Network Management

 View Only
last person joined: yesterday 

Keep an informative eye on your network with HPE Aruba Networking network management solutions
Back to discussions
Expand all | Collapse all

Basic VLAN setup with HP Switch

This thread has been viewed 3 times

  • 1.  Basic VLAN setup with HP Switch

    Posted 18 hours ago

    # Please point out if I selected the wrong forum

    Hi Guys,

    I am not from the networking side, so please help me with this.

    I have a lab where I have a firewall, a switch (HP 2530-24G), and a vmware server(host).

    What I want is to create two VLANs, so that I can use them on my vmware VMs.

    Currently, my firewall is connected from port 2 to switch port 1.  And my vmware server is connected from switch port 2. I tried getting the config from ChatGPT, but it's not working.

    Below is the configuration I run on the switch

    vlan 1
    name "mgmt"
    ip address 192.168.1.200 255.255.255.0
    untagged 1
    exit

    vlan 10
    name "NFR"
    ip address 192.168.10.200 255.255.255.0
    tagged 1,2
    exit

    vlan 20
    name "LAB"
    ip address 192.168.20.200 255.255.255.0
    tagged 1,2
    exit

    On the firewall side, I am configuring port 2 as VLAN and created three vlans

    VLAN 1 - IP 192.168.1.1 (Untagged traffic)

    VLAN 10 - IP 192.168.10.1 (Tagged Traffic)

    VLAN 20 - IP 192.168.20.1 (Tagged Traffic)

    Now when I try to connect any laptop from any free port in the firewall, I cannot access the switch. 



  • 2.  RE: Basic VLAN setup with HP Switch

    MVP GURU
    Posted 15 hours ago
    Hi, the proposed portion of running configuration looks reasonable at first rapid sight: you Firewall is the router of your network (at it is for any VLAN since it owns the SVI for each one VLAN you defined on its LAN facing interface as /24 subnet: VLAN 1 with 192.168.1.1, VLAN 10 with 192.168.10.1 and VLAN 20 with 192.168.20.1), your Switch acts as a simple Layer 2 device (it can't do IZp routing for its VLANs) and on it you defined the very same set of VLAN IDs and you propagated them to the Firewall (uplink on Switch interface 1 which is untagged member of VLAN 1 and, concurrently, it is also a tagged member of VLAN 10 and 20) and it propagates them to any potential access device you need connected (e.g. a Desktop/Laptop connected to, say, a Switch interface untagged member of VLAN 1 or 10 or 20 as required) or to other downlinked devices to which you want various VLAN IDs to be transported as well (as it happens on uplink to Firewall) like the Switch interface 2 connecting to your ESXi node (for which you allowed just VLAN 10 and VLAN 20 only by tagging those VLAN IDs to that port, VLAN 1 excluded).

    Given the above you can check the VLAN membership of a particular port on the HP 2530 with this command:

    show vlan ports ethernet <physical-or-logical-nterface-id, list or range> detail

    just to be sure about all involved ports VLAN  membership.

    Now the above looks correct and you can test - just an example, take it as a "what-if" scenario - if a peer (e.g. you workstation) once connected to a particular Switch port configured to work as an Access port (thus untagged, say, on VLAN 1 or 10 or 20) and proprely IP addressed (for the sake of simplicity please set the IP, Subnet Mask and D.G. manually and accordingly to desired VLAN subnet the peer should be part of) can ping (a) its D.G. which is the Firewall, (b) other D.G. IP addresses on all the others VLANs (included eventually the IP addresses you assigned to VLAN on the Switch, the .200) and (c) other physical or virtual peers on the very same VLAN and also placed into any other VLAN of your network (I'm here implying that you have many peers to test against).

    You will rapidly discover IF the Firewall (or the peers' guest OSes Firewalls <- if enabled) is permitting that ICMP traffic on both direction or IF there are issues instead or not (maybe due to Firewall IP routing and/or Firewall access policies limiting inter-VLAN icmp/ip traffic or, again, issues due to bad Port Group VLAN ID settings on the vSwitch side on the ESXi node), that's to say you need to approach the switching and routing from the very basic Peer A ping to Peer B with Peer A and B hosted on the very same VLAN (no routing involved) up to more complex cases where routing is involved (Peer A and Peer B are on different VLANs) and/or Peers are a mix of physical and virtual (so involving the ESXi part into the equation).

    I voluntarily omitted the case that you seem to use as the very first test: a Peer on another Firewall interface...and I omitted that exactly because I want first to exclude issues related to Firewall port roles, access control lists and so on...telling you to focus on the internal part which is partially Firewall independant.



    Original Message