VLAN Set-up

Robert Mohr (asker)

How do you set up a VLAN?

I have never done this before and everything I read leads me down the wrong path.
Simply, I need a set of ports (12 ports total) to only allow traffic for 10.0.5.x leaving the rest of the switch to accept traffic for 172.20.1.x. Right now the entire switch will see traffic for both.

The test environment is using an HP ProCurve 2910al 24G Ethernet Switch.

Help!
David Akinsanya

I'm trying to figure out your request and match it up with features on the switch, but I'll explain some things first.
- You can allow or block certain VLANs from traversing a switch with the "allowed vlan" configuration on the trunk port connection to other switches.
- You can configure access lists to block traffic from one VLAN to another, or use private VLANs to isolate one VLAN from another.

It seems to me that the access-list option is what you're asking for, but I also think you're referring to port assignment. If port assignment, let's assume the 10.0.5 network is VLAN 10 and the 172.20.1 network is VLAN 172.
Let's also assume there are 48 ports and the 1st 12 ports are to be reserved for vlan 10 and port 48 is your trunk / uplink

You will assign ports 1-12 to vlan 10 and ports 11 to 47 to vlan 172.

By "accepting", did you mean allowing the traffic to come through, or that devices connected to those ports should communicate on that VLAN?
Robert Mohr (asker)
My ignorance is the problem. Sorry. I think we want to isolate.

Here's the scenario. For PCI compliance we have to make sure our wireless traffic (10.0.1.x) is completely segregated from our standard traffic (172.20.1.x).

Our main router has one interface assigned to 172.20.1.x traffic and another interface assigned to 10.0.1.x traffic.
From the router we plug the Ethernet cables from both interfaces into the HP switch (taking up two ports). We want ports 1-12 to only allow 172.20.1.x traffic and the remaining ports to allow 10.0.1.x traffic.

Based on this I think we want to ISOLATE traffic from one VLAN to another on the switch, since the VLANs are set up already on the isolated ports on the router.
OK.
There are a few ways that this can be achieved.

Option 1. Create an access list that denies traffic between the VLANs and apply it either to the VLAN interface or to the trunk port.

Option 2. Make the trunk port a promiscuous port, ports 1-12 isolated ports and the rest community ports.

Option 3. Create a policy map or VLAN map that prevents intercommunication between the two VLANs.
jburgaard

Are you going to use a ProCurve switch like the 2910al, or some Cisco product, for example? I assume: 2910al.
Is the switch in question going to do routing? I assume: no IP routing should take place here.

If you don't assign an IP to the wireless VLAN on the switch, as far as I can see the two VLANs are separated, with ports 1-12 untagged in the wireless VLAN.
With two uplinks to the main router, the spanning tree protocol could pull your leg.

My guess is that your router, rather than the switch, is responsible for "Right now the entire switch will see traffic for both."
You could provide output from "show running" for the experts to have a look at.
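The following is an added example, not code from any of the posters or from HP. It puts the port assignment David Akinsanya describes and the "no IP on the wireless VLAN, no routing on the switch" rule jburgaard describes into one place: a constructed ProCurve-style running-config (the lines under each `vlan N` are the same commands typed at that level in `configure` mode), plus a small checker that parses such a config and reports anything that would undo the segregation. The VLAN numbers 10 and 172 follow David's assumed numbering, the 24-port layout and the management address 172.20.1.2 are placeholders, and neither config text was captured from a real switch.

```python
import re

# Constructed sample, not captured from a real switch: the vlan section of
# `show running-config` on a ProCurve 2910al after the layout the thread
# converges on. Assumed numbering: VLAN 10 = wireless (10.0.1.x) untagged on
# ports 1-12, VLAN 172 = corporate (172.20.1.x) untagged on 13-24. Each line
# under `vlan N` is the command you type at that level in `configure` mode.
GOOD_CONFIG = """\
vlan 10
   name "wireless"
   untagged 1-12
   no ip address
   exit
vlan 172
   name "corporate"
   untagged 13-24
   ip address 172.20.1.2 255.255.255.0
   exit
"""

# Constructed counter-example with three mistakes: routing switched on, a
# management address on the wireless VLAN, and port 12 also tagged into the
# corporate VLAN, so one port carries both segments.
BAD_CONFIG = """\
ip routing
vlan 10
   name "wireless"
   untagged 1-12
   ip address 10.0.1.2 255.255.255.0
   exit
vlan 172
   name "corporate"
   untagged 13-24
   tagged 12
   ip address 172.20.1.2 255.255.255.0
   exit
"""

PORT_RANGE = re.compile(r"^(\d+)(?:-(\d+))?$")


def expand_ports(spec):
    """Expand a ProCurve port list such as '1-12,15,20-24' into a set of ints."""
    ports = set()
    for chunk in spec.replace(" ", "").split(","):
        m = PORT_RANGE.match(chunk)
        if not m:
            raise ValueError(f"bad port list: {chunk!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        ports.update(range(lo, hi + 1))
    return ports


def parse_config(text):
    """Parse the vlan blocks of a running-config into (vlans, ip_routing).

    vlans maps VLAN id -> dict with 'name', 'untagged', 'tagged' (port sets)
    and 'ip'. 'no ...' lines only remove membership or addresses, so they are skipped.
    """
    vlans, current, ip_routing = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            current = vlans.setdefault(int(m.group(1)), {
                "name": None, "untagged": set(), "tagged": set(), "ip": None})
        elif line == "exit":
            current = None
        elif current is None:
            ip_routing = ip_routing or line == "ip routing"   # top-level command
        elif line.startswith('name "'):
            current["name"] = line[6:-1]
        elif line.startswith(("untagged ", "tagged ")):
            kind, spec = line.split(" ", 1)
            current[kind].update(expand_ports(spec))
        elif line.startswith("ip address "):
            current["ip"] = line[len("ip address "):]
    return vlans, ip_routing


def check_segmentation(vlans, ip_routing, wireless, corporate):
    """Return a list of findings; empty means the two VLANs are kept apart at
    layer 2 on this switch (whether the router lets them talk is its ACLs' job)."""
    missing = [v for v in (wireless, corporate) if v not in vlans]
    if missing:
        return [f"vlan {v} is not defined" for v in missing]
    findings = []
    if ip_routing:
        findings.append("ip routing is enabled: the switch itself could route between the VLANs")
    w, c = vlans[wireless], vlans[corporate]
    if w["ip"] is not None:
        findings.append(f"wireless vlan {wireless} has an IP address ({w['ip']}): "
                        "the switch's management plane is reachable from the wireless segment")
    shared = (w["untagged"] | w["tagged"]) & (c["untagged"] | c["tagged"])
    if shared:
        findings.append(f"ports {sorted(shared)} are members of both VLANs")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        vlans, routing = parse_config(cfg)
        print(label, check_segmentation(vlans, routing, 10, 172) or "no findings")
```

Ports not named in any VLAN stay untagged in DEFAULT_VLAN 1, which is why the good config lists every port explicitly; the router's 10.0.1.x cable then goes into one of ports 1-12 and its 172.20.1.x cable into one of 13-24. On the 2910al a port can be untagged in only one VLAN and the CLI enforces that, so the checker does not look for it; it does look for a port tagged into the other VLAN, which the CLI happily accepts. After entering the commands, `show vlans` and `show vlans 10` confirm the membership, and `write memory` saves it.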
So if I have two upload ports, one that is dedicated to 10.0.1.x and the second one that is 172.20.1.x, and I don't want the two to be able to ping each other, do I simply tag one group and untag the other? Spanning Tree is turned on.
ASKER CERTIFIED SOLUTION
jburgaard
This is exactly what we ended up doing. Thank you for your help!
Glad to help.