I'm a bit of a novice in this area. I currently have two VLAN-capable switches (HP ProCurve 2850 and 2824) and some switches and routers that are not VLAN-capable, more like consumer-level devices (such as PoE switches for cameras and remote APs). My goal is to separate different networks. I have the hardware, but I need to understand the theory a little bit more before trying to do this.
To simplify the question, let's assume I only have two VLAN-capable switches (let's call them HP1 and HP2) and a router.
I'll connect all the PCs of VLAN 1 to HP1 ports and configure them as "untagged VLAN_1", and all the PCs of VLAN 2 to HP2 ports and configure them as "untagged VLAN_2".
Then I can:
- option A: connect the two switches to each other and configure these 2 ports as "tagged VLAN_1 & tagged VLAN_2", then connect HP1 to the router. I think I should set the Ethernet port as untagged, as the router seems not to support VLANs, but then if it is "untagged" I can set only one VLAN, and so if I configure it as "untagged VLAN_1" no one from VLAN_2 will be able to access the internet.
- option B: connect HP1 to the router, setting the Ethernet port as "untagged VLAN_1", and HP2 to another port of the router, setting that Ethernet port as "untagged VLAN_2".
In this configuration, devices from both VLAN_1 and VLAN_2 will be able to reach the router and so go online, but all traffic from VLAN_1 will be stripped of VLAN identifiers once it exits the port connected to the router, and will be tagged as VLAN_2 when it re-enters from the router through the port connected to HP2.
So the two VLANs will not be separated.
Are my suppositions true, both for option A and option B?
Is there any way to achieve VLAN separation AND internet access with the previously mentioned hardware?
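Added example, not part of the question or its answer: a small Python model of the 802.1Q port rules (PVID for "untagged VLAN_x", tag membership for "tagged VLAN_x") that walks a frame through option A and option B exactly as the ports above are described. The port names, the VIDs 1 and 2, and the assumption that the consumer router's LAN ports behave as one plain bridge that ignores tagged frames are constructed for the example.

```python
from dataclasses import dataclass
UNAWARE = "vlan-unaware device"  # the consumer router's bridged LAN ports, or a plain PC (assumption)

@dataclass(frozen=True)
class Port:
    """ProCurve-style port: pvid = its 'untagged VLAN_x' (None if none), tagged = VLANs sent with an 802.1Q tag."""
    pvid: int = None
    tagged: frozenset = frozenset()

def ingress(port, tag):
    """Arriving frame: untagged -> PVID; tagged -> its VID if the port is a tagged member, else dropped (None)."""
    if tag is None:
        return port.pvid
    return tag if tag in port.tagged else None

def egress(port, vid):
    """Departing frame: tag kept on a tagged member, stripped (None) on the untagged member, else 'drop'."""
    if vid in port.tagged:
        return vid
    return None if vid == port.pvid else "drop"

def trace(vid, hops):
    """Follow a frame classified into `vid` through (out, in) hops. UNAWARE re-emits frames untagged and
    discards tagged ones (assumption: it ignores 802.1Q). Returns the final VLAN, or None if dropped."""
    for out_port, in_port in hops:
        tag = None if out_port is UNAWARE else egress(out_port, vid)
        if tag == "drop":
            return None
        if in_port is UNAWARE:
            if tag is not None:
                return None
        else:
            vid = ingress(in_port, tag)
            if vid is None:
                return None
    return vid
# Constructed ports matching the question: VLAN_1 hosts on HP1, VLAN_2 hosts on HP2.
VLAN_1, VLAN_2 = 1, 2
trunk = Port(tagged=frozenset({VLAN_1, VLAN_2}))  # option A inter-switch link, "tagged VLAN_1 & VLAN_2"
hp1_access, hp2_access = Port(pvid=VLAN_1), Port(pvid=VLAN_2)
hp1_to_router, hp2_to_router = Port(pvid=VLAN_1), Port(pvid=VLAN_2)  # "untagged" links to the router

def option_a(vid):
    """HP2 host in `vid` -> trunk -> HP1 -> (router uplink, VLAN_1 access port): (reaches router?, reaches VLAN_1 host?)."""
    internet = trace(vid, [(trunk, trunk), (hp1_to_router, UNAWARE)])
    crosstalk = trace(vid, [(trunk, trunk), (hp1_access, UNAWARE)])
    return internet, crosstalk

def option_b():
    """HP1 VLAN_1 host -> router LAN switch -> HP2 'untagged VLAN_2' port -> VLAN_2 host: VLAN the frame lands in."""
    return trace(VLAN_1, [(hp1_to_router, UNAWARE), (UNAWARE, hp2_to_router), (hp2_access, UNAWARE)])
```

Running it shows option A keeps the VLANs apart but strands VLAN_2 at the untagged uplink, while option B delivers a VLAN_1 frame into VLAN_2 via the router's bridged ports, which is why a routed design (as in the answer below) is needed.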
Best Answer
Your easiest option is to use a 2824 as a layer-3 switch (ip routing) that can be used for routing between VLANs. If you want to separate different security zones the switch also requires (extended) ACL support for restricting traffic. With an L3 switch, you'd set your clients' default gateway to the respective switch VLAN/virtual interface (SVI), and the switch's default route via the router's private IP. On the router, you'd add a static route, e.g. for 192.168.0.0/16 via the L3 switch's VLAN interface.
On the switch you could then freely create VLANs with subnets from 192.168.0.0/16 (e.g. 192.168.10.0/24, 192.168.11.0/24, ...) and configure ACLs to limit each VLAN's access to the other VLANs or the Internet.
The 2800 switch series is pretty aged (retired in 2009) and has no IPv6 support - so there's no v6 routing between VLANs or v6 ACLs.