XP Workstations & VLANs

 
 
Melissa
      12-27-2005, 12:21 PM
Hello all! I am the desktop administrator for a school district. Our
network admin had some Cisco consultants come in last week and
implement VLANs. They segmented off the following:
1. Servers (mostly W2k3)
2. Elementary
3. Middle school
4. High school
5. District offices

I've never worked in a VLAN environment before (but I have worked in a
WAN environment, so I'm hoping that it's going to turn out to be
similar). I have had a lot of trouble getting Ghost to work since they
did this, but I've been able to work around that issue. However, I'm
in quite a pickle now with some XP workstations, and this is VERY
bizarre. Unfortunately, neither the network admin nor the consultants
have a clue about this issue. After I ghosted the workstations (in the
Elementary vlan), they came up with the Windows setup as normal. I was
able to join them all to the domain during setup, except for one where
sloppy typing led to an incorrectly-entered password, and it wasn't
joined. All of the machines rebooted at the end of their setup.

The 5 computers I ghosted are mobile carts, so for the ones that
joined, I unplugged them and wheeled them away. The last I logged onto
locally and tried to manually join it to the domain.. it said that it
couldn't find the domain controller. It could release/renew a DHCP
address, but could only ping within its own subnet; it could not ping
past its gateway. And because the DNS server is in a different vlan,
it couldn't do any resolutions. I pulled back one of the finished
workstations, thinking perhaps it was a cable or jack issue. I plugged
it back into the next jack, and it too could no longer ping outside of
its gateway. I went into the hub room and plugged the second
workstation into a different switch. Still no resolution.

My workstation is in the District office vlan, and I could ping the two
workstations, and control them through VNC. I gave the workstations
static IP addresses and manually entered the Gateway & DNS info, but
again.. no dice. It's as if the firewall is turned on, but it is not.

At this point, this is Day 3 of a project that should've taken me one.
Because of these VLANs, I can't seem to get any work done anymore. So
I passed the buck onto the network admin, and he called the
consultants. They worked on it for another hour, mostly trying all of
the things I already have.

It's been a while since I pulled out of the networking side and moved
over to my home in desktops & training, but since no one else has an
answer it's up to me to find it. The only thing left that I can think
of is the fact that I don't think there's a master browser in each
vlan. Is that a necessity with an NT5-based network? Fortunately the
teachers and students are all out on vacation, but we have about 2/3 of
our elementary clients still using W98. I dread to turn those on.

So... if anyone out there can offer me a few pearls of wisdom, I'm all
ears!! Thanks!

--Melissa

 
W2K3Newbie
      12-27-2005, 02:12 PM
If the VLANs were set up as different routed logical numbered IP networks,
the DHCP requests from a workstation will only be able to reach a DHCP server
on the same numbered network as the workstation. You probably need your
workstations to get their DHCP stuff from a centralized domain controller, so
you need to get your Cisco admins to add an "ip helper" config entry to each
VLAN's pseudo interface to point back to your domain controller's ip address
since DHCP requests will not usually just simply automatically cross over
from one routed VLAN to another.
 
Phillip Windell
      12-27-2005, 06:22 PM
"Melissa" wrote in message:
> At this point, this is Day 3 of a project that should've taken me one.
> Because of these VLANs, I can't seem to get any work done anymore. So
> I passed the buck onto the network admin, and he called the
> consultants. They worked on it for another hour, mostly trying all of
> the things I already have.


I hate to state the obvious, but if the consultants were smart enough to
create the VLAN how come they aren't smart enough to figure this
out,...they are really the *only* ones who know how they configured the
VLANs,...and the VLAN configuration is really the *key* to all of this.
Maybe you need to buy some new consultants that are better than the first
ones who can figure out what the first ones did.

VLANs work identically to regular multi-subnet LANs but their "topology" is
just "logical" instead of physical. But there is no way that I or anyone
here could possibly know what the topology consists of and there is no way to
know if they configured both the LAN Router(s) and the Switches
correctly,...especially considering that such configuration can range from
very simple to becoming *extremely* complex.

Even if you gave the "IPConfig /All" of the machines, there is no way to
know what is "correct" and what isn't. But if you give the output of
"IPConfig /All" of some of the involved equipment, I guess that is a place
to start.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------



 
Melissa
      12-27-2005, 08:23 PM
I believe it is set up that way since I can successfully pull down a
DHCP address. The strange bit is that the workstations were able to
join the domain and have an account created in AD while they were in
setup, but once out of setup, they won't go beyond their gateway.
Other than for DHCP, that is.


W2K3Newbie wrote:
> If the VLANs were set up as different routed logical numbered IP networks,
> the DHCP requests from a workstation will only be able to reach a DHCP server
> on the same numbered network as the workstation. You probably need your
> workstations to get their DHCP stuff from a centralized domain controller, so
> you need to get your Cisco admins to add an "ip helper" config entry to each
> VLAN's pseudo interface to point back to your domain controller's ip address
> since DHCP requests will not usually just simply automatically cross over
> from one routed VLAN to another.


 
Melissa
      12-27-2005, 08:51 PM
Thanks Phil,
To be frank, my impression of the consultants is that they've only
implemented VLANs in smaller, less-complex networks. And they're
sympathetic, but very hesitant to return to help us troubleshoot these
issues (red flag! red flag!). I would assume anyone experienced in
implementing VLANs would have encountered some of these issues at some
point. You make some good points about the setup.. sadly they -are-
the only ones who really know how the switches are set up, and if
that's where the problem lies then I'm not able to fix it myself. But
if y'all think that's where the issue is, then I can take that back to
them (or I can take that to a -different- consultant). Most are
Catalyst 2950s.

From what I can gather, most of the clients that I've looked at have
been able to work normally, so that would seem to indicate that the
switches have been set up properly. As far as I can tell, the problem
lies in the OS (XPSP2), but I don't know enough about programming
managed switches to be able to say that there isn't some setting in
there that is incorrect that these particular clients are keying on.

The settings that I pulled down from DHCP are correct; I verified them
with the network admin and with another working workstation. .. and it
looks like the admin disconnected that room whilst reorganizing the
patch panel (arrgh!) so I can't VNC over to grab it for you.

The IP of the DHCP & DNS server is 10.10.10.1. The ISA server is
10.10.1.1. Fileserver1 is 10.10.9.1, Fileserver2 is 10.10.9.2, and the
switch that the client's VLAN is connected to is 10.10.39.254. The
client pulls 10.10.36.100something, and they all have a subnet of
255.255.252.0. Pings outside of the client's gateway end in a timeout,
not a 'destination unreachable'.

Any suggestions on things to try are greatly appreciated, but if anyone
can give me a hint whether to suspect the switch vs. the OS that's a
start too..
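
An added example (not part of any poster's message): using the addresses Melissa lists above, this Python sketch works out which hosts a client with the 255.255.252.0 mask treats as on-link, which depend on the gateway, and whether the DHCP server needs the relay ("ip helper") W2K3Newbie describes. The client address 10.10.36.100 is a constructed stand-in for the elided "10.10.36.100something".

```python
import ipaddress

# Addresses quoted in the post above. The exact client address is elided on
# the page, so .100 is a constructed stand-in (assumption).
CLIENT = "10.10.36.100"
MASK = "255.255.252.0"
GATEWAY = "10.10.39.254"
SERVERS = {
    "DHCP/DNS": "10.10.10.1",
    "ISA": "10.10.1.1",
    "Fileserver1": "10.10.9.1",
    "Fileserver2": "10.10.9.2",
}


def client_network(client, mask):
    """Return the IPv4 network the client believes it is attached to."""
    return ipaddress.ip_interface(f"{client}/{mask}").network


def classify(client, mask, gateway, targets):
    """Split targets into on-link (reached directly) and routed (sent to gateway)."""
    net = client_network(client, mask)
    report = {
        "network": str(net),
        "usable_hosts": net.num_addresses - 2,
        # A gateway outside the client's own subnet could never be reached.
        "gateway_on_link": ipaddress.ip_address(gateway) in net,
        "on_link": [],
        "routed": [],
    }
    for name, addr in targets.items():
        key = "on_link" if ipaddress.ip_address(addr) in net else "routed"
        report[key].append(name)
    return report


def needs_dhcp_relay(client, mask, dhcp_server):
    """DHCPDISCOVER is a broadcast, so an off-link server needs a relay."""
    return ipaddress.ip_address(dhcp_server) not in client_network(client, mask)


if __name__ == "__main__":
    for field, value in classify(CLIENT, MASK, GATEWAY, SERVERS).items():
        print(f"{field:16} {value}")
    print("DHCP relay needed:", needs_dhcp_relay(CLIENT, MASK, SERVERS["DHCP/DNS"]))
```

With these values the client's addressing is self-consistent (the gateway sits inside 10.10.36.0/22), and every listed server, DNS included, is reachable only through 10.10.39.254.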

 
Phillip Windell
      12-27-2005, 09:10 PM
"Melissa" wrote in message:
> I believe it is set up that way since I can successfully pull down a
> DHCP address. The strange bit is that the workstations were able to
> join the domain and have an account created in AD while they were in
> setup, but once out of setup, they won't go beyond their gateway.


You are going to have to lay out the topology:
1. IP subnets (Full specs of each subnet), Net ID, IP Range, Mask, router
Nics that "face" it.
2. Number of Routers and IP# of the Routers.
3. See if there are Router ACLs blocking traffic
4. See if host-based firewalls are getting in the way on the clients
5. ....I suppose I am pretty much shooting blind,...don't entirely know what
to ask for, ..just looking for a likely trail to sniff..

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Ace Fekay [MVP]
      12-28-2005, 12:21 AM
Phillip Windell stated, which I commented on below:
> "Melissa" wrote in message:
>> I believe it is set up that way since I can successfully pull down a
>> DHCP address. The strange bit is that the workstations were able to
>> join the domain and have an account created in AD while they were in
>> setup, but once out of setup, they won't go beyond their gateway.

>
> You are going to have to lay out the topology:
> 1. IP subnets (Full specs of each subnet), Net ID, IP Range, Mask,
> router Nics that "face" it.
> 2. Number of Routers and IP# of the Routers.
> 3. See if there are Router ACLs blocking traffic
> 4. See if host-based firewalls are getting in the way on the clients
> 5. ....I suppose I am pretty much shooting blind,...don't entirely
> know what to ask for, ..just looking for a likely trail to sniff..


Phillip,

Hope you had a nice holiday!

Or maybe a nice clean Visio of the logical connections (and I hate to use
the term 'logical' when it comes to describing subnets), with each device's
IPs and gateways, etc, and post it to a website. I am in the midst of trying
to help someone else out where he created a confusing Visio of it and I
posted a clean example to give him an idea of how to draw it up. As for the
VLANs, they are just logical subnets part of either an existing subnet or
its own subnet with one of the ports being the gateway.

Melissa,
Check this out and see if it helps as a starter:
http://www.fekay.com/SupportBlogs/St...uteExample.htm

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If you are having difficulty in reading or finding responses to your post,
instead of the website you are using, if I may suggest to use OEx (Outlook
Express or any other newsreader of your choosing), and configure a newsgroup
account, pointing to news.microsoft.com. This is a direct link into the
Microsoft Public Newsgroups, and it is FREE and DOES NOT require a Usenet
account with your ISP. With OEx, you can easily find your post, track
threads, cross-post, and sort by date, poster's name, watched threads or
subject.

Not sure how? It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile.
Infinite Diversities in Infinite Combinations.
=================================


 
Melissa
      12-28-2005, 01:14 PM
Hi Ace & Phillip,

This is about as good as I can give you right now (no Visio, sorry..)..
the network admin is on vacation for the rest of the week, so he can't
fill in some of the holes for me. Since I only typically deal with
machines from the wall outward, I wasn't involved really in the
creation of the vlans or scopes (grumble) and I don't know any deeper
specifics than this off the top of my head. Most of the clients work
okay, it's just this one handful in the Elementary school that I'm
having the trouble with (though everyone's on vacation right now, so
we've only turned on & tested a random sample of about 5-10% of the
workstations).

http://i28.photobucket.com/albums/c238/mekissa/network.gif

 
Phillip Windell
      12-28-2005, 06:51 PM
"Ace Fekay [MVP]" wrote in message:

> Hope you had a nice holiday!


It was fine I suppose. Any holiday I can hide from is a good one ;-)

> Or maybe a nice clean Visio of the logical connections (and I hate to use
> the term 'logical' when it comes to describing subnets), with each device's
> IPs and gateways, etc, and post it to a website.


Yes a good diagram would help,...as long as it was accurate. If it is
inaccurate it could make things worse though.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



 
Phillip Windell
      12-28-2005, 07:02 PM
Looks like a very good drawing to me. I don't see anything that stands out
as a problem. As a preference I would not use a mask with 252 in the third
octet, it creates too many hosts on a single segment, it should be kept
below 250-300 hosts (255.255.255.0). But that isn't the problem here, it is
just something to keep in mind.

If the machine 10.10.10.1 is the DNS/WINS then do all the machines on the
LAN everywhere use them in the TCP/IP config for the DNS and WINS?...they
should. You didn't indicate anything other than IP,SN, & GW,...but the DNS
and WINS settings are equally important.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Melissa" wrote in message:
> Hi Ace & Phillip,
>
> This is about as good as I can give you right now (no Visio, sorry..)..
> the network admin is on vacation for the rest of the week, so he can't
> fill in some of the holes for me. Since I only typically deal with
> machines from the wall outward, I wasn't involved really in the
> creation of the vlans or scopes (grumble) and I don't know any deeper
> specifics than this off the top of my head. Most of the clients work
> okay, it's just this one handful in the Elementary school that I'm
> having the trouble with (though everyone's on vacation right now, so
> we've only turned on & tested a random sample of about 5-10% of the
> workstations).
>
> http://i28.photobucket.com/albums/c238/mekissa/network.gif
>



 