ProCurve 2610

wij · 2 Mar 2009 at 22:06

Could somebody tell me if this is possible using these switches:

1 Subnet, lots of VLANs.

I.e. all the ports have a machine on the end of them and I want to block communication between the ports on the switch. But at the same time I'd like each port to be able to get an IP from DHCP from a router attached to the switch and then access the internet via said router.

I'm assuming that as I don't need to route between any of the ports/Vlans I can do this at L2 and it should be fairly simple?

I think on Cisco this is called a Private VLAN? Do HP do this or is it one of those proprietary things you don't miss until you can't do it with another vendors hardware?

Not bought/specced these switches yet, but I'm tempted to use them as they are 1/3 of the cost of the Cisco to me, and my client are being very tight with the purse strings!

iaind · 2 Mar 2009 at 22:33

Theoretically you should be able to do that, although the adapter on the DHCP server would probably need to support tagged VLANs.

Sounds like an unusual requirement though, why would they want to do that?

wij · 2 Mar 2009 at 23:01

Its for an exhibition / trade show type thing, lots of stands/booths from different exhibitors and companies etc. that need to be isolated from each other.

From what I'm reading from the HP manual for the switch it would appear it *is* possible.

Guess that at £300 I could probably just buy at 2610-24 and give it a go.

JonnyT · 2 Mar 2009 at 23:39

Looks like you can:

Overlapping (Tagged) VLANs. A port on the switch can be a member of more than one VLAN if the device to which it is connected complies with the 802.1Q VLAN standard. For example, a port connected to a central server using a network interface card (NIC) that complies with the 802.1Q standard can be a member of multiple VLANs, allowing members of multiple VLANs to use the server. Although these VLANs cannot communicate with each other through the server, they can all access the server over the same connection from the switch. Where VLANs overlap in this way, VLAN “tags” are used to distinguish between traffic from different VLANs

But it looks like the router needs 802.1Q (Tagging) support

wij · 3 Mar 2009 at 00:15

Thanks chaps.

They also support source-port filtering which apparently allows only specified ports to communicate with each other.

Whether that will do what I want it to though I'm not quite so sure - wouldn't the router just pass information between say port1 > router > port2?

I'm open to suggestions if someone has a neater tidier way of doing this, but it has to be cheap as chips (or HP switches!).

Nikumba · 3 Mar 2009 at 07:25

We have the 1900 range of procurve, and you can set each port to a seperate VLAN.

Now I am not sure if this is the case, but all our VLANs are on different subnets eg 10.97, 10.98 etc

I think your routher would need to be able to do this

Kimbie

iaind · 3 Mar 2009 at 07:43

As has been stated, the router will need to support .1Q, if its not a Cisco its pretty unlikely that it will.

I presume you're not responsible for the PCs themselves? If you were, a software firewall would be a neater solution.

If it were me, I'd just ask the exhibitors to sign something to say they accept it is a public network and they are responsible for taking measures to protect their machines.

wij · 3 Mar 2009 at 10:32

The router will be a 2800 of some description so it should all work, think thought what you have suggested is probably the easier way Iain

iaind · 3 Mar 2009 at 17:30

Ah in which case you should be alright, might take a bit of config tweaking to get working properly though!