Monday, February 19, 2007

HP Procurve 2810 Switch Setup

Using VLANs for Failover/Disaster Recovery

A recent project at work required me to implement a couple of switches with VLANs. I decided that I would be able to include a failover/disaster recovery setup with two VLANs and two switches. Just to refresh anyone about my project: it is a Microsoft Windows 2003 Server (R2) webfarm with a Microsoft SQL Server 2005 back-end (click here). The switches I chose were HP Procurve 2810-24G, for the following reasons:

1. Procurve switches have a lifetime warranty.
2. Procurve switches are one of the top 3 in the switch manufacturer business.
3. The ease with which they can be set up.
4. My personal familiarity and experience working with Procurves.

Some background about these switches.

HP Procurve switches are data center class switches that offer a choice of three different interfaces and two ways of accessing them. The three interfaces are the CLI (command line interface), a web-based GUI and a text-based menu. I have never used the CLI, but I would imagine that it is similar to Cisco's switch CLI. The text-based interface is what I use. This interface can be extremely fast once you get used to navigating the menus. I am able to log on, change a port to a different VLAN and log off within about 10-15 seconds. The web GUI takes that long just to log on. I do like the web GUI to get a "feel" for the switch and the traffic patterns, but the full feature set is not available when configuring through it. Creating VLANs, for example, cannot be done with the web-based GUI; the text-based menu or the CLI is needed for such configurations. The two ways of accessing these switches are through the console port or by IP address. The console port is the "first time" way to access the switch, since it doesn't have an IP address with the factory default settings.

Initial switch setup
Once you have connected to the switch with the console cable you are presented with a CLI prompt. At this point type "setup" without quotes. This brings up the Switch Setup menu. You have several options at this point: you can give the switch a name, set up SNMP, change the logon default (CLI or text) and give it an IP address, among other options. I filled out all of the needed IP information and chose text for the logon default. I saved the settings, then connected by IP address.

How I setup my switches
Once again, to review: I am connecting to the switches by IP address through Ethernet and utilizing the text menu to configure them. My webfarm is similar to the majority of webfarms out there. There is a front-end network for handling the Internet traffic and a back-end network for intra-system communication. This is pretty standard stuff; I may write a post about it, or you can email me and I can explain it to you (bradATitnetworkguruDOTcom). Back to how I set up my switches. I have two switches, one for each network. But since I only need to use about 8 ports, I set up half of the ports in one VLAN and the other half in another one (a photo of my firewall and switch setup is here). The front-end switch currently has the webservers and the uplinks to the firewalls as the only ports used. So, with my two webservers and failover firewalls attached to the switch, only 4 ports are used. The photo shows the other ports on the right being used as well, but these are for firewall external ports and are only used temporarily. The back-end switch (bottom one in the photo) has teamed NICs using LACP (802.3ad). This means that I am using two physical cables per logical network connection. This also means that I am using twice the amount of switch ports.

In order to configure the VLANs with the text menu, do the following:

1. Logon to the switch with telnet in manager mode
2. press number 2 "Switch Configuration"
3. press number 7 "VLAN Menu..."
4. press number 1 "VLAN Names"
5. press "Add"

VLANs can be added at this point. The 802.1Q VLAN ID can be any unique number from 1 - 4096. The name can be anything you want also (up to 12 characters). I call it something descriptive like BackEnd for the back-end network.

6. press "save"

Repeat this procedure to add as many VLANs as you need. We should now have at least 2 VLANs, one for the front-end traffic and one for the back-end traffic. None of our switch ports are in the new VLANs yet, but I will go over this in a moment. But first let's create the switch trunks.

I would recommend creating the trunks at this point. We are creating the trunks for the teamed NICs in the back-end, one trunk per teamed NIC. After this step we can go back and add the necessary ports to the VLANs. If we add the ports now and then create the trunks, we will have to go back and add the trunks to the VLANs as well, which is double the amount of work.

To create the trunks make sure you are still logged on in manager mode with telnet in text menu mode.

1. press number 2 "Switch Configuration"
2. press number 2 "Port/Trunk Settings"
3. scroll to Edit option with the arrow keys and press enter.
4. scroll to the ports that you are using for your teamed NICs. I always put these NICs in sequential order. So, for example, ports 13 and 14 will be for Trk1
5. scroll over to "Group" and press the space bar to change the trunk number. If this is the first trunk then I would recommend "Trk1"
6. scroll to the right to the "Type" column and press the space bar until you see "LACP".
7. scroll to the port of the second NIC in the team and follow the same procedure as for the first NIC
8. Repeat steps 5-7 until you have all of the teamed NICs in separate trunks.
9. Once finished press enter and save.

We are now ready to add all of the ports necessary to the proper VLAN. Since I only have 2 VLANs and I want half of the ports in one and the other half in the other it is pretty simple. First we need to get back into the VLAN Menu. We do this by doing the same VLAN steps that we did to create the VLAN.

1. Logon to the switch with telnet in manager mode
2. press number 2 "Switch Configuration"
3. press number 7 "VLAN Menu..."
4. press number 3 "VLAN Port Assignment"
5. Scroll to Edit and press enter.
6. Scroll with the arrow keys to the first port that you want to change.

Each port that you want in a VLAN must be "untagged" in that VLAN only. You can't untag a port in two VLANs. As you look at the GUI, all of the ports should be untagged in the Default_VLAN with a "No" in the second VLAN column. You can use the Default_VLAN as one of your VLANs, as I did. If we are adding ports to the back-end VLAN, we need to highlight the port in the Default_VLAN column and do the following:

REMEMBER: Changing the port that you are using to connect to the switch will disconnect you!

7. press the space bar twice until it says "No".
8. scroll to the right and press the space bar twice again until it says, "No".
9. repeat this procedure until all of the ports are untagged in the proper VLAN.
10. press enter and scroll to Save and press enter.

That's it, once you are ready to log off press 0 twice to exit the menu and confirm the logoff.
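As an added example (not code from the original post), the following Python script models the layout that the three menu procedures above produce: VLAN creation with the ID range and 12-character name limit, LACP trunks that replace their member ports and then have to be moved into the proper VLAN, and port assignment under the rule that a port can be untagged in only one VLAN. It also models tagged membership, which the conclusion leaves for a later post, and has a check() that lists layouts you would not want to press Save on. The port numbers, VLAN ID 20 and trunk names are constructed values; render() uses CLI keywords assumed from memory of the ProCurve CLI (the post itself uses the text menu), so check them against the switch manual before relying on them. The range check uses 1-4094 because 802.1Q reserves IDs 0 and 4095.

```python
# Added example, not code from the original post: a model of the VLAN and trunk layout the
# menu steps above build, with the menu's rules enforced in code. Port numbers, VLAN ID 20 and
# trunk names are constructed; CLI keywords in render() are assumed from memory (check the manual).
from dataclasses import dataclass, field

VLAN_MIN, VLAN_MAX = 1, 4094   # 802.1Q reserves VLAN IDs 0 and 4095
MAX_NAME_LEN = 12              # name limit in the VLAN Names menu

class ConfigError(ValueError):
    """A change that would leave the switch with an invalid layout."""

@dataclass
class Vlan:
    vid: int
    name: str
    untagged: set = field(default_factory=set)   # logical ports, e.g. "13" or "Trk1"
    tagged: set = field(default_factory=set)

class Switch:
    def __init__(self, port_count):
        self.port_count, self.trunks, self.vlans = port_count, {}, {}
        # Factory state: every physical port untagged in DEFAULT_VLAN (ID 1).
        self.add_vlan(1, "DEFAULT_VLAN").untagged.update(str(p) for p in range(1, port_count + 1))

    def logical_ports(self):   # physical ports outside any trunk, plus the trunks themselves
        trunked = {p for members in self.trunks.values() for p in members}
        return {str(p) for p in range(1, self.port_count + 1) if p not in trunked} | set(self.trunks)

    def add_vlan(self, vid, name):   # "VLAN Names" menu
        if not VLAN_MIN <= vid <= VLAN_MAX:
            raise ConfigError(f"VLAN ID {vid} outside {VLAN_MIN}-{VLAN_MAX}")
        if vid in self.vlans:
            raise ConfigError(f"VLAN ID {vid} already exists")
        if len(name) > MAX_NAME_LEN:
            raise ConfigError(f"VLAN name {name!r} longer than {MAX_NAME_LEN} characters")
        self.vlans[vid] = Vlan(vid, name)
        return self.vlans[vid]

    def add_trunk(self, trk, ports):   # "Port/Trunk Settings" menu: Group = trkN, Type = LACP
        used = {p for members in self.trunks.values() for p in members}
        for p in ports:
            if not 1 <= p <= self.port_count or p in used:
                raise ConfigError(f"port {p} does not exist or is already in a trunk")
        self.trunks[trk] = list(ports)
        # The trunk replaces its members in every VLAN table and starts out untagged in
        # DEFAULT_VLAN, which is why it then has to be moved to the right VLAN separately.
        for v in self.vlans.values():
            v.untagged.difference_update(map(str, ports))
            v.tagged.difference_update(map(str, ports))
        self.vlans[1].untagged.add(trk)

    def set_membership(self, port, vid, mode):   # "VLAN Port Assignment" menu
        """Set one port/VLAN cell to 'untagged', 'tagged' or 'no'."""
        if port not in self.logical_ports() or vid not in self.vlans:
            raise ConfigError(f"no such port {port!r} or VLAN {vid}")
        if mode not in ("untagged", "tagged", "no"):
            raise ConfigError(f"unknown membership mode {mode!r}")
        # A port may be untagged in only one VLAN: set it to "No" in its current VLAN first.
        for v in self.vlans.values():
            if mode == "untagged" and v.vid != vid and port in v.untagged:
                raise ConfigError(f"{port} is still untagged in VLAN {v.vid}; set it to No first")
        target = self.vlans[vid]
        target.untagged.discard(port)
        target.tagged.discard(port)
        if mode != "no":
            getattr(target, mode).add(port)

    def check(self):   # problems to fix before Save: ports in no VLAN, or untagged in several
        problems = []
        for port in sorted(self.logical_ports()):
            homes = [v.vid for v in self.vlans.values() if port in v.untagged]
            if not homes and not any(port in v.tagged for v in self.vlans.values()):
                problems.append(f"{port} is a member of no VLAN")
            if len(homes) > 1:
                problems.append(f"{port} is untagged in VLANs {homes}")
        return problems

    def render(self):   # the layout as ProCurve-style CLI lines (keyword syntax assumed)
        lines = [f"trunk {_port_list(m)} {trk} lacp" for trk, m in self.trunks.items()]
        for v in sorted(self.vlans.values(), key=lambda v: v.vid):
            lines += [f"vlan {v.vid}", f'   name "{v.name}"']
            if v.untagged:
                lines.append(f"   untagged {_port_list(v.untagged)}")
            if v.tagged:
                lines.append(f"   tagged {_port_list(v.tagged)}")
            lines.append("   exit")
        return lines

def _port_list(ports):   # numbered ports in numeric order, then trunk names
    return ",".join(sorted(map(str, ports), key=lambda p: (not p.isdigit(), int(p) if p.isdigit() else 0, p)))

def build_example():
    """The post's layout on a 24-port switch: ports 1-12 stay in DEFAULT_VLAN, two teamed-NIC
    pairs become LACP trunks, then the second half of the switch moves to BackEnd."""
    sw = Switch(24)
    sw.add_vlan(20, "BackEnd")                    # VLAN ID 20 is a constructed value
    sw.add_trunk("Trk1", [13, 14])
    sw.add_trunk("Trk2", [15, 16])
    for port in ["Trk1", "Trk2"] + [str(p) for p in range(17, 25)]:
        sw.set_membership(port, 1, "no")          # DEFAULT_VLAN column -> No
        sw.set_membership(port, 20, "untagged")   # BackEnd column -> Untagged
    return sw
```

build_example() returns the configured model; an empty list from check() is the condition to look for before saving, and render() lists the equivalent CLI lines. Calling set_membership() to untag a port in a second VLAN without first setting it to "No" in its current one raises ConfigError, which is the same constraint the menu enforces.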


How the Failover/Disaster Recovery Works
The reason for setting up the switches in this manner is failover. As I mentioned earlier, the HP switches have a lifetime warranty. But the problem is what you do after the switch fails and you are waiting for a replacement. With this setup either of the switches can fail, and my total downtime will depend on how long it takes me to drive to the data center, or for the data center staff to change over all of the ports. This is an acceptable risk considering that only one HP switch has ever failed on me in my career.

Conclusion
This is how you create VLANs and use switches for disaster recovery. This is a very basic introduction to VLANs, and I didn't get into the other options such as tagging and forbidding ports. I will save that for another post...


8 Comments:

At March 7, 2007 8:59 AM , Anonymous Anonymous said...

Thank you for this procurve 2810 "crash course"! Really helpful. The only question I'd have now is: if I just create vlans and don't assign networks/ip to them (IP address section of the configuration), then will it work ok and will I be able to connect to the switch's own ip from any of the ports, or do I need to assign an IP+netmask for each vlan (and then need to connect using the appropriate vlan)?... (in other words: will just assigning vlans without putting ip address+netmasks on them make the switch limit the broadcast to the vlan's port range (and probably would work whatever the broadcaster's network is?))
That's quite a lot of questions, but any answer would be much appreciated!

And thanks again for this helpful bit of summarising.

 
At March 7, 2007 6:56 PM , Blogger Brad Foutz said...

Let's see if I understand correctly and can help you a bit. The IP address for the switch is really only for monitoring or TCP/IP access to it. You could still use the console port (which doesn't use TCP/IP at all) to access the switch. Once you create an IP address for the switch you will still be bound by the IP rules. The switch interface will require you to associate an IP address to a specific VLAN. So from any other VLAN you will not be able to access the switch. Just think of the switch as another computer in your LAN. If you set the IP address of the switch to an IP in your LAN you will be able to access it. Once you connect to the switch you will be able to see all of the ports and control whatever you need from there. So you don't need to assign an IP for each of the different VLANs. The VLANs do limit the broadcast traffic and actually they will limit all traffic between the VLANs. (If you need to transfer traffic for all VLANs then this is where tagging a port is used)

I hope this helps a little.

 
At January 17, 2008 7:48 AM , Anonymous Valik said...

Thanks a lot for your help.. but I find out that I can manage (create/delete) VLANs from the web interface. And one more.. I needed to add more than 10 VLANs (they are already present in my local area) so on my 9th attempt to add the 9th VLAN the switch said that it can have only 8 VLANs max!!! I can't believe that. My 100Mbit switches (3Com) can operate with 250 as far as I remember... what's the mistake?

 
At January 31, 2008 10:38 PM , Anonymous Anonymous said...

valik - the default number of VLANs in Procurves is 8 - you can increase this manually.

 
At February 4, 2008 8:48 PM , Anonymous Anonymous said...

That was some information! I have a similar situation that I need some advice on and perhaps you can help me. I have a 2848 in my computer room and a 2650 for my workstations. A couple of jacks go into public places like my conference room. Can I setup a separate VLAN so that they can get a separate internet and not go through our internal network for internet? How do I setup the two switches to be able to see each others VLANs and traffic?

 
At February 5, 2008 10:35 AM , Blogger Brad Foutz said...

Yes you can, create a new VLAN on both switches, call them the same name and give them the same VLAN ID. Once the VLANs are created untag the ports that you wish to use for conference rooms. Then tag the uplink ports on both switches (not changing the VLAN of any existing connected ports). This will pass the traffic from your internal switch to the computer room switch (I am also assuming that the computer room switch is where the firewall is connected). If your firewall has VLANs then you will be able to protect this traffic also. If your firewall/router can't handle VLANs then you may need to put a switch in front of your firewall. But you may need network services like DHCP, DNS in order for these computers (I assume these computers will be changing depending on who is in the meeting) to work. The VLANs will be able to separate out the network traffic totally and you won't be able to see these infrastructure servers at all. There is a way to have access to these servers but it would defeat the security of the VLAN that you want. Good luck!

 
At February 5, 2008 10:36 AM , Blogger Brad Foutz said...

@ Valik

This is why I use the menu based UI instead of the GUI. All of the advanced options are not available in the GUI.

 
At November 7, 2008 6:08 AM , Anonymous remote server management said...

Thanks for sharing detailed information... very nice post...
