Multiple VLANs via multiple HP switches with routing and ACL? (access lists)

MISIT (asker):

Dear Mrs. and Mr. Experts,

I have problems with the configuration of my 2x HP 2920 switches (layer 3), 1x HP 1920 PoE (for the WLAN APs) (basic layer 3) and 1x HP 1910 (for surveillance PoE: cameras, etc.) (basic layer 3), and I do not know how to solve them.

Here is the scenario, which I have partially configured, but I am not an expert so I need some help:

The first HP 2920-48G switch (hostname 2920-48G-1) is on the 1st floor of the building and will probably be the "master" switch for routing, VLANs, etc.
The second HP 2920 switch (hostname 2920-48G-2) on the ground floor of the building will probably be the "L2" switch, but this switch probably must also have "knowledge" of the VLANs on the whole network via the Trk1 (trunk) interface?
On both of these HP 2920-48G switches I made a "Trunk" (Trk1) channel via SFP port 45 and SFP port 46.
(Please see the attached config files of both switches.)

The third switch (HP 1920-8G) is for the WLAN access points and gives power over Ethernet and data connections to the WLAN controller HP MSM720.
The fourth switch (HP 1910-24G) gives power over Ethernet and data connections to the surveillance (cameras), but I will post about all of this later, because first I want to have both HP 2920s solved and configured properly.

The first main problems which I have are:
If I connect to the second switch (2920-48G-2) via SSH and ping some device on the "PRODUCTION" network (VLAN 10), I do not receive any ping responses ("The destination address is unreachable.").
If I want to delete untagged port 43 from VLAN 20, the switch says: "Ports 43 would be orphaned. No ports removed."

If someone can answer and help with this (for me) a little confusing scenario, I will be very, very happy and grateful.

Many thanks in advance.
Switch1-2.txt
rharland2009:

First, if you're on the second switch and ping the IP address of the first switch (in the default VLAN), do you receive a reply?
Re port 43 and VLAN 20: you have to assign port 43 to be untagged in some other VLAN. A port needs to be untagged in some VLAN at all times. If you do that, it will remove it from untagged in VLAN 20.
MISIT (asker):

Dear rharland2009,
Firstly, many thanks for your comment.

Yes, if I connect to the second switch, I can ping the first switch (192.168.10.1) from switch 2.
About (un)assigning the untagged port on VLAN 20, thanks! It solved this little problem. :)
ASKER CERTIFIED SOLUTION (rharland2009; the accepted answer text is not shown on this page)

MISIT (asker):

Thank you rharland2009.
Now it works!
Now, if we can continue this discussion: I also have on this "core" switch a second router (192.168.1.3) which provides VPN connections to remote offices. I have already set up the static routes on the "core" switch, but I don't want all the clients that are connected to this switch to have access to all of these VPN static subnets (routes).
What can I do to limit some clients on VLAN 10, to deny them connections to the VPN subnets?
Many thanks.
rharland2009:

The easiest way would be to put an access list on your VPN VLAN interface denying traffic from VLAN 10.

Here's a link to configuring ACLs on Procurve switches - very straightforward and works perfectly.

http://www.hp.com/rnd/support/manuals/pdf/release_06628_07110/Bk2_Ch3_ACL.pdf

In this case, you would configure an incoming ACL on your VPN VLAN interface denying traffic from the VLAN 10 subnet.
MISIT (asker):

OK. Thank you.
And if I want to deny traffic from one VLAN to another VLAN, what must I do? (Because now all configured VLANs see each other.) I heard from someone that this can also be done with routing?! Or must I also configure ACLs for this case?
rharland2009:

ACLs are the easiest way. Simply configure them on your core switch to your satisfaction and you're good to go.
I assure you: it's easy and works well.
MISIT (asker):

OK, I will let you know about my "findings" in relation to your suggestion.
Thanks!
MISIT (asker):

Dear rharland2009,
I would like to ask you another question about my VLAN 30 (WIFI-GUESTS). The WLAN controller and APs would also have to carry the PRODUCTION network (in my scenario this is VLAN 10) on the same APs. For this I have an HP MSM720 controller which manages all APs and an HP 1920-8G PoE switch which provides power and data connection to the APs. (This discussion continues the previous one about routing, ACLs, etc.)
So now, what would you suggest to configure the whole network (with both 2920-48G switches)?
I would like to put the WIFI-GUESTS on VLAN 30 and isolate this whole VLAN 30 from any other network. The problem which I have is in which network to put the APs and controller so that they see each other. If I put them in VLAN 30, this is probably not a good idea for security reasons.
To conclude all of this, I want:
On the WLAN network I would like to have two SSIDs (two VLAN networks), one for production and one for the wlan-guests network. The production WLAN network is the VLAN 10 network and must see the whole VLAN 10 network. APs and controller must be on VLAN 1 (management network). WLAN-GUESTS must be on the same APs and controller but on the VLAN 30 network and isolated from any other network, but if I connect to the controller I must "see" what is going on in VLAN 30 (the WLAN-GUESTS network).
VLAN 1 (default VLAN) is the network which in my mind I want to use as the "management network" to manage network devices like servers (iLO, iDRAC), switch management, router management, etc.
Many thanks!!!
MISIT (asker):

Keep in mind that I wonder what I must set up on the 1920-8G PoE and on the controller for it to work as it should (VLANs, DHCP, ...)?
rharland2009:

While I'm not intimately familiar with the HP wireless solutions, I can offer how I solve this problem using Aruba infrastructure. Our setup is quite similar to yours. What we do is this.
The controller will connect to your core switch untagged on the default vlan and tagged in the VLANs it needs to communicate with on your LAN (in this case your PRODUCTION network). The APs can connect back to the controller on the default VLAN, and the AP configuration profile tells the APs about the VLANs for which they'll carry traffic - but the AP forwards all traffic to the controller in a tunnel on the default VLAN, which in turn puts the tag for the appropriate VLAN on the packet and forwards it.
For the guest network, we segregate it by keeping the guest VLAN *on the controller*, with only a default route for them to get to the internet. We also provide DHCP for the guest VLAN on the Aruba controller. Since the guest VLAN doesn't even exist on our LAN, it's completely segregated.
Again, I don't have specific experience with the GUI or CLI of the HP wireless controllers - and HP's method of doing this may be different - but you're on the right track.
Here's a link to a good config guide I found for the MSM that goes into some detail about config steps:

http://cdn.cnetcontent.com/0c/9c/0c9c9003-0f7c-4b04-bc71-eba0ba4d6bbc.pdf
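As an added example (not from the thread, and not taken from either linked guide), the VLAN membership on the 2920-48G-1 "core" switch for the design discussed above, with the guest SSID carried as VLAN 30 to the controller so that it can be observed from there. Trk1 and the VLAN numbers come from the thread; the port numbers, VLAN names and addresses are assumed placeholders, and whether the AP-switch uplink needs the tagged VLANs depends on whether the MSM APs tunnel client traffic to the controller (as in the Aruba setup above) or bridge it locally:

```text
; Added example, not from the thread. ProCurve 2920 syntax; assumed:
;   Trk1     SFP 45/46 trunk to 2920-48G-2 (from the thread)
;   port 10  uplink to the HP 1920-8G PoE switch feeding the APs
;   port 12  the MSM720 controller
; Every port is untagged in exactly one VLAN (here VLAN 1, the
; management network); this is why the "orphaned" error appears if a
; port's only untagged membership is removed.
vlan 1
   name "MANAGEMENT"
   untagged 10,12,Trk1
   ip address 192.168.1.2 255.255.255.0
   exit
vlan 10
   name "PRODUCTION"
   tagged 10,12,Trk1
   ip address 192.168.10.1 255.255.255.0
   exit
vlan 30
   name "WIFI-GUESTS"
   tagged 10,12,Trk1
   ip address 192.168.30.1 255.255.255.0
   exit
ip routing
; VLAN 30 gets an IP interface so the core is the guests' gateway and
; the controller (managed in VLAN 1) can still reach it. That also
; makes VLAN 30 routable, so its isolation then depends on an inbound
; deny ACL on VLAN 30, not on the VLAN boundary itself.
; Verify per-port membership with "show vlans ports 12 detail".
```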
MISIT (asker):

Thank you for this hint and link.
To be a little more specific: must I set up VLAN 30 on the 1920-8G switch, or only VLAN 10 on the switch, or both on the 1920-8G PoE and on the controller?
And what must I set up for the WLAN on the 2920-48G "core" switches?
rharland2009:

You're in luck... I found a link for you that shows the steps for precisely what you want to accomplish!
You can disregard the steps about the ASA firewall. Concentrate on the core HP switch pieces and the controller configuration - substituting your private (LAN) and public (guest) information for the references in the walkthrough.
Long story short, your implementation will be a little different than how Aruba accomplishes this, but it will get you a good result.

http://www.petenetlive.com/KB/Article/0000833.htm
MISIT (asker):

Thank you rharland2009.