How to setup Private VLAN on HP A5820?

 
Apachez-
Trusted Contributor


Digging through the manuals there are two candidates in the HP world regarding Private VLAN functions:

- Super-VLAN

or

- Isolate-User-VLAN

However, none of them brings me what I need (if I understand the manual correctly)...

 

Here is what I want to do and I hope somebody in here has some advice.

Switch A:

One client per interface. Each interface is on its own vlan which is then trunked to switch B like so:

 

int gi 1/0/1
port access vlan 101

...

int gi 1/0/48
port access vlan 148

int te 1/1/1
port link-type trunk
port trunk permit vlan 101 to 148

 

 

Switch B:

Maps the incoming vlan 101-148 into vlan 100, which has an ip address set (this ip address is what each client will use as default gateway):

vlan 101 to 148

vlan 100
interface Vlan-interface 100
ip address 192.168.0.254 255.255.255.0

vlan 999
interface Vlan-interface 999
ip address 10.0.0.1 255.255.255.248

ip route-static 0.0.0.0 0.0.0.0 Vlan-interface 999 10.0.0.2

 

 

So far pretty straightforward...

Isolate-User-VLAN cannot be used because I want the routing to happen at switch B (A5820) instead of switch A (A5120).

As I understand it, isolate-user-vlan doesn't support trunk interfaces, am I correct (which means I cannot use isolate-user-vlan on the A5820 in this case)?

So Super-VLAN looks like the way to go...

Until I read that the secondary vlans aren't allowed to have an ip address set on their own.

The problem here is that I wanted to set up a dhcp pool per vlan. A thought then was to set up an ip on each secondary vlan which holds the dhcp server, which then maps to the dhcp pool which will lease the correct ip to the client (this way the client can choose to use either dhcp OR a static address - it will be the same in both cases and by that I can set up a static acl on each interface to filter which src/dst ip is allowed).

Another point of using one vlan per customer is to better use IPv6 and yet separate customers from each other at Layer 2 level.

So did I miss something regarding Private VLAN and HP A5820, or is there perhaps some other function that can bring me the Layer 2 security along with the wish to use dhcp/static at the same time, along with dual-stack IPv4 and IPv6?

Pete W
Valued Contributor

Re: How to setup Private VLAN on HP A5820?

My understanding of private-VLAN functionality is to restrict/control communications within a L2 domain. For example you could have 20 web-servers in the same subnet and switch, with no reason to speak to each other - so a private-VLAN fits the bill.

What you seem to require is 48 individual VLANs, each with its own DHCP scope, and restricted from having access to other customer VLANs. I would probably do this with plain-old vanilla routing, with an ACL on each SVI on switch B to prevent traffic moving between VLANs.

Please expand on the requirements if I have misunderstood.

Regards,

Pete

Apachez-
Trusted Contributor
Solution

Re: How to setup Private VLAN on HP A5820?

Uhh, scratch that... after some more reading I found out that "isolate-user-vlan" is what HP/H3C calls "Private VLAN".

The thing with 20 servers on the same vlan but not allowed to speak to each other is a subset of "Private VLAN" often referred to as "Protected VLAN".

Also "Protected VLAN" is only valid within a switch, not across switches like "Private VLAN" is.

That is, if you have clients connected to Switch A and some other clients to Switch B and you have them all on the same vlan (let's say VLAN100) and then run "Protected VLAN" on each switch, then clients connected to Switch A cannot reach other clients connected to Switch A, but they can connect to clients at Switch B (and vice versa).

Using "Private VLAN" instead will let you fully segment each client even across switches.

Anyway, the current solution (in case somebody finds this thread in the future) is this:

At A5120 (switch which the clients are connected to):

 

vlan 100
isolate-user-vlan enable

vlan 101 to 148

isolate-user-vlan 100 secondary 101 to 148

int te 1/1/1
port isolate-user-vlan 100 promiscuous
port trunk permit vlan 100 to 148
port trunk pvid 100

int gi 1/0/1
port access vlan 101
port isolate-user-vlan host

...

int gi 1/0/48
port access vlan 148
port isolate-user-vlan host

 

Note however that the result (for the customer interfaces) will look something like:

port link-type hybrid
port hybrid vlan 100 148 untagged
port hybrid pvid 148

For some reason this isn't mentioned in HP docs but you can find this explanation in H3C docs:

Technical_Support___Documents/Technical_Documents/Switches/H3C_S7500_Series_Switches/Configuration/Operation_Manual/H3C_S7500_OM-%28Release_3100_Series%29-%28V1.04%29/200707/207818_1285_0.htm#_Toc172462478

products___solutions/technology/lan/technology_white_paper/200806/608752_57_0.htm

"
2.2.4  Adding Ports to Isolate-User-VLAN and Secondary VLAN

In order to transmit packets normally, all ports included in the isolate-user-VLAN and the secondary VLANs must be Hybrid ports, and all ports must perform untag operation on all VLAN packets.
"

 

And at the A5820 (which all A5120 connect to):

vlan 100 to 148

int vlan-interface100
# or whatever ip/range you might want to use as default gateway for the clients in vlan 101-148
ip address 10.0.0.254 255.255.255.0
local-proxy-arp enable

int te 1/0/1
port trunk permit vlan 100 to 148
port trunk pvid 100

 


local-proxy-arp is needed in case you want clients to send data to each other through vlan 100 (this way each client has its own L2 broadcast domain and is segmented away from the others, but they can still reach each other through the vlan 100 interface).

What happens is that when a client at (as an example) vlan 101 arps for "who has 10.0.0.2?", the vlan 100 interface will answer all those requests. This way the client at vlan 101 will have the mac of int vlan 100 as the mac address 10.0.0.2 has. The client sends its packets to the mac of int vlan 100, which then will bounce the packet down to the correct vlan (for example vlan 102 in this case). That's why you need an additional ACL if you DON'T want this to happen (not enabling local-proxy-arp is not enough in case the customer tries to bypass your security).

A more traditional setup of the above is to only send vlan 100 between the switches (and not expose the secondary vlans on the uplink of the switch which the customers are connected to (A5120 in this case)), however in my case I want to trunk also vlan 101-148 to the 5820 switch in order to be able to perform the "dhcp or static" magic (but that's another thread) ;-)
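As an added illustration (not from the thread or from HP's docs) of the "additional ACL" the post above says is needed when clients must not reach each other via the vlan 100 gateway: a Comware 5 style advanced ACL that lets clients talk to the gateway and beyond but drops client-to-client traffic inside 10.0.0.0/24, applied inbound on the 5820 uplink. The ACL number 3000 and the rule numbers are assumed; the addresses follow the solution's example (10.0.0.254 as gateway).

```comware
# Added example, not from the thread: ACL number and rule numbers are assumed
acl number 3000
# clients may talk to the vlan 100 gateway itself
 rule 0 permit ip source 10.0.0.0 0.0.0.255 destination 10.0.0.254 0
# drop client-to-client traffic inside the shared /24; this is exactly the
# traffic local-proxy-arp (or a client with a hand-made ARP entry) would
# otherwise get bounced from one secondary vlan to another by the 5820
 rule 5 deny ip source 10.0.0.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
# everything else (default route via vlan 999, DHCP discover from 0.0.0.0) passes
 rule 10 permit ip
#
# filter on the way in from the A5120 so the 5820 never routes client-to-client
interface Ten-GigabitEthernet 1/0/1
 packet-filter 3000 inbound
#
```

Because the filter sits on the uplink rather than on each secondary vlan, it also covers a client that skips ARP entirely and sends frames straight to the gateway MAC with another client's IP as destination.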

Apachez-
Trusted Contributor

Re: How to setup Private VLAN on HP A5820?

Here is that other thread I have mentioned in above posts regarding how to make a "static" dhcp-lease based on which vlan the request came from: http://h30499.www3.hp.com/t5/Comware-Based/Does-HP-5820-24XG-SFP-Switch-JC102A-support-DHCP-classes/m-p/6227591