Networky vlanny things.

Kryten

Old Cow.
Moderator
Joined
Dec 22, 2003
Messages
3,351
Ok, I have a network that is growing exponentially thanks to our manager's ever growing demands and insistence that people need to be able to access stuff via their iDevices/smartphones.

We've just invested in a couple of new switches (HP Procurve 5406zl 44G+POE+4SFP) and layout would physically look something like this once done:

[Image: BasicSetup.jpg]


Two physical sites on a 1Gbit fibre connection. That is non negotiable, we can't afford to add to that (it's half a mile long)
Previously we've just had about 50 switches and 3 on each side were acting as the core, trunked (link aggregation context) to each other, serving the edge devices. With the pure amount of systems, the switches (all layer 2) started to throw a paddy, as MAC address tables went over 500 entries exceeding the limit of 8k entries (that's about 512 addresses). So they all started acting as glorified hubs. They worked, but were painfully slow at the best of times. There's about 600 network entities currently. 480 are workstations, around 40 printers, 50 switches, 10 wireless APs and the rest is just drive-by gubbins like phones, iPads etc.

So, enter the new switches. They're sat on the side waiting to go in pending decent testing.
The intention is to keep it VERY simple for now - it just needs to last until next summer when I am re-working the entire network and infrastructure. My hope is to use 2 VLANs to cut broadcast traffic right down, effectively halving the above problem. However it's just the nitty gritty. Setting up a vlan or 5 is a piece of cake. Doing it so all stations on both sites can still speak to the servers and printers seems to be a sticking point. I know you can tag the connections between switches so the right data goes to the right place but don't know if I need to have the servers/printers on their own VLANS too to achieve this. All the information available on Google is either IOS specific (that's proper IOS, none of your apple twattiness thank you!) or goes from "A network is where one or more computers or devices can connect together" to a load of jargon and gobbledegook that is far beyond even my skills to decipher.

Can anyone shed some light? There's no point telling me I'm too shit - I know this, and until we get the training budget through sometime in 2018 this will probably remain whilst I wing it. The plan is to make a proper job of it next summer when we have the run of the network (vlans for printers, wifi, servers, each site, separating DHCP for each site, transparent proxy for SITE1 etc) but until then we just need to keep it ticking over without falling over. Much.
 

old.Osy

No longer scrounging, still a bastard.
Joined
Dec 22, 2003
Messages
2,690
How sure are you the issue is with the switches not having sufficient table space?

How many _new_ switches do you have, and what make/model are they - and how do you intend to use them in said topology.

In your drawing, you mention edge switches - what are they?

Is it possible at any point that you might have a spanning tree issue which could cause the slow downs?
 

Ch3tan

I aer teh win!!
Joined
Dec 22, 2003
Messages
27,318
How sure are you the issue is with the switches not having sufficient table space?

How many _new_ switches do you have, and what make/model are they - and how do you intend to use them in said topology.

In your drawing, you mention edge switches - what are they?

Is it possible at any point that you might have a spanning tree issue which could cause the slow downs?


Learn to read Osy :)

We've just invested in a couple of new switches (HP Procurve 5406zl 44G+POE+4SFP) and layout would physically look something like this once done:
 

Kryten

Old Cow.
Moderator
Joined
Dec 22, 2003
Messages
3,351
As above, they will be core. One for each site. 48 ports in total each side.

Edge/near edge switches are all either: Dlink 1210-24G, Dlink 1224T or Procurve 1800-24G. No one need preach about Dlink being shit - they've been a mile better than the cheap shit Procurves (which are still 6 times the price).
STP/RSTP was enabled as one of the troubleshooting steps and helped us narrow down one problem: naturally they need to nominate a root bridge and they all nominated the oldest shittest switch on the network (a netgear thing I use for testing). It was that alone that alerted us to them not working as switches.
It was confirmed by checking the mac tables themselves and seeing that they were filling to the brim within 5 minutes of being turned on/connected. Disabling STP/RSTP has no effect on this and trust me, whatever effect STP may have to detriment the network you DO NOT EVER WANT TO RUN A SCHOOL NETWORK WITHOUT IT.

All other devices are L2. A one minute cap with Wireshark gives us a "What the FUCK" reaction every time we study it. Broadcast traffic goes out to each and every port on each and every device so they are working only as hubs - this is entirely down to the mac tables being chock.
 

Genedril

Part of the furniture
Joined
Dec 29, 2003
Messages
1,077
Vlan for the Servers and then the data\printers? Possibly another Vlan for VOIP if you use it? I (used to) know how to do it in Cisco and I'm assuming that your switches should be up to the task but you'll need to add a couple of bridging switches to your setup (well you used to, might now be able to bridge on the fly). You've also confuzzled me because I thought that Edge devices sat at the edge of the network so why are they grouped with your workstations / printers? Is that because it's a school and you're thinking that the students will be on them? In which case I'd have a different VLAN for the student PCs and the ones that are used by the teachers \ admin staff.

Stick some sort of DMZ between your core switches and Internet Router. Also as I personally hate wireless that's where any WAPs would sit; as would any student PCs.

I'm assuming you're using DHCP scopes atm to direct and control traffic?

I've not done proper network design for a bit so my thinking may be out of date.
 

Deebs

Chief Arsewipe
Staff member
Moderator
FH Subscriber
Joined
Dec 11, 1997
Messages
9,076,989
Kryten,

VLANs are a good thing but unless you have central core routers it will never work.
 

Kryten

Old Cow.
Moderator
Joined
Dec 22, 2003
Messages
3,351
Deebs: why not? The new switches are fully layer 3 and are fully capable of routing between vlans. We do have a "core router" but we're not allowed to touch it.

We're pretty much there we think, simulated setup shows no broadcast traffic going between the two switches other than what's necessary and machines on both side of the network can communicate with the servers and internet without problem.

We are just trying to "perfect" what we've done now, which is basically:

2 vlans on each (Site 1, Site 2) - the trunk is tagged for both and the rest of the ports on each site switch untagged for the relevant vlan.
Still seems to be a little too much "crosstalk" but we're just narrowing down what that is - i.e. the dlink switches. Two switches in identical setups, one a Procurve 1800 and the other one of the Dlinks. The procurve after 5 minutes sat with 350 addresses in its forwarding table. The dlink had 580. Thankfully 1. Dlink devs are looking into this and 2. we're relegating all dlinks to pure edge switches as HP have replaced 5 of the faulty procurves we had laying around without question, leaving us enough to use them for all near-edge. Better still our site super has allowed us to run a few more cables to get rid of a couple of daisy chains :D
 

Deebs

Chief Arsewipe
Staff member
Moderator
FH Subscriber
Joined
Dec 11, 1997
Messages
9,076,989
Just reread your original question and notice that the switches support layer 3. To solve the puzzle is simple. Create different subnets on each switch and then set static routes to route.

eg.

Site A: 10.0.0.0/255, 10.0.1.0/255, 10.0.2.0/255 (vlan A)
Site B: 10.0.128.0/255, 10.0.129.0/255, 10.0.130.0/255 (vlan B)

Switch A (on Site A): 10.0.0.1
Switch B (on Site B): 10.0.128.1

Switch A routing (cisco syntax):
ip route 10.0.128.0 255.255.255.0 10.0.0.1
ip route 10.0.129.0 255.255.255.0 10.0.0.1
ip route 10.0.130.0 255.255.255.0 10.0.0.1

Switch B routing (cisco syntax):
ip route 10.0.0.0 255.255.255.0 10.0.128.1
ip route 10.0.1.0 255.255.255.0 10.0.128.1
ip route 10.0.2.0 255.255.255.0 10.0.128.1

on both switches (assuming both have internet connections, again cisco syntax)
ip route 0.0.0.0 0.0.0.0 ISP_GATEWAY_ADDRESS
 

Deebs

Chief Arsewipe
Staff member
Moderator
FH Subscriber
Joined
Dec 11, 1997
Messages
9,076,989
Deebs: why not? The new switches are fully layer 3 and are fully capable of routing between vlans. We do have a "core router" but we're not allowed to touch it.

We're pretty much there we think, simulated setup shows no broadcast traffic going between the two switches other than what's necessary and machines on both side of the network can communicate with the servers and internet without problem.

We are just trying to "perfect" what we've done now, which is basically:

2 vlans on each (Site 1, Site 2) - the trunk is tagged for both and the rest of the ports on each site switch untagged for the relevant vlan.
Still seems to be a little too much "crosstalk" but we're just narrowing down what that is - i.e. the dlink switches. Two switches in identical setups, one a Procurve 1800 and the other one of the Dlinks. The procurve after 5 minutes sat with 350 addresses in its forwarding table. The dlink had 580. Thankfully 1. Dlink devs are looking into this and 2. we're relegating all dlinks to pure edge switches as HP have replaced 5 of the faulty procurves we had laying around without question, leaving us enough to use them for all near-edge. Better still our site super has allowed us to run a few more cables to get rid of a couple of daisy chains :D
You cannot move traffic between VLANs without a router. That is the point of a VLAN, they are broadcast networks and know NOTHING of other networks.
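To make the tagged-trunk / untagged-port design Kryten describes and Deebs's point that VLANs are separate broadcast domains concrete, here is a small Python model of two 802.1Q switches. It is added here and is not from the thread; the two-switch, four-access-ports-a-side topology, port numbers and MAC addresses are all constructed. It counts how many access ports see a broadcast from a site 1 host, and whether a site 2 host's unicast reply gets back, first with one flat VLAN on both sites and then with one VLAN per site.

```python
class Switch:
    """Toy 802.1Q switch: per-VLAN MAC table, untagged access ports, tagged trunk ports."""
    def __init__(self, name, access, trunks):
        self.name = name
        self.access = access      # port -> untagged VLAN (PVID) for that port
        self.trunks = trunks      # port -> set of VLANs carried tagged on that port
        self.mac_table = {}       # (vlan, mac) -> port; real switches cap this table
        self.links = {}           # port -> (peer switch, peer port) for inter-switch cables
        self.sent = []            # (vlan, dst, port) log of every frame put on a wire

    def members(self, vlan):
        """Ports belonging to a VLAN: its access ports plus any trunk allowing it."""
        return [p for p, v in self.access.items() if v == vlan] + \
               [p for p, vs in self.trunks.items() if vlan in vs]

    def ingress(self, port, src, dst, vlan=None):
        if port in self.access:             # untagged frame: classify by the port's PVID
            vlan = self.access[port]
        elif vlan not in self.trunks.get(port, ()):
            return                          # tagged VLAN not allowed on this port: drop
        self.mac_table[(vlan, src)] = port  # learning is scoped to the VLAN
        known = self.mac_table.get((vlan, dst))
        for p in ([known] if known is not None else self.members(vlan)):
            if p != port:                   # never reflect a frame out its ingress port
                self.sent.append((vlan, dst, p))
                if p in self.links:         # crosses the fibre still carrying its tag
                    peer, peer_port = self.links[p]
                    peer.ingress(peer_port, src, dst, vlan)


def build(site1_vlan, site2_vlan):
    """Constructed topology: four access ports per site, one trunk tagged for VLANs 10 and 20."""
    a = Switch("site1", {p: site1_vlan for p in range(1, 5)}, {24: {10, 20}})
    b = Switch("site2", {p: site2_vlan for p in range(1, 5)}, {24: {10, 20}})
    a.links[24], b.links[24] = (b, 24), (a, 24)   # the single fibre between the sites
    return a, b


def reach(site1_vlan, site2_vlan):
    """Access ports hit by (1) a broadcast from site1 port 1, (2) a unicast reply from site2 port 2."""
    a, b = build(site1_vlan, site2_vlan)
    host1, host2 = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"   # constructed MACs
    a.ingress(1, host1, "ff:ff:ff:ff:ff:ff")
    bcast = {s.name: sum(p in s.access for _, _, p in s.sent) for s in (a, b)}
    for s in (a, b):
        s.sent.clear()
    b.ingress(2, host2, host1)   # site2 host answers; only reaches host1 if same VLAN
    reply = {s.name: sum(p in s.access for _, _, p in s.sent) for s in (a, b)}
    return bcast, reply
```

With one flat VLAN the broadcast lands on every access port at both sites and the reply is switched straight back to host1; with a VLAN per site the broadcast touches no site 2 access port, and the reply from VLAN 20 floods site 2 but never reaches host1, which is exactly why the L3 switch has to route between them.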
 

Kryten

Old Cow.
Moderator
Joined
Dec 22, 2003
Messages
3,351
I'm aware of that, just got that you didn't realise they were L3.

Cheers on the subnet thing though - real helpful, especially as cisco is easily translatable to procurve :)
 

Deebs

Chief Arsewipe
Staff member
Moderator
FH Subscriber
Joined
Dec 11, 1997
Messages
9,076,989
Shout or ring me if you need help.
 
