Simple VLAN Setup

December 23, 2007 at 13:26:51
Specs: HP, N/A

Hello,

I am attempting to set up a 2 VLAN configuration for a public wireless network and an internal wireless/wired network. I have a Procurve 2650 Switch and a Procurve 7102dl router with two Procurve 420 Access Points. The router is set up for eth0/1 to connect to the DSL modem, eth0/2.1 for 192.168.1.1 255.255.255.0, and eth0/2.2 for 10.100.100.1 255.255.255.128. Tagging is enabled: VLAN 1 has a VID of 1 (Default_VLAN) and VLAN 2 has a VID of 2 (WLAN_PUBLIC). The switch is set up with an IP of 192.168.1.3, and Port 50 (uplink) is tagged for VLAN 1 and 2. Port 48 is tagged for the VLAN 2 access point and Port 47 is tagged for the VLAN 1 access point. Now DHCP is working correctly on the router: depending on which network a client connects to, it serves the correct address. I can still ping between the VLANs, and I do not want them to be able to see each other, so as to isolate the public wireless from our internal network.

To recap:

Router - 7102dl
eth0/1 = Public IP Address
eth0/2.1 = 192.168.1.1
eth0/2.2 = 10.100.100.1
DHCP is enabled on the router to serve either network, depending on which one the client is connected to.

Switch - 2650
Port 50 - Tagged (VID 1 & 2)
Port 48 - Tagged (VID 2)
Port 47 - Tagged (VID 1)
Port 1-46 - Untagged (Default_VLAN) - No (WLAN_Public)
VLAN 1 has a switch IP address of 192.168.1.3
VLAN 2 has a switch IP Address of 10.100.100.3

IP Routing is enabled on both the Router and the Switch but even when I disable that on both, the two networks can still see each other.

Do I need to have IP Routing enabled or disabled?
Is my tagging scheme correct?
Do I need IP addresses assigned to the VLANs, or is that purely management oriented?

Thank you all in advance for help!!!

-Adam




#1
December 24, 2007 at 07:44:58

Hi Adam,

you're on the right track:

I would:

1.) disable IP routing on the switch but not the router (no need for the switch to be able to route unless you want to route in between the VLANs at the switch and not the router, in which case you would then want to set the subinterface on the router 0.2 to be one interface (you wouldn't need to subinterface anymore because the switch would do the VLAN routing)).

Long story short use one or the other to route between the VLANs but not both.

2.) set up a simple ACL (access control list) in the router (or switch) to deny any 192.168.1.0 to 10.100.100.0 (this is of course assuming you are subnetting both with 255.255.255.0),
and deny any 10.100.100.0 to 192.168.1.0.

You use ACLs for control so that even if you didn't want to block all services you could permit a few ports to be open. I.e., let's say you want the public WLAN to be able to access an email server in the internal network; rather than send them through the internet and back in, you could simply set up an ACL to permit SMTP and deny all other ports. Then your public WLAN would be able to access emails locally but nothing else (not even ping).

As for why you were able to see the network when you disabled IP routing on both the switch and router: at that instant you made it a simple layer 2 switch, and they probably all got the same IP addressing scheme from DHCP when you did.

D
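The following is an added example, not part of the thread and not HP ProCurve configuration: a small Python model of the ACL scheme described in the reply above, treated as a stateless, first-match access list with an implicit deny at the end, so the isolation can be checked against sample packets before anything is typed into a router. The subnets are the ones from the original post (10.100.100.0/25 for the public WLAN, as Adam stated it, rather than the /24 the reply assumes); the mail server 192.168.1.25 and the Internet host 203.0.113.10 are constructed for the example. Because such an ACL has no connection state, the mail server's replies back to public clients have to be permitted explicitly (here by source port 25), otherwise the SMTP session that the deny rules were meant to leave open never completes; the model also shows that a packet entering the public VLAN with a spoofed internal source address falls through to the implicit deny.

```python
# Added example: model a stateless, first-match IP access list and check
# that the two-VLAN isolation from the thread behaves as intended.
# Not device configuration. Subnets come from the original post; the mail
# server (192.168.1.25) and Internet host (203.0.113.10) are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network

INTERNAL = ipaddress.ip_network("192.168.1.0/24")      # eth0/2.1, VLAN 1 (Default_VLAN)
PUBLIC = ipaddress.ip_network("10.100.100.0/25")        # eth0/2.2, VLAN 2 (WLAN_PUBLIC), /25 per the post
ANY = ipaddress.ip_network("0.0.0.0/0")
MAIL_SERVER = ipaddress.ip_network("192.168.1.25/32")   # hypothetical internal SMTP host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: IPv4Net
    dst: IPv4Net
    sport: Optional[int] = None   # None = any source port
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match means the implicit deny at the end."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Applied inbound on the public WLAN interface (VLAN 2 / eth0/2.2).
PUBLIC_IN = [
    Rule("permit", "tcp", PUBLIC, MAIL_SERVER, dport=25),  # SMTP to the one allowed internal host
    Rule("deny", "ip", PUBLIC, INTERNAL),                  # nothing else into the internal LAN
    Rule("permit", "ip", PUBLIC, ANY),                     # Internet via eth0/1 still works
]

# Applied inbound on the internal interface (VLAN 1 / eth0/2.1). The list is
# stateless, so the mail server's replies (source port 25) need their own permit.
INTERNAL_IN = [
    Rule("permit", "tcp", MAIL_SERVER, PUBLIC, sport=25),  # SMTP replies back to public clients
    Rule("deny", "ip", INTERNAL, PUBLIC),                  # no other traffic toward the public WLAN
    Rule("permit", "ip", INTERNAL, ANY),                   # Internet access for the internal LAN
]

ACLS = {"public": PUBLIC_IN, "internal": INTERNAL_IN}


def decide(pkt: Packet, ingress: str) -> str:
    """Evaluate the access list bound to the VLAN the packet arrives on."""
    return evaluate(ACLS[ingress], pkt)


if __name__ == "__main__":
    samples = [  # constructed traffic
        (Packet("10.100.100.50", "192.168.1.25", "tcp", 51000, 25), "public"),
        (Packet("10.100.100.50", "192.168.1.25", "tcp", 51000, 80), "public"),
        (Packet("10.100.100.50", "192.168.1.10", "icmp"), "public"),
        (Packet("10.100.100.50", "203.0.113.10", "tcp", 51000, 443), "public"),
        (Packet("192.168.1.25", "10.100.100.50", "tcp", 25, 51000), "internal"),
        (Packet("192.168.1.10", "10.100.100.50", "icmp"), "internal"),
        (Packet("192.168.1.10", "192.168.1.25", "tcp", 51000, 25), "public"),  # spoofed source
    ]
    for p, vlan in samples:
        print(f"{vlan:8} {p.proto:4} {p.src:>15} -> {p.dst:>15}:{p.dport}  {decide(p, vlan)}")
```

Running the block prints the verdict for each sample: only SMTP to the mail server and Internet-bound traffic are permitted from the public side, only the mail server's port-25 replies and Internet-bound traffic from the internal side, and everything else between the two subnets (including ping) is denied.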



#2
December 24, 2007 at 11:11:58

Thank you very much, that was perfect. I don't know why I didn't think of ACLs; I just assumed that creating two VLANs would separate the networks from seeing each other. Now it works perfectly! Thanks again!

-Adam

