
HP 1950 Vlan's and Routing

 
rogerp_1
Frequent Advisor


Hi Guys,

Looking for some help on 10 new HP Office Connect 1950 JG963A switches we are configuring. We are trying to configure this network in the simplest of designs. We need 5 VLANs (Data, AV, Guest, Voice, SPARE); all VLAN traffic is to be separate from each other. One of the JG963A is the main routing switch.

We have got the main routing switch set up and ready with all 5 VLANs working and internet via port 1 using a DrayTek internet router.

Port 2 has a Windows Server on VLAN 1 which provides DHCP to all VLANs. We have tested this by connecting 5 laptops on different VLANs, all of which receive the correct subnet/VLAN.

Currently the laptops, which are on separate VLANs, can all ping each other, so to me this is bad, as we are trying to ensure for security purposes that someone on the guest VLAN cannot ping/access the data VLAN. Not too sure why this is on by default too. I think this is because inter-VLAN routing is enabled by default, but I could be wrong.

Can someone explain to me why this is left on, and how to restrict VLANs from talking to each other?

If it makes any difference, the router on port one is a very basic unit with only a route added so it knows about all the VLANs. Nothing else is configured here.

One final question: as I have another nine of these switches to configure, is there any way I can copy the config from the main unit and push it to the other 9? I understand I cannot stack these, which is a damn shame.

Thanks

Roger

3 REPLIES
akg7
HPE Pro

Re: HP 1950 Vlan's and Routing

Hello @rogerp_1 ,

Inter-VLAN routing is enabled by default in Comware-based switches.

You need to configure an ACL to filter inter-VLAN routing.

There is a limitation that you cannot put 10 switches in IRF.

I believe you can put 4 in an IRF stack.

 

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company
-Alex-
HPE Pro

Re: HP 1950 Vlan's and Routing

Hello rogerp_1,

In order to isolate traffic to only the local VLAN, you need to use ACLs for the VLANs:

e.g.

For VLAN 1, inbound:

deny VLAN 1 subnet to VLAN 2
deny VLAN 1 subnet to VLAN 3
deny VLAN 1 subnet to VLAN 4
deny VLAN 1 subnet to VLAN 5
permit any any

The above should be done for each VLAN.

Hope this helps!

 

I am an HPE Employee
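The per-VLAN inbound ACL scheme described above, modelled as first-match rule evaluation in Python (an added example, not code from the thread or from HPE, and not switch configuration syntax). The subnets, the VLAN numbering and the DHCP server address are constructed assumptions; the model also shows that a unicast request from another VLAN to the DHCP server on VLAN 1 is dropped unless a permit rule is placed before the denies.

```python
# Added example: first-match model of the per-VLAN inbound ACL sketched above.
# Subnets, VLAN name-to-ID mapping and the server address are constructed.
from ipaddress import ip_address, ip_network

VLANS = {  # hypothetical addressing plan; the thread does not give one
    1: ip_network("192.168.1.0/24"),  # Data (holds the DHCP server)
    2: ip_network("192.168.2.0/24"),  # AV
    3: ip_network("192.168.3.0/24"),  # Guest
    4: ip_network("192.168.4.0/24"),  # Voice
    5: ip_network("192.168.5.0/24"),  # Spare
}
DHCP_SERVER = ip_address("192.168.1.10")  # constructed address on VLAN 1
ANY = ip_network("0.0.0.0/0")


def build_inbound_acl(vlan, allow_dhcp_server=False):
    """Rules for traffic entering the switch from `vlan`, in match order."""
    src = VLANS[vlan]
    rules = []
    if allow_dhcp_server and vlan != 1:
        # The exception must precede the denies: the first matching rule wins.
        rules.append(("permit", src, ip_network(f"{DHCP_SERVER}/32"), "udp", 67))
    for other, dst in VLANS.items():
        if other != vlan:
            rules.append(("deny", src, dst, "ip", None))
    rules.append(("permit", ANY, ANY, "ip", None))  # the final "permit any any"
    return rules


def evaluate(rules, src, dst, proto="ip", dport=None):
    """Return the action of the first rule that matches the packet."""
    s, d = ip_address(src), ip_address(dst)
    for action, rsrc, rdst, rproto, rport in rules:
        if (s in rsrc and d in rdst
                and rproto in ("ip", proto) and rport in (None, dport)):
            return action
    return "deny"  # unreachable here because of the trailing permit


if __name__ == "__main__":
    guest = build_inbound_acl(3)
    print("guest -> data     :", evaluate(guest, "192.168.3.50", "192.168.1.20"))
    print("guest -> internet :", evaluate(guest, "192.168.3.50", "203.0.113.5"))
    print("guest -> DHCP srv :", evaluate(guest, "192.168.3.50", "192.168.1.10", "udp", 67))
    fixed = build_inbound_acl(3, allow_dhcp_server=True)
    print("with exception    :", evaluate(fixed, "192.168.3.50", "192.168.1.10", "udp", 67))
```

The initial DHCP broadcast has source 0.0.0.0, so it does not match any of the deny rules in this model; only unicast traffic from a client address to the server is affected.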

rogerp_1
Frequent Advisor

Re: HP 1950 Vlan's and Routing

Right, I think I'm now starting to understand it.

However, I presume if I add all the denies and set up ACLs to deny traffic between each other, and I need for whatever reason to allow a PC to access all VLANs, I can do this by untagging/tagging the port to all the required VLANs? Is that correct?

Also to add, can we do this from the GUI interface?