HPE Community
Switches, Hubs, and Modems
1752724 Members
5533 Online
108789 Solutions
New Discussion юеВ

Re: Procurve 2650 - VLAN routing

 
Wingnut_2
New Member

тАО08-20-2007 12:48 AM

тАО08-20-2007 12:48 AM

Procurve 2650 - VLAN routing

VLAN Newbie alert!

I've setup 2 VLAN's (one for office users-192.168.0.0/24 and one for guests-10.0.0.0/24). I've setup the guest network to get DHCP addresses from the Office DHCP server and I am routing between the two. My router out to the internet is currently on 192.168.0.1.

Everything is working as it should except i dont want to route traffic between the office and guest VLAN's but I do want the guest VLAN to be able to access the internet. I realise that I should probably change the internet router ip onto another VLAN, but when I did that I screwed up the VLAN routing totally. (The router does not respond to TAGGED VLAN requests).

Attached is my current config if it helps.

==================================

Running configuration:

; J4899B Configuration Editor; Created on release #H.08.98

hostname "ProCurve-1"
max-vlans 3
ip default-gateway 192.168.0.1
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "OFFICE"
ip address 192.168.0.251 255.255.255.0
tagged 50
no untagged 1-49
exit
vlan 2
name "GUEST"
untagged 1-50
ip address 10.0.0.251 255.255.255.0
exit
vlan 3
name "INTERNET"
no ip address
exit
ip route 0.0.0.0 0.0.0.0 192.168.0.1
stack join 0019bb7d1f00

==================================

Help.. I'm stuck.

PS. If i put in "no ip routing" and just put a default gateway on the switch it doesn't send the traffic out?


Thanks
0 Kudos
7 REPLIES 7
Andrew_291
Frequent Advisor

тАО08-20-2007 01:37 AM

тАО08-20-2007 01:37 AM

Re: Procurve 2650 - VLAN routing

You must to assign some IP address to vlan3, if You want that inet will be able for vlan3 users.There is not another way .But You may to cut some traffic between VLAN using source-port filtering mechanism.
0 Kudos
Thomas Joebstl
Frequent Advisor

тАО08-20-2007 04:05 AM

тАО08-20-2007 04:05 AM

Re: Procurve 2650 - VLAN routing

The 26xx series is a layer3 capable switch (a very poor one at that) and not a firewall. IIRC source-port filtering doesnt work properly when ip routing is enabled.
I suggest you get a proper firewall which either supports VLANs or has more than just one internal interface. Or use a few more of those 20$ soho routers and put each network behind its own NAT gateway.
0 Kudos
Wingnut_2
New Member

тАО08-20-2007 05:24 AM

тАО08-20-2007 05:24 AM

Re: Procurve 2650 - VLAN routing

I'm not looking for theses switches to act as a firewall as I already have a seperate firewall device protecting the network from the internet.

I have 2 of these ProCurve switches. One must be used for the office VLAN (can see all office PC's, printers etc. and access the internet) and one must be used for the guest PC's (no access to office PC's but can access the internet). In the config posted above I am only using the Office and Guest VLANs. Like I said it's working fine except that the guest vlan can route to the office vlan. Do I need to completely redo my config or is there a quick way to block it.

Thanks
0 Kudos
Thomas Joebstl
Frequent Advisor

тАО08-20-2007 06:51 AM

тАО08-20-2007 06:51 AM

Re: Procurve 2650 - VLAN routing

Sorry, no quick fix - not with the 26xx and your 'firewall device'.
There is no way to isolate traffic on the 26xx when ip routing is activated for a particular VLAN (at least I dont know of one), you'd need a more powerfull/capable/expensive switch.

Maybe if your firewall supports at least a DMZ (network, not just a single host) you could (ab)use that for either the office or guest network and disable ip routing on the 2650.
Failing that the cheapest/easiest solution would be to add a soho router inbetween those 2 nets and configure it to block stuff like netbios, maybe the device even allows for more fine grained ip filters.
0 Kudos
Mohieddin Kharnoub
Honored Contributor

тАО08-20-2007 04:50 PM

тАО08-20-2007 04:50 PM

Re: Procurve 2650 - VLAN routing

Hi

I'm sure about your Firewall capabilities, but most of the firewalls support ACLs.

So your solution is to disable the IP Routing on the 2600 switches, and make both 2600 default gateway is the Firewall.

And on the firewall, you can implement ACLs that allow Guest traffic to Internet only, and whatever you need ....

One more thing, i guess you should delete the Internet Vlan unless you need it for other purpose.

Good Luck !!!
Science for Everyone
0 Kudos
Andrew_291
Frequent Advisor

тАО08-20-2007 05:31 PM

тАО08-20-2007 05:31 PM

Re: Procurve 2650 - VLAN routing

Yes, that right.I was tried get on my labs 2650 such config with SPF and it works VERY strange.
Wingnut, you may use firewall connected to both VLANs,and no IP routing on switch.Sounds badly, but there is no another way.
0 Kudos
Wingnut_2
New Member

тАО09-04-2007 07:59 PM

тАО09-04-2007 07:59 PM

Re: Procurve 2650 - VLAN routing

My firewall device does have a DMZ port so I think I'll use that and disable the routing on the switches like suggested.

Thanks for the tips!
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.