Consolidate switches/VLANs

bnpmediait · ‎10-12-2009

I have a 2824 and a 2848 switch. I'd like to consolidate the two but am unsure how to keep the subnets separate.

The 2848 has the 50, 51, 52, 53, 55 and 59 subnets which all can communicate between each other. It connects to a firewall interface at 192.168.50.2.

The 2824 has the 61 and 16 subnets which can communicate between each other. It connects to a firewall interface at 192.168.61.2.

Is it possible add the subnets from the 61 and 16 subnets to the 2848 switch and still allow them to communicate between each other but not the subnets already on the 2848? In addition, I'd like them to continue connecting via the 192.168.61.2 firewall interface for those two subnets. In essence I just want the switches combined in terms of ports but keep the same segregation I'm getting by using two switches.

See configs below:

HP ProCurve Switch 2848# sh run

Running configuration:

; J4904A Configuration Editor; Created on release #I.08.71

hostname "HP ProCurve Switch 2848"

max-vlans 32
time timezone -300
time daylight-time-rule Continental-US-and-Canada
mirror-port 16
interface 1
speed-duplex auto-1000
exit
interface 12
speed-duplex auto-1000
exit
interface 18
speed-duplex auto-1000
exit
interface 21
speed-duplex auto-1000
exit
interface 22
speed-duplex auto-1000
exit
interface 23
speed-duplex auto-1000
exit
interface 24
speed-duplex auto-1000
exit
interface 28
speed-duplex 100-full
exit
ip default-gateway 192.168.50.2
sntp server 192.168.50.11
ip routing
timesync sntp
sntp unicast
snmp-server community "****"
vlan 1
name "DEFAULT_VLAN"
untagged 5-6,8-9,11,13,15-18,20,25-39,42-44,47-48
ip address 192.168.50.1 255.255.255.0
no untagged 1-4,7,10,12,14,19,21-24,40-41,45-46
exit
vlan 55
name "Net55"
untagged 40-41
ip address 192.168.55.1 255.255.255.0
exit
vlan 53
name "Net53"
untagged 45-46
ip address 192.168.53.1 255.255.255.0
exit
vlan 52
name "Net52"
untagged 12,14,21-24
ip address 192.168.52.1 255.255.255.0
exit
vlan 51
name "Net51"
untagged 19
ip address 192.168.51.1 255.255.255.0
exit
vlan 59
name "Net59"
untagged 1,7,10
ip address 192.168.59.1 255.255.255.0
exit
vlan 60
name "Inside"
untagged 2-4
exit
interface 8
monitor
exit
ip route 0.0.0.0 0.0.0.0 192.168.50.2

HP ProCurve Switch 2824# sh run

Running configuration:

; J4903A Configuration Editor; Created on release #I.08.58

hostname "HP ProCurve Switch 2824"

interface 1
speed-duplex auto-1000
exit
interface 3
speed-duplex 100-full
exit
interface 4
speed-duplex 100-full
exit
interface 18
speed-duplex auto-1000
exit
interface 19
speed-duplex auto-1000
exit
interface 20
speed-duplex auto-1000
exit
interface 21
speed-duplex auto-1000
exit
interface 22
speed-duplex auto-1000
exit
interface 23
speed-duplex auto-1000
exit
interface 24
speed-duplex auto-1000
exit
ip default-gateway 192.168.60.2
ip routing
snmp-server community "****"
vlan 1
name "AWH_HP_Switc"
untagged 1-14,16-24
ip address 192.168.61.1 255.255.255.0
no untagged 15
exit
vlan 16
name "SHO VPN"
untagged 15
ip address 192.168.16.1 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.61.2
ip route 10.0.0.0 255.0.0.0 192.168.61.5
ip route 192.168.15.0 255.255.255.0 192.168.61.5

Pieter 't Hart · ‎10-12-2009

basically you can keep the same config.
but you need to change vlan-1 config on switch-2 to a new vlan (lets' say vlan-61)
switch-1 services routing between vlans 50, 51, 52, 53, 55 and 59
switch-2 does the same for 61 and 16.

In the same run you may want to change switch-1 config to "evacuate" the default-vlan (vlan-1) to something like vlan-50

When you changed all vlan-1 ports on switch-2 to the new vlan, you need to configure the link between switch-1 and -2 (lets' say port-24) to carry all vlans (same on both switches)
vlan 50
tagged 24
exit
vlan 51
tagged 24
exit
vlan 52
tagged 24
exit
vlan 53
tagged 24
exit
vlan 55
tagged 24
exit
vlan 59
tagged 24
exit
vlan 61
tagged 24
exit
vlan 16
tagged 24
exit

With this config you have :
- communication within a single vlan on both switches :
a port on switch-1 untagged vlan-16 can communicate with a port on switch-2 untagged vlan-16
- same goes for the other vlans
- communication between vlan 61 and 16 :
a port on switch-1 untagged vlan-16 can communicate with a port on switch-2 untagged vlan-61 using switch-2 as a router
- communication between vlan 50 etc using switch-1 as a router
- ports on vlan61 and -16 can communicate with the external router (ports on both switches)
- vlan50 etc cannot communicate with vlan61/16
- vlan50 etc cannot connect to the external router.

bnpmediait · ‎10-13-2009

I don't think I was clear in my inquiry.

I need to get rid of the second switch (2824). That means I need to have these subnets communicate with each other: 50, 51, 52, 53, 55 and 59 and use 50.2 as their default route.

I need to have these subnets communicate with each other: 16, 61 and use 192.168.61.2 as their default route.

All while being on the same switch.

Pieter 't Hart · ‎10-13-2009

If you only keep a single switch it will route between all vlans known on this switch.
You won't have the two separate "sets" of vlans.

The 2800 series can only handle port-based access-control, no ACL's and no vlan-based ACL's.

So on a single 2800 series switch you may not get what you want.

bnpmediait · ‎10-13-2009

Thanks for the fast follow-up. That was my thought but figured I'd open this one up to anyone else out there more familiar with the HP feature set than myself.

Thanks.

Consolidate switches/VLANs

Consolidate switches/VLANs

Re: Consolidate switches/VLANs

Re: Consolidate switches/VLANs

Re: Consolidate switches/VLANs

Re: Consolidate switches/VLANs

Hewlett Packard Enterprise International