Friday, March 14, 2014
Configure VLAN(s) and enable routing on an HP Procurve switch
If you're running a managed HP Procurve switch and want to take advantage of VLANs to subnet your network, it's pretty easy. Here's a diagram of my example.
In this example we have two VLANs (VLAN 1 and VLAN 2). VLAN 2 is set up just for workstations and must connect to VLAN 1 for DHCP, DNS, and Internet access.
In case the image is too small, on the switch, ports 1-24 are being designated as part of VLAN 1, and 25-48 are part of VLAN 2. VLAN 1 is the 192.168.10.0/24 subnet, and VLAN 2 is the 192.168.20.0/24 subnet.
On my primary and secondary DNS/DHCP servers, I have a DHCP scope set up for the primary network (VLAN 1), and another scope set up for VLAN 2. In the DHCP options for both, I set the primary DNS server to 192.168.10.10 and the secondary to 192.168.10.11. For VLAN 1, I set the router to 192.168.10.1, but on VLAN 2 I set the router to 192.168.20.254, since the default gateway handed out by DHCP must be within the same subnet as the clients.
To actually set this up, first telnet into your Procurve switch, which I'm hoping you know how to do if you're going to attempt setting up a VLAN. You'll need enable access on the switch as well. Once you've logged into the switch and are at the terminal, here is what I would enter to set up the above example. I've added comments/explanations on all lines, so be aware that you do not want to enter the " - (.....)" comment portion of each line into the terminal window; type only the command that comes before the dash.
enable - (enables admin access)
conf t - (enters configuration mode using the terminal)
ip routing - (enables IP-based routing on the switch, which is required to allow the two VLANs to communicate)
vlan 1 - (will enter the configuration mode for vlan 1, which should exist by default on the switch)
untag 1-24 - (untags ports 1-24 on the switch to indicate they're going to be restricted to vlan 1)
ip address 192.168.10.254/24 - (assigns the IP address of 192.168.10.254 to the VLAN 1 interface)
vlan 2 - (will create vlan 2 if it doesn't already exist, then enters configuration mode for it)
untag 25-48 - (untags ports 25-48 on the switch to indicate they're going to be restricted to vlan 2)
ip address 192.168.20.254/24 - (assigns the IP address of 192.168.20.254 to the VLAN 2 interface)
ip helper-address 192.168.10.10 - (sets VLAN 2 to send DHCP packets to the primary DHCP server)
ip helper-address 192.168.10.11 - (sets VLAN 2 to send DHCP packets to the secondary DHCP server)
ip route 0.0.0.0 0.0.0.0 192.168.10.1 - (sets the default route to the default gateway in VLAN 1)
write mem - (commits the changes you made to the configuration stored in memory on the switch)
end - (exits configuration mode)
exit - (exits enable mode)
exit - (logs you off from your telnet session)
The one issue I ran into when I first did it is that I had "ip default-gateway 192.168.10.1" set on my switch and thought that was good enough for my VLAN 2 to get to the Internet. However, that is only effective when ip routing is disabled, and for the VLANs to communicate ip routing needs to be turned on. That requires you to add an actual static route, or use ip default-network if it's an available option. For more information on that see this link. It's from Cisco, but the same applies to the Procurve devices. That link explains the differences between the default gateway options, and what routing protocols are affected by each.
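The steps above, plus the DHCP scope notes and the default-gateway pitfall, boil down to a handful of consistency rules that are easy to get wrong by hand. The following is an added example (not from the original post or from HP) that models the post's two-VLAN layout as data, renders the equivalent Procurve CLI, and checks those rules before anything is typed into the switch: each VLAN address must sit inside its own subnet, ports and subnets must not overlap between VLANs, a helper address must not be in the VLAN it serves and must be reachable through some VLAN interface, the default-route next hop must be directly connected, each DHCP scope's router option must be inside that scope's subnet, and a leftover "ip default-gateway" is flagged because it is ignored once ip routing is on. The VLANS, DHCP_SCOPES and DEFAULT_ROUTE_NEXT_HOP values are constructed from the post's example; the function names are this example's own.

```python
"""Render and sanity-check a Procurve-style VLAN routing configuration.

Added example, not part of the original post. The topology data below is
constructed from the post's example (VLAN 1 = 192.168.10.0/24 on ports 1-24,
VLAN 2 = 192.168.20.0/24 on ports 25-48, DHCP servers .10 and .11 in VLAN 1).
"""
import ipaddress

# Constructed from the post: VLAN id -> ports, interface address, DHCP relay targets.
VLANS = {
    1: {"ports": "1-24", "ip": "192.168.10.254/24", "helpers": []},
    2: {"ports": "25-48", "ip": "192.168.20.254/24",
        "helpers": ["192.168.10.10", "192.168.10.11"]},
}
# Constructed: the Internet router in VLAN 1 used for 'ip route 0.0.0.0 0.0.0.0'.
DEFAULT_ROUTE_NEXT_HOP = "192.168.10.1"
# Constructed: DHCP scope subnet -> router option handed to clients.
DHCP_SCOPES = {"192.168.10.0/24": "192.168.10.1",
               "192.168.20.0/24": "192.168.20.254"}


def parse_ports(spec):
    """Expand a Procurve port range such as '1-24' or '3,5-7' into a sorted list."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def render_config(vlans, default_next_hop):
    """Return the CLI lines that reproduce the post's procedure for this data."""
    lines = ["ip routing"]
    for vid in sorted(vlans):
        v = vlans[vid]
        lines += [f"vlan {vid}", f"   untag {v['ports']}", f"   ip address {v['ip']}"]
        lines += [f"   ip helper-address {h}" for h in v["helpers"]]
        lines.append("   exit")
    lines.append(f"ip route 0.0.0.0 0.0.0.0 {default_next_hop}")
    lines.append("write memory")
    return "\n".join(lines)


def validate(vlans, default_next_hop, dhcp_scopes, legacy_default_gateway=None):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    networks = {vid: ipaddress.ip_interface(v["ip"]).network for vid, v in vlans.items()}

    # A port untagged in two VLANs would silently end up in only one of them.
    owner = {}
    for vid, v in vlans.items():
        for p in parse_ports(v["ports"]):
            if p in owner:
                problems.append(f"port {p} is untagged in both VLAN {owner[p]} and VLAN {vid}")
            owner[p] = vid

    # Overlapping subnets make the switch's connected routes ambiguous.
    vids = sorted(networks)
    for i, a in enumerate(vids):
        for b in vids[i + 1:]:
            if networks[a].overlaps(networks[b]):
                problems.append(f"VLAN {a} ({networks[a]}) overlaps VLAN {b} ({networks[b]})")

    # Relay targets must live outside the VLAN they serve but inside some routed VLAN.
    for vid, v in vlans.items():
        for h in v["helpers"]:
            addr = ipaddress.ip_address(h)
            if addr in networks[vid]:
                problems.append(f"VLAN {vid}: helper {h} is inside its own subnet, relay not needed")
            elif not any(addr in n for n in networks.values()):
                problems.append(f"VLAN {vid}: helper {h} is not reachable via any VLAN interface")

    # A static default route only works if the next hop is directly connected.
    hop = ipaddress.ip_address(default_next_hop)
    if not any(hop in n for n in networks.values()):
        problems.append(f"default route next hop {hop} is not in any VLAN subnet")

    # The post's pitfall: 'ip default-gateway' is ignored while 'ip routing' is enabled.
    if legacy_default_gateway:
        problems.append("'ip default-gateway' is ignored with ip routing enabled; "
                        "use 'ip route 0.0.0.0 0.0.0.0 <next-hop>' instead")

    # Clients cannot use a router option that is outside their own subnet.
    for subnet, router in dhcp_scopes.items():
        if ipaddress.ip_address(router) not in ipaddress.ip_network(subnet):
            problems.append(f"DHCP scope {subnet}: router option {router} is outside the scope")
    return problems


if __name__ == "__main__":
    print(render_config(VLANS, DEFAULT_ROUTE_NEXT_HOP))
    print("problems:", validate(VLANS, DEFAULT_ROUTE_NEXT_HOP, DHCP_SCOPES) or "none")
```

Running it with the post's values reports no problems; swapping VLAN 2's scope router to 192.168.10.1, or passing the old "ip default-gateway" setting, produces the two warnings that correspond to the mistakes the post describes. The rendered CLI is meant to be compared against what you type on the switch, not pasted blindly, since port ranges and VLAN ids will differ per model.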
The one thing I didn't touch on here is setting your actual routing to be able to reach VLAN 2. For that you'll have to decide what is best because it depends on your network and routing devices and protocols in use. In my example, I need to set up a route in VLAN 1 that would send traffic for 192.168.20.0/24 to 192.168.10.254 (the switch's IP on VLAN 1). If you have OSPF configured on your network and your switch participates, then you likely have nothing to do here. For my network, the switch doesn't support OSPF and the router is managed by my ISP, and I have no access. In order to get traffic to VLAN 2, I added a static route to my firewall for it. That way it still gets advertised over OSPF and VLAN 2 can be reached.
When I initially decided to do this, I used a few articles to come up with the final configuration. In case they may be helpful to you: