Aruba & ProVision-based
cancel
Showing results for 
Search instead for 
Did you mean: 

HP 5406R ZL2 Layer 3 VLAN allowing all IP subnets

 
Highlighted
Occasional Contributor

HP 5406R ZL2 Layer 3 VLAN allowing all IP subnets

Current Setup:

We have HP 5406R zl2 (Part No. J9850A) with HP 24 SFP (Part No. J9988A) and HP 24 Gig-T (J9987A). Firmware Version: KB.16.01.0006.

We have created 3 VLAN and untagged port number B1-B2 (24 Port Gig-T) to VLAN 2 and B9-B10 (24 Port Gig-T) to VLAN 3. Assigned IP 10.119.100.1/24 to VLAN1, 10.119.110.1/24 to VLAN2 & 10.119.120.1/24 to VLAN3

Problem:

No matter the IP subnet assigned to the computers, if they are on the same VLAN ports they are communicating each other. For example if we connect 2 computers on port B9 and B10, assigning IP address 10.119.120.2/24 and 10.119.120.3/24 the computers will communicate each other. If we change the IP to 10.119.110.2/24 and 10.119.110.3/24 and connected to the same port B9 and B10 then also the computers are communicating each other. B9 & B10 are untagged to only VALN3, so it should not allow the communication when we use 10.119.110.2/24 (VLAN2) IP.

As we assigned interface IP to VLANs, it will be Layer 3 VLAN and should not allow other subnets to communicate. We have disabled the inter VLAN routing. still same problem.

Please support us to solve this issue.

1 REPLY 1
Highlighted
Honored Contributor

Re: HP 5406R ZL2 Layer 3 VLAN allowing all IP subnets

There are two concepts you need to be clear on:

1. VLAN tagging.
If a switchport is assigned one tagged VLAN, and then receives frames that are tagged in a different VLAN, then it will drop those frames instead of accepting them on the switch.
If a switchport is assigned an untagged VLAN, then any frames it receives untagged will be assumed to belong to whichever VLAN you have assigned to the switchport. It doesn't matter what IP addressing is in the packet header, because the switchport only looks at the frame header.

2. Routing.
If you have two hosts  10.119.110.2/24 and 10.119.110.3/24 on the same VLAN, then these hosts do not use routing to communicate with each other. They use each others' MAC addresses to communicate. The VLAN assigned to their frames by the switch is irrelevant. So long as the two hosts are on the same broadcast segment (same VLAN) they will find each other via broadcast and then communicate using MAC addresses.