Unsolved

September 28th, 2015 11:00

Powerconnect 2708 VLAN Setup Help

I have a rather basic need, and I seem to be missing a key step to get this working. I have two subnets connected to a single 2708 switch. Within those subnets certain IPs or ports must be able to talk while blocking traffic on the others. There is a locally attached server with four NICs, teamed into 2 teams, one on each subnet. There is also a locally attached PC that both subnets must see, which has only a single NIC and IP. I had VLANs set up but this was blocking access to the locally attached PC (Scanner), so I blew that setup away in order to get things in production. We can't leave it this way as we do need to block the two subnets, if for no other reason than to block DHCP requests crossing subnets and screwing everything up.

Network 1 - 192.168.0.x/24
Network 2 - 192.168.1.x/24

Port 1:   Server Team 1 – 192.168.0.20
Port 2:   Server Team 1 – 192.168.0.20
Port 3:   SCANNER – 192.168.0.21 (locally attached PC)
Port 4:   Server Team 2 – 192.168.1.20
Port 5:   Server Team 2 – 192.168.1.20
Port 6:   Uplink – 192.168.0.x
Port 7:   Uplink – 192.168.1.x
Port 8:   Uplink – 192.168.1.x

Both networks MUST be able to see the server and the PC(SCANNER). The Scanner is the problem as this was tossed at me during deployment and we CANNOT make changes to this PC such as adding another NIC to it which would make this super simple.

So using VLANs, can you step me through this? My thinking is to go back to my two-VLAN setup, then just put Port 3 (SCANNER PC) into both subnets. Yes? Trunking by term isn't in this switch, so is it automatically trunked by being in both VLANs? Tagging should be set how? I have little to no control of subnet 192.168.0.x/24; this is a separate office. On my side, 192.168.1.1/24 is a Dell 2848.

5 Practitioner • 274.2K Posts

September 28th, 2015 14:00

What brand NIC is being used on the scanner PC? Some model NICs support the tagging of VLANs. Check out page 13 of this Broadcom document.

http://bit.ly/1JyYCHE

On the switch you would set the interface to admit all frame types. This is listed under VLAN interface settings. Then set the interface to T for the additional VLAN. Leave the native VLAN 1 set to U. These settings are under VLAN membership.

9 Posts

September 28th, 2015 17:00

It's an Intel NIC, I forget the model, however we can make no hardware level changes to that scanning PC. It is managed by a vendor as it is used to power a medical device, hands off other than changing the IP settings.

Seeing the local scanning PC is not the problem at this point as much as we must stop the DHCP broadcast traffic. With VLAN1 set to U across all ports, the broadcasts are passing from one subnet to the other. So we need to see that Scanner but also stop broadcast traffic, so leaving VLAN1 across all ports is not an option.

We did move around the connections today, so please see the revised table for reference:

Network 1 - 192.168.0.x/24 - DHCP Server

Network 2 - 192.168.1.x/24 - DHCP Server

Port 1:   Uplink – 192.168.1.x Server Team 1 – 192.168.0.20

Port 2:   Uplink – 192.168.1.x Server Team 1 – 192.168.0.20

Port 3:   Server Team 1 – 192.168.0.20

Port 4:   Server Team 1 – 192.168.0.20

Port 5:   Server Team 2 – 192.168.1.20

Port 6:   Server Team 2 – 192.168.1.20

Port 7:   Uplink – 192.168.0.x

Port 8:   SCANNER – 192.168.0.21

5 Practitioner • 274.2K Posts

September 29th, 2015 06:00

The only other option I can think of is to add an L3 device that can route between the VLANs. You could set up the two VLANs, which would isolate the broadcast messages. Then the L3 device would facilitate the connection from one VLAN to another. This will allow devices not in the same VLAN as the Scanner access to the Scanner.

9 Posts

September 29th, 2015 10:00

I have no problems with communicating between the subnets, that's the problem. I need to stop this traffic.

Two VLANs. VLAN 101 would be ports 1, 2, 3, 4. VLAN 202 would be 5, 6, 7. Now I need to remove the default VLAN1 from the setup, but as soon as I set the PVID to 202 on ports 5, 6, 7 I tend to lose connectivity to the switch. Something is wrong with my basic settings here for the two VLANs.

You cannot Tag or Untag VLAN 1, so in order to remove VLAN 1 from any port you have to set that port's PVID, correct? So I set ports 1, 2, 3, 4 to Untagged VLAN 101. I then set ports 5, 6, 7 to Untagged VLAN 202, correct so far, right? Now I would need to go into PVID and set those corresponding ports to 101 and 202, right? This is all I am trying to get to right now, two separate VLANs.

5 Practitioner • 274.2K Posts

September 29th, 2015 11:00

VLAN 1 is the management VLAN for the switch and the management VLAN cannot be changed on this switch. This means that as soon as you no longer have access to VLAN 1, you will lose management access to the switch. One port on the switch will need to stay in VLAN 1 to be used as the management interface.

You are correct, setting the PVID will determine which VLAN untagged traffic is placed on. Untagged traffic coming into ports 1, 2, 3, 4 will be placed in VLAN 101, and untagged traffic coming in on ports 5, 6, 7 will be placed in VLAN 202. Your Scanner will still only be able to be placed into one VLAN, and will not be accessible by the other VLANs.
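
The PVID and membership rules discussed in this thread can be checked on paper before touching the switch. The following is an added example, not part of the thread and not PowerConnect 2708 firmware behavior: a small model of generic 802.1Q port-based forwarding that computes which ports receive a DHCP broadcast under the flat VLAN 1 layout and under the VLAN 101/202 split. The helper names are hypothetical; port numbers and VLAN IDs are taken from the posts above.

```python
# Added illustration: minimal model of 802.1Q port-based VLAN forwarding.
# Port numbers and VLAN IDs follow the thread; the model itself is generic.

def make_port(pvid, untagged=(), tagged=()):
    return {"pvid": pvid, "untagged": set(untagged), "tagged": set(tagged)}

def classify(port, tag=None):
    """Ingress rule: untagged frames take the port's PVID; tagged frames
    are accepted only if the port is a member of that VLAN."""
    if tag is None:
        return port["pvid"]
    return tag if tag in port["untagged"] | port["tagged"] else None

def flood(ports, ingress, tag=None):
    """Return {egress_port: 'U' or 'T'} for a broadcast entering `ingress`."""
    vlan = classify(ports[ingress], tag)
    out = {}
    if vlan is None:
        return out  # frame dropped at ingress
    for num, p in ports.items():
        if num == ingress:
            continue
        if vlan in p["untagged"]:
            out[num] = "U"
        elif vlan in p["tagged"]:
            out[num] = "T"
    return out

def dhcp_reach(ports, ingress):
    """Ports that receive an untagged DHCP broadcast entering `ingress`."""
    return sorted(flood(ports, ingress))

# Config A: every port untagged in the default VLAN 1 (one broadcast domain).
flat = {n: make_port(1, untagged=[1]) for n in range(1, 9)}

# Config B: VLAN 101 on ports 1-4, VLAN 202 on ports 5-7,
# port 8 left in VLAN 1 so switch management stays reachable.
split = {n: make_port(101, untagged=[101]) for n in (1, 2, 3, 4)}
split.update({n: make_port(202, untagged=[202]) for n in (5, 6, 7)})
split[8] = make_port(1, untagged=[1])

if __name__ == "__main__":
    print("flat,  broadcast from port 7:", dhcp_reach(flat, 7))
    print("split, broadcast from port 7:", dhcp_reach(split, 7))
    print("split, broadcast from port 1:", dhcp_reach(split, 1))
```
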
