VLAN Configuration for HP 5120-48G EI Switch with 2 Interface Slots (JE069A)

[KChanAuc]

I recently got 3 new HP 5120-48G EI Switch with 2 Interface Slots (JE069A). Each swith is currently fitted with 1 local connect module and effectively function as a stacked switch. I would like to partition my network as below. I currently do not have any experience with VLAN and based on my assumptions and understanding on VLAN, I presume the following can be done. Please let me know if this is actually possible and how to achieve it. Attached is visual on how my switch would be partition with VLAN.

(Visio diagram as attached)

S1 = Windows AD Domain Controller
S2 = Internet Gateway
S3 = Confidential File Server
S4 = General File Server

Team A = VLAN 1
Team B = VLAN 2
Team C = VLAN 3
Team D = VLAN 4
Team E = VLAN 5
Team F = VLAN 6

VLAN 1 can only see S1, S4
VLAN 2 can only see S1, S2, S4
VLAN 3 can see everything
VLAN 4 can only see S2
VLAN 5 can only see S2
VLAN 6 can only see S2

 

[VinceWhirlwind]

People are somewhat mislead by textbooks on networking which still suggest that VLANs are a method of providing security between workgroups.
That was true 20 years ago, before Windows NT.
Nowadays, security is provided through identity management & authentication, in your case, AD. It boggles my mind that educational institutions and networking equipment vendors still all use this workgroup segregation as their prime example of the use of VLANs. Nobody in their right mind uses VLANs for this on a corporate network.
It's a complete waste of time devising a complex network design for a purpose which has been superseded 20 years ago.
The purpose of VLANs is to segregate traffic for performance purposes and to break down broadcast domains, again for performance purposes.
The most important thing is to make it simple in order to make it easy to support. Making it complicated astronomically increases your risk of configuration mistakes and security incidents due to staff not understanding the implications or details of changes they make.

 

[merrym]

Of course, it´s possible.

e.g.

interface GigabitEthernet1/0/1
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 5 untagged
port hybrid pvid vlan 5

:
:
interface GigabitEthernet1/0/9
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 6 untagged
port hybrid pvid vlan 6


- add ACLs with "packet-filter" to all ports for your subnets:

http://www.h3c.com/portal/download.do?id=1290690

Don´t forget to install latest firmware:

https://h10145.www1.hp.com/downloads/SoftwareReleases.aspx?ProductNumber=JE066A

 

[VinceWhirlwind]

Seriously, do it with authentication on the domain and user permissions. That stuff has to be configured anyway, but trying to use VLANs for your security creates a whole layer of configuration that's unnecessary, probably won't really work very well (what happens when the finance guys off VLAN2 start a project using the same server application as the finance guys off VLAN4? You'll end up with a horrible mess), and worst of all will be difficult to understand and support and therefore add to risk and cost of ownership.