Security – VLAN security on HP ProCurve 1810G-24

Tags: hp, hp-procurve, security, switch, vlan

I'm looking into the managed switch HP ProCurve 1810G-24 to see if it can meet our office demands. The specs say it has IEEE802.1Q – whatever that means.

Our office consists of four companies that share a common broadband connection. The infrastructure of the building is such that all ethernet cables end up in our server room at a patch panel.

I've read some about VLANs and what they are about, but can't quite get a grasp on whether they are suited for our needs or not, so I decided to post our scenario here and get some professional opinions on the matter.

We wish to separate our four companies so that each company cannot access resources on a different VLAN. At the same time, we wish to allow for a shared internet access.

I thought the solution would be to set port 1 as VLAN 1 and connect the broadband router to that port. Then create VLAN 2-5 (four VLANs) on the remaining ports by setting T (tag) on all ports for the VLAN in question, and setting E (exclude all) on all ports not on that VLAN – BESIDES port 1 where the broadband router is located, which I set to U (untag).

Or is the solution to also include port 1 as T (tag) for each VLAN?

I hope I made myself understood and that someone could shine a light on this scenario.

Best Answer

VLANs are no replacement for NAT.

HP ProCurve 1810G-24 is a very nice silent gigabit web-managed L2 switch with VLAN capabilities, SNMP monitoring and more.

You can split the switch into several virtual switches using separate VLANs so that each virtual switch has a virtual port on the physical port of the router.

       VLAN1 VLAN2 VLAN3
Port1    U     T     T
Port2    E     U     E
Port3    E     E     U      

Here Port1 is the router, Port2 is Company1, Port3 is Company2, VLAN1 is for network management, VLAN2 and VLAN3 are for the customers.

However, you need a router that is capable of having several virtual interfaces, one for each VLAN, and doing NAT for several networks. This is not a stock broadband router.

The router should be capable of accepting traffic with at least 5 different VLAN tags including the default VLAN for the uplink.

Other capabilities to look for in a router for your network:

  • DHCP server and DHCP relay
  • Network address translation (NAT)
  • At least 5 active 802.1Q VLAN tags
  • Firewall
  • If a router has ADSL modem functionality, you could use it to replace the device installed by your provider.
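To make the U/T/E table above concrete, here is an added example (not part of the answer, and not HP's code) that models the switch's ingress classification and flooding rules for that table, then extends the same layout to the question's four companies on ports 2-5. The port names, the `Frame` type and the four-company table are assumptions for illustration; the checks show why the customer ports never see each other's traffic while the router port receives each company's VLAN tagged.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Port membership modes as shown on the switch's VLAN page: 'U' = untagged
# member (the port's native VLAN), 'T' = tagged member, 'E' = excluded.
Membership = Dict[str, Dict[int, str]]

# Constructed table copied from the answer: Port1 is the router trunk,
# Port2 is Company1, Port3 is Company2, VLAN1 is management.
ANSWER_TABLE: Membership = {
    "Port1": {1: "U", 2: "T", 3: "T"},
    "Port2": {1: "E", 2: "U", 3: "E"},
    "Port3": {1: "E", 2: "E", 3: "U"},
}


def four_company_table() -> Membership:
    """Constructed extension of the answer's layout to the question's four
    companies: Port1 carries VLAN1 untagged plus VLAN2-5 tagged to the router;
    Port2..Port5 are each an untagged member of one company VLAN only."""
    vlans = [1, 2, 3, 4, 5]
    table: Membership = {"Port1": {1: "U", 2: "T", 3: "T", 4: "T", 5: "T"}}
    for vid in vlans[1:]:
        table[f"Port{vid}"] = {v: ("U" if v == vid else "E") for v in vlans}
    return table


@dataclass(frozen=True)
class Frame:
    src_port: str
    tag: Optional[int]  # 802.1Q VID on the wire; None if the frame is untagged


def pvid(table: Membership, port: str) -> Optional[int]:
    """Native VLAN of a port: the VLAN it is an untagged member of (at most one)."""
    for vid, mode in table[port].items():
        if mode == "U":
            return vid
    return None


def classify(table: Membership, frame: Frame) -> Optional[int]:
    """Ingress: decide which VLAN the frame belongs to, or None if it is dropped.
    Untagged frames take the port's PVID; tagged frames are accepted only when
    the ingress port is a member of the VLAN named in the tag."""
    if frame.tag is None:
        return pvid(table, frame.src_port)
    mode = table[frame.src_port].get(frame.tag, "E")
    return frame.tag if mode in ("U", "T") else None


def flood(table: Membership, frame: Frame) -> Dict[str, Optional[int]]:
    """Egress set for a broadcast/unknown-unicast frame: every other member
    port of the frame's VLAN, mapped to the tag it carries on the wire
    (None means it leaves untagged)."""
    vid = classify(table, frame)
    if vid is None:
        return {}
    out: Dict[str, Optional[int]] = {}
    for port, vlans in table.items():
        if port == frame.src_port:
            continue
        mode = vlans.get(vid, "E")
        if mode == "U":
            out[port] = None
        elif mode == "T":
            out[port] = vid
    return out


def reachable_ports(table: Membership, src: str) -> set:
    """Every port a host on `src` can reach with any frame it could send:
    untagged, or tagged with any VLAN id the switch knows about. Used to
    verify that one company's port cannot reach another company's port."""
    vids = {v for vlans in table.values() for v in vlans}
    reach = set(flood(table, Frame(src, None)))
    for vid in vids:
        reach |= set(flood(table, Frame(src, vid)))
    return reach


if __name__ == "__main__":
    t = four_company_table()
    for port in sorted(t):
        print(port, "->", sorted(reachable_ports(t, port)))
```

Running the module prints, for the four-company table, that each of Port2..Port5 can reach only Port1, and Port1 reaches Port2..Port5 (one VLAN tag per company). A host on a company port that crafts a frame tagged with another company's VLAN is dropped at ingress because its port is excluded from that VLAN, which is the property the answer's table relies on; the router on Port1 must still keep the VLANs apart with separate virtual interfaces and NAT, exactly as the answer says.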