VLAN – Give Internet Access with Non-VLAN Enabled Router


I'm a bit of a novice in this area. I currently have two VLAN-capable switches (HP ProCurve 2850 and 2824) and some switches and routers that are not VLAN-capable, more like consumer-level devices (such as PoE switches for cameras and remote APs). My goal is to separate different networks. I have the hardware, but I need to understand the theory a little bit more before trying to do this.
To simplify the question, let's assume I only have two VLAN-capable switches (let's call them HP1 and HP2) and a router.

I'll connect all the PCs of VLAN 1 to HP1 ports and configure them as "untagged VLAN_1", and all the PCs of VLAN 2 to HP2 ports and configure them as "untagged VLAN_2".

Then I can:

- Option A: connect the two switches to each other and configure these two ports as "tagged VLAN_1 & tagged VLAN_2", then connect HP1 to the router. I think I should set the Ethernet port as untagged, as the router seems not to support VLANs, but then if it is "untagged" I can set only one VLAN, and so if I configure it as "untagged VLAN_1" no one from VLAN_2 will be able to access the Internet.

- Option B: connect HP1 to the router, setting the Ethernet port as "untagged VLAN_1", and HP2 to another port of the router, setting that Ethernet port as "untagged VLAN_2".
In this configuration, devices from both VLAN_1 and VLAN_2 will be able to reach the router and so go online, but all traffic from VLAN_1 will be stripped of VLAN identifiers once exiting the port connected to the router, and will be tagged as VLAN_2 when re-entering from the router through the port connected to HP2.
So the two VLANs will not be separated.

Are my suppositions true, both for option A and option B?
Is there any way to achieve VLAN separation AND Internet access with the previously mentioned hardware?

Best Answer

  • Connecting a VLAN to a device without tagging support requires a dedicated, untagged port ("access").
  • In reverse, a device without VLAN support can only use a single, untagged VLAN on each port.
  • Routing between VLANs requires either a layer-3 switch (like an HPE 2824), or a router with multiple routed ports (VLAN subinterfaces on a VLAN-capable router).
  • You can configure a single (trunk) port for multiple, tagged VLANs between VLAN-capable switches or routers.
  • If you bridge between different VLANs, then they effectively become one.
  • Off topic: consumer-grade routers often have multiple "LAN" ports, but those are actually switched and cannot be configured separately. Most consumer routers can only route between a single WAN and all LAN ports. Most cannot deactivate NAT for IPv4.

Your easiest option is to use a 2824 as a layer-3 switch (ip routing) that can be used for routing between VLANs. If you want to separate different security zones the switch also requires (extended) ACL support for restricting traffic.


With an L3 switch, you'd set your clients' default gateway to the respective switch VLAN/virtual interface (SVI), and the switch's default route via the router's private IP. On the router, you'd add a static route, e.g. for 192.168.0.0/16 via the L3 switch's VLAN interface.

On the switch you could then freely create VLANs with subnets from 192.168.0.0/16 (e.g. 192.168.10.0/24, 192.168.11.0/24, ...) and configure ACLs to limit each VLAN's access to the other VLANs or the Internet.

The 2800 switch series is pretty aged (retired in 2009) and has no IPv6 support - so there's no v6 routing between VLANs or v6 ACLs.
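The L3-switch layout described in the answer, written out as an added configuration example (it is not part of the original answer nor an HPE reference config). Assumed: the router's LAN address is 192.168.0.1/24, HP1 port 24 is the untagged link to the router, port 23 is the tagged trunk to HP2, client VLANs are 10 and 20, and the ProCurve CLI syntax shown is the generic one; check it against your firmware's manual, since the 2800 series may lack the ACL commands.

```text
; === HP1 (2824, layer-3 switch) ===
hostname "HP1"
ip routing                         ; turn the switch into the inter-VLAN router

vlan 1
   name "TRANSIT"                  ; untagged "access" VLAN toward the non-VLAN router
   untagged 24
   ip address 192.168.0.2 255.255.255.0
   exit
vlan 10
   name "CLIENTS"
   untagged 1-10                   ; PCs: default gateway 192.168.10.1
   tagged 23                       ; trunk to HP2 carries VLAN 10 tagged
   ip address 192.168.10.1 255.255.255.0
   exit
vlan 20
   name "CAMERAS"
   untagged 11-20                  ; PoE camera switch: default gateway 192.168.11.1
   tagged 23
   ip address 192.168.11.1 255.255.255.0
   exit

; everything not local goes to the router's private IP
ip route 0.0.0.0 0.0.0.0 192.168.0.1

; ACL syntax as on newer ProCurve firmware (assumed, see lead-in):
; cameras may reach the Internet but not the client VLAN
ip access-list extended "CAMERAS-IN"
   deny   ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
   permit ip any any
   exit
vlan 20
   ip access-group "CAMERAS-IN" in
   exit

; === HP2 (2850, layer-2 only) ===
hostname "HP2"
vlan 10
   untagged 1-12
   tagged 24                       ; trunk back to HP1 port 23
   exit
vlan 20
   untagged 13-24
   tagged 24
   exit

; === Router (non-VLAN, syntax vendor-specific) ===
; static route: 192.168.0.0/16 via 192.168.0.2 (HP1's VLAN 1 interface)
```

Without the router-side static route, replies from the Internet reach the router but have no path back to 192.168.10.0/24 or 192.168.11.0/24.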