Switches, Hubs, and Modems

2510-24

Alessandro_78
Regular Advisor

2510-24

Hi all.
I have a 2510-24 and I need to configure it this way:

port1 vlan1 + vlan2
port2 vlan1 + vlan2
port3 vlan1 + vlan2

port10 vlan2

port 25 vlan1
port 26 vlan1


port25 and port25 are uplink to another switch and Internet.

I need to connect one database server (port10) without Internet access, so without vlan1, and three servers with Internet access and with database access, so with vlan 1 and vlan2

How can I do this?

Actually I've done it in this way:

port1 vlan1 tagged vlan2 tagged
port2 vlan1 tagged vlan2 tagged
port3 vlan1 tagged vlan2 tagged

port10 vlan1 NO, vlan2 tagged

port25 vlan1 tagged, vlan2 NO
port26 vlan1 tagged, vlan2 NO

But it doesn't work.
I can't access the switch at all.

Any idea?
15 REPLIES
cenk sasmaztin
Honored Contributor

Re: 2510-24

hi Alessandro

this configuration not working very normal...

you can make learn vlan config and tag ,untag port status.

1-very important vlan rule;one port only one vlan member :never one port happen two vlan member.

you config port 1 vlan 1 tag and vlan 2 tag
this port not member any vlan only vlan 1 and 2 carry information
you one port make member one vlan this port
for this vlan untag member

so please you think
untag state for vlan member
tag state carry vlan information

one port have state also vlan 1 untag also vlan 2 tag

your switch 2510 full L2 properties switch not routing skill therefore I think your network design.
I hope we not use vlan skill your system

you request:
I need to connect one database server (port10) without Internet access, so without vlan1, and three servers with Internet access and with database access, so with vlan 1 and vlan2

okeyyy please listen to me

2510 switch on very successful working one protocol (source port filtering)

this protocol with one or more ports between other ports traffic permit and deny

for example :

sw(config)# filter source-port 1,2,3 drop 10-20 forward 5-7

this command make port 1.2.3.with 10.11.12...20 not connection but port 5.6.7 connection

I hope understand ;)
good luck



cenk

cenk sasmaztin
Honored Contributor
Solution

Re: 2510-24

hi Alessandro
SORRY...
not working on 2510 source port filtering

its instead you make port protected port
please you read

Protected Ports: To provide internet access to users but prevent them from accessing each
other, use the protected-ports command. The command applies per-port and filters the
outbound traffic from the port. See "Configuring Protected Ports" in the "Configuring and
Monitoring Port Security" chapter of the Access Security Guide for more information.
cenk

Alessandro_78
Regular Advisor

Re: 2510-24

Hi, I don't understand you very well.
Can you post me an example configuration for doing what I'm trying to do?

I'll repeat:

I need to make two vlan inside a switch.

VLAN 1 with Internet connected servers
VLAN 2 with Database server.

How can I connect servers and database without connecting the database to the Internet?
Alessandro_78
Regular Advisor

Re: 2510-24

Can I do the following:

port1 default_vlan untag, vlan2 tag
port2 default_vlan untag, vlan2 tag
port3 default_vlan untag, vlan2 tag
port4 default_vlan untag, vlan2 tag

port 10 default_vlan untag, vlan2 NO

port 25 default_vlan NO, vlan2 untag


If vlan2 is connected to internet (via port25) and if port 10 is connected to the database server, doing so I can connect port1,port2,port3,port4 to internet and to database server, database server only to default_vlan and NOT to the internet, and port 25 to the Internet and not to the database.

Is true?

After that, I must assign an IP to default_vlan to access the switch.
cenk sasmaztin
Honored Contributor

Re: 2510-24

no Alessandro not true

tag port only carry vlan information not possible working your config
I again say one port only one vlan member

not working your config

I hope for server connection port-protect command
cenk

cenk sasmaztin
Honored Contributor

Re: 2510-24

1.2.3.4 ports vlan 1 member port how go to internet (vlan2 tag command only for vlan 2 carry information) pc nic default vlan 1 untag member so nic contain 802.1q protocol in this case you want select which vlan member vlan this pc because only one vlan

good luck
cenk

Alessandro_78
Regular Advisor

Re: 2510-24

I've read in the handbook that one port can belong to multiple VLANs.

There is also an example very similar to mine that says that!
Matt Hobbs
Honored Contributor

Re: 2510-24

You can do what you would like to do by configuring the port to be members of multiple VLANs, but you will need to configure those other 3 servers to also be VLAN aware and to set the correct VLAN ID in the NIC driver.

To make things easier though, I would do as Cenk suggests and use the Protected Port feature instead. This will simply stop the database server from going out the uplink port. All devices will remain in the one VLAN which will keep things simple.
Alessandro_78
Regular Advisor

Re: 2510-24

Could you post an example configuration?
I'm not an expert and with a configuration I'll understand much better.

In short: you are saying to protect the port connected to the database server and NOT protect all other ports?
cenk sasmaztin
Honored Contributor

Re: 2510-24

Configuring Protected Ports
There are situations where you want to provide internet access to users but
prevent them from accessing each other. To achieve this control, you can use
the protected-ports command. The command applies per-port, and filters the
outbound traffic from a port. This allows the configuration of two port groups
on a switch: protected ports and unprotected ports. The ports have these
characteristics:
- Traffic from protected ports is not forwarded to other protected ports.
- Protected ports can communicate with unprotected ports, but not
  with each other.
- Unprotected ports can communicate with all ports.
- The protected-ports command applies to logical ports (trunks as well
  as untrunked ports)
Figure 9-15. Example of Protected Ports Command for Ports 4 and 5
To display information about which ports have been configured as protected
ports, enter this command:
ProCurve(config)# show protected-ports
Syntax: [no] protected-ports
Prevents the selected ports from communicating with each
other.
Default: All ports unprotected.
no protected-ports all
Clears the protection from all ports; all ports can now communicate
with each other
---------------------------------------------
ProCurve(config)# protected-ports 4-5
---------------------------------------------
cenk

Alessandro_78
Regular Advisor

Re: 2510-24

Ok.
So, if port 25 is connected to internet (uplink), port 10 is database server, port1,port2,port3 are web servers I can do the following:

port 1 unprotected
port 2 unprotected
port 3 unprotected

port 10 protected

port 25 protected

Doing so, port 1,2,3 can communicate with all ports, port 10 can't communicate with port 25 and it will not have internet access.

Port 25 can't communicate with port 10 so from Internet I can't access database server

Is true?
cenk sasmaztin
Honored Contributor

Re: 2510-24

yess Alessandro

your server protect port

(config)# protected-ports 10

all other port unprotect

good luck....
cenk

cenk sasmaztin
Honored Contributor

Re: 2510-24

nooo port 25 unprotect if port 25 connection internet router

please only port 10 protect command


cenk
cenk
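
The protected-ports rules quoted from the manual earlier in this thread, modeled as an added example (not part of any post and not HP code) and evaluated for the port assignments the posters discuss. Port roles come from the thread; the function names are made up for illustration.

```python
"""Model of the protected-ports rule quoted from the manual in this thread.

Added example, not HP/ProCurve code. Port numbers are the ones used in the
thread (1-3 web servers, 10 database, 25 uplink); function names are made up.
"""
from itertools import combinations

PORTS = {1: "web1", 2: "web2", 3: "web3", 10: "database", 25: "uplink"}


def can_forward(src, dst, protected):
    """Quoted rule: traffic from a protected port is not forwarded to another
    protected port; every other pair of ports may communicate."""
    if src == dst:
        return False
    return not (src in protected and dst in protected)


def blocked_pairs(protected, ports=PORTS):
    """Return the set of unordered port pairs that cannot communicate."""
    return {
        frozenset(pair)
        for pair in combinations(sorted(ports), 2)
        if not can_forward(pair[0], pair[1], protected)
    }


def meets_goal(protected):
    """Goal stated in the thread: database (10) must not reach the uplink (25),
    while web servers (1-3) reach both the database and the uplink."""
    db_isolated = not can_forward(10, 25, protected) and not can_forward(25, 10, protected)
    web_ok = all(
        can_forward(w, t, protected) and can_forward(t, w, protected)
        for w in (1, 2, 3) for t in (10, 25)
    )
    return db_isolated and web_ok


if __name__ == "__main__":
    for label, protected in [
        ("only port 10 protected", {10}),
        ("ports 10 and 25 protected", {10, 25}),
        ("ports 1-3 and 10 protected", {1, 2, 3, 10}),
    ]:
        pairs = sorted(tuple(sorted(p)) for p in blocked_pairs(protected))
        print(f"{label}: blocked={pairs} goal_met={meets_goal(protected)}")
```

The model covers only the forwarding rule as quoted. A host on an unprotected port that can reach both the database and the uplink is still a path between them, so host firewalling on the web servers and the database matters under any of these assignments.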

Alessandro_78
Regular Advisor

Re: 2510-24

Thanks for the reply.
Any security issue with this setup?
Are VLANs more secure than protected ports?