
vlan help procurve 2650

  • 1.  vlan help procurve 2650

    Posted Apr 17, 2013 12:33 PM

    I have two VLANs. My default VLAN and then my guest. Trying to allow the guest network outside access to the internet through my firewall, but having difficulty figuring out how. Any help would be appreciated.




  • 2.  RE: vlan help procurve 2650

    Posted Apr 17, 2013 05:53 PM
    Hi ccarter81,

    If you need help with this, a lot more information is needed. Start with your switch's configuration, your firewall's IP address and routing table, and your guest network's DHCP options. Also, explain what tests you have done so far, including which tests succeed and which tests fail.


  • 3.  RE: vlan help procurve 2650

    Posted Apr 17, 2013 06:23 PM

    Paul,

     

    Thanks for the reply. My switch is configured with two vlans. One is the default and the other is a guest.

     

    10.5.64.0/20 gw 10.5.64.1 - Default VLAN

     

    192.168.10.0/24  - Guest VLAN 

     


    IP Route Entries

    Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
    ------------------ --------------- ---- --------- ---------- ---------- -----
    0.0.0.0/0          10.5.64.1       1    static               1          1
    10.5.64.0/20       DEFAULT_VLAN    1    connected            0          0
    127.0.0.0/8        reject               static               0          250
    127.0.0.1/32       lo0                  connected            0          0
    192.168.10.0/24    Guest           2    connected            0          0

     

    I don't have DHCP set up for the guest VLAN yet. Haven't gotten that far. I have a laptop on one switch on our first floor and am able to ping both first floor switch and our core switch Guest VLAN IPs using GVRP. This is as far as I have gotten. Tried creating a sub interface on our firewall for the Guest VLAN to get out, but not working. Surely I am doing something wrong here.

     



  • 4.  RE: vlan help procurve 2650

    Posted Apr 18, 2013 11:34 AM

    You need to do "router on a stick" here. 

     

    Basically, on your firewall create a new sub-interface or virtual interface.  Assign the gateway IP for your guest VLAN on this sub-interface, and also place it in the required VLAN.  The physical port that goes from your switch to router will need to be configured as a trunk (tag non-native VLANs).

     

    Point all the guest clients' default gateway to the sub-interface on the firewall.

     

    This is the most secure and common way of doing this.  Plus, you have a layer 2 switch anyways.  You need the firewall/router upstream to handle the routes.  This way you can apply firewall policies to make sure guests cannot find their way into your private LAN.
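
The switch side of the setup described in this reply, as an added example that is not part of the original post. VLAN 2 "Guest" and the two subnets come from the route table earlier in the thread; port 50 as the firewall uplink, ports 25-28 as guest access ports, and 192.168.10.1 as the firewall sub-interface address are assumptions, and lines beginning with ";" are annotations rather than commands.

```text
; ProCurve CLI, starting from the manager prompt
configure

; Uplink to the firewall (assumed port 50):
; DEFAULT_VLAN stays untagged, Guest is carried 802.1Q-tagged with VID 2
vlan 1 untagged 50
vlan 2 name "Guest"
vlan 2 tagged 50

; Guest access ports (assumed 25-28): untagged members of VLAN 2 only
vlan 2 untagged 25-28

; Keep the switch from routing between the VLANs itself, so the firewall
; is the only path between 192.168.10.0/24 and 10.5.64.0/20
no ip routing

write memory

; Verify: port 50 listed as Tagged in VLAN 2, ports 25-28 as Untagged
show vlans 2
; Verify: IP routing reported as disabled
show ip
```

The firewall side is a sub-interface tagged for VLAN 2 holding the guest gateway address (192.168.10.1 in this example); its syntax depends on the firewall vendor, which the thread does not name.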



  • 5.  RE: vlan help procurve 2650

    Posted Apr 18, 2013 05:03 PM
    Note that a 2650 can actually do static L3 routing, but that doesn't really matter - John's recommended solution is definitely the way I would go.


  • 6.  RE: vlan help procurve 2650

    Posted Apr 18, 2013 05:08 PM

    Indeed inter-vlan routing capabilities, which is pretty much a baseline requirement for layer 2 / SVIs

     

    If the switch supports ACLs I would consider doing it there, but ideally you trunk up to a firewall.  Just a guess here, but you want to secure the "Guest" traffic as best as you can.



  • 7.  RE: vlan help procurve 2650

    Posted Apr 19, 2013 06:46 PM

    Thanks! That worked for me!



  • 8.  RE: vlan help procurve 2650

    Posted Apr 18, 2013 11:37 AM

    Watch this.  The same principles apply no matter who your hardware is from (Cisco, HP, Juniper, Dell, Sonicwall, etc.)

     

    http://www.youtube.com/watch?v=bO6nbkza008