That's a fine mechanism. I use it quite a bit myself.

Based on my (admittedly weak) memory, depending on the rest of your entire 
infrastructure, Cisco would refer to that as an "edge switch" or "distribution 
switch".

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Kurt Buff [mailto:[email protected]] 
Sent: Monday, August 15, 2011 7:49 PM
To: NT System Admin Issues
Subject: Re: DHCP Server and multiple subnets

One thing I did long ago is to put up a VLAN and a layer2 switch
(which I called a 'transit' switch - I don't know if that's a correct
term, but it seemed descriptive to me, and still does) between the
firewall and the core switch. When it came time to put up our
Barracuda web filter, I in-lined the Barracuda between the switch for that
subnet and the core switch. The in-line configuration was required
because the new manager wanted to require zero configuration for
clients.

It got complicated because the firewall is actually two units in
Active/Passive HA configuration, and there were multiple VLANs running
through that physical subnet by that time, and the Barracuda required
some special configuration, but that arrangement has served me very
well.

But, when I put up a guest network, I just had to put in one more L2
VLAN on the core switch, the WAPs and their associated PoE switches,
and the transit switch (and a small FreeBSD box on the guest network
with a DHCP server) and that was it.

I'm sure someone with more/better knowledge could come up with a
better arrangement, but this does work...

Kurt

On Fri, Aug 12, 2011 at 16:01, Matthew W. Ross <[email protected]> wrote:
>> Or do you mean that you have other routing issues?
>
> I have other routing issues.
>
> More detail for the interested: I have a ProCurve 5308xl standing as the core 
> switch in our district. All of the schools connect to it over gigabit fiber, 
> save one 100mbit school. I am trying to get a guest vlan working so I can put 
> visitors and non-work related wifi devices on a separate network, but I want 
> them to be forced to use our content filter.
>
> Our content filter can't support multiple networks/vlans, but it can support 
> multiple routed subnets. (Note I've complained to the manufacturer about 
> this, but I don't seem to be getting anywhere on this front.) So, I need to 
> route all of this "Guest" network through our normal network, while applying 
> an ACL that prevents any traffic to/from this network except to/from our 
> gateway/content filter.
>
> I've got it working... sorta. I can get on the network, I get an IP from our 
> DHCP server (Thanks guys!) and I can ping the other subnet and even the 
> gateway. I just can't ping past the gateway.
>
> I have a few theories I'm working through: Is my gateway/content filter 
> somehow blocking the traffic? (Possibly) Is the gateway/content filter not 
> set up to route traffic that originates in a subnet? (Also possibly)
>
> The only odd thing I can see is that I can ping another subnet's interface on 
> the 5308xl... and my route should not allow that. Thus, I'm looking at that 
> as well... Does the default route take over even if I specify a route for a 
> VLAN?
>
>
> --Matt Ross
> Ephrata School District
>
>
> ----- Original Message -----
> From: Kurt Buff [mailto:[email protected]]
> To: NT System Admin Issues [mailto:[email protected]]
> Sent: Fri, 12 Aug 2011 11:53:01 -0700
> Subject: Re: DHCP Server and multiple subnets
>
>
>> Are you meaning that you need to forward a DHCP request over more than
>> 1 router? That is, requestor is on subnet1, makes a request, router2
>> forwards it over subnet2 to router2, which then forwards it to the
>> DHCP server on subnet3. I haven't done that, nor heard of anyone who
>> does, but it might be possible. That would be interesting. If that's
>> the situation, however, I'd use it to make a case to collapse those
>> two routers into one, if circumstances permitted.
>>
>> Or do you mean that you have other routing issues?
>>
>> Kurt
>>
>> On Fri, Aug 12, 2011 at 11:38, Matthew W. Ross <[email protected]> wrote:
>> > Thanks all. I tried it, and it worked perfectly... except I can't get it
>> > to route beyond the first router. But to my original question, DHCP passes
>> > along as prescribed and I can ping between subnets.
>> >
>> > Thanks for the help.
>> >
>> >
>> > --Matt Ross
>> > Ephrata School District
>> >
>> >
>> > ----- Original Message -----
>> > From: Kurt Buff [mailto:[email protected]]
>> > To: NT System Admin Issues [mailto:[email protected]]
>> > Sent: Fri, 12 Aug 2011 11:28:50 -0700
>> > Subject: Re: DHCP Server and multiple subnets
>> >
>> >
>> >> Not trickery.
>> >>
>> >> Assuming that there's a router in your environment, you need to put a
>> >> helper address on the router for each subnet for which the DHCP server
>> >> will be serving addresses. (You can run multiple subnets without a
>> >> router, but it's really a bad idea.)
>> >>
>> >> For instance, on my HP 3400cl core switch, two of my vlans are set up
>> >> as follows:
>> >>
>> >> vlan 111
>> >>    name "VLAN111"
>> >>    ip address 192.168.xx.xx 255.255.255.0
>> >>    ip helper-address 192.168.xx.xx
>> >>    tagged 25-47
>> >>    exit
>> >> vlan 112
>> >>    name "VLAN112"
>> >>    ip address 192.168.xx.xx 255.255.255.0
>> >>    ip helper-address 192.168.xx.xx
>> >>    tagged 25-47
>> >>    exit
>> >>
>> >> It'll be very similar syntax on a Cisco switch for the helper address.
>> >>
>> >> The router then forwards the broadcast packet to the DHCP server.
>> >>
>> >> Kurt
>> >>
>> >> On Fri, Aug 12, 2011 at 08:44, Matthew W. Ross <[email protected]> wrote:
>> >> > Hey list, quick question for ya as my googlefu is not coming up with
>> >> > concrete answers:
>> >> >
>> >> > Can a single DHCP server serve up two separate subnets? How does the DHCP
>> >> > server decide which subnet to place the client (besides reservations)? Does
>> >> > it just auto-magically figure it out based on where the broadcast is coming
>> >> > from, or is there other trickery involved?
>> >> >
>> >> >
>> >> > --Matt Ross
>> >> > Ephrata School District
>> >> >
>> >> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> >> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>> >> >
>> >> > ---
>> >> > To manage subscriptions click here:
>> >> > http://lyris.sunbelt-software.com/read/my_forums/
>> >> > or send an email to [email protected]
>> >> > with the body: unsubscribe ntsysadmin
>> >> >
>> >> >
>> >>
>> >
>>
>
>
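
Added example, not part of the original thread: a sketch of how a DHCP server answers the question that started it, choosing a scope from the giaddr field that the relay (the switch's ip helper-address) writes into the forwarded request. The scope names and 192.168.111.0/24 and 192.168.112.0/24 networks are constructed, since the thread masks its real addresses.

```python
import ipaddress
import struct

# Constructed scopes; the thread masks its real addresses as 192.168.xx.xx.
SCOPES = {
    "VLAN111": ipaddress.ip_network("192.168.111.0/24"),
    "VLAN112": ipaddress.ip_network("192.168.112.0/24"),
}

def build_discover(giaddr="0.0.0.0", hops=0):
    """Build a constructed 236-byte BOOTP fixed header (RFC 2131 layout)."""
    mac = bytes.fromhex("020000000001")
    return struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, hops,            # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x12345678, 0, 0x8000,    # xid, secs, flags (broadcast bit set)
        bytes(4), bytes(4), bytes(4),                 # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,          # giaddr, set by the relay
        mac.ljust(16, b"\0"), bytes(64), bytes(128),  # chaddr, sname, file
    )

def parse_giaddr(packet):
    """Return (hops, giaddr) from the fixed BOOTP header."""
    if len(packet) < 236:
        raise ValueError("truncated BOOTP header")
    hops = packet[3]
    giaddr = ipaddress.ip_address(packet[24:28])
    return hops, giaddr

def select_scope(packet, receiving_ip):
    """Relayed request: match giaddr. Local broadcast: match the receiving interface."""
    _, giaddr = parse_giaddr(packet)
    key = giaddr if int(giaddr) != 0 else ipaddress.ip_address(receiving_ip)
    for name, net in SCOPES.items():
        if key in net:
            return name
    return None  # no scope covers that subnet, so no lease is offered

if __name__ == "__main__":
    relayed = build_discover("192.168.112.1", hops=1)
    print(select_scope(relayed, "192.168.111.10"))
```

A giaddr that matches no configured scope gets no offer, which is why each routed subnet needs both a helper address on its VLAN interface and a matching scope on the server.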
