Hi

What is the best way to route VLANs through TMG?

We are a school and are provided with a range of IP addresses by the local authority. The range we are provided with is 10.165.0.1-10.165.x.x. We have configured multiple VLANs to use 172.16.x.x on our HP switches to allow for future growth. Our current gateway is set to our core switch with an address of 10.165.0.2 and we would then like to point this core switch to our TMG server and then out to the internet. Can TMG be configured with an external and internal NIC on the 10.165.x.x range?

Is this actually possible and what would be the best way around this?

Thanks in advance.

Shane

Hi,

TMG itself cannot create VLANs but if you have a server-grade network card you might can create VLANs if the card vendor provides that capability.

Second option is to use multiple network cards, one for each VLAN and then the core switch tags the traffic accordingly.

In a virtual environment you can add multiple virtual network adapters and configure the VLAN in the virtual network card settings.

http://blogs.msdn.com/b/adamfazio/archive/2008/11/14/understanding-hyper-v-vlans.aspx

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004252

In all three case TMG will just see some more interfaces and IP ranges and then you can create your rules as desired.

Regards,

Lutz

Hi 

Thanks for the reply.

It is running on VMWare in a virtual environment so I will give this a go.

Our DHCP server is currently in the 10.165.x.x range and leases addresses in that range. Would you know how i can configure DHCP to lease 172.16.x.x address to the other VLANs as well?

Thanks

Shane

Typically the network switch would be configured as a DHCP relay and will forward the DHCP requests from each VLAN to the DHCP server. In the DHCP server you just configure a IP subnet for each VLAN. Their is no specific configuration for VLAN, it is all done automatically.

What is the exact model of your switch?

Hi

So i would just need a scope configured for each VLAN? The core switch is a HP 5406zl.

Thanks

Shane

Yes, one scope for each VLAN.

This article shows you the DHCP relay agent config for the switch. http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?sp4ts.oid=329892&spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c02597329-1%257CdocLocale%253D%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

Hope that helps,

Lutz 

Yes, one scope for each VLAN.

This article shows you the DHCP relay agent config for the switch. http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?sp4ts.oid=329892&spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c02597329-1%257CdocLocale%253D%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

Hope that helps,

Lutz 

• Marked as answer by Shane Walford 2 hours 24 minutes ago

Yes, one scope for each VLAN.

This article shows you the DHCP relay agent config for the switch. http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?sp4ts.oid=329892&spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c02597329-1%257CdocLocale%253D%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

Hope that helps,

Lutz 

• Marked as answer by Shane Walford Tuesday, November 26, 2013 9:26 AM

Yes, one scope for each VLAN.

This article shows you the DHCP relay agent config for the switch. http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?sp4ts.oid=329892&spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c02597329-1%257CdocLocale%253D%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

Hope that helps,

Lutz 

• Marked as answer by Shane Walford Tuesday, November 26, 2013 9:26 AM

Hi,

Another way to this scenario is that you can still make your HP switch be your gateway and switch route your internal subnet to TMG. In another word, VLAN is configured on switch and is transparent for TMG.This way can reduce your workload and TMG can still control the traffic.

Best Regards

Quan Gu 

Hi Quan Gu

Thanks for the reply.

The VLANs are configured on the core and edge switches already. Below is a digram of our proposed setup. Would I not need to configure a network card for each VLAN if i configured it this way?

As for Natting, would the 172.16.x.x addresses be OK for internet access or could TMG do the Natting? Our range we currently use is 10.165.x.x but the VLANs are configured for 172.16.x.x.

Thanks

Shane

Hi,

As far as I know, you must declare each subnet as unique network in TMG, then set network rules ( route ) and add firewall rules allowing traffic you need to pass.

Best Regards

Quan Gu