Network Management

Hi,

please excuse what is likely to be a pretty basic question for anyone that knows what they're doing, but I would really appreciate some help please . . . . .

I want to create a LAN that is segregated from the rest of the network which I guess is the whole point of VLANs but I am really struggling with the configuration to get it to work. At the moment, everything is on a single LAN. Apologies for the long post, but hopefully, the information below will describe the situation.

The basic hardware layout is  . . . . 

WAN Router, DrayTek 2865ax (1 WAN, 5 LAN ports)

Office Switch 4 ProCurve 1800-24G  J9028B
Multiple PCs, port 24 connects to WAN Router Port 2

Office Switch 3 ProCurve 1800-24G  J9028B
Multiple PCs, port 24 connects to WAN Router Port 3

Server Switch 2 HP 2910al-48G Switch (J9147A)
Multiple servers, Port 23 connects to Switch 1
Port 24 connects to WAN Router Port 5

Office Switch 1 ProCurve 1800-24G  J9028B
Multiple PCs, Port 24 connects to upstream switch (2)

(It would be impractical to connect these switches using other than the current cables)

I want to segregate the traffic on switch 1 from the rest of the network. My thoughts are that I need to configure a dedicated VLAN where traffic passes through switches 1 and 2 and into WAN router port 5. Port 5 would have two LANs configured, the default for the rest of the network (LAN1) and a dedicated LAN for the VLAN traffic through the router (LAN2). LAN1 has rest of the network, including DHCP and DNS servers. LAN 2 will have a new IP subnet, with the router doing DHCP for the new LAN (though most of the devices will have fixed IPs anywway).

I am struggling to work out where I apply VLAN tags and the correct port configuration for the HP switches. I don't think that any configuration is required on switches 4 and 3, only on Switch 2 and possibly (?) switch 1.

Can anyone help me muddle my way through this please? 

[Ideally, (and disregarding any security issues for the moment), I would allow the DrayTek router to pass traffic between the two LANs, i.e., inter LAN routing, so that I can access the Switch 1 and its devices when logged into the main network, but that is configuration in the DrayTek router than I think I understand.)

regards
Dave

OK, answering my own question . . . .(but I would still welcome comments)

It seems that I had been overcomplicating things and the required configuration is quite straightforward (assuming that I have done it right of course) . . . . . .

Switch 1 (which connects to the devices to be segregated) doesn't need any VLAN configuration at all.

Switch 2 (the intermediate switch between switch 1 and the WAN router) has the port to which switch 1 is connected configured as a tagged VLAN with a unique VLAN ID

(All traffic coming from Switch 2 is tagged as it hits this switch port)

The upstream connection port to the WAN router is configured to pass the VLAN Tag
The WAN router has the port connected to switch 2 configured with the same VLAN tag

The WAN router has separate LANs enabled for the main traffic and the new VLAN on the same port

The WAN router has inter LAN routing enabled between LAN1 and LAN2

Hi Parnassus

Thanks very much for taking the time to reply and the explanation.

Unfortunately, due to cable constraints, I can't dedicate a LAN port on the WAN router to the VLAN - there is only a single cable between the router and the intermediate switch (2). (I will look to see if I can add a cable, but the route is between two buildings, so this wouldn't be a quick job). So, at the moment, the WAN router port will have VLAN and non-VLAN traffic. However, this "non-ideal" configuration is working at the moment which has met the current need.

Thanks again for your input

regards

Dave