Aruba Instant On 1930 VLAN Configuration
xGunner
Hello,
My goal is for the machines on VLAN 2 to only see the IPs I authorize in order to isolate them from the rest of the network. However, I want to have internet access on these machines as well as access to a PC via 192.168.1.250
I have tried various configurations, but I can't get two VLANs to work on a 24+4 Aruba Instant On 1930 Switch
By default, in the network section, I have my main network (VLAN 1) which is connected to the Wi-Fi (AP22)
I created a second network VLAN 2
Here is the configuration for VLAN 1:
And for VLAN 2: (ports 12 and 18)
The option that I was thinking of using to allow certain IPs:
Here, I am not familiar with Instant On or VLANs, so maybe it is impossible
I also do not quite understand the functioning of "Unmarked" (U), "Tagged" (T), or when the choice is empty (like ports 12 and 18 in the VLAN 1 config)
Thank you in advance for your help
EDIT:
I am not sure if this is what I was supposed to do, but I enabled routing:
Once again, I do not know if this is what I was supposed to do.
2 replies
Hi,
Aruba is HP, right?
Well, first of all, the U/T VLANs on the ports are untagged (U) or tagged (T) in the sense of 802.1Q tags. Tags allow the propagation of VLAN membership information from one switch to another or even to a router or server (if they support it).
Only one untagged VLAN is allowed on a port and will be the default VLAN where all untagged frames received will go.
Your VLAN 2 is present on all ports, either tagged or untagged.
Then, regarding IP, if you enable routing, you need different IP networks on each VLAN and the switch's IP address as the default gateway; otherwise, the two VLANs will be unable to communicate.
For the filtering you want to do, I'm not familiar with Aruba, but I assume that like on other switches/routers, you can configure access lists to filter at layer 2 (MAC addresses) or layer 3 (IP addresses).
https://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/UG_files/Roles_and_policies/ACL_section.htm?TocPath=Roles+and+Policies%7CAccess+Controll+List+Rules%7C%24%24%24%24%240, that's what it's for, provided that you go through routing, of course.
Look at your VLAN interface:
- You can create your VLAN
- You can tag or untag the ports on the VLAN (VLAN Membership interface)
But there is also a "VLAN Interface configuration" interface, which allows you to define the VLAN ID (even though you have already configured it)... well, you will see the ID with the default VLAN and a field with the VLAN you have configured. Change the VLAN ID of the ports so that it matches the untagged VLAN...
That should be OK.
The configuration of VLAN 2 during creation is "tagged" for all ports by default; I only changed ports 12 and 18 to "Untagged", thinking that this would assign them to VLAN 2. Surely I am mistaken on this point.
I will try to explain better what I want to do (sorry it was poorly explained in my first post):
VLAN 1 ports 1 to 10 + 21 to 24 (Port 23 connected to the internet box which is on IP 192.168.1.254)
VLAN 2 ports 11 to 20
On the PC side, I would like them to be on the same IP range, e.g.:
PC 1 - 192.168.1.11 - VLAN 2
PC 2 - 192.168.1.12 - VLAN 2
PC 3 - 192.168.1.13 - VLAN 1
PC 4 - 192.168.1.14 - VLAN 1
PC 5 - 192.168.1.250 - VLAN 1
PC 1 sees PC 5
PC 2 sees PC 5
PC 3 sees PCs 4 and 5
PC 5 sees PCs 1, 2, 3, and 4
Today, if I connect a PC to port 12, it takes IP 169.254.201.121 (I understand that this is due to the lack of an active DHCP server on the VLAN)
Concretely, what should I change on my VLANs? I specify that I am completely new to the subject.
One untagged VLAN per port; the others must be tagged. Since you already have VLAN 1 untagged, VLAN 2 goes directly to tagged, and when you set it to untagged, you remove VLAN 1.
I checked: this switch is an L2 switch, so it normally doesn't do routing. Your box would need to perform the routing between VLANs, otherwise machines on VLAN 2 cannot communicate with VLAN 1. Moreover, there need to be two different IP networks on two different VLANs; the same IP network cannot exist on multiple VLANs.
It's clear that you are a beginner here...
But PC1 and PC2 speaking with PC5 is abnormal, or there is something else connecting them otherwise.
Always remember that VLANs are used for isolation.
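An added example, not part of the thread: a Python model of the two rules given in the replies (one untagged VLAN per port, a separate IP network per VLAN) and of a first-match allow-list like the layer 3 access list the first reply suggests. The 192.168.2.0/24 subnet, the function names and the ACL entries are assumptions made for illustration; this is not Instant On configuration syntax.

```python
import ipaddress

def check_plan(ports, subnets):
    """Return a list of violations of the two rules stated in the replies."""
    problems = []
    # Rule 1: a port may have at most one untagged (U) VLAN; others must be tagged (T).
    for port, vlans in sorted(ports.items()):
        untagged = sorted(v for v, mode in vlans.items() if mode == "U")
        if len(untagged) > 1:
            problems.append(f"port {port}: untagged in VLANs {untagged}")
    # Rule 2: each VLAN needs its own IP network; overlapping subnets cannot be routed.
    nets = sorted(subnets.items())
    for i, (va, na) in enumerate(nets):
        for vb, nb in nets[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"VLAN {va} and VLAN {vb} overlap: {na} / {nb}")
    return problems

def acl_decision(acl, dst):
    """First-match evaluation of an ordered ACL; anything unmatched is denied."""
    addr = ipaddress.ip_address(dst)
    for action, net in acl:
        if addr in net:
            return action
    return "deny"

def planned_ports():
    """Ports 11-20 untagged in VLAN 2, all others untagged in VLAN 1 (from the thread)."""
    return {p: ({2: "U"} if 11 <= p <= 20 else {1: "U"}) for p in range(1, 25)}

# Constructed addressing: 192.168.2.0/24 for VLAN 2 is an assumption, not from the thread.
FIXED_SUBNETS = {1: ipaddress.ip_network("192.168.1.0/24"),
                 2: ipaddress.ip_network("192.168.2.0/24")}
# What the original post asked for: the same range on both VLANs.
SAME_RANGE = {1: ipaddress.ip_network("192.168.1.0/24"),
              2: ipaddress.ip_network("192.168.1.0/24")}

# Allow-list for traffic routed out of VLAN 2. Order matters: the host permit
# must precede the deny that covers the rest of VLAN 1.
ACL_FROM_VLAN2 = [
    ("permit", ipaddress.ip_network("192.168.1.250/32")),  # the one authorized PC
    ("deny",   ipaddress.ip_network("192.168.1.0/24")),    # rest of VLAN 1
    ("permit", ipaddress.ip_network("0.0.0.0/0")),         # internet
]

if __name__ == "__main__":
    print(check_plan(planned_ports(), SAME_RANGE))
    print(check_plan(planned_ports(), FIXED_SUBNETS))
    for dst in ("192.168.1.250", "192.168.1.13", "8.8.8.8"):
        print(dst, acl_decision(ACL_FROM_VLAN2, dst))
```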