Adam Listek
I am attempting to set up a 2 VLAN configuration for a public wireless network and an internal wireless/wired network. I have a Procurve 2650 Switch and a Procurve 7102dl router with two Procurve 420 Access Points. The router is set up for eth0/1 to connect to the DSL modem and eth0/2.1 for and eth0/2.2 for Tagging is enabled for VLAN 1 is equal to VID of 1 (Default_VLAN) and VLAN 2 has a VID of 2 (WLAN_PUBLIC). The switch is set up with an IP of and Port 50 (uplink) is tagged for VLAN 1 and 2. Port 48 is tagged for the VLAN 2 access point and Port 47 is tagged for VLAN 1 access point. Now DHCP is working correctly on the router; depending on what network a client connects to, it serves the correct address. I can still ping between the VLANs and I do not want them to be able to see each other, so as to isolate the public wireless from our internal network.

To recap:

Router - 7102dl
eth0/1 = Public IP Address
eth0/2.1 =
eth0/2.2 =
DHCP is enabled on router to serve to either network depending on which connected.

Switch - 2650
Port 50 - Tagged (VID 1 & 2)
Port 48 - Tagged (VID 2)
Port 47 - Tagged (VID 1)
Port 1-46 - Untagged (Default_VLAN) - No (WLAN_Public)
VLAN 1 has a switch IP address of
VLAN 2 has a switch IP Address of

IP Routing is enabled on both the Router and the Switch but even when I disable that on both, the two networks can still see each other.

Do I need to have IP Routing enabled or disabled?
Is my tagging scheme correct?
Do I need IP addresses assigned to the VLANs or is that purely management oriented?

Thank you all in advance for help!!!

Jeff Carrell
1) you don't need nor want 'ip routing' on the 2650...

2) on the 2650 you don't really need the vlan 2 ip addr, as you say it is only for mgmt, as you'll probably manage the switch on the vlan 1 addr...

3) since you probably want access from both the public WLAN and private LAN/WLAN to go out you'll need ip routing enabled on the 7102...and then probably a static route pointing the eth0/1 interface so everyone can get "out"...

4) you can apply an ACL to the eth0/2.1 interface to block all traffic to the net...

5) you can then apply an ACL to the eth0/2.2 interface to block all traffic to the net

that way, vlan 2 users get their dhcp addr, get access out, but don't get access to the internal net...and vice-versa for vlan 1 (not getting to vlan 2)...

6) tagging scheme ok...i wouldn't have tagged the 420's on the 2650, since it is single vlan (for now)...if you did it for futures, then by all means - way to go...

i won't say this is the only way, but it's probably the way i'd do it :-)
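
Added example (not part of the original thread, and not ProCurve configuration): a small Python model of why the two VLANs could still reach each other through the router, and how the inbound ACLs from points 4 and 5 stop that while leaving internet access intact. The subnets 192.168.1.0/24 and 192.168.2.0/24 and the host addresses are assumed placeholders, since the thread does not show the real addressing.

```python
import ipaddress

# Assumed placeholder subnets: the thread's real addresses are not shown.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # VLAN 1, eth0/2.1
PUBLIC = ipaddress.ip_network("192.168.2.0/24")     # VLAN 2, eth0/2.2
ANY = ipaddress.ip_network("0.0.0.0/0")

# Router table: two connected subnets plus a default route out eth0/1.
ROUTES = [(INTERNAL, "eth0/2.1"), (PUBLIC, "eth0/2.2"), (ANY, "eth0/1")]

# Inbound ACLs, first match wins: (action, source, destination).
ACLS = {
    "eth0/2.1": [("deny", INTERNAL, PUBLIC), ("permit", ANY, ANY)],
    "eth0/2.2": [("deny", PUBLIC, INTERNAL), ("permit", ANY, ANY)],
}

def egress(dst):
    """Longest-prefix match over the routing table."""
    matches = [(net, ifc) for net, ifc in ROUTES if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def acl_permits(rules, src, dst):
    """Evaluate an ACL top-down; no match means the implicit deny applies."""
    for action, s_net, d_net in rules:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False

def forward(in_ifc, src, dst, acls=None):
    """Return the egress interface, or None if the inbound ACL drops it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = (acls or {}).get(in_ifc)
    if rules is not None and not acl_permits(rules, src, dst):
        return None
    return egress(dst)

if __name__ == "__main__":
    # Constructed sample hosts: a guest, an internal server, an internet host.
    guest, server, web = "192.168.2.50", "192.168.1.10", "203.0.113.80"
    for label, acls in (("no ACLs", None), ("with ACLs", ACLS)):
        print(label)
        print("  guest -> internal:", forward("eth0/2.2", guest, server, acls))
        print("  internal -> guest:", forward("eth0/2.1", server, guest, acls))
        print("  guest -> internet:", forward("eth0/2.2", guest, web, acls))
```

Without the ACLs the router forwards between its two connected subnets like any other traffic, which is the behaviour described in the question. The trailing permit matters: an ACL holding only the deny line would also drop internet-bound traffic through the implicit deny.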

Adam Listek
That is perfect, thank you very much. I don't know why it didn't occur to me to use ACLs. I just assumed that creating separate VLANs would disable communication between them. Everything works perfectly now. Thanks again!