Setting Up a WAN

Larry22

Junior Member
Sep 21, 2013
Here is what our network looks like now:

School A - A core switch (10.1.2.51 - Procurve 5412zl) which does all the routing
Sonicwall - 10.1.2.50 where the internet comes from (into X1)
Two subnets - 10.1.2.xxx (512 IPs) = wired LAN - VLAN1
10.2.1.xxx (512 IPs) = wireless LAN - VLAN30
Filter - 10.1.2.18 (filters all traffic, pretty much only adult content)
Other misc. servers, etc.

School B - A core switch (10.5.0.11 - Procurve 5304xl) which does all the routing
Sonicwall - 10.5.0.10 where the internet comes from (into X5 for some reason)
Two subnets - 10.5.0.xxx (512 IPs) = wired LAN - VLAN50
10.6.0.xxx (512 IPs) = wireless LAN - VLAN60
Other misc. servers, etc.

Now, we are going to have a Fiber WAN set up between these two schools. School A will be the Hub and School B will be the spoke. Our ISP says it should be set up like a PTP between the two.

Some questions:

I'm going to come out of School A right into the current School B core switch, bypassing the current School B firewall completely, right? Because the firewall at School A will take over all of that.

What do I need to add to the School B core switch so that any non-School B packets (like the internet) will be passed back to School A (which the WAN will come from)?

The ISP engineer also said that I needed to make sure that what was coming from School B into the School A core switch port - I had to make sure THAT port included all the subnets (something about a "on a stick")?

Thanks!
 

kevnich2

Platinum Member
Apr 10, 2004
First, nice job being detailed with your network description, IPs and such. Makes helping fairly easy :)

The easiest way is to simply change the default route in your site B switch to be the IP address of the interface that switch A is assigned for the interface that the fiber will connect to. Yes, you want to connect the fiber handoff to interfaces on both core switches, not your firewall. I also assume by your post you will be eliminating Internet at site B? Or are you leaving it there for backup?
 

kevnich2

Platinum Member
Apr 10, 2004
Your last question regarding the ISP engineer. I assume he actually meant to make sure the uplink port is a trunk port that contains all the VLAN IDs. It really depends how you want it programmed. There are multiple ways of doing this since you have layer 3 routers at both sites. Routing at layer 3 is simpler than handling it at layer 2. But that is another option if, at a later time, you wanted to swap your layer 3 router at site B for a layer 2 switch.
 

Larry22

Junior Member
Sep 21, 2013
kevnich2,

So, on the site B switch, I want to go into config and do "ip route 0.0.0.0 0.0.0.0 10.1.2.51". Is that right? Does it matter it's a different subnet?

To your 2nd response: So on the uplink from Site B back to Site A, I have to make sure that THAT port has all VLANs on it from Site B? How do I do that on an HP switch?

I think eventually what I want is what you describe - having Layer 2 at all the sites and have Layer 3 at the core at Site A. But for now...

Yes, I will be eliminating the firewall and the internet from Site B (since they'll be getting the internet via fiber from Site A). I will keep a low-cost cable modem in the closet ready to be plugged in just in case.

Thanks for your info! I think I'm close.
 

kevnich2

Platinum Member
Apr 10, 2004
The IP you use for the default route will depend on what interface the fiber handoff is connected to at site A and how the switch is configured for that interface. If you configure the interface to be on vlan1 as an access port and connect your fiber handoff to this interface, then on site B switch, configure that interface also as an access port and test it to make sure you can ping site B switch at 10.1.2.51. This is the simplest but not necessarily the best way, depending on your future plans.

At site B switch, do you have any overlapping subnets or matching VLAN IDs that are the same as in site A switch? Does site B switch have a vlan 1 in its config or are 50 and 60 the only ones in its database?
 

Larry22

Junior Member
Sep 21, 2013
The core at Site B has Vlan1 but all ports are tagged no.

Only ports tagged are Vlan50 and 60.
 

kevnich2

Platinum Member
Apr 10, 2004
No, I meant in the HP switch, do you have an IP assigned to the interface on vlan1?
 

kevnich2

Platinum Member
Apr 10, 2004
Ask the ISP supplying the fiber link to make sure dot1q tunneling is enabled and to make sure the handoff interfaces at both sites are trunk ports. Then on the interfaces on both of your switches, have them configured as trunk ports as well. Also make sure you match up whatever speed and duplex settings the ISP handoff is configured for. In each switch, make sure you have the VLANs and subnets of both switches configured so each switch is aware.

Once you have this done, the trunk ports should be passing all VLAN traffic between them and you just need to change your default route in site B switch to be 10.1.2.51. Obviously you want to test that first by pinging from site B to 10.1.2.51 to make sure it's accessible.
 

Larry22

Junior Member
Sep 21, 2013
Okay, so I need to add Vlan1 and Vlan 30 to Site B's switch and Vlan50 and 60 to Site A's core, right? I don't need to do that to all switches, right, just the two that will be going back and forth?

How do I configure the uplink ports as trunk ports? Is there a command inside config to do that?
 

Larry22

Junior Member
Sep 21, 2013
Also, with an HP, trunking means to aggregate links or ports, different than Cisco. That's what I've found out.
 

alkemyst

No Lifer
Feb 13, 2001
> Okay, so I need to add Vlan1 and Vlan 30 to Site B's switch and Vlan50 and 60 to Site A's core, right? I don't need to do that to all switches, right, just the two that will be going back and forth?
>
> How do I configure the uplink ports as trunk ports? Is there a command inside config to do that?

The vlans should exist on all switches that will be moving them. The vlan interfaces only need to be on the switches where those vlans reside.

The layer 3 routing will get the layer 2 traffic to the switch to be 'switched'.
 

kevnich2

Platinum Member
Apr 10, 2004
> The vlans should exist on all switches that will be moving them. The vlan interfaces only need to be on the switches where those vlans reside.
>
> The layer 3 routing will get the layer 2 traffic to the switch to be 'switched'.

Since you have layer 3 routing at both sites, as long as the switch at site B can communicate with the switch at site A, if you set your default route in the switch at site B, all foreign routes that the site B switch doesn't recognize will be sent to site A anyway. Setting up the vlan's and what not in each switch is more of a prepping step in case in the future you want to put in a strictly layer 2 switch instead of the current layer 3 device you have now. Granted, having layer 3 routing at both sites does give an obvious advantage so I'd say just keep it there.
 

alkemyst

No Lifer
Feb 13, 2001
> Since you have layer 3 routing at both sites, as long as the switch at site B can communicate with the switch at site A, if you set your default route in the switch at site B, all foreign routes that the site B switch doesn't recognize will be sent to site A anyway. Setting up the vlan's and what not in each switch is more of a prepping step in case in the future you want to put in a strictly layer 2 switch instead of the current layer 3 device you have now. Granted, having layer 3 routing at both sites does give an obvious advantage so I'd say just keep it there.

True; however, once it's on the switch itself it's not 'routed' to the hosts on that switch. It's going to be layer 2. It's going to see the MAC addresses in its table and just send the traffic out on whatever interface that is.
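
Added example, not part of the thread: a small Python model of the site B switch's routing table, working through the "does it matter it's a different subnet?" question about the default route to 10.1.2.51. It assumes each "512 IPs" subnet is a /23 and uses a simplified rule that a static route only becomes active when its next hop sits inside a directly connected subnet; the function names are made up for the illustration.

```python
import ipaddress

# Constructed model of the thread's addressing. "512 IPs" is read as a /23
# (an assumption); TRANSIT is site A's VLAN 1 carried across the fiber link.
SITE_B_LOCAL = ["10.5.0.0/23", "10.6.0.0/23"]   # VLAN 50 wired, VLAN 60 wireless
TRANSIT = "10.1.2.0/23"
DEFAULT_VIA_A = ("0.0.0.0/0", "10.1.2.51")      # ip route 0.0.0.0 0.0.0.0 10.1.2.51


def build_table(connected, statics):
    """Return (installed, rejected). A static route is installed only when its
    next hop lies inside a directly connected subnet (simplified model)."""
    nets = [ipaddress.ip_network(c) for c in connected]
    installed = [(n, "connected") for n in nets]
    rejected = []
    for prefix, hop in statics:
        if any(ipaddress.ip_address(hop) in n for n in nets):
            installed.append((ipaddress.ip_network(prefix), hop))
        else:
            rejected.append((prefix, hop))
    return installed, rejected


def next_hop(table, dst):
    """Longest-prefix match: returns the next hop, 'connected', or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(n, hop) for n, hop in table if addr in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def site_b_table(with_transit):
    """Site B's table with or without an IP interface on the transit VLAN."""
    connected = SITE_B_LOCAL + ([TRANSIT] if with_transit else [])
    return build_table(connected, [DEFAULT_VIA_A])


if __name__ == "__main__":
    for with_transit in (False, True):
        table, rejected = site_b_table(with_transit)
        print("transit interface:", with_transit, "rejected:", rejected)
        # Constructed destinations: local wireless, site A wireless,
        # the filter at site A, and an internet address.
        for dst in ("10.6.0.15", "10.2.1.20", "10.1.2.18", "203.0.113.9"):
            print("  ", dst, "->", next_hop(table, dst))
```

The same lookup applies in reverse: site A's core switch and the Sonicwall need routes for site B's subnets pointing back across the link, or replies will not return.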