Switching and Routing

Overlap VLAN in 1920S

SOLVED
lee_sa2
Occasional Contributor

Overlap VLAN in 1920S

Hi,

I have 4 port-based VLANs (planning to do this on a 1920S) as follows:

ports 1-6 in VLAN 2, ports 7-12 in VLAN 3, ports 13-18 in VLAN 4, and ports 19-24 in VLAN 1 (default). I'd like each VLAN to be unable to communicate with the others, except for VLAN 1. Thus, VLAN 1 can communicate with VLANs 2, 3, and 4. VLAN 1 will be connected to the Internet. I'm not sure whether the 1920S can do this or not. If not, would you please suggest a solution.

Thanks.

3 REPLIES
Ivan_B
HPE Pro

Re: Overlap VLAN in 1920S

Hi @lee_sa2 !

It depends on whether you plan to route those VLANs on the 1920S or whether you will have a dedicated router (so-called 'router-on-a-stick').

For routing on the 1920S you need to create a Vlan-interface for each VLAN, set the IP addresses of those Vlan-interfaces as the default gateways for the hosts in the respective VLANs, create ACLs to filter the inter-VLAN traffic, and then apply the ACLs to the VLANs. For more details about each step check the guide - https://internal.support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00003478en_us

In the router-on-a-stick case you don't need to do anything on the switches; all the configuration should be done on the router, but overall it will look like the previous example - use filtering ACLs on the Vlan-interfaces.


I am an HPE employee


lee_sa2
Occasional Contributor

Re: Overlap VLAN in 1920S

Thanks for the solutions. But my environment requires only 1 subnet for routing (VLAN 1 will be used to route to the Internet), and I would like to apply port-based VLANs. VLAN 2, 3, or 4 is in the same subnet as VLAN 1. Is this possible?

Ivan_B
HPE Pro
Solution

Re: Overlap VLAN in 1920S

Oh, I see now. What you need is host separation inside one single VLAN. This feature is called Private VLANs, but as far as I know the 1920S doesn't support this. The most you can do is to consider the Protected Ports feature:

A port that is a member of a protected ports group is a protected port. A port that is not a member of any protected ports group is an unprotected port. Each port can be a member of only one protected ports group. Ports in the same protected ports group cannot forward traffic to other protected ports within the group, even if they are members of the same VLAN. However, a port in a protected ports group can forward traffic to ports that are in a different protected ports group. A protected port can also forward traffic to unprotected ports. Unprotected ports can forward traffic to both protected and unprotected ports.

However, as you can see, this feature requires you to re-group your hosts, and the logic for grouping is inverse: hosts in one protected port group cannot communicate between themselves, but can communicate with ports in other protected port groups and with unprotected ports. So you need to make the VLAN 1 ports unprotected, so that they communicate with all hosts, and then think about how to group your hosts into protected port groups in order to achieve the desired separation.


I am an HPE employee

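The grouping question in the accepted answer can be checked on paper before touching the switch. The script below is an added example, not from this thread or from HPE documentation: it models the protected-ports forwarding rule exactly as quoted above (traffic is dropped only between two protected ports in the same group), then tests whether a desired port-to-port reachability policy can be expressed with that rule at all, and if so which ports go in which group. The 24-port layout, the VLAN-to-port mapping and both policies are constructed from the original question; nothing here is a real 1920S configuration command.

```python
"""Check whether the protected-ports rule can express a reachability policy.

Added example (not from the thread or HPE documentation). can_forward()
implements the rule quoted in the reply above; the port numbers, the VLAN
layout and the two policies are constructed from the original question.
"""
from itertools import combinations

PORTS = range(1, 25)  # 24 front-panel ports (constructed layout)

# Port-to-VLAN mapping as requested in the original question.
VLAN_OF = {p: 2 if p <= 6 else 3 if p <= 12 else 4 if p <= 18 else 1
           for p in PORTS}


def can_forward(src, dst, groups):
    """Protected-ports rule: a frame is dropped only when BOTH ports are
    protected AND sit in the SAME group.  'groups' maps port -> group id;
    a port missing from the map is unprotected."""
    if src == dst:
        return True
    g_src, g_dst = groups.get(src), groups.get(dst)
    return g_src is None or g_dst is None or g_src != g_dst


def realize(policy):
    """policy(a, b) -> True if ports a and b must be able to talk.

    Returns a groups dict that implements the policy, or None if the
    protected-ports rule cannot express it.  The rule can only block
    'all pairs inside one group', so the set of blocked pairs must be a
    union of disjoint cliques: every port blocked from p must be blocked
    from exactly the same set of ports as p is."""
    blocked = {p: {q for q in PORTS if q != p and not policy(p, q)}
               for p in PORTS}
    groups, next_id = {}, 1
    for p in PORTS:
        if not blocked[p] or p in groups:
            continue                      # unprotected, or already placed
        clique = blocked[p] | {p}
        for q in clique:
            if blocked[q] | {q} != clique:
                return None               # not a clique -> unrealizable
        for q in clique:
            groups[q] = next_id           # each port in exactly one group
        next_id += 1
    return groups


def check(policy, groups):
    """Pairs where a candidate grouping disagrees with the policy."""
    return {(a, b) for a, b in combinations(PORTS, 2)
            if can_forward(a, b, groups) != policy(a, b)}


def requested_policy(a, b):
    """What the original poster asked for: VLAN 1 ports reach everything,
    ports in VLAN 2/3/4 reach only their own VLAN."""
    va, vb = VLAN_OF[a], VLAN_OF[b]
    return va == vb or 1 in (va, vb)


def isolation_policy(a, b):
    """The nearest thing protected ports can do: every host on ports 1-18
    reaches only the VLAN 1 ports 19-24, never another host on 1-18."""
    return VLAN_OF[a] == 1 or VLAN_OF[b] == 1


if __name__ == "__main__":
    print("requested policy realizable:", realize(requested_policy) is not None)
    g = realize(isolation_policy)
    print("isolation policy groups:", sorted(set(g.values())),
          "protected ports:", sorted(g))
    print("mismatches under isolation policy:", len(check(isolation_policy, g)))
    # What happens if ports 1-18 are simply dumped into one group while the
    # requested policy is still the goal: every intra-VLAN pair is broken.
    naive = {p: 1 for p in range(1, 19)}
    print("intra-VLAN pairs broken by naive grouping:",
          len(check(requested_policy, naive)))
```

The result is the practical caveat behind the accepted answer: the requested policy (ports 1-6 talk to each other but not to 7-18, and so on) is not realizable with protected ports at all, because "blocked from port 7" and "allowed to port 2" cannot both hold for port 1 when 2 and 7 would have to share a group. The only separation the feature gives within one VLAN is full host isolation on 1-18 with the VLAN 1 uplink ports left unprotected; anything finer needs Private VLANs or separate subnets with ACLs, as in the first reply.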