Enable DHCP on vlan20 (ports 3-48) on HP 2910al Switch

IP address of switch is 172.19.4.5
I have vlan01 (default) on port 1

I currently am unable to manage the device on any other ports.
The management is only enabled on vlan01, don't seem to be able to change it?

Can vlan20 be configured to route out of the switch IP?

Can I configure a DHCP server on the switch on vlan20 for 172.19.106.*?

thanks
CHI-LTD Asked:

CHI-LTD Author Commented:
Just to add, I think port 1 will be connected into another data switch.
The voice ports 2-48 will be voice only but need to talk to the data LAN.
0
jburgaard Commented:
Did you declare vlan1 to be the management-vlan? Then the switch cannot be managed from another vlan.
Refer to http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c02564347/c02564347.pdf page 2-47 for management vlan.
So if you do not want that security setting:
config
NO management-vlan 1
AFAIK you cannot set up a 2910 as a DHCP server. If, however, you have a DHCP server, you can set up IP routing and a helper address on the switch.
0

CHI-LTD Author Commented:
Can I have 2 management LANs?
0
jburgaard Commented:
You can only have one "management-vlan"
-but without the "management-vlan"-setting you can manage your switch from more lans.
0
CHI-LTD Author Commented:
So I can untick the management option, enabling me to manage the device from anywhere?
0
jburgaard Commented:
Yes, you can.
But if security is important, there are also other options:
http://www.hp.com/rnd/pdfs/Hardening_ProCurve_Switches_White_Paper.pdf
0
CHI-LTD Author Commented:
OK, I'll try it, but have a feeling I already have, then couldn't manage it at all?
0
jburgaard Commented:
For communication to take place between vlans representing different IP networks you must have routing taking place (eventually an L3-enabled switch).
0
CHI-LTD Author Commented:
Isn't the 2910al capable of this?
0
jburgaard Commented:
Yes it is.
I assume you have
vlan 1
ip address 172.19.4.5 255.255.255.0
exit

then assign e.g. 172.19.106.1 to vlan 20:
vlan 20
ip address 172.19.106.1 255.255.255.0
exit

enable routing:
IP ROUTING

set a default gateway to e.g. 172.19.4.1 (your next hop)
IP ROUTE 0.0.0.0  0.0.0.0 172.19.4.1

on your router there should be routes back to networks on the L3-switch, e.g.
network 172.19.106.0  255.255.255.0  via 172.19.4.5

HTH
0
CHI-LTD Author Commented:
No, I currently have:

vlan01 on all switches. The 2910 has a vlan01 and a vlan20 set up.
vlan01 172.19.4.5/24 (255.255.0.0) - ports 1-6, port 1 connected to vlan01 on another switch (no trunks).
vlan20 172.16.4.5/24 - ports 7-48, port 48 going to a Windows machine.
DHCP configured on 172.19.10.17 with 172.16.0.0 and IP helper added to the vlan20.

Current Setup (with no voice yet):
Firewall vlan01 - to hp 1910 switch on vlan01 - to hp2910al vlan01 - to client machine test

Planned setup (with new voip system and new firewall):
firewall vlan01 - to hp1910 switch vlan01 only - client machines and server only
firewall vlan20 - to hp2910 switch vlan20 only - voice kit/phones/switches only
0
CHI-LTD Author Commented:
Sorry, /16 not /24
0
CHI-LTD Author Commented:
Current switch config:

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
interface 1
   name "HP1910"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
interface 3
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   exit
interface 8
   name "Shoretel SG90"
   exit
interface 9
   name "Shoretel SG90Bri"
   exit
interface 48
   name "vlan20 to Firewall"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT" location ""
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-19,23-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
vlan 30
   name "Voice "
   untagged 20-22
   ip address 10.0.0.1 255.255.255.0
   ip helper-address 172.19.10.18
   exit
no autorun
password manager

I have added a second voice vlan30 as a test; this isn't working either...
0
jburgaard Commented:
I do not see a
IP ROUTING
statement in your 2910-config.

you have a L2 gateway, but no L3 DGW

dhcp configured on 172.19.10.17 should have clients point to 172.16.4.5 as dgw

I suppose vlan 30 would use same DHCP-server= 172.19.10.17?
0
CHI-LTD Author Commented:
vlan30 was just a test and will be deleted soon.

config:

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip default-gateway 172.19.10.15
ip routing
interface 1
   name "HP1910"
   no power-over-ethernet
   exit
interface 2
   no power-over-ethernet
   exit
interface 3
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 48
   name "vlan20 to Firewall"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-19,23-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
vlan 30
   name "Voice2"
   untagged 20-22
   ip address 10.0.0.1 255.255.255.0
   ip helper-address 172.19.10.18
   exit
no autorun
password manager
0
jburgaard Commented:
I think you have to deal with IP routing (DGWs)
what is dgw of 172.19.10.17?
 e.g. is it fw or 172.19.4.5

this switch does not know of fw (or next hop router)
-guess 172.19.10.15?, if so add to your config:
IP ROUTE 0.0.0.0  0.0.0.0 172.19.10.15

routes back on fw configured?
0
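An added example, not part of the original thread or any HP tooling: a small Python audit of `show running-config` text for the routing gaps jburgaard points out (no `ip routing`, no static default route) and for the management exposure discussed earlier (no `management-vlan`, the `public` SNMP community left `unrestricted`). The finding code names are hypothetical and the sample config is constructed, trimmed from the first configuration posted above.

```python
import ipaddress
import re
# Constructed sample, trimmed from the first running configuration posted in the thread.
SAMPLE_CONFIG = """\
ip default-gateway 172.19.10.15
snmp-server community "public" unrestricted
vlan 1
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
"""

def parse_vlans(lines):
    """Map VLAN id -> {'net': connected subnet or None, 'helpers': [relay targets]}."""
    vlans, cur = {}, None
    for line in lines:
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur = vlans.setdefault(int(m.group(1)), {"net": None, "helpers": []})
        elif line == "exit":
            cur = None
        elif cur is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            cur["net"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif cur is not None and (m := re.fullmatch(r"ip helper-address (\S+)", line)):
            cur["helpers"].append(ipaddress.ip_address(m.group(1)))
    return vlans

def audit(config):
    """Return finding codes for `show running-config` text (hypothetical code names)."""
    lines = [l.strip() for l in config.splitlines()]
    vlans = parse_vlans(lines)
    nets = [v["net"] for v in vlans.values() if v["net"]]
    routed = "ip routing" in lines
    has_default = any(re.match(r"ip route 0\.0\.0\.0\s+0\.0\.0\.0\s+\S+", l) for l in lines)
    findings = []
    if len(nets) > 1 and not routed:
        findings.append("no-ip-routing")  # VLAN subnets are not routed to each other
    if routed and not has_default:
        findings.append("no-default-route")  # 'ip default-gateway' applies only with routing off
    findings += [f"helper-unreachable:vlan{vid}" for vid, v in sorted(vlans.items())
                 for h in v["helpers"] if not has_default and not any(h in n for n in nets)]
    if any(re.match(r'snmp-server community "public".*\bunrestricted\b', l) for l in lines):
        findings.append("snmp-public-unrestricted")  # default community, read/write
    if not any(l.startswith("management-vlan") for l in lines):
        findings.append("no-management-vlan")  # management reachable from every VLAN with an IP
    return findings

print(audit(SAMPLE_CONFIG))
```

Appending `ip routing` to the sample, as in the second configuration posted above, changes the first finding from `no-ip-routing` to `no-default-route`.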
CHI-LTD Author Commented:
DGW of .17 is 172.19.10.15
 "e.g. is it fw or 172.19.4.5" - not sure what you mean here?...
0
jburgaard Commented:
If you do not want vlan 20 clients to reach internet
either set up some ACL's
or
on DHCP server add a static route to 172.16.0.0 255.255.0.0 via gateway 172.19.4.5

but anyway vlan 20 clients should have 172.16.4.5 as dgw
HTH
0
jburgaard Commented:
"DGW of .17 is 172.19.10.15
 e.g. is it fw or 172.19.4.5  - not sure what you mean here?..."
Normally you would have routing along these lines:
For the inter-vlan routing:
all dgw's of clients should point to their vlan-IP as set up on L3-switch
on L3-switch (so dgw of 172.19.10.17 e.g. should be 172.19.4.5)
For access outside of vlans known on L3-switch, there should be a
default-gateway for the switch's routing-engine
and
on this (=Firewall, I assume) there should be routes back to the networks not directly connected to the firewall, so packets destined to networks on L3 do not go out the FW's dgw (=disappear in the cloud)

But as mentioned there is also the possibility with the dgw=fw to reach the vlan20,
provided you, on every server and PC meant to do that, issue a
ROUTE ADD statement
0
CHI-LTD Author Commented:
OK.
Would the proposed work without setting up static routes?

thanks
Current--test--vs-New-Setups.jpg
0
jburgaard Commented:
"Would the proposed work without setting up static routes?"
yes,
If all client dgw's match the IP's of respective vlan's (here on ASA) .
I am not an expert on setting up the ASA's ACL's however.
0
CHI-LTD Author Commented:
Apparently our ASA comes with only 1x licence so can't set up multiple vlans on it for this test....
0
CHI-LTD Author Commented:
A tracert from Client01 (using dhcp) is failing to 172.16.4.5.  
Resolves to our external WAN ip of the Cisco router..
0
jburgaard Commented:
0
CHI-LTD Author Commented:
Sure...
0