  #1 timbo343

    HP VLANs

    Ok, I've had a play about with VLANs before but this was about 2 years ago and I have kinda forgotten bits of what I need to do.

    I have a 4204vl switch and I'm just wanting to see what I can do with VLANs with it.

    Here is the config:

    Code:
    ; J8770A Configuration Editor; Created on release #L.11.20
    
    hostname "ProCurve Switch 4204vl" 
    snmp-server contact "IT Dept" 
    snmp-server location "Server Room" 
    module 1 type J8768A 
    module 2 type J9033A 
    module 3 type J9033A 
    module 4 type J9033A 
    snmp-server community "public" Unrestricted 
    vlan 1 
       name "DEFAULT_VLAN" 
       untagged A1,A3-A24,B1-B24,C1-C24,D1-D24 
       ip address 172.16.24.24 255.255.248.0 
       ip helper-address 172.16.24.4 
       no untagged A2 
       ip igmp 
       exit 
    vlan 2 
       name "VLAN2" 
       untagged A2 
       ip address 192.168.12.1 255.255.252.0 
       ip helper-address 172.16.24.4 
       tagged A1 
       exit 
    spanning-tree

    The DHCP server is 172.16.24.4 255.255.248.0 running Server 2008 R2 on port B20 and I have configured it to give out 192.168.12.20 - 192.168.15.254 255.255.252.0.
    The test laptop in VLAN 2 is connected to the switch on port A2 and with a static IP of 192.168.12.20 can ping 192.168.12.1 but cannot ping the DHCP server.

    Can someone help me out, as I'm wanting to set up a BYOD for staff, students and guests and don't want them touching the network, but only want them to access the net.

    If I'm using the wrong kinda switch, then fair enough, I may need to get an L3 switch as my core.

    Thanks
    Last edited by timbo343; 11th December 2012 at 01:34 PM.

  #2 IanT
    That switch is good enough and it's up to the job! - http://h18000.www1.hp.com/products/q.../12435_div.PDF

    Enable ip-routing and wr mem - so VLANs can talk to each other etc.

    Set the laptop to pick up an ip via DHCP (not static)

    Make sure the DHCP Scope is activated and has all the correct info (default gateway etc etc)

    Typical LITE-Core config (not perfect but basic core)

    Startup configuration:

    ; Configuration Editor; Created on release #R.11.72

    hostname "core-2560-01"
    max-vlans 50
    time daylight-time-rule Western-Europe
    console inactivity-timer 15
    trunk 27-28 Trk1 LACP
    ip default-gateway 10.52.5.254
    ip routing
    timesync sntp
    snmp-server community "public" Unrestricted
    vlan 1
    name "DEFAULT_VLAN"
    no ip address
    exit
    vlan 5
    name "bmi_mgmt"
    untagged 3-11,13,15-23
    ip address 10.52.5.254 255.255.255.0
    ip helper-address 10.52.10.1
    ip helper-address 10.52.10.2
    tagged 1,Trk1
    ip proxy-arp
    ip igmp
    exit
    vlan 12
    name "bmi_prt"
    ip address 10.52.12.254 255.255.255.0
    ip helper-address 10.52.10.1
    ip helper-address 10.52.10.2
    tagged Trk1
    ip proxy-arp
    ip igmp
    exit
    vlan 10
    name "bmi_svr"
    ip address 10.52.10.254 255.255.255.0
    ip helper-address 10.52.10.1
    ip helper-address 10.52.10.2
    tagged Trk1
    ip proxy-arp
    ip igmp
    exit
    vlan 16
    name "bmi_wired"
    untagged 2,14
    ip address 10.52.16.254 255.255.255.0
    ip helper-address 10.52.10.1
    ip helper-address 10.52.10.2
    tagged 1,Trk1
    ip proxy-arp
    ip igmp
    exit
    vlan 18
    name "bmi_ilo"
    ip address 10.52.18.254 255.255.255.0
    ip helper-address 10.52.10.1
    ip helper-address 10.52.10.2
    tagged Trk1
    ip proxy-arp
    ip igmp
    exit
    vlan 65
    name "bmi_mobdevs"
    ip address 10.52.65.254 255.255.255.0
    ip helper-address 10.52.10.1
    ip helper-address 10.52.10.2
    tagged 23,Trk1
    ip proxy-arp
    ip igmp
    exit
    vlan 66
    name "bmi_bmiwifi"
    ip address 10.52.66.254 255.255.255.0
    ip helper-address 10.52.10.1
    ip helper-address 10.52.10.2
    tagged 23,Trk1
    ip proxy-arp
    ip igmp
    exit
    vlan 67
    name "bmi_bmiguest"
    ip address 10.52.67.254 255.255.255.0
    ip helper-address 10.52.10.1
    ip helper-address 10.52.10.2
    tagged 23,Trk1
    ip proxy-arp
    ip igmp
    exit
    vlan 98
    name "bmi_bmicctv2"
    ip address 10.52.98.254 255.255.255.0
    ip helper-address 10.52.10.1
    ip helper-address 10.52.10.2
    tagged 23,Trk1
    ip proxy-arp
    ip igmp
    exit
    vlan 99
    name "bmi_bmicctv1"
    untagged 1
    ip address 10.52.99.254 255.255.255.0
    ip helper-address 10.52.10.1
    ip helper-address 10.52.10.2
    tagged 23,Trk1
    ip proxy-arp
    ip igmp
    exit
    vlan 100
    name "bmi_fwall"
    untagged 12,24
    ip address 10.52.100.254 255.255.255.0
    ip helper-address 10.52.10.1
    ip helper-address 10.52.10.2
    tagged Trk1
    ip proxy-arp
    ip igmp
    exit
    vlan 192
    name "bmi_leg1"
    ip address 192.168.1.254 255.255.255.0
    ip helper-address 10.52.10.1
    ip helper-address 10.52.10.2
    tagged Trk1
    ip proxy-arp
    ip igmp
    exit
    vlan 1920
    name "TEST VLAN"
    ip address 192.168.0.254 255.255.255.0
    tagged Trk1
    ip proxy-arp
    ip igmp
    exit
    ip route 0.0.0.0 0.0.0.0 10.52.100.123
    radius-server timeout 3
    radius-server retransmit 1
    radius-server host 10.52.10.1 key XXXXXX auth-port 1645 acct-port 1646
    aaa authentication console login radius local
    aaa authentication console enable radius local
    aaa authentication telnet login radius local
    aaa authentication telnet enable radius local
    aaa authentication web login radius local
    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local
    sntp unicast
    spanning-tree
    spanning-tree Trk1 priority 4
    spanning-tree priority 0 force-version RSTP-operation
    password manager
    password operator
    Last edited by IanT; 17th December 2012 at 12:01 AM.

  #3 timbo343
    Cheers @IanT

    Just one last question, am I right in thinking that for clients on the VLANs other than VLAN1 I would need the ip route 0.0.0.0 0.0.0.0 x.x.x.x for them to access the internet? That's the last thing I'm struggling with now.

  #4 AngryTechnician
    The problem you are going to have here is that once you enable ip-routing, all the VLANs can talk to each other, so you are only separating broadcast and multicast traffic. All other traffic will pass between VLANs just fine, so your BYOD network is not secured from the main network.

    In order to secure the traffic, you need to define ACLs to stop traffic from passing unhindered - and the HP 4200 series does not support VLAN ACLs.

  #5 IanT
    ip route 0.0.0.0 0.0.0.0 x.x.x.x - this will be your router or firewall

  #6 gshaw
    Quote Originally Posted by AngryTechnician:
        The problem you are going to have here is that once you enable ip-routing, all the VLANs can talk to each other, so you are only separating broadcast and multicast traffic. All other traffic will pass between VLANs just fine, so your BYOD network is not secured from the main network.

        In order to secure the traffic, you need to define ACLs to stop traffic from passing unhindered - and the HP 4200 series does not support VLAN ACLs.
    This ^^^

    Ours aren't routed at the moment so the BYOD VLAN is isolated, but as soon as routing is on without ACLs everything might as well be on the same network.

  #7 Ergo
    We have dealt with a number of schools who are looking at this, and in most cases the best solution we have used is to NOT enable VLAN routing, but instead ask your broadband supplier to enable a second port on your router for the guest network with a separate IP range, and then simply connect that as the default gateway for the BYOD/Guest VLAN.

    Regards,

    Dave
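The three positions in this thread (IanT: enable ip routing and add a default route; AngryTechnician: with routing on and no VLAN ACLs on the 4200 series, every VLAN that carries a switch IP can reach every other; Ergo: leave the guest VLAN unrouted and give it its own gateway) can be checked mechanically against a config. The script below is an added example written for this page, not code from any poster or from HP. It parses a ProCurve-style config and reports which VLANs the switch would forward between, where the default route points, and whether DHCP relay can work at all. The sample config is constructed from the first post's 4204vl config (trimmed), the next hop 172.16.24.1 is a placeholder for the site router or firewall, and the assumption that `ip helper-address` relay depends on `ip routing` being enabled is stated in the code.

```python
"""Audit a ProCurve-style config for the inter-VLAN reachability trap in this
thread: with `ip routing` on, every VLAN that has an `ip address` on the switch
is a routed interface, so traffic crosses between them unless an ACL blocks it.
The 4200vl has no VLAN ACLs, so a guest VLAN is isolated only when the switch
holds no IP on it and clients use a gateway the switch does not route for."""
import ipaddress
import re

# Constructed sample, modelled on the first post's 4204vl config (trimmed).
CONFIG_AS_POSTED = """\
hostname "ProCurve Switch 4204vl"
vlan 1
   name "DEFAULT_VLAN"
   untagged A1,A3-A24,B1-B24,C1-C24,D1-D24
   ip address 172.16.24.24 255.255.248.0
   ip helper-address 172.16.24.4
   no untagged A2
   exit
vlan 2
   name "VLAN2"
   untagged A2
   ip address 192.168.12.1 255.255.252.0
   ip helper-address 172.16.24.4
   tagged A1
   exit
"""

# IanT's advice applied: routing on plus a default route. The next hop
# 172.16.24.1 is a placeholder for the site router or firewall.
CONFIG_ROUTED = "ip routing\nip route 0.0.0.0 0.0.0.0 172.16.24.1\n" + CONFIG_AS_POSTED

# Ergo's alternative: VLAN 2 keeps no switch IP (and so no relay), so the switch
# never routes it; guests would use a separate router port in VLAN 2 as gateway.
CONFIG_L2_GUEST = CONFIG_ROUTED.replace(
    "   ip address 192.168.12.1 255.255.252.0\n   ip helper-address 172.16.24.4\n",
    "   no ip address\n")


def parse_config(text):
    """Extract the routing flag, per-VLAN IP/helper settings and static routes."""
    vlans, routes, routing, current = {}, [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": None, "ip": None, "helpers": []}
            continue
        if current is not None:          # inside a vlan context
            if line == "exit":
                current = None
            elif line.startswith("name "):
                vlans[current]["name"] = line.split(" ", 1)[1].strip('"')
            elif line.startswith("ip address "):
                _, _, addr, mask = line.split()
                vlans[current]["ip"] = ipaddress.ip_interface(f"{addr}/{mask}")
            elif line.startswith("ip helper-address "):
                vlans[current]["helpers"].append(line.split()[2])
            continue
        if line == "ip routing":
            routing = True
        elif line.startswith("ip route "):
            _, _, dst, mask, nexthop = line.split()
            routes.append((ipaddress.ip_network(f"{dst}/{mask}"),
                           ipaddress.ip_address(nexthop)))
    return {"routing": routing, "vlans": vlans, "routes": routes}


def audit(text):
    """Report which VLANs the switch would route between and where the default route points."""
    cfg = parse_config(text)
    vlans = cfg["vlans"]
    routed = sorted(v for v, d in vlans.items() if d["ip"] is not None)
    unrouted = sorted(v for v, d in vlans.items() if d["ip"] is None)
    gateway = next((nh for net, nh in cfg["routes"] if net.prefixlen == 0), None)
    gateway_vlan = None
    if gateway is not None:
        gateway_vlan = next((v for v in routed if gateway in vlans[v]["ip"].network), None)
    return {
        "routing": cfg["routing"],
        "routed_vlans": routed,
        "unrouted_vlans": unrouted,
        # routing on + more than one switch IP = all of those VLANs reach each other
        "cross_vlan_reachable": cfg["routing"] and len(routed) > 1,
        "default_gateway": None if gateway is None else str(gateway),
        "default_gateway_vlan": gateway_vlan,
        # Assumption stated in the lead-in: DHCP relay (ip helper-address) only
        # forwards once ip routing is enabled, so relay configured without routing
        # is flagged as the original poster's first problem.
        "relay_without_routing": [] if cfg["routing"]
        else sorted(v for v in vlans if vlans[v]["helpers"]),
    }


if __name__ == "__main__":
    for label, text in (("as posted", CONFIG_AS_POSTED),
                        ("ip routing + default route", CONFIG_ROUTED),
                        ("guest VLAN with no switch IP", CONFIG_L2_GUEST)):
        r = audit(text)
        print(f"{label:30} routing={r['routing']!s:5} routed={r['routed_vlans']} "
              f"cross-VLAN={r['cross_vlan_reachable']} gateway={r['default_gateway']} "
              f"via VLAN {r['default_gateway_vlan']} "
              f"relay-without-routing={r['relay_without_routing']}")
```

Run against a real `show running-config` dump, the `cross_vlan_reachable` flag is the check that matters for a BYOD VLAN on a switch with no VLAN ACL support: if it is true and the guest VLAN appears in `routed_vlans`, the guest network is not separated from the internal one, whatever the VLAN membership says. Removing the switch IP from the guest VLAN (the third sample) clears the flag while keeping routing available for the internal VLANs.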

  #8 john
    @timbo343 if you have got your nice shiny UTM you could let that do DHCP for the BYOD and just have the VLAN dump traffic to that to get out, and then do zone bridging in that to allow the BYOD access back to set servers such as HAP, OWA etc.

  #9 timbo343
    @john, someone mentioned that, though said UTM doesn't arrive until Feb and I was trying to be one step ahead of the game before it arrived; turns out it's kinda backfired on me.

    At the moment we can use a second port on the Cisco router or even the Cisco firewall, but like I said, might as well wait for the UTM and see what that will enable us to do.

    Possibly looking at setting up a WebDAV server for when students and some staff want to bring in their own device. That's another headache I've got on the go at the moment. Ok, I've got a HAP setup but I would rather that just be used for staff at home.

    Will have to see what the future brings.
