john_1114
Advisor

VLANs on ProCurve 2848

I am trying to setup a DMZ using a PIX 506e and my ProCurve 2848. I want to create a VLAN with ID 2 called LAN, and a VLAN with ID 3 called DMZ, on the switch.
After reading the documentation on VLANs on the 2848, I want to know if I am correct in assumptions.

Can I take each port off the default_vlan (i.e. set each port to 'no' in the webmanager)

Put each relevant LAN port on to my LAN_VLAN (i.e. marking each with 'tagged' in the webmanager)

Put each relevant DMZ port on to my DMZ_VLAN (i.e. marking each with 'tagged' in the webmanager)

Where the 506e connects to the switch have both VLANS 'tagged' on that port (i.e. LAN_VLAN and DMZ_VLAN)

Some additional questions I have are:

Does there need to be a untagged VLAN on a port in order for the port to function?

My PIX will have to be setup to support VLANs, does the PIX need to be setup with appropriate VLAN settings prior to this working?
(i.e. should I setup the switch first or second?) (I'd like to get the switch working using VLANs prior to changing the PIX config, is this possible?)

Thanks in advance for your help
John



Manfred Arndt
Valued Contributor

Re: VLANs on ProCurve 2848

John,

ProCurve switches do not require a port to be a member of an untagged VLAN.

Just make sure to add the tagged VLANs before removing the default vlan, otherwise the operation will fail (port orphaned, not member of any VLAN).

You can set the switch up first if you want, as long as you don't expect to be able to talk to the PIX via the switch.
john_1114
Advisor

Re: VLANs on ProCurve 2848

Thanks for your reply Manfred,

The PIX inside interface is the default gateway for all network traffic, so does that mean I do need to have the PIX setup on that VLAN too?

As an experiment I tried setting up 2 PCs (with each other as default gateways), put them both on the same VLAN on the switch (tagged) and then took them off the DEFAULT_VLAN..... and they could not communicate. THEN, I made the VLAN tagged on both ports, and they communicated OK.

I don't understand why they needed to be tagged, then again, I don't suppose it matters too much as long as they are communicating on the same VLAN, what do you think folks?

Thanks in advance
John
Stuart Teo
Trusted Contributor

Re: VLANs on ProCurve 2848

john,

the rules are as follows:

1) if a port is a member of only 1 vlan, the port can be tagged or untagged

2) if the port is a member of multiple vlans, then the port can be untagged only on 1 vlan.

consider these valid configurations:

1) port1 - tagged on vlan1
2) port2 - untagged on vlan1
3) port3 - tagged on vlan1 and vlan2
4) port4 - tagged on vlan1 but untagged on vlan2

the switch will reject your configuration if you attempt to put a port untagged on more than 1 vlan.
If a problem can be fixed, there's nothing to worry. If a problem can't be fixed, worrying ain't gonna help. Bottom line: don't worry.
Stuart Teo
Trusted Contributor

Re: VLANs on ProCurve 2848

john,

i don't work with PIXes but cisco language is different from HP. it sounds like to me that you're trying to trunk the "inside interface" of the 506e and make it carry 2 vlans.

on the cisco side, remember to use dot1q and define a native vlan. the native vlan will be untagged, the other will be tagged.

make sure that your procurve (which supports only dot1q) is configured identically.
john_1114
Advisor

Re: VLANs on ProCurve 2848

Thanks for your comments Stuart, you have helped to make things clearer.

You are right in your assumption that I am creating a trunk on the inside interface of the Cisco PIX 506e and making it carry 2 VLANs.

One thing I am still not sure of is,
do I need to have a native vlan set on the PIX? And do I need a native vlan on the ProCurve 2848?

I was planning to have both VLANs tagged on the port the PIX connects to,
then have all the LAN-VLAN (ID=2) ports as 'untagged'
and have all the DMZ-VLAN (ID=3) ports as 'untagged' as well.

Would this still be okay?

As a separate question, I also want traffic to be able to flow between the DMZ-VLAN and the LAN-VLAN. I have heard the PIX does not make a brilliant router, and it may be possible to do some routing on the ProCurve 2848. Do you know if this is possible? A good idea?

Many thanks!
John
Stuart Teo
Trusted Contributor

Re: VLANs on ProCurve 2848

no, you do not need to run your traffic over the native vlan of the cisco dot1q trunk if you don't want to. you can go fully tagged if you wish.

on the procurve side, having a port untagged on 2 vlans is unacceptable configuration. the switch will reject that configuration.

if you use your procurve as the vlan router, then the traffic wouldn't be inspected by the pix. is that what you want?
john_1114
Advisor

Re: VLANs on ProCurve 2848

let me explain a bit further, I plan to have

port 1-4 VLAN3 'untagged' (this is the DMZ)

port 5 VLAN2 'tagged' and VLAN3 'tagged' (this is the trunk connection to the PIX 506e)

port 6-48 VLAN2 'untagged' (this is the LAN)

Would this work? (assuming the PIX is setup with 2 VLANs with ID 2 & 3 on its inside interface)

Do I need to stipulate a native VLAN on the PIX?

As for routing the traffic between VLANs I am just investigating my options. How much control do you have on routing between VLANs when using the switch?
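The membership rules Stuart gave (untagged on at most one VLAN per port; a port cannot be left in no VLAN, so add the new VLAN before removing the default) and the port plan John lays out above, worked through as an added example that is not from the thread. It assumes a 48-port switch whose factory state is every port untagged on DEFAULT_VLAN (VLAN 1); the classes and functions are illustrative, not ProCurve firmware or CLI.

```python
from dataclasses import dataclass, field


class VlanConfigError(ValueError):
    """A change the switch would reject."""


@dataclass
class Switch:
    ports: int = 48
    membership: dict = field(default_factory=dict)  # port -> {vlan: "tagged"|"untagged"}

    def __post_init__(self):
        for p in range(1, self.ports + 1):          # factory default: all untagged on VLAN 1
            self.membership[p] = {1: "untagged"}

    def add(self, port, vlan, mode):
        """Tag or untag a port on a VLAN; untagged is allowed on at most one VLAN (rule 2)."""
        if mode == "untagged" and any(
                m == "untagged" and v != vlan for v, m in self.membership[port].items()):
            raise VlanConfigError(f"port {port} is already untagged on another VLAN")
        self.membership[port][vlan] = mode

    def remove(self, port, vlan):
        """Drop a VLAN from a port, but never the last one (the port would be orphaned)."""
        if vlan not in self.membership[port]:
            raise VlanConfigError(f"port {port} is not in VLAN {vlan}")
        if len(self.membership[port]) == 1:
            raise VlanConfigError(f"port {port} would belong to no VLAN")
        del self.membership[port][vlan]

    def vlans_of(self, port):
        return dict(self.membership[port])


def move_untagged(sw, port, vlan):
    """Move a port's untagged membership to `vlan`: add it tagged first (so the port
    is never orphaned), drop the old untagged VLAN, then flip the new one to untagged."""
    sw.add(port, vlan, "tagged")
    for old, mode in list(sw.membership[port].items()):
        if mode == "untagged":
            sw.remove(port, old)
    sw.add(port, vlan, "untagged")


def rejects(action):
    """True if the switch refuses the change (used to show the two failure modes)."""
    try:
        action()
        return False
    except VlanConfigError:
        return True


def build_johns_plan():
    """Ports 1-4 DMZ (untagged 3), port 5 PIX trunk (tagged 2 and 3, no untagged VLAN),
    ports 6-48 LAN (untagged 2)."""
    sw = Switch()
    for p in range(1, 5):
        move_untagged(sw, p, 3)
    sw.add(5, 2, "tagged")
    sw.add(5, 3, "tagged")
    sw.remove(5, 1)              # default VLAN removed last, so no untagged/native VLAN remains
    for p in range(6, 49):
        move_untagged(sw, p, 2)
    return sw
```

`vlans_of(5)` ending up with both VLANs tagged and nothing untagged is the switch-side counterpart of "neither VLAN 2 nor 3 is native" on the PIX trunk.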
Stuart Teo
Trusted Contributor

Re: VLANs on ProCurve 2848

if port 5 is tagged for both vlan 2 and vlan 3 on the procurve side, then on the cisco side make sure that neither vlan 2 nor vlan 3 is native.

i'm not sure if the cisco side requires a native to be defined but if it does, you can say vlan 1 is native and then both vlan 2 and vlan 3 will get tagged.

for your servers in the dmz, you'll need to point to your pix as your router because you want to enforce policies for sessions originating from your dmz going into your lan.
john_1114
Advisor

Re: VLANs on ProCurve 2848

First up, thanks for the response, it was very clear.

When you say

'on the cisco side make sure that neither vlan 2 nor vlan 3 is native'

what do you mean by native?

thanks again
John