Configuring VLAN’s on two HP procurve switches
Q:
Hi all,

Trying to route a new ISP (microwave link) from one of my outbuildings to my computer room and hence to my firewall. The old ISP came directly into the firewall. In the outbuilding the microwave modem connects with Cat5 to an HP ProCurve 2524 switch. Because this ISP is coming through my internal network, I plan on using a new vlan called "Airspeed" only for this ISP traffic.
Up until now I've just been using the "DEFAULT_VLAN" on both HP switches (4108 + 2524).

So far I've been unable to ping from my laptop to the ISP modem, both of which are on the new vlan 2 ("Airspeed"). No traffic needs to cross from vlan 2 to vlan 1, so I've left the ports as untagged. I've used the subnet provided by my ISP as the new vlan 2 subnet.
Can anybody see what I'm doing wrong here? I've added the configuration of both switches below.

Thanks in advance,

Rough diagram:

Microwave modem (Gateway IP 77.75.00.49)
|
HP 2524 switch (port 24)
|
HP 2524 switch fibre link
|
HP 4108GL switch fibre link
|
HP 4108GL switch (port D1)
|
Laptop configured with IP 77.75.00.50 (for testing but will be connected to firewall)



; J4865A Configuration Editor; Created on release #G.07.21

hostname "HP ProCurve Switch 4108GL"
cdp run
module 1 type J4864A
module 2 type J4862B
module 3 type J4862B
module 4 type J4862B
ip default-gateway 128.1.146.50
snmp-server community "public" Unrestricted
snmp-server host 128.1.146.51 "public" Not-INFO
snmp-server host 128.1.146.38 "public"
vlan 1
name "DEFAULT_VLAN"
untagged A1-A3,B1-B24,C1-C24,D2-D24
ip address 128.1.146.203 255.255.0.0
no untagged D1
exit
vlan 2
name "Airspeed"
untagged D1
ip address 77.75.00.51 255.255.255.248
exit



; J4813A Configuration Editor; Created on release #F.04.08

hostname "HP ProCurve Switch 2524"
cdp run
ip default-gateway 0.0.0.0
snmp-server community "public" Unrestricted
snmp-server host 128.1.146.51 "public" Not-INFO
snmp-server host 128.1.146.51 "public"
snmp-server host 128.1.146.38 "public"
vlan 1
name "DEFAULT_VLAN"
untagged 1-23,25-26
no untagged 24
ip address 128.1.146.204 255.255.0.0
exit
vlan 2
name "Airspeed"
untagged 24
ip address 77.75.00.51 255.255.255.248
exit
no aaa port-access authenticator active
ASKED: Jul 30 2009  4:25 PM GMT
A:
You do not need to put any IP addresses on the vlan 2 interfaces on either switch. That actually does what you don't want and allows traffic to pass from vlan 1 to vlan 2; if you don't put an IP address on vlan 2 this cannot happen.

What you also need to do is add the fibre ports to vlan 2 as tagged, on both switches.

This then carries vlan 1 as the untagged vlan, and vlan 2 as tagged, that effectively joins the vlan 2 ports on the 2524 to the vlan 2 ports on the 4108GL.

So you need to do the following:

On the 2524

vlan 2
no ip address
tagged 25-26



On the 4108GL

vlan 2
no ip address
tagged A1-A3


I assume A1-A3 are the fibre ports; if you only want the Internet to go to the 2524, only tag on the fibre port that goes to that switch.

You should also really put the firewall directly on the modem, and carry the internal Internet subnet on this vlan. That will give you the maximum security.

Let us know if this works :-)
Last Answered: Jul 30 2009  10:26 PM GMT by BlankReg   11280 pts.
Discuss This Answer:

Pandub   115 pts.  |   Jul 31 2009  11:52AM GMT

Thanks Blankreg,

That worked a treat :)
If I move the firewall beside the modem, then there would be no need for vlan 2; I could continue to use the default vlan for my internal network, right?

This is how my config looks now;

on the 2524

vlan 2
name "Airspeed"
untagged 24
tagged 25-26
no ip address
exit

On the 4108GL

vlan 2
name "Airspeed"
untagged D1
no ip address
tagged A1-A3
exit
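An added example, not from the thread and not HP's code, that models the fix Reg describes and the configs Pandub posted above. It parses the vlan stanzas of the ProCurve-style configs from the question, applies the two correction snippets the same way the CLI would, and then checks (a) whether vlan 2 actually spans the two switches over the fibre link, which only holds when both ends of the link carry it with matching tagging, and (b) which vlans each switch still holds an IP interface on. The cabling (2524 port 25 to 4108GL port A1) is an assumption, since the thread does not say which fibre port is in use; the config text is a constructed copy of the vlan stanzas above.

```python
import re
from collections import defaultdict


def expand_ports(spec):
    """Expand a ProCurve port list such as 'A1-A3,B1-B24' or '1-23,25-26' into a set."""
    ports = set()
    for item in spec.split(","):
        m = re.fullmatch(r"([A-Z]?)(\d+)-([A-Z]?)(\d+)", item)
        if m:
            prefix, lo, _, hi = m.groups()
            ports.update(f"{prefix}{n}" for n in range(int(lo), int(hi) + 1))
        elif item:
            ports.add(item)
    return ports


def parse_vlans(config, vlans=None):
    """Parse the vlan stanzas of a ProCurve config, or apply a snippet to an existing parse."""
    vlans = {} if vlans is None else vlans
    cur = None
    for raw in config.splitlines():
        t = raw.strip().split()
        if not t or t[0].startswith(";"):
            continue
        if t[0] == "vlan" and len(t) == 2:
            cur = vlans.setdefault(int(t[1]), {"untagged": set(), "tagged": set(), "ip": None})
        elif cur is None or t[0] == "exit":
            cur = None  # global config lines are irrelevant to vlan membership
        elif t[0] == "untagged":
            cur["untagged"] |= expand_ports(t[1])
        elif t[0] == "tagged":
            cur["tagged"] |= expand_ports(t[1])
        elif t[:2] == ["no", "untagged"]:
            cur["untagged"] -= expand_ports(t[2])
        elif t[:2] == ["ip", "address"]:
            cur["ip"] = t[2]
        elif t[:3] == ["no", "ip", "address"]:
            cur["ip"] = None
    return vlans


def link_carries(va, pa, vb, pb):
    """A link carries a vlan only when both ends agree on its tagging (802.1Q)."""
    return ((pa in va["tagged"] and pb in vb["tagged"])
            or (pa in va["untagged"] and pb in vb["untagged"]))


def l2_reachable(switches, links, vid, src, dst):
    """Can an untagged host on src=(switch, port) reach one on dst inside vlan vid?"""
    for sw, port in (src, dst):
        if port not in switches[sw].get(vid, {}).get("untagged", set()):
            return False
    adj = defaultdict(set)
    for (sa, pa), (sb, pb) in links:
        va, vb = switches[sa].get(vid), switches[sb].get(vid)
        if va and vb and link_carries(va, pa, vb, pb):
            adj[sa].add(sb)
            adj[sb].add(sa)
    seen, stack = {src[0]}, [src[0]]
    while stack:
        sw = stack.pop()
        if sw == dst[0]:
            return True
        for nxt in adj[sw] - seen:
            seen.add(nxt)
            stack.append(nxt)
    return False


def vlans_with_ip(switches):
    """Vlans on which each switch owns an IP interface, i.e. has a foot in that vlan."""
    return {sw: sorted(v for v, d in vl.items() if d["ip"]) for sw, vl in switches.items()}


# Constructed copies of the vlan stanzas from the original question (the "before" state).
BEFORE_2524 = """
vlan 1
name "DEFAULT_VLAN"
untagged 1-23,25-26
no untagged 24
ip address 128.1.146.204 255.255.0.0
exit
vlan 2
name "Airspeed"
untagged 24
ip address 77.75.00.51 255.255.255.248
exit
"""
BEFORE_4108 = """
vlan 1
name "DEFAULT_VLAN"
untagged A1-A3,B1-B24,C1-C24,D2-D24
ip address 128.1.146.203 255.255.0.0
no untagged D1
exit
vlan 2
name "Airspeed"
untagged D1
ip address 77.75.00.51 255.255.255.248
exit
"""
# Assumed cabling: 2524 port 25 to 4108GL port A1 (the thread does not name the fibre port).
LINKS = [(("2524", "25"), ("4108", "A1"))]
# The two correction snippets from the answer, applied as CLI input.
FIX_2524 = "vlan 2\nno ip address\ntagged 25-26\nexit\n"
FIX_4108 = "vlan 2\nno ip address\ntagged A1-A3\nexit\n"


def assess(apply_fix):
    switches = {"2524": parse_vlans(BEFORE_2524), "4108": parse_vlans(BEFORE_4108)}
    if apply_fix:
        parse_vlans(FIX_2524, switches["2524"])
        parse_vlans(FIX_4108, switches["4108"])
    return {
        "vlan2_spans_switches": l2_reachable(switches, LINKS, 2, ("2524", "24"), ("4108", "D1")),
        "vlan1_intact": l2_reachable(switches, LINKS, 1, ("2524", "1"), ("4108", "B1")),
        "vlans_with_ip": vlans_with_ip(switches),
    }


if __name__ == "__main__":
    for label, fix in (("before", False), ("after", True)):
        print(label, assess(fix))
```

Before the fix, vlan 2 exists on each switch but no port of the fibre link carries it, so the modem and the laptop sit in two disconnected vlan 2 islands, and both switches hold an address in both vlans. After the fix, vlan 2 rides the link tagged while vlan 1 stays untagged, and neither switch has an interface in the ISP vlan. Tagging only one end of the link leaves the vlan isolated, which the test below checks.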


BlankReg   11280 pts.  |   Jul 31 2009  1:16PM GMT

Glad to be of help :-)

Keeping everything on vlan 1 will be fine, and it will allow any of the hosts to have Internet access. The general rule is to firewall as close to the untrusted network as possible, as this reduces the possible vulnerability.

Regards,

Reg
