
VLAN Configuration for HP 5120-48G EI Switch with 2 Interface Slots (JE069A)

Status
Not open for further replies.

KChanAuc

Technical User
Nov 7, 2012
1
I recently got 3 new HP 5120-48G EI Switch with 2 Interface Slots (JE069A). Each switch is currently fitted with 1 local connect module and effectively functions as a stacked switch. I would like to partition my network as below. I currently do not have any experience with VLAN and based on my assumptions and understanding on VLAN, I presume the following can be done. Please let me know if this is actually possible and how to achieve it. Attached is a visual on how my switch would be partitioned with VLAN.

(Visio diagram as attached)

S1 = Windows AD Domain Controller
S2 = Internet Gateway
S3 = Confidential File Server
S4 = General File Server

Team A = VLAN 1
Team B = VLAN 2
Team C = VLAN 3
Team D = VLAN 4
Team E = VLAN 5
Team F = VLAN 6

VLAN 1 can only see S1, S4
VLAN 2 can only see S1, S2, S4
VLAN 3 can see everything
VLAN 4 can only see S2
VLAN 5 can only see S2
VLAN 6 can only see S2
 
People are somewhat misled by textbooks on networking which still suggest that VLANs are a method of providing security between workgroups.
That was true 20 years ago, before Windows NT.
Nowadays, security is provided through identity management & authentication, in your case, AD. It boggles my mind that educational institutions and networking equipment vendors still all use this workgroup segregation as their prime example of the use of VLANs. Nobody in their right mind uses VLANs for this on a corporate network.
It's a complete waste of time devising a complex network design for a purpose which was superseded 20 years ago.
The purpose of VLANs is to segregate traffic for performance purposes and to break down broadcast domains, again for performance purposes.
The most important thing is to make it simple in order to make it easy to support. Making it complicated astronomically increases your risk of configuration mistakes and security incidents due to staff not understanding the implications or details of changes they make.
 
Of course, it's possible.

e.g.

interface GigabitEthernet1/0/1
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 5 untagged
port hybrid pvid vlan 5

:
:
interface GigabitEthernet1/0/9
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 6 untagged
port hybrid pvid vlan 6


- add ACLs with "packet-filter" to all ports for your subnets:
Don't forget to install latest firmware:
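
As an added illustration of the "packet-filter" step from the reply above (example configuration, not posted by anyone in the thread), here is a Comware 5 style snippet for Team D, which per the question may only reach S2. The addresses, the ACL number and the port are assumptions: servers on 10.0.0.0/24 with S2 = 10.0.0.2, Team D on 10.4.0.0/24, all internal networks inside 10.0.0.0/8.

```text
# Added example, not from the thread. Addresses, ACL number and port are assumed.
# Note: VLAN 1 is the switch's default VLAN (every port starts in it), so a team
# VLAN is better given an ID other than 1 than the "Team A = VLAN 1" in the question.
#
vlan 4
 description Team-D
#
# Advanced ACL (3000-3999), rules matched in configuration order.
# Comware's packet-filter PERMITS any packet that matches no rule, so the
# internal ranges must be denied explicitly; an implicit deny cannot be relied on.
acl number 3004
 rule 0 permit ip source 10.4.0.0 0.0.0.255 destination 10.0.0.2 0
 rule 5 deny ip source 10.4.0.0 0.0.0.255 destination 10.0.0.0 0.255.255.255
 rule 10 permit ip source 10.4.0.0 0.0.0.255
#
# Team D workstation port: plain access port in VLAN 4, filter applied inbound
# on the physical port as the reply suggests, so it is checked before forwarding.
interface GigabitEthernet1/0/9
 port link-type access
 port access vlan 4
 packet-filter 3004 inbound
#
# Caveats: the filter is stateless and one-directional. It only stops traffic
# that Team D hosts send; if S1/S3/S4 must not initiate connections to Team D,
# the server ports need their own inbound filter. Services such as DHCP or DNS
# that Team D needs from the server network require additional permit rules
# placed before rule 5.
```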
 
Seriously, do it with authentication on the domain and user permissions. That stuff has to be configured anyway, but trying to use VLANs for your security creates a whole layer of configuration that's unnecessary, probably won't really work very well (what happens when the finance guys off VLAN2 start a project using the same server application as the finance guys off VLAN4? You'll end up with a horrible mess), and worst of all will be difficult to understand and support and therefore add to risk and cost of ownership.
 