Configure VLAN(s) and enable routing on an HP ProCurve switch

Name: Kailey Truscott

Post by kinerity » Tue Feb 13, 2018 7:40 am

Ramblings o' Techie wrote:

If you're running a managed HP ProCurve switch and want to take advantage of VLANs to subnet your network, it's pretty easy. Here's a diagram of my example:

VLAN.jpg

In this example we have two VLANs (VLAN 1 and VLAN 2). VLAN 2 is set up just for workstations and must connect to VLAN 1 for DHCP, DNS and internet access.

In case the image is too small, on the switch, ports 1-24 are being designated as part of VLAN 1, and 25-48 are part of VLAN 2. VLAN 1 is the 192.168.10.0/24 subnet and VLAN 2 is the 192.168.20.0/24 subnet.

On my primary and secondary DNS/DHCP servers, I have a DHCP scope set up for the primary network (VLAN 1), and another scope set up for VLAN 2. In my DHCP options for both, I set the primary DNS server to 192.168.10.10 and the secondary to 192.168.10.11. For VLAN 1, I set the router to 192.168.10.1, but on VLAN 2 I set the router to 192.168.20.254 since the default gateway needs to be found within the same subnet.

To actually set this up, first, you would telnet into your ProCurve switch, which I'm hoping you know how to do if you're going to attempt setting up a VLAN. You'll need enable access on the switch as well. Once you've logged into the switch and are at the terminal, here is what I would enter to set up the above example. I've added comments/explanations on all lines.

enable - enables admin access
conf t - enters configuration mode using the terminal
ip routing - enables IP-based routing, which is required to allow the two VLANs to communicate
vlan 1 - will enter the configuration mode for VLAN 1, which should exist by default on the switch
untag 1-24 - untags ports 1-24 on the switch to indicate they're going to be restricted to VLAN 1
ip address 192.168.10.254/24 - assigns the IP address of 192.168.10.254 to the VLAN 1 interface
vlan 2 - will create VLAN 2 if it doesn't already exist, then enters configuration mode for it
untag 25-48 - untags ports 25-48 on the switch to indicate they're going to be restricted to VLAN 2
ip address 192.168.20.254/24 - assigns the IP address of 192.168.20.254 to the VLAN 2 interface
ip helper-address 192.168.10.10 - sets VLAN 2 to send DHCP packets to the primary DHCP server
ip helper-address 192.168.10.11 - sets VLAN 2 to send DHCP packets to the secondary DHCP server
ip route 0.0.0.0 0.0.0.0 192.168.10.1 - sets the default route to the default gateway in VLAN 1
write mem - commits the changes you made to the configuration stored in memory on the switch
end - exits configuration mode
exit - exits enable mode
exit - logs you off from your telnet session

The one issue I ran into when I first did it is I had ip default-gateway 192.168.10.1 set on my switch and thought that was good enough for my VLAN 2 to get to the internet. However, that is only effective when ip routing is disabled, and for the VLANs to communicate ip routing needs to be turned on. That requires you to add an actual static route or use ip default-network if it's an available option. For more information on that see this link. It's from Cisco, but the same applies to the ProCurve devices. That link explains the differences between the default gateway options and what routing protocols are affected by each.

The one thing I didn't touch on here is setting your actual routing to be able to reach VLAN 2. For that you'll have to decide what is best because it depends on your network and routing devices and protocols in use. In my example, I need to set up a route in VLAN 1 that would send traffic for 192.168.20.0/24 to 192.168.10.254 (the switch's IP on VLAN 1). If you have OSPF configured on your network and your switch participates, then you likely have nothing to do here. For my network, the switch doesn't support OSPF and the router is managed by my ISP and I have no access. In order to get traffic to VLAN 2, I added a static route to my firewall for it. That way it still gets advertised over OSPF and VLAN 2 can be reached.
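
Added example (not part of the quoted post or the original blog): a Python check that reads a saved switch configuration and flags the routing mistakes described above, namely VLANs without `ip routing`, routing enabled with only `ip default-gateway` and no static default route, and a default next hop outside every VLAN subnet. The indented config layout, the constructed sample and the finding names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample (assumed ProCurve running-config layout) showing the post's pitfall.
SAMPLE = """\
ip default-gateway 192.168.10.1
ip routing
vlan 1
   untagged 1-24
   ip address 192.168.10.254 255.255.255.0
   exit
vlan 2
   untagged 25-48
   ip address 192.168.20.254 255.255.255.0
   ip helper-address 192.168.10.10
   exit
"""

def parse(config):
    """Split config into global lines and per-VLAN networks (mask or /len form)."""
    globals_, nets, vlan = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "exit":
            continue
        if not raw[0].isspace():            # unindented line = global context
            vlan = line.split()[1] if line.startswith("vlan ") else None
            if vlan is None:
                globals_.append(line)
        elif vlan and line.startswith("ip address "):
            nets[vlan] = ipaddress.ip_interface("/".join(line.split()[2:])).network
    return globals_, nets

def audit(config):
    """Return finding codes for the routing mistakes discussed in the post."""
    globals_, nets = parse(config)
    routing = "ip routing" in globals_
    hops = [g.split()[4] for g in globals_ if g.startswith("ip route 0.0.0.0 0.0.0.0 ")]
    findings = []
    if len(nets) > 1 and not routing:
        findings.append("vlans-cannot-route")        # inter-VLAN traffic needs ip routing
    if routing and not hops:
        findings.append("no-static-default-route")   # ip default-gateway is ignored here
    for hop in hops:
        if not any(ipaddress.ip_address(hop) in n for n in nets.values()):
            findings.append("default-next-hop-off-link")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Appending `ip route 0.0.0.0 0.0.0.0 192.168.10.1` to the sample clears the finding, which matches the fix the post arrives at.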
