CHI-LTD
Enable DHCP on vlan20 (ports 3-48) on HP 2910al Switch
IP address of switch is 172.19.4.5
I have vlan01 (default) on port 1
I currently am unable to manage the device on any other ports.
The management is only enabled on vlan01, don't seem to be able to change it?
Can vlan20 be configured to route out of the switch ip?
Can i configure dhcp server on the switch on vlan20 for 172.19.106.*?
thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Can i have 2 management lans?
SOLUTION
ASKER
so i can untick the management option enabling me to manage the device from anywhere?
yes you can.
But if security is important, there are also other options:
http://www.hp.com/rnd/pdfs/Hardening_ProCurve_Switches_White_Paper.pdf
ASKER
ok, I'll try it, but have a feeling i already have then couldn't manage it at all?
SOLUTION
ASKER
isn't the 2910al capable of this?
Yes it is.
I assume you have
vlan 1
   ip address 172.19.4.5 255.255.255.0
   exit
then assign fx 172.19.106.1 to vlan 20:
vlan 20
   ip address 172.19.106.1 255.255.255.0
   exit
enable routing:
IP ROUTING
set a default gateway to fx 172.19.4.1 (your next hop)
IP ROUTE 0.0.0.0 0.0.0.0 172.19.4.1
on your router there should be routes back to networks on the L3-switch fx
network 172.19.106.0 255.255.255.0 via 172.19.4.5
HTH
ASKER
No i currently have:
vlan01 on all switches. the 2910 has a vlan01 and a vlan20 setup.
vlan01 172.19.4.5/24 (255.255.0.0) - ports 1-6, port 1 connected to vlan01 on another switch (no trunks).
vlan20 172.16.4.5/24 - ports 7-48, port 48 going to a windows machine.
dhcp configured on 172.19.10.17 with 172.16.0.0 and ip helper added to the vlan20.
Current Setup (with no voice yet):
Firewall vlan01 - to hp 1910 switch on vlan01 - to hp2910al vlan01 - to client machine test
Planned setup (with new voip system and new firewall):
firewall vlan01 - to hp1910 switch vlan01 only - client machines and server only
firewall vlan20 - to hp2910 switch vlan20 only - voice kit/phones/switches only
ASKER
sorry /16 not /24
ASKER
current switch config:
Running configuration:
; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
interface 1
name "HP1910"
no power-over-ethernet
exit
interface 2
no power-over-ethernet
exit
interface 3
no power-over-ethernet
exit
interface 4
no power-over-ethernet
exit
interface 5
no power-over-ethernet
exit
interface 6
no power-over-ethernet
exit
interface 7
name "Shoretel E1k"
exit
interface 8
name "Shoretel SG90"
exit
interface 9
name "Shoretel SG90Bri"
exit
interface 48
name "vlan20 to Firewall"
exit
snmp-server community "public" unrestricted
snmp-server contact "IT" location ""
vlan 1
name "DEFAULT_VLAN"
no untagged 7-48
untagged 1-6
ip address 172.19.4.5 255.255.0.0
exit
vlan 20
name "Voice"
untagged 7-19,23-48
ip address 172.16.4.5 255.255.0.0
ip helper-address 172.19.10.17
exit
vlan 30
name "Voice "
untagged 20-22
ip address 10.0.0.1 255.255.255.0
ip helper-address 172.19.10.18
exit
no autorun
password manager
I have added a second voice vlan30 as a test, this isn't working either...
I do not see a
IP ROUTING
statement in your 2910-config.
you have a L2 gateway, but no L3 DGW
dhcp configured on 172.19.10.17 should have clients point to 172.16.4.5 as dgw
I suppose vlan 30 would use same DHCP-server= 172.19.10.17?
ASKER
vlan30 was just a test and will be deleted soon.
config:
Running configuration:
; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
ip routing
interface 1
name "HP1910"
no power-over-ethernet
exit
interface 2
no power-over-ethernet
exit
interface 3
no power-over-ethernet
exit
interface 4
no power-over-ethernet
exit
interface 5
no power-over-ethernet
exit
interface 6
no power-over-ethernet
exit
interface 7
name "Shoretel E1k"
speed-duplex 100-full
exit
interface 8
name "Shoretel SG90"
speed-duplex 100-full
exit
interface 9
name "Shoretel SG90Bri"
speed-duplex 100-full
exit
interface 48
name "vlan20 to Firewall"
exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
name "DEFAULT_VLAN"
no untagged 7-48
untagged 1-6
ip address 172.19.4.5 255.255.0.0
exit
vlan 20
name "Voice"
untagged 7-19,23-48
ip address 172.16.4.5 255.255.0.0
ip helper-address 172.19.10.17
exit
vlan 30
name "Voice2"
untagged 20-22
ip address 10.0.0.1 255.255.255.0
ip helper-address 172.19.10.18
exit
no autorun
password manager
I think you have to deal with IP-routing (DGW's)
what is dgw of 172.19.10.17?
fx. is it fw or 172.19.4.5
this switch does not know of fw (or next hop router)
-guess 172.19.10.15?, if so add to your config:
IP ROUTE 0.0.0.0 0.0.0.0 172.19.10.15
routes back on fw configured?
ASKER
DGW of .17 is 172.19.10.15
fx. is it fw or 172.19.4.5 - not sure what you mean here?...
If you do not want vlan 20 clients to reach internet
either set up some ACL's
or
on DHCP server add a static route to 172.16.0.0 255.255.0.0 via gateway 172.19.4.5
but anyway vlan 20 clients should have 172.16.4.5 as dgw
HTH
"DGW of .17 is 172.19.10.15
fx. is it fw or 172.19.4.5 - not sure what you mean here?..."
Normally you would have routing along these lines:
For the inter-vlan-routing:
all dgw's of clients should point to their vlan-IP as set up on L3-switch
on L3-switch (so dgw of 172.19.10.17 fx should be 172.19.4.5)
For access outside of vlans known on L3-switch, there should be a
default-gateway for the switch's routing-engine
and
on this (=Firewall, I assume) there should be routes back to the networks, not directly connected to firewall, so packets destined to networks on L3 not to go out the FW's dgw (=disappear in the cloud)
But as mentioned there also is the possibility with the dgw=fw to reach the vlan20,
provided you on every server and pc meant to do that, issue a
ROUTE ADD statement
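Added example, not part of the original thread and not HP's tooling: a small Python check, with the hypothetical helper name audit, run over a trimmed, constructed copy of the running-config posted above. It reports the points raised in the answers (missing "ip routing", missing default route, the route back the next hop needs for each VLAN subnet it is not attached to) and also flags the "unrestricted" SNMP community, which on ProCurve means read-write access.

```python
import ipaddress
import re

# Constructed sample: trimmed from the running-config posted in this thread.
SAMPLE_CONFIG = """\
ip routing
snmp-server community "public" unrestricted
vlan 1
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
"""

def audit(config):
    """Return findings for a ProCurve-style running-config (hypothetical helper)."""
    lines = [l.strip() for l in config.splitlines()]
    vlans, vid, findings = {}, None, []
    for line in lines:
        if m := re.fullmatch(r"vlan (\d+)", line):
            vid = int(m.group(1))
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and vid is not None:
            vlans[vid] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif line == "exit":
            vid = None
    routing = any(l.lower() == "ip routing" for l in lines)
    hops = [l.split()[-1] for l in lines if l.lower().startswith("ip route 0.0.0.0 0.0.0.0 ")]
    if len(vlans) > 1 and not routing:
        findings.append("no 'ip routing': the switch will not route between VLANs")
    if routing and not hops:
        findings.append("'ip routing' set but no 'ip route 0.0.0.0 0.0.0.0 <next-hop>'")
    for hop in map(ipaddress.ip_address, hops):
        via = next((i for i in vlans.values() if hop in i.network), None)
        if via is None:
            findings.append(f"next hop {hop} is not on a connected VLAN subnet")
            continue
        for i in vlans.values():
            if i is not via:  # subnet the next hop cannot see directly
                findings.append(f"{hop} needs a route back: "
                                f"{i.network.network_address} {i.netmask} via {via.ip}")
    for l in lines:
        if l.startswith("snmp-server community") and l.endswith("unrestricted"):
            findings.append(f"read-write SNMP community: {l}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG + "ip route 0.0.0.0 0.0.0.0 172.19.10.15\n")))
```

With the default route appended, the route-back finding matches the static route suggested earlier in the thread (172.16.0.0 255.255.0.0 via 172.19.4.5).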
ASKER
ok.
Would the proposed work without setting up static routes?
thanks
Current--test--vs-New-Setups.jpg
"Would the proposed work without setting up static routes?"
yes,
If all client dgw's match the IP's of respective vlan's (here on ASA) .
I am not an expert on setting up the ASA's ACL's however.
ASKER
Apparently our asa come with only 1x licence so can't set up multiple vlans on it for this test....
ASKER
A tracert from Client01 (using dhcp) is failing to 172.16.4.5.
Resolves to our external WAN ip of the Cisco router..
Then we are back to around https://www.experts-exchange.com/questions/28229435/Enable-DHCP-on-vlan20-ports-3-48-on-HP-2910al-Switch.html?anchorAnswerId=39487605#a39487605, I guess
ASKER
Sure...
ASKER
the voice ports 2-48 will be voice only but need to talk to the data lan..