Learn to build secure applications from the mindset of the hacker and avoid being exploited.
HP Switch port Vlan Configuration.
Recently i received the mission to deploy the VOIP for our company ,my mission basically to configure internal LAN(192.168.1.0) able to access to the VOIP LAN(192.168.2.0)
I already add the Vlan in Fortinet FW 100D interface internal interface
Vlan Name:VOIP LAN
Vlan id : 500
DHCP: enable 192.168.2.50~200
IP Address:192.168.2.254
New Equitment
1.HPE 2530-48G-PoE+ Switch x 2 units
2.70 VOIP Phone
3.VOIP Software running on window server 2012 R2
Target
---------
1.Configure all the IP Phone able to take IP Address from FW .
2.Configure internal user able to access the window server 2012 R2
Question
-------------
1.What should i configure in SW port 1 for uplink to FW like tagged and untagged
2.What should i configure for the switch port for window server 2012 R2
3.What should i configure for all the IP Phone switch port and must able to get IP address automatically from DHCP server
4.What should i configure for Uplink switch to switch port ?
I already add the Vlan in Fortinet FW 100D interface internal interface
Vlan Name:VOIP LAN
Vlan id : 500
DHCP: enable 192.168.2.50~200
IP Address:192.168.2.254
New Equitment
1.HPE 2530-48G-PoE+ Switch x 2 units
2.70 VOIP Phone
3.VOIP Software running on window server 2012 R2
Target
---------
1.Configure all the IP Phone able to take IP Address from FW .
2.Configure internal user able to access the window server 2012 R2
Question
-------------
1.What should i configure in SW port 1 for uplink to FW like tagged and untagged
2.What should i configure for the switch port for window server 2012 R2
3.What should i configure for all the IP Phone switch port and must able to get IP address automatically from DHCP server
4.What should i configure for Uplink switch to switch port ?
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
The answers from @vivigatt are complete --
But one other though I would like to add -- DO NOT use the 192.168.n.n subnet for a production environment like this.. Unless you have vary tight control of the network as way to much gear comes with that as the defaults, and can easily create a duplicate IP storm or Routing errors.
Refer to RFC-1918 for alternate IP subnet ranges.
=======
But one other though I would like to add -- DO NOT use the 192.168.n.n subnet for a production environment like this.. Unless you have vary tight control of the network as way to much gear comes with that as the defaults, and can easily create a duplicate IP storm or Routing errors.
Refer to RFC-1918 for alternate IP subnet ranges.
=======
Just share with my working below and now is running live in my environment.
1.Add Vlan 200 for VOIP Lan in internal interface.
2.Plugin the one cable from SW01 port 1 to internal firewall interface Port 2. (Firewall actually is configure switch mode 16 interface as the internal Lan) .
3.Configure SW01 port 1(Vlan 1:tagged ,Vlan 200:tagged)
4.Configure SW01 ,SW02 port 48 (Vlan 1:tagged ,Vlan 200 :tagged) and connect it together
5.All other switch port Sw01 and SW02 (Vlan 1 :tagged,Vlan 200:untagged)
6.Configure policy to allow 192.168.1.0(Internal)able to access 192.168.2.0(VOIP LAN)
Now my phone is able to get DHCP from my firewall.
Question :
1.Why I no need to configure IP helper also can get DHCP from firewall.
2.We have one VOIP management server which is need to access from VLAN 1 ,I trying to configure as Vlan 1:untagged and leave the vlan 200 :blank can not work and even I can go to internal LAN
3.But I leave the management server on (Vlan 1 :tagged,Vlan 200:untagged) and configure Static IP which is 192.168.2.xxx then don't have any issue to allow internal lan and own lan to access ?
1.Add Vlan 200 for VOIP Lan in internal interface.
2.Plugin the one cable from SW01 port 1 to internal firewall interface Port 2. (Firewall actually is configure switch mode 16 interface as the internal Lan) .
3.Configure SW01 port 1(Vlan 1:tagged ,Vlan 200:tagged)
4.Configure SW01 ,SW02 port 48 (Vlan 1:tagged ,Vlan 200 :tagged) and connect it together
5.All other switch port Sw01 and SW02 (Vlan 1 :tagged,Vlan 200:untagged)
6.Configure policy to allow 192.168.1.0(Internal)able to access 192.168.2.0(VOIP LAN)
Now my phone is able to get DHCP from my firewall.
Question :
1.Why I no need to configure IP helper also can get DHCP from firewall.
2.We have one VOIP management server which is need to access from VLAN 1 ,I trying to configure as Vlan 1:untagged and leave the vlan 200 :blank can not work and even I can go to internal LAN
3.But I leave the management server on (Vlan 1 :tagged,Vlan 200:untagged) and configure Static IP which is 192.168.2.xxx then don't have any issue to allow internal lan and own lan to access ?
1: DHCP relaying is needed if your DHCP server is on another subnet than the DHCP clients
2 and 3: Unless there are needs to work with broadcasts, you DO NOT need to have several VLANs/IP IP Addresses assigned to your management server. What you need is
- assign the management server to Vlan 2 and make sure that this management server has the correct routes to access Vlan1
- make sure that your default routers have the correct routes to route packets between Vlan1 and Vlan2
- make sure the devices that need to access vlan2 from vlan1 and vlan1 from vlan2 are configured to use the correct routers/default routes.
2 and 3: Unless there are needs to work with broadcasts, you DO NOT need to have several VLANs/IP IP Addresses assigned to your management server. What you need is
- assign the management server to Vlan 2 and make sure that this management server has the correct routes to access Vlan1
- make sure that your default routers have the correct routes to route packets between Vlan1 and Vlan2
- make sure the devices that need to access vlan2 from vlan1 and vlan1 from vlan2 are configured to use the correct routers/default routes.
Thanks you for the explanation. From my scenario if I want to configure just only one port untagged for vlan 1 is not possible because this is second layer switch only and probably my default route is 192.168.2.254(fw interface), if I need to achieve the target above I need to have 3rd layer switch right ?
?
If you can configure VLANs, you usually have a Layer-3 switch.
HP 2530are layer-3 sw.
A firewall is layer-3 (and above)
If you can configure VLANs, you usually have a Layer-3 switch.
HP 2530are layer-3 sw.
A firewall is layer-3 (and above)
I don't think the switch is layer 3 because that is second layer manage switch
HP 2530 J9772A ProCurve 48 Port Gigabit Switch
Back to my question why I use one port untagged vlan 1 and no tagged for vlan 200 result is both network and also can not working let said I set Static IP address to 192.168.1.123/24 gateway :192.168.1.254 then I try to ping 192.168.2.254 and 192.168.1 254 also can not.
HP 2530 J9772A ProCurve 48 Port Gigabit Switch
Back to my question why I use one port untagged vlan 1 and no tagged for vlan 200 result is both network and also can not working let said I set Static IP address to 192.168.1.123/24 gateway :192.168.1.254 then I try to ping 192.168.2.254 and 192.168.1 254 also can not.
OK, I'll try my best to answer, although I guess that English is not your mother tongue (neither is it mine...) and I may not have understood what you wrote...
If you can assign an IP address to an interface in a switch, said switch is layer-3...
But it seems that your switch is actually a layer2 switch.
However, your FW is layer-3, so you can either connect your management server to the switch, which is all Vlan200, or to a port on the FW that is VLAN200 only. You don't need to have two vlans assigned to the port that the server is connected to. What you need is that, on the FW, Vlan200 and VLAN1 are interconnected, routed together. What you alswo need is a gateway interface for both Vlan, These gateway interfaces are virtual interfaces in your FW. I assume they exist and have the addresses 192.168.1.254 and 192.168.2.254.
You must make sure that the intervlan routing is enabled on teh FW and that it is working.
Your FW is your default gateway :
All devices in Vlan1 have to have 192.168.1.254 as their default gateway.
All devices in Vlan200 have to have 192.168.2.254 as their default gateway.
The router (the FW) then does the routing between both vlans.
You may want to read about routing. Don't play with trunked Vlans if you are not clear with routing in the first place. You don't need to tag ports (with a VLANs) as long as all ports on the FW are assigned a single VLAN each. Then, the FW does the routing.
If you absolutely want to have both Vlan1 and Vlan200 assigned to the port your server is connected to, please explain why. This is doable but involve more complex settings at all levels, including teh server network configuration.
If you can assign an IP address to an interface in a switch, said switch is layer-3...
But it seems that your switch is actually a layer2 switch.
However, your FW is layer-3, so you can either connect your management server to the switch, which is all Vlan200, or to a port on the FW that is VLAN200 only. You don't need to have two vlans assigned to the port that the server is connected to. What you need is that, on the FW, Vlan200 and VLAN1 are interconnected, routed together. What you alswo need is a gateway interface for both Vlan, These gateway interfaces are virtual interfaces in your FW. I assume they exist and have the addresses 192.168.1.254 and 192.168.2.254.
You must make sure that the intervlan routing is enabled on teh FW and that it is working.
Your FW is your default gateway :
All devices in Vlan1 have to have 192.168.1.254 as their default gateway.
All devices in Vlan200 have to have 192.168.2.254 as their default gateway.
The router (the FW) then does the routing between both vlans.
You may want to read about routing. Don't play with trunked Vlans if you are not clear with routing in the first place. You don't need to tag ports (with a VLANs) as long as all ports on the FW are assigned a single VLAN each. Then, the FW does the routing.
If you absolutely want to have both Vlan1 and Vlan200 assigned to the port your server is connected to, please explain why. This is doable but involve more complex settings at all levels, including teh server network configuration.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Switches / Hubs
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MCSA MCSE Microsoft Certified Solutions Associate & … 398 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
2. It would certainly be better if your Windows server was on the same VLAN as the phone, so connect the Win server to any of the SW port
3. There must be a dhcp relay (ip helper-adress). Check https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_relaying. On the switch(es), add such an ip helper-address so that DHCP discover packet sent to broadcast address on the 1925.168.2.x subnet be forwarded to the DHCP server (on your FW if I got it right)
4. nothing if you want to uplink them, and you go untagged as it seems this would be the simplest solution. Now I seem to remember that HPE 2530 can be stacked. If so, then stack them with the appropriate cable (if they are virtual stacking framework/VSF enabled, the cable is a network cable, otherwise, it would be a back pane stacking cable) and it would then be as if you had a single 96 port switch. If you have to use VSF, you must select one switch to be the commander, the other one will be the slave. You will find details in the manuals.
Don't forget to enable inter-vlan routing on your FW, and be sure to have your routes and DHCP settings correctly configured
One recommendation: update the switches (and FW) firmware.