to end up in one "security bucket", although you can partition for performance. In your case, the simplest partition may be physical first, each building on its own, then split WiFi from LAN for security and performance reasons if needed, then split key user groups, like admin, into a protected area of their own.

 

Building splits are easy. Just get a router with enough ports, assign each building an IP address range, and plug the feed to the building into its own router port. You can do at least some of the partitioning within the building housing the router the same way: physically patch your admin users to one switch and give its uplink a port on the router. Your APs go to another switch, and another port. Router ACLs provide a lot of control and security, and you will need them regardless of whether you have VLANs in play or not. If, on the other hand, you have groups that span multiple buildings, or multiple comm closets, VLANs are your friends. You still need the router (or a routing switch) doing the same things. VLANs just allow you to choose the members of each group wherever they may be on your campus. Decide which switch-to-switch connections need to be "trunks" passing multiple VLANs and make sure all of the switches involved use the same VLAN trunking protocols. 802.1Q is pretty standard on most modern switches, but don't take it for granted. Most of your client device connections will be "port" VLANs, where a physical switch port is defined as belonging to a specific VLAN and adds and deletes tags as traffic enters and leaves the switch. This way the device itself needs no knowledge of the VLAN structure, or even that it is a member of one. A special case may be your server. It may well "live" on multiple VLANs and be connected using its own 802.1Q "trunk", a single physical link with multiple logical subnets. If you use older, port-limited routers they are usually connected the same way, one physical port with multiple subnets represented in VLANs. I would avoid using your server to serve DHCP to any subnets other than those that need to access the server itself for business purposes, though. Use your router or even an old PC dedicated to the task for the "riskier" subnets (or the Aerohive for its WiFi clients).

 

Only you can tell how many segments are needed, but the low-hanging fruit would be to separate the 3 buildings, then admin, then WiFi, then possibly other groups. Get a router with at least 6 Gigabit ports (I like Mikrotik bang for the buck, but they are "different" to configure, not hard, but different). Start out by physically isolating your groups, one group per port on the router, and assign a subnet of appropriate size to each group. DHCP can be handled by the router, a device on each subnet, or forwarded and scoped on another device. The big gotcha here will be printers. Figure out where you are going to (logically) connect them before you start. Most devices can't "find" printers across subnet bounds without help, so if you expect WiFi users to hit a printer it's best to put it on the "WiFi" set of connections. Desktop users, or those in the buildings all the time, can easily be configured to access printers across subnets; it's the "transient" users that will be affected.

 

One more thing: if you haven't already, decrease your DHCP lease time, particularly on your WiFi, to 2 hours or less. That should help keep leases for folks that have gone home from blocking newly arrived users.



#6 aouate3


Posted 10 February 2015 - 09:50 PM

Orecomm, you bring up a rather interesting point, and actually I don't really need to partition off the network. My main thing is getting DHCP leases to everyone. I have my lease time set to about 5 minutes right now anyway. You mentioned "but you could fix that with a bigger subnet mask and adding a few hundred allocatable addresses to your DHCP server config," which is possibly a viable option! And I'm willing to try it!

 

My current configuration is shown in the attachment. I was told by a school districts IT staff that VLANs was the only way, and thus I was unaware there was another way. 

 

How would I go about configuring it? My knowledge goes as far as setting up a basic DHCP server scope. This was originally set up (years ago) by a contracted IT company, and since then I have copied the settings as we upgrade hardware.

 

 




#7 Orecomm


Posted 11 February 2015 - 12:23 AM

Changing this could be a bigger project than you think, but here's basically what's involved.

 

Your router, and every device in your network with a static IP address, will have to be changed. It's not trivial by any means, but not impossible either. Plan first. 

 

It looks like you are set up to use the address block of 10.251.1.0/24 or a mask of 255.255.255.0.  This gives you 253 usable addresses (.0 and .255 are reserved for broadcast traffic.)

What we want to do is change the mask to a /23 or 255.255.254.0. This will give you 510 usable addresses, from 10.251.0.1 to 10.251.1.254. I will say up front that this is not always a good thing. You will have lots of broadcast traffic and there is potential that one misbehaving device can impact the entire network. That said, the local Jr College uses bigger subnets than this and gets away with it. Usually. Since your traffic probably has a rather sharp population peak on Sunday mornings you may be able to get away with it better than most. In fact, you could get away with going to /22 or 255.255.252.0 right now, but it would make the transition more difficult.

 

You will want to set the configuration in your router and DHCP servers first. This way at least you should be able to get connected and work your way through the other devices. Your router's (WatchGuard) inside address is probably already set to 10.251.1.1 and mask to /24 or 255.255.255.0 as appropriate. Normally I would change the router address to the lowest address in the range, which with the new mask would be 10.251.0.1, but in this case we will leave it as it is to minimize changes. Change the mask in the router to /23 or 255.255.254.0 as appropriate. Change the mask on your server's network interface (its IP can stay the same; it will be in the correct range) as well. Reboot. Now you can change the scope on your DHCP server to issue 10.251.0.1 to 10.251.0.254. The subnet mask should reflect the new mask entered on the Ethernet interface. If your server can handle multiple scopes, give it a chunk of the 10.251.1.2 to 10.251.1.254 area as well, but avoid where you have static addresses assigned (you probably have several for your server, APs, switches, and such). If those are all in the low addresses then 10.251.1.50 to 10.251.1.250 would be a reasonable additional scope. Some servers may not let you define multiple scopes on the same subnet.

 

While you are in the DHCP server set your lease time to something a bit longer. Every device with a DHCP address will begin requesting a DHCP update from the server at one half of the lease time, so every DHCP device in your net is placing requests to your server every 2 1/2 minutes. That adds up to a lot of relatively useless traffic. Two hours is probably about optimal for your environment.

 

At this point anyone getting a new DHCP update should be working with Internet and server connectivity. Now it's just locating and updating the mask in every device that has a static address. Most will still be working: all-1's subnet broadcasts are way more common than all-0's, and all-1's will still be recognized with either mask. 10.251.1.0 is now a valid IP address in your range, as is 10.251.0.255, but I wouldn't use those two just to avoid any confusion, particularly for misconfigured (wrong mask) devices.

 

If we changed to a larger mask, /22 or 255.255.252.0, it would have given you the range from 10.251.0.0 to 10.251.3.255, for 1022 usable addresses, but that would have moved the all-1's broadcast and broken every statically defined device until it could be updated.

 

Does this make sense to you ? 



#8 aouate3


Posted 11 February 2015 - 11:10 AM

It does make sense. Today I will go through our network and reconfigure all devices to be dynamically assigned. I don't think I have many that are static other than a few switches' management IPs and our HVAC controller. I'm going to plan this out and consult with our previous IT solution as to how to access our Firebox (it's pretty locked down; I believe it has its web UI disabled, and SSH/Telnet don't pop back anything). I will need to get the login credentials for console.

 

 

Other than that, I'm going to run this by facilities and administration, and my co-worker.

 

I have a lot to learn when it comes to networking, I know enough to make myself dangerous, and somewhat useful....

 

I have some research to do, some approvals to get. and I also have to figure out how to reconfigure our HVAC controller... don't know much about it at this moment.



#9 Wand3r3r


Posted 11 February 2015 - 11:17 AM

"I have my lease time set to about 5 minutes right now anyway"

 

That is totally wrong as has been pointed out.   Minimum should be 4 hours imo if you have a lot of mobile devices.

 

"VLANs are very useful, but they are effectively extension cords for router ports"

and

"You are going to have to partition your network one way or another. That means you will have different subnets"

 

This is a misinterpretation of Cisco training commonly found on the internet. It is applying enterprise networking to a comparatively tiny weeny network. You don't have to do ANY subnetting/routing when using VLANs, as I clearly displayed in post #4. The entire network is partitioned just using VLANs on the core switch. No replacement equipment required.

 

There is also no reason to think you need vlans at the edge devices.  Those APs are just onramps to your network. They do not need to support vlans between themselves.  That is rather pointless for an onramp.

 

You would not need to change the subnet mask on the presently statically assigned devices.  This is because 255.255.255.0 is contained within 255.255.254.0 which means you can still get to the 255.255.255.0 network from the 255.255.254.0

 

You can see this as follows

10.0.0.0 - 10.0.0.255 subnet 255.255.255.0

10.0.0.0 - 10.0.3.255 subnet 255.255.252.0


Edited by Wand3r3r, 11 February 2015 - 11:26 AM.


#10 Orecomm


Posted 12 February 2015 - 01:18 PM

Wand3r3r, the only way to transit between VLANs is through a router or explicit bridge. There are certainly routing switches that provide the routing function within the switch, but it's still routing.

 

Segmenting your WiFi is a security decision. He has an open WiFi for a transient, non-employee population sharing a network segment with his office and financial folks. You don't see a reason why this might not be a great idea, even for a church? I will usually segment an open or guest network and feed it upstream of my edge router so "guests" approach from outside the firewall. It's best if you have a WiFi system that can handle multiple VLANs and SSIDs for guests and credentialed users, but he doesn't have that option with the APs he has installed.

 

Not changing the mask on existing static assignments means that the subnet "all 1's" and "all 0's" broadcast addresses used by IP will be wrong on those devices. The "all 0's" subnet broadcast is rarely used these days, but still reserved. The "all 1's" is widely used, particularly by DHCP and MS NBNS. If you change the mask and it changes the "all 1's" for the newly defined subnet compared to the old one, you are going to have some serious issues. Changing to expand the low side, as suggested above, means things will generally work unless and until some device occupies the previously reserved and now entirely legal former "all 0's" address, but all traffic from unmodified-mask devices to devices on the newly extended address range will have to bounce through your router. The unmodified devices think, based on their mask, that those devices are not local and will be routed through the default router. Replies will go direct, because the "new" address range device sees the "old" address as local, and that in itself is enough to cause great grief to many applications and in fact virtually all firewall software.

 

Yes, I am versed in Cisco and their way of doing things, but I'm no big fan. Basic networking still says that as you grow you are going to need to segment your network. I have a fair bit of experience with Big Flat Networks and while they have advantages in simplicity they also carry some rather huge liabilities particularly in the areas of performance, reliability, and security. It becomes a question of what is more important to you, as a network administrator. 

 

My aim here is to educate, not criticize. I've been doing this a long time and have already done it most of the wrong ways myself. 
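The addressing arithmetic from posts #7 and #10 worked through in Python, as an added example that is not part of the thread: usable range and broadcast address of the old /24 and proposed /23, whether the all-1's broadcast moves (it does not for /23, it does for /22), which formerly reserved addresses become ordinary hosts, the asymmetric forward/reply path when only one end of a conversation has the new mask, and the renewal load at a 5-minute lease versus 2 hours. It uses only the standard-library ipaddress module and the 10.251.1.0/24 addressing given in the thread; the function names and the sample host addresses 10.251.1.20 and 10.251.0.20 are mine.

```python
import ipaddress

# Addressing discussed in the thread: the current /24 and the proposed /23.
OLD = "10.251.1.0/24"
NEW = "10.251.0.0/23"


def summarize(net):
    """Network, broadcast, first/last host and usable-host count for a subnet,
    counting the usual way (network and all-ones broadcast addresses excluded)."""
    net = ipaddress.ip_network(net)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable": len(hosts),
    }


def broadcast_preserved(old, new):
    """True if the all-ones broadcast address is unchanged by the mask change, so devices
    still configured with the old mask keep sending broadcasts (DHCP, NetBIOS) to the right place."""
    old, new = ipaddress.ip_network(old), ipaddress.ip_network(new)
    return old.broadcast_address == new.broadcast_address


def old_subnet_inside_new(old, new):
    """The old block is a sub-block of the widened one (the point made with 10.0.0.0/24 vs /22)."""
    return ipaddress.ip_network(old).subnet_of(ipaddress.ip_network(new))


def formerly_reserved_now_usable(old, new):
    """Old network/broadcast addresses that become ordinary host addresses under the new mask."""
    old, new = ipaddress.ip_network(old), ipaddress.ip_network(new)
    new_hosts = set(new.hosts())
    return sorted(str(a) for a in (old.network_address, old.broadcast_address) if a in new_hosts)


def delivery_paths(src_ip, src_prefix, dst_ip, dst_prefix):
    """How each end of a conversation delivers its packets, judged only by its own address and
    mask: 'direct' (ARP for the peer on the LAN) or 'router' (hand off to the default gateway).
    Returns (forward, reply)."""
    src = ipaddress.ip_interface(f"{src_ip}/{src_prefix}")
    dst = ipaddress.ip_interface(f"{dst_ip}/{dst_prefix}")
    forward = "direct" if dst.ip in src.network else "router"
    reply = "direct" if src.ip in dst.network else "router"
    return forward, reply


def dhcp_renewals_per_hour(clients, lease_seconds):
    """Renewal requests per hour if every client renews at T1 = half its lease (the RFC 2131 default)."""
    return clients * 3600 / (lease_seconds / 2)


if __name__ == "__main__":
    print("old:", summarize(OLD))
    print("new:", summarize(NEW))
    print("all-ones broadcast unchanged:", broadcast_preserved(OLD, NEW))
    print("old block inside new:", old_subnet_inside_new(OLD, NEW))
    print("formerly reserved, now usable:", formerly_reserved_now_usable(OLD, NEW))
    # A device still on the /24 mask talking to a client that got a new-range lease on /23.
    print("/24 host -> /23 host:", delivery_paths("10.251.1.20", 24, "10.251.0.20", 23))
    print("renewals/hour, 1000 clients, 5 min vs 2 h lease:",
          dhcp_renewals_per_hour(1000, 300), dhcp_renewals_per_hour(1000, 7200))
```

Running it shows the /23 keeps 10.251.1.255 as the broadcast while a /22 would move it to 10.251.3.255, that 10.251.1.0 turns from the old network address into a legal host, and that a /24 host reaching a 10.251.0.x client goes via the router while the reply comes back direct, which is the asymmetric path stateful firewalls dislike.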



#11 Wand3r3r


Posted 12 February 2015 - 03:19 PM

"only way to transit between VLANs is to go through a router or explicit bridge"

 

True, but routing between VLANs is not a requirement, nor was it a recommendation. The VLAN config I recommended requires no routing; in fact that is just the point. With no routing [he doesn't have a VLAN-routing-capable switch anyway] each segment created by the VLANs has no contact with the others, but they have the DHCP server and internet in common. Not only do we have limited broadcast domains due to the VLANs, but we also have security segmentation due to the VLANs.

 

Point I was trying to make concerning the /22 is we found we could still get to our switches/devices on the /24 network from the /22. Given the size of this network, changing everything really isn't a problem.

 

We have the same aim :-) 



#12 YeahBleeping


Posted 12 February 2015 - 09:46 PM

I just wanted to say wow ... I really wish I understood all that more than I do.  Because I don't.  But I wish I did.. lol



#13 Orecomm


Posted 13 February 2015 - 10:20 AM

Wand3r3r, your config has multiple VLANs defined per port, for the Server, Internet, and one of the other relevant VLANs. This means that each port must be an 802.1Q VLAN trunk, and every device would have to be configured with VLAN support and 3 VLAN configurations in 3 different subnets and 3 different IP addresses. While this is doable and even desirable on a server you aren't going to get a building full of client machines, much less consumer phones or tablets, talking on multiple VLANs without some really "interesting" configuration challenges. You can't send tagged frames to a non-vlan aware device (well, you can, but they go in the bit bucket). There is no way, with port based VLANs, to selectively "combine" multiple VLANs at the port level. You can only add or strip VLAN tags from a single VLAN at the port. This would have been possible (and I have done it) using Xylan VLAN gear back in the late 90's when they had MAC, IP Address Range, and Application specific VLAN membership filters, but Cisco decided that Port VLANs were all that was needed and that was good enough for the industry. Xylan got bought by Alcatel and their "crazy" concepts snuffed, and so the industry goes. Your design is entirely correct in theory, but impossible in fact.

 

"In Theory, theory and fact are the same, but in Fact, they're not."
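A small model of 802.1Q port behaviour to illustrate post #13, added here and not part of the thread: a port places untagged frames in its one PVID and can strip the tag for only that VLAN, so a non-VLAN-aware client sees exactly one VLAN however many the port carries, while a VLAN-aware host on a trunk (the server) can sit in several. VLAN numbers follow post #4; the Port class, function names and sample ports are mine, and the model ignores spanning tree, QinQ and vendor specifics. It also shows a caveat of tagging the server VLAN onto client ports: the switch accepts a tagged frame for any VLAN the port is a member of, so a VLAN-aware device on that port can inject frames into the server VLAN.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """One switch port in a simplified 802.1Q model (hypothetical class, not a real switch API).
    pvid:       port VLAN ID; untagged frames arriving here join this VLAN, and frames in this
                VLAN leave untagged. A port has exactly one PVID.
    tagged:     additional VLANs the port carries; frames in these leave with an 802.1Q tag.
    vlan_aware: whether the attached device understands tagged frames."""
    name: str
    pvid: int
    tagged: frozenset = frozenset()
    vlan_aware: bool = False


def ingress_vlan(port, frame_tag=None):
    """VLAN an arriving frame is placed in: untagged frames go to the PVID; a tagged frame is
    accepted only if the port is a member of that VLAN, otherwise it is dropped (None)."""
    if frame_tag is None:
        return port.pvid
    if frame_tag == port.pvid or frame_tag in port.tagged:
        return frame_tag
    return None


def egress_mode(port, vlan):
    """How a frame from `vlan` leaves the port: 'untagged', 'tagged', or None if the port
    is not a member and the frame is not forwarded at all."""
    if vlan == port.pvid:
        return "untagged"
    if vlan in port.tagged:
        return "tagged"
    return None


def device_sees(port, vlan):
    """Whether the device plugged into the port actually receives traffic from `vlan`."""
    mode = egress_mode(port, vlan)
    if mode is None:
        return False
    if mode == "tagged" and not port.vlan_aware:
        return False  # tagged frame handed to a NIC that does not understand tags: discarded
    return True


def reachable_vlans(port):
    """All VLANs whose traffic the attached device can receive."""
    return {v for v in {port.pvid, *port.tagged} if device_sees(port, v)}


def can_talk(port_a, port_b, vlan):
    """Pure layer-2 reachability between two attached devices inside one VLAN, no router."""
    return device_sees(port_a, vlan) and device_sees(port_b, vlan)


# VLAN numbers follow post #4: 2 = server, 4 = office, 9 = children's switch, 10 = internet.
# Client ports configured as post #4 describes: own VLAN untagged, server and internet VLANs tagged.
OFFICE_PC = Port("office-pc", pvid=4, tagged=frozenset({2, 10}))      # laptop/phone, not VLAN-aware
CHILDREN_PC = Port("children-pc", pvid=9, tagged=frozenset({2, 10}))
SERVER = Port("server", pvid=2, tagged=frozenset({4, 9, 10}), vlan_aware=True)  # 802.1Q trunk to host


if __name__ == "__main__":
    for p in (OFFICE_PC, CHILDREN_PC, SERVER):
        print(f"{p.name}: member of {sorted({p.pvid, *p.tagged})}, actually sees {sorted(reachable_vlans(p))}")
    print("office -> server on VLAN 2:", can_talk(OFFICE_PC, SERVER, 2))
    print("office -> server on VLAN 4:", can_talk(OFFICE_PC, SERVER, 4))
    print("office -> children on VLAN 2:", can_talk(OFFICE_PC, CHILDREN_PC, 2))
    print("tagged VID 2 frame injected on office port lands in VLAN:", ingress_vlan(OFFICE_PC, frame_tag=2))
```

The office client ends up seeing only VLAN 4 even though its port "carries" 2 and 10; it can reach the server only because the server's trunk includes VLAN 4, which is the "server lives on multiple VLANs" arrangement rather than every client living on three.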



#14 CaveDweller2


Posted 13 February 2015 - 11:54 AM

And this brings into a light a problem a lot of networking people have starting out - lack of design training. Most people, including me, are focused on the routing and switching and less so on the designing of networks. The designing comes in later and at great personal expense, sometimes money but normally it's a lot time and stress.

 

I agree getting your IP addressing under better control is the best first step. I think spending some time walking around with a laptop checking the wireless coverage before plunking down more money for equipment would also be a good idea. And VLANs might play a part but I think when you get the addressing addressed you'll have a much better idea where to go from there.


Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College


#15 aouate3


Posted 13 February 2015 - 12:23 PM

 

" It's best if you have a wifi system that can handle multiple VLANs and SSID's for guests and credentialed users, but he doesn't have that option with the AP's he has installed. "

 

 

 

A bit off topic, but the Aerohive AP121s can handle multiple SSIDs and a separate VLAN for each SSID, at least it seems so. Granted, I am the newbie.

 

I am still digesting all this information that you all have posted, but I think what I will eventually want to do is expand the subnet to handle more IP leases and possibly also separate the public WiFi from the rest, preferably sending the public WiFi through a web filter (either an enterprise-level appliance or a cheap server running a Linux web filter distro), since 4 days of the week we have youth (13 to 17 years of age) on the campus.

 

 

And my understanding from reading this is that if I change the subnet to 255.255.252.0 I will not have to reconfigure current devices with a static IP? Our HVAC controller may be a pain to change settings on (really haven't taken a look at it yet).

 

 

We have a few areas around our complex that do not receive WiFi, so that is why we are going to eventually roll out new APs

 

I also agree that in networking classes they are more interested in telling you how to make a cable and how to install a server operating system than how to handle an actual enterprise network.





