[VLAN] Inter-VLAN Routing HP Procurve 1700

hysteresis
Hello everyone,

I have an HP Procurve 1700 - 24 ports.
I created 2 VLANs -

* VLAN 1: Ports 7 and 9
* VLAN 2: Ports 7 and 10

Ports config:

7 untagged, VLID 1
9 untagged, VLID 1
10 untagged, VLID 2

I can communicate with ports 7 and 9 when both ports have the same VLID, but ports 7 and 10 do not work, and I can only assign one VLID per port.

However, on the main page, I can see that ports 7 and 9 are members of VLAN 1 and ports 7 and 10 are members of VLAN 2.

In fact, I would like to connect my firewall/router to port 7, my Wi-Fi router to port 9, and my other network 200.200.1.X to port 10.

My goal is for the Wi-Fi and my 200.200.1.X network not to see each other.

Could you please let me know if it is possible to share a port on my switch across multiple VLANs?

Thank you

Laurent.

3 answers

brupala
 
Hi,
oh no, that's not how it works.
A port can be a member of several static VLANs (per port) only if it is tagged.
Otherwise, ports belonging to different VLANs are isolated from each other.
VLANs can only be connected by a router.
In your case, you would need a router with 2 different Ethernet interfaces (not a built-in switch) that could connect each VLAN independently.
These 2 interfaces can be on the same physical port if the router also handles 802.1Q encapsulation to identify the VLANs (the switch port then being in tagged mode on both VLANs), or on 2 different physical ports if the router does not handle VLANs.
By the way,
what is VLID? Is it the same as PVID?
--
and ... Here you go!
Hysteresis
 
Thank you for your response Brupala,

Indeed, it is not VLID but PVID!!
I thought it was still possible to assign a port to multiple VLANs!!

Let me explain my case again,

I have a firewall router (WatchGuard) with 3 network interfaces

- External (for the connection to the ADSL router)
- Trusted (to my network 10.101.X.X)
- Optional (to a D-Link Wi-Fi router 192.168.2.1)

I have another network in the company (200.200.1.X), which is physically connected to my network 10.101.X.X.

For now, people who want to use VPN on my network 200.200.1.X go through the 10.101.X.X (trusted) network.

I would like to eliminate the link between the 10.101.X.X and the 200.200.1.X networks.

So my goal is to route the VPN through the connection to the D-Link router, which should be connected to my 200.200.1.X switch.

And I wanted to place a switch with VLAN between the 200.200.1.X switch and my D-Link router because DHCP packets are passing on both.

Hoping I have been as clear as possible.....
Nounours
 
Hello,

For a port to be visible from multiple VLANs, it must be included in all the VLANs from which it is visible, and the VLAN Aware box should be unchecked on the 1700.

Example with port 2 as a common gateway to 1 and 3
port 1: VLAN 1 and 2 PVID 1
port 2: VLAN 1, 2, and 3 PVID 2
port 3: VLAN 2 and 3 PVID 3

It works: it is reachable from the other VLANs, and the VLANs do not see each other.
Be careful to uncheck only this port, and also to give the other ports PVIDs that differ from each other, to prevent someone clever from tagging with the right ID using a switch and getting through.

Always verify the separation with pings, and remember that a hacker can force the PVID using a switch, so the return of tagged frames must properly prevent that.

That said, the operation of the 1700 does not seem obvious for VLANs.

Nounours
Nounours
 
A clarification: in my previous response I forgot to mention that on VLAN 1 and VLAN 3 I only have servers directly connected to the ports. If there are switches and users, a clever one could potentially tag the frames however they want, and thus see 1 from 3, for example, by tagging the frames with 1 using a switch (the PVID is only set by the 1700 in the absence of a tag on the frame).
So be cautious about that.

Nounours
brupala
 
No, because users are typically connected to untagged access ports and single VLANs, so if they send tagged frames, the switch won't read them or will only place them in the default VLAN.
Tagged ports should be reserved for trunk ports and possibly for ports to servers.
--
and ... Here you go!
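The two technical points of this thread, brupala's first reply (untagged ports with different PVIDs are isolated; one tagged trunk port can carry both VLANs to an 802.1Q-capable router) and the later exchange between Nounours and brupala about a host forging its own 802.1Q tags, can be made concrete with a small model of a switch's ingress classification and egress membership. The following is an added example written for this page, not code from the original posters or from HP: it builds and parses 802.1Q frames with Python's `struct` module and applies the textbook rules (untagged ingress frame gets the port's PVID; a tagged frame is honoured only on a port configured to admit tags and only for a VLAN the port is a member of). The port names, MAC addresses, payload, the trunk's unused native VLAN 99 and the "lax" port 10 variant are all constructed assumptions for the demo; how the real ProCurve 1700 treats tagged frames on an untagged port is not something this model asserts.

```python
"""Model of 802.1Q ingress classification and egress membership on a small switch.

Added example for this thread (not HP code or documentation). Behaviour follows
the textbook 802.1Q model; a given switch's handling of tagged frames arriving on
an untagged port may differ, so treat the results as the rule, not as the 1700.
"""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value announcing an 802.1Q tag


@dataclass(frozen=True)
class Port:
    pvid: int                   # VLAN assigned to untagged ingress frames
    members: FrozenSet[int]     # VLANs this port may carry at all
    admit_tagged: bool = False  # trunk behaviour: honour 802.1Q tags on ingress


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]          # None when the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header; pull the VID out of the TCI if a tag is present."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, off = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid, off = tci & 0x0FFF, 18
    return Frame(dst, src, vid, ethertype, raw[off:])


def classify_ingress(port: Port, frame: Frame) -> Optional[int]:
    """VLAN the frame is switched in, or None if the port drops it."""
    if frame.vid is None:
        return port.pvid            # untagged: the PVID decides, not the host
    if not port.admit_tagged:
        return None                 # access port: a tag supplied by the host is not trusted
    return frame.vid if frame.vid in port.members else None


def forward(switch: Dict[str, Port], ingress: str, raw: bytes
            ) -> Tuple[Optional[int], Dict[str, bool]]:
    """Return (vlan, {egress port: sent tagged?}); (None, {}) when dropped."""
    vlan = classify_ingress(switch[ingress], parse_frame(raw))
    if vlan is None:
        return None, {}
    out = {}
    for name, port in switch.items():
        if name != ingress and vlan in port.members:
            out[name] = vlan != port.pvid   # tagged on egress unless it is the port's native VLAN
    return vlan, out


# Constructed MAC addresses and payload for the demo (assumptions, not from the thread).
ROUTER = b"\x02\x00\x00\x00\x00\x07"
WIFI = b"\x02\x00\x00\x00\x00\x09"
HOST = b"\x02\x00\x00\x00\x00\x0a"
BCAST = b"\xff" * 6
PAYLOAD = b"\x00" * 46

# The poster's layout, done the way brupala describes: port 7 is a tagged trunk to the
# router for VLANs 1 and 2 (PVID parked on an otherwise unused VLAN 99, an assumption
# so that both VLANs leave tagged), ports 9 and 10 are plain untagged access ports.
OP_SWITCH = {
    "port7": Port(pvid=99, members=frozenset({1, 2, 99}), admit_tagged=True),
    "port9": Port(pvid=1, members=frozenset({1})),     # Wi-Fi router
    "port10": Port(pvid=2, members=frozenset({2})),    # 200.200.1.x network
}

# The weakness Nounours warns about, modelled as a hypothetical misconfiguration:
# port 10 is left a member of VLAN 1 as well and honours tags from whatever is plugged in.
LAX_SWITCH = dict(OP_SWITCH,
                  port10=Port(pvid=2, members=frozenset({1, 2}), admit_tagged=True))


def demo(switch: Dict[str, Port] = OP_SWITCH) -> Dict[str, Tuple[Optional[int], Dict[str, bool]]]:
    """Three ingress events: Wi-Fi side untagged, router tagged for VLAN 2, host forging VID 1."""
    return {
        "wifi_untagged": forward(switch, "port9", build_frame(BCAST, WIFI, 0x0806, PAYLOAD)),
        "router_tagged_2": forward(switch, "port7", build_frame(BCAST, ROUTER, 0x0806, PAYLOAD, vid=2)),
        "host_forges_vid1": forward(switch, "port10", build_frame(BCAST, HOST, 0x0806, PAYLOAD, vid=1)),
    }
```

With `OP_SWITCH`, an untagged frame from the Wi-Fi router is switched in VLAN 1 and reaches only the trunk, tagged; the router's VID 2 frame reaches only port 10, untagged; and a host on port 10 that tags a frame with VID 1 is dropped, because an access port does not honour tags. With `LAX_SWITCH` the same forged frame is accepted into VLAN 1 and reaches both the trunk and the Wi-Fi port, which is exactly the hop the thread warns about: a port that is a member of more than one VLAN and trusts the host's tag lets the host choose its VLAN, so such ports belong only on trunks and directly attached servers.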