luoto
16th Feb 2008, 10:48
Hi.
Got a good deal on a used ProCurve switch with managed control and hope to replace a few switches scattered around the towers here.
One problem I have hit so far (and it is probably just my lack of expertise here).
Situation is two unmanaged switches (there are more, but for the example it is easier to say one and one).
Switch one has the primary internet and secondary internet feed coming in (two cables) and two cables going to the two firewalls on the WAN side (two cables).
Switch two has the two outputs from the firewalls (firewall primary and hot standby secondary) and then usual LAN connections.
Firewall does port forwarding so external IP address 85.x.x.x is mapped in firewall to 192.168.0.x internal LAN connection.
Now, moving things over to managed HP switch which has VLAN support.
Would it work if I moved everything into this large switch (it has many modules) and then used VLANs to say the incoming "unsecure" internet stuff is on VLAN segment 1 and everything else (firewall and LAN) is on VLAN 2 with the 192.168.0.x network?
There is no need to access stuff with IP numbers on the "unsecured" side of things, but obviously everything "external" needs to know that the external IP number goes to the firewall (which has the external IP address, so that would be the first two cables) and is then routed to the other VLAN (internal side)?
Looking at the configuration, one has now tried this:
Switch Configuration - VLAN - VLAN Names

  802.1Q VLAN ID   Name
  --------------   ------------
  1                DEFAULT_VLAN
  2                Unsecured

  Port | DEFAULT_VLAN  Unsecured | Port | DEFAULT_VLAN  Unsecured
  ---- + ------------  --------- + ---- + ------------  ---------
  A1   | Untagged      No        | E1   | Forbid        Tagged
  A2   | Untagged      No        | E2   | Forbid        Tagged
And the plan is to put the external unsecured stuff into E1 through E4 (only showed the first two here), but a) I am under orders from SWMBO not to fizz up the network presently and b) I am concerned that even if it does work, I am suddenly opening up a 787-sized hole in my previously secure network.
So any hand holding welcomed and warmly appreciated.
Many thanks :) Luoto
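A defender's check for the plan in the post above, added here as an example and not code from the original thread: it parses a VLAN port assignment table in a simplified version of the layout the switch prints (two ports per row, without the "|" between port and states) and flags any port that is a member of both VLANs, which would bridge the unsecured side into the LAN, or any feed/firewall-WAN port that is not an untagged member of the unsecured VLAN. The sample table, the port roles, and the assumption that the modems and firewall WAN interfaces send plain untagged frames are all constructed for the demo.

```python
# Constructed sample in a simplified form of the ProCurve VLAN port assignment
# screen quoted in the post.  Ports and states are assumptions for the demo,
# not the poster's real switch.  Two ports share each row, separated by "|".
SAMPLE_TABLE = """\
Port   DEFAULT_VLAN  Unsecured | Port   DEFAULT_VLAN  Unsecured
----   ------------  --------- + ----   ------------  ---------
A1     Untagged      No        | E1     Forbid        Untagged
A2     Untagged      No        | E2     Forbid        Untagged
A3     Untagged      Tagged    | E3     Forbid        Untagged
A4     Untagged      No        | E4     Forbid        Tagged
"""

MEMBER_STATES = {"Untagged", "Tagged"}   # "No" and "Forbid" mean not a member


def parse_port_table(text):
    """Return {port: {vlan_name: state}} from the side-by-side menu layout."""
    lines = text.splitlines()
    vlan_names = lines[0].split("|")[0].split()[1:]   # drop the "Port" column
    ports = {}
    for row in lines[2:]:                              # skip header and rule
        for half in row.split("|"):
            fields = half.split()
            if len(fields) == len(vlan_names) + 1:
                ports[fields[0]] = dict(zip(vlan_names, fields[1:]))
    return ports


def audit_split(ports, wan_vlan, wan_ports):
    """Flag ports that bridge the VLANs or sit in the wrong one.

    wan_ports: ports meant for the internet feeds and the firewalls' WAN
    interfaces (assumed E1-E4 here); every other port is expected LAN-only.
    """
    findings = []
    for port, states in sorted(ports.items()):
        member_of = [v for v, s in states.items() if s in MEMBER_STATES]
        if len(member_of) > 1:
            findings.append((port, "BRIDGE", "member of " + " and ".join(member_of)))
        elif port in wan_ports and states.get(wan_vlan) != "Untagged":
            # A modem or firewall WAN port that does not speak 802.1Q needs an
            # Untagged membership; Tagged-only leaves it unable to talk at all.
            findings.append((port, "WAN_PORT_NOT_UNTAGGED", f"{wan_vlan} is {states.get(wan_vlan)}"))
        elif port not in wan_ports and wan_vlan in member_of:
            findings.append((port, "LAN_PORT_IN_WAN_VLAN", f"{wan_vlan} is {states[wan_vlan]}"))
    return findings


if __name__ == "__main__":
    for port, code, detail in audit_split(parse_port_table(SAMPLE_TABLE), "Unsecured", {"E1", "E2", "E3", "E4"}):
        print(f"{port}: {code} ({detail})")
```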