
HPE 1920 vlan configuration

 
Lewis2412
Occasional Advisor

HPE 1920 vlan configuration

Hello, thank you for your help. I am needing help programming my HPE switch to allow traffic from separate SSIDs to exit my firewall on assigned ports so that I can keep the SSIDs separated on the network. For instance, I have assigned:

SSID1 to VLAN10
SSID2 to VLAN20
SSID3 to VLAN30

Only VLAN10 will have access to network resources such as printers.

All VLANs need access to the Internet via separate ports on the firewall so that appropriate filtering can take place. The APs have been configured to assign separate VLANs depending on the SSID they connect to.

In my scenario, how do I program the switch to enable a connection to SSID1 to access the network and the Internet through port 1 on the switch, while SSID2 only has access to the Internet through port 2 on the switch, and SSID3 to access the Internet through port 3? 

At this point I have the switch configured as follows:

Port 1 - PVID 1, VLAN10 to Firewall port 1 (192.168.0.x) 
Port 2 - PVID 1, VLAN20 to Firewall port 2 (192.168.2.x) 
Port 3 - PVID 1, VLAN30 to Firewall port 3 (192.168.4.x) 
Ports 4 - 16 - VLAN10 
Ports 17-14 VLAN10, VLAN20, and VLAN30

5 REPLIES
Dunky
Regular Advisor

Re: HPE 1920 vlan configuration

Sounds fairly simple to me.

Do you really need three physically separate connections to the firewall?
If not, just make port 1 on the switch a trunk and allow VLANs 10, 20 and 30.

Make the firewall the gateway for each VLAN (e.g. 192.168.0.1, 192.168.2.1, 192.168.4.1)
If you need three physically separate uplinks from the switch, then put switchport 1 in VLAN 10, 2 in 20 and 3 in VLAN 30.

Use ACLs on the router to control what can access what (there may be a setting depending on your firewall that you have to enable to force the ACLs to be applied to inter-VLAN or LAN-LAN traffic).

Ports 4-16 will be access ports in VLAN 10.

On switch ports 17-24 (I assume you meant 24, not 14), make these trunks for the APs permitting VLANs 10, 20 and 30.

Lewis2412
Occasional Advisor

Re: HPE 1920 vlan configuration

Thanks for your reply! Yes, we want three separate connections to the firewall so that we can apply Internet filtering to staff vs kids and guests. I'll check the firewall for any inter-vlan settings. 

Dunky
Regular Advisor

Re: HPE 1920 vlan configuration

They don't need to be physically separate, I would be inclined to trunk VLANs 10 and 20 on port 1 and keep VLAN 30 (guests) separate. What can see what you will control on the firewall, so you would normally block everything between VLAN 30 and other VLANs.

Btw, on the guest SSID I would implement station isolation.

Lewis2412
Occasional Advisor

Re: HPE 1920 vlan configuration

How do I force each VLAN to pick up its respective DHCP server?

I have set ports as follows:

Port 1 on the firewall to DHCP addresses 192.168.0.x
Port 2 on the firewall to DHCP addresses 192.168.2.x
Port 3 on the firewall to DHCP addresses 192.168.4.x

Currently when I configure any VLAN on the ports, the connections cannot reach the DHCP server. Of course, when I remove the VLAN there are 3 DHCP servers on the switch so you get a random network address from one of the three DHCP servers.

I have the VLANs on the ports set to tagged. Should I set it up differently?

Dunky
Regular Advisor

Re: HPE 1920 vlan configuration

Apologies for not replying sooner but have been out of the office since last week.

You only need to tag traffic on trunk ports, i.e. if you are sending more than 1 VLAN over the port, which in your case it looks as though you are not, hence they should be access ports in the relevant VLANs.

The ports that have clients/servers attached should be configured as access ports in the required vlan.

 

Are you using three separate DHCP servers connected to the switch? If so, then provided the clients and the server switch ports are all configured as access ports in the correct VLAN then it will work correctly.

If, however, you only have one DHCP server with scopes for each VLAN, then you will need to configure DHCP Relay and point to the DHCP server's IP address. I found the easiest way to configure DHCP server when you have lots of VLANs was to configure it for each scope on the firewall.
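
Added example (not part of the thread and not HPE code): a small Python model of 802.1Q port membership that reproduces the three situations described in the posts above, namely tagged uplinks with PVID 1, no VLANs at all, and access-port uplinks with trunked AP ports. It assumes the firewall interfaces accept only untagged frames and that an AP sits on port 17; every function and variable name is hypothetical.

```python
# Added example: minimal 802.1Q membership model for the switch in this thread.
# Ports, VLAN IDs and subnets come from the posts. Assumption: each firewall
# interface accepts only untagged frames. All names here are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int = 1                               # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent out without a tag
    tagged: set = field(default_factory=set)    # VLANs sent out with an 802.1Q tag

FIREWALL = {1: "192.168.0.x", 2: "192.168.2.x", 3: "192.168.4.x"}  # switch port -> scope
AP_PORT = 17

def access(vlan):
    return Port(pvid=vlan, untagged={vlan})

def trunk(vlans, native=1):
    return Port(pvid=native, untagged={native}, tagged=set(vlans))

def dhcp_scopes_reached(ports, client_vlan):
    """Scopes whose firewall port receives a client's broadcast DHCPDISCOVER.

    The AP tags the frame with client_vlan before it enters AP_PORT;
    client_vlan=None models an AP that sends the frame untagged.
    """
    ingress = ports[AP_PORT]
    vlan = ingress.pvid if client_vlan is None else client_vlan
    if vlan not in ingress.tagged | ingress.untagged:
        return []                               # not a member: frame dropped on ingress
    # A broadcast floods to every member port, but the firewall only
    # processes it where the switch sends that VLAN untagged.
    return sorted(s for p, s in FIREWALL.items() if vlan in ports[p].untagged)

# Constructed configurations mirroring the three situations in the thread
AS_POSTED = {1: trunk({10}), 2: trunk({20}), 3: trunk({30}), 17: trunk({10, 20, 30})}
NO_VLANS = {p: access(1) for p in (1, 2, 3, 17)}
AS_ADVISED = {1: access(10), 2: access(20), 3: access(30), 17: trunk({10, 20, 30})}

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("as advised", AS_ADVISED)):
        for vlan in (10, 20, 30):
            print(name, "VLAN", vlan, "->", dhcp_scopes_reached(cfg, vlan))
    print("no VLANs ->", dhcp_scopes_reached(NO_VLANS, None))
```

A result with exactly one scope per VLAN is the segmentation check: an empty list means clients get no lease, and more than one scope means the broadcast domains are not separated.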