
Virtual LAN/HP Procurve switch


luoto
16th Feb 2008, 10:48
Hi.

Got a good deal on a used Procurve switch with managed control and hope to replace a few switches scattered around the towers here.

One problem I have hit so far (and it is probably just my lack of expertise here).

Situation is two unmanaged switches (there are more, but for the example it is easier to say one and one).

Switch one has the primary internet and secondary internet feed coming in (two cables) and two cables going to the two firewalls on the WAN side (two cables).

Switch two has the two outputs from the firewalls (firewall primary and hot standby secondary) and then usual LAN connections.

Firewall does port forwarding so external IP address 85.x.x.x is mapped in firewall to 192.168.0.x internal LAN connection.

Now, moving things over to managed HP switch which has VLAN support.

Would it work that I could move everything into this large switch (it has many modules) and then use VLAN to say the incoming "unsecure" internet stuff is on the VLAN segment 1 and everything else (firewall and LAN) is on VLAN2 with the 192.168.0.x network.

There is no need to access stuff with IP numbers on the "unsecured" side of things but obviously everything "external" needs to know that external IP number goes to firewall (has external IP address, so that would be the first two cables) and then routed to the other VLAN (internal side)?

Looking at the configuration, one has now tried this:

Switch Configuration - VLAN - VLAN Names

  802.1Q VLAN ID   Name
  --------------   ------------
  1                DEFAULT_VLAN
  2                Unsecured

  Port   DEFAULT_VLAN   Unsecured   |   Port   DEFAULT_VLAN   Unsecured
  ----   ------------   ---------   +   ----   ------------   ---------
  A1     Untagged       No          |   E1     Forbid         Tagged
  A2     Untagged       No          |   E2     Forbid         Tagged

And the plan is to put the external unsecured stuff into E1 through E4 (only showed the first two here) but a) am under orders from SWMBO to not fizz up the network presently and b) I am concerned that even if it does work, I am suddenly opening up a 787-sized hole in my previously secure network.

So any hand holding welcomed and warmly appreciated.

Many thanks :) Luoto

Saab Dastard
16th Feb 2008, 13:44
I would have thought that you would want to have the firewall with one interface into each of the 2 VLANs, and no possibility of each VLAN communicating with the other EXCEPT via the firewall.

Whether the procurve switch is secure enough for this purpose (and you are able to configure it correctly) is not something that I can answer - I'm sure that you can get information from the HP website.

Having implemented secure networks for corporate, Government and military clients, I would not dream of putting the external and internal networks on the same switch.

However, the risk may be acceptable in a home environment.

SD
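As an added illustration (not from the thread, and not HP's own documentation), this is what the two-VLAN layout from the first post looks like as ProCurve CLI configuration, with the separation SD describes: the firewalls are the only thing with a foot in both VLANs, and the switch itself never bridges or routes between them. Port names follow the poster's A1-A2 and E1-E4; the switch model, the "ip routing" state and the management address are assumptions.

```text
; Added example: ProCurve CLI equivalent of the two-VLAN layout in this thread.
; Assumed: a ProCurve switch with IP routing left off (so VLAN 1 and VLAN 2
; only meet inside the firewalls), ports A1-A2 on the internal 192.168.0.x
; side, ports E1-E4 facing the two internet feeds and the two firewall WAN
; interfaces. The management address is a constructed placeholder.

; --- As shown in the poster's port table: E1/E2 "Tagged" in Unsecured ---
; vlan 2
;    name "Unsecured"
;    tagged E1-E2
;    exit
; Modems and firewall WAN ports send plain (untagged) Ethernet frames, so a
; tagged-only membership leaves those devices unable to talk on VLAN 2 at
; all, and an untagged frame arriving on E1 would fall into VLAN 1 instead.

; --- Corrected: external side untagged in VLAN 2 and kept out of VLAN 1 ---
vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A2
   no untagged E1-E4
   ip address 192.168.0.250 255.255.255.0
   exit
vlan 2
   name "Unsecured"
   untagged E1-E4
   forbid A1-A2
   no ip address
   exit
; "forbid A1-A2" stops the internal ports ever being added to the external
; VLAN (including by GVRP); "no ip address" on VLAN 2 means the switch's
; management interface is reachable only from the internal side.
```

Check the result with "show vlans" and "show vlans 2": every E port should list as Untagged in VLAN 2 and absent from VLAN 1, and VLAN 2 should carry no IP address.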

luoto
16th Feb 2008, 14:09
Hi, thanks for the reply. It is for a small business environment but I have a blindspot on this side of things. I had only considered the option since the seller mentioned it would be a good idea to do such a thing, but didn't explain how. Certainly so far the firewalls (primary and its secondary on a heartbeat connection) have their own connection to the "insecure" switch where the two internet connections (primary and backup) go and it is then the firewall appliances that provide the security before popping out on the "secured" network.

I suspect I have got the wrong idea of the VLAN concept and I have managed to configure everything else with the HP web site (ntp, snmp, upgrading flash and the like) but as I said, some things just create a blind side (if you pardon the pun; it makes me smile, though, as I am partially sighted!).

I think I will go back to plan A and not do this fiendish VLAN stuff. Better to have separate bits I reckon. Easier too.

Many thanks! Luoto