
HP ProCurve 5400zl Switch Series - Designated VLANs Explained

Information

Designated VLANs:

ProCurve switches use these static, port-based VLAN types to separate switch management traffic from other network traffic. While these VLANs are not limited to management traffic only, they can provide improved security and availability for management traffic.

Details

The Default VLAN: This port-based VLAN is always present in the switch and, in the default configuration, includes all ports as members.

One can partition the switch into multiple virtual broadcast domains by configuring one or more additional VLANs and moving ports from the default VLAN to the new VLANs. One can change the name of the default VLAN, but cannot change the default VLAN’s VID (which is always "1"). Although one can remove all ports from the default VLAN (by placing them in another port-based VLAN), this VLAN is always present; that is, one cannot delete it from the switch.

The Primary VLAN: The switch uses this port-based VLAN to run certain features and management functions, including DHCP/Bootp responses for switch management. In the default configuration, the default VLAN is also the primary VLAN. However, one can designate another port-based, non-default VLAN as the Primary VLAN.

The Primary VLAN is the VLAN the switch uses to run and manage these features and data. In the factory-default configuration, the switch designates the default VLAN (DEFAULT_VLAN; VID = 1) as the primary VLAN. To provide more control in the network one can designate another static port-based VLAN as primary.

  • The switch reads DHCP responses on the Primary VLAN instead of on the default VLAN. (This includes such DHCP-resolved parameters as the TimeP server address, Default TTL, and IP addressing - including the Gateway IP address - when the switch configuration specifies DHCP as the source for these values.)

  • The default VLAN continues to operate as a standard VLAN (except, as noted above, one cannot delete it or change its VID).

  • Any ports not specifically assigned to another VLAN will remain assigned to the Default VLAN, regardless of whether it is the Primary VLAN.

  • Candidates for Primary VLAN include any static, port-based VLAN currently configured on the switch. (Protocol-based VLANs and dynamic GVRP learned VLANs that have not been converted to a static VLAN cannot be the Primary VLAN.)

  • If a non-default VLAN is configured as the Primary VLAN, one cannot delete that VLAN without first selecting a different VLAN to serve as primary.

  • If one manually configures a gateway on the switch, it ignores any gateway address received via DHCP or Bootp.

  • To display the current Primary VLAN, use the CLI show vlan command.


    ProCurve_Switch# show vlan
    Status and Counters - VLAN Information


    Maximum VLANs to support : 8
    Primary VLAN : DEFAULT_VLAN
    Management VLAN :

    802.1Q VLAN ID Name         | Status     Voice
    -------------- ------------ + ---------- -----
    1              DEFAULT_VLAN | Port-based No

  • To change the Primary VLAN configuration use the commands listed directly below.


    ProCurve_Switch(config)# vlan 10
    ProCurve_Switch(vlan-10)# exit
    ProCurve_Switch(config)# primary-vlan 10
    ProCurve_Switch(config)# show vlan

    Status and Counters - VLAN Information

    Maximum VLANs to support : 8
    Primary VLAN : VLAN10
    Management VLAN :

    802.1Q VLAN ID Name         | Status     Voice
    -------------- ------------ + ---------- -----
    1              DEFAULT_VLAN | Port-based No
    10             VLAN10       | Port-based No

The Secure Management VLAN: This optional port-based VLAN establishes an isolated network for managing the ProCurve switches that support this feature. Secure Management VLANs are designed to restrict management access to the switch to only those nodes connected to the Management VLAN. That is, only clients connected to ports that are members of the Secure Management VLAN can gain management access to the ProCurve device. This sharply limits the universe of devices that can attempt unauthorized access.

  • Configuring a secure Management VLAN creates an isolated network for managing the ProCurve switches that support this feature. If one configures a secure Management VLAN, access to the VLAN and to the switch’s management functions (Menu, CLI, and web browser interface) is available only through ports configured as members.

  • Multiple ports on the switch can belong to the Management VLAN. This allows connections for the multiple management stations that one wants to have access to the Management VLAN, while at the same time allowing Management VLAN links between switches configured for the same Management VLAN.

  • Only traffic from the Management VLAN can manage the switch, which means that only the workstations and PCs connected to ports belonging to the Management VLAN can manage and reconfigure the switch.

  • Access to this VLAN and to the switch’s management functions is available only through ports configured as members.

  • Only one VLAN per switch can be identified as the Secure Management VLAN.

  • IP addresses must be assigned manually to the Secure Management VLAN. The switch will not allow the Management VLAN to acquire its address through DHCP/Bootp.

  • To maintain the secure nature of the Management VLAN, only ProCurve switch ports that connect authorized management stations, or that extend the Management VLAN to other ProCurve switches, should be members of the Management VLAN.

  • Internet Group Management Protocol (IGMP) is not supported on the Management VLAN.

  • Routing to or from the Secure Management VLAN is not permitted. Routing can be enabled on the switch and all other VLANs will be routable but the Secure Management VLAN will remain isolated.

  • To configure the Secure Management VLAN, use the commands listed directly below.


    ProCurve_Switch(config)# vlan 100
    ProCurve_Switch(vlan-100)# name Management
    ProCurve_Switch(vlan-100)# exit
    ProCurve_Switch(config)# management-vlan 100
    ProCurve_Switch(config)# show vlan

    Status and Counters - VLAN Information

    Maximum VLANs to support : 8
    Primary VLAN : VLAN10
    Management VLAN : Management

    802.1Q VLAN ID Name         | Status     Voice
    -------------- ------------ + ---------- -----
    1              DEFAULT_VLAN | Port-based No
    10             VLAN10       | Port-based No
    100            Management   | Port-based No
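
The Primary VLAN and Management VLAN fields of the show vlan output can be checked automatically when reviewing many switches. The script below is an added example, not HP code: it parses listings shaped like the ones on this page and reports when no Secure Management VLAN is set or when the Primary VLAN is still the default VLAN. The sample listings are constructed, and the function names and finding codes are assumptions made for illustration.

```python
import re

# Constructed samples modelled on the `show vlan` listings on this page.
TABLE_HEAD = ("802.1Q VLAN ID Name         | Status     Voice\n"
              "-------------- ------------ + ---------- -----\n")
FACTORY_DEFAULT = ("Primary VLAN : DEFAULT_VLAN\nManagement VLAN :\n\n" + TABLE_HEAD +
                   "1              DEFAULT_VLAN | Port-based No\n")
SEPARATED = ("Primary VLAN : VLAN10\nManagement VLAN : Management\n\n" + TABLE_HEAD +
             "1              DEFAULT_VLAN | Port-based No\n"
             "10             VLAN10       | Port-based No\n"
             "100            Management   | Port-based No\n")


def parse_show_vlan(text):
    """Extract the Primary/Management VLAN names and the VLAN table rows."""
    info = {"primary": "", "management": "", "vlans": {}}
    for line in map(str.strip, text.splitlines()):
        head = re.match(r"(Primary|Management) VLAN\s*:\s*(.*)$", line)
        # Assumes VLAN names without spaces, as in the page's listings.
        row = re.match(r"(\d+)\s+(\S+)\s*\|\s*(\S+)\s+(Yes|No)$", line)
        if head:
            info[head.group(1).lower()] = head.group(2).strip()
        elif row:
            vid, name, status, voice = row.groups()
            info["vlans"][name] = {"vid": int(vid), "status": status,
                                   "voice": voice == "Yes"}
    return info


def audit(text):
    """Return (code, message) findings for the designated-VLAN settings."""
    info, findings = parse_show_vlan(text), []
    if not info["management"]:
        findings.append(("NO_MGMT_VLAN", "no Secure Management VLAN: management "
                         "access is not restricted to member ports"))
    elif info["management"] not in info["vlans"]:
        findings.append(("MGMT_VLAN_UNKNOWN", "Management VLAN is not in the table"))
    # Compare by VID: the default VLAN can be renamed, but its VID is always 1.
    primary = info["vlans"].get(info["primary"], {})
    if primary.get("vid") == 1:
        findings.append(("PRIMARY_IS_DEFAULT", "Primary VLAN is the default VLAN, "
                         "which holds every port not assigned elsewhere"))
    return findings


if __name__ == "__main__":
    for label, sample in (("factory default", FACTORY_DEFAULT), ("separated", SEPARATED)):
        print(label, [code for code, _ in audit(sample)])
```
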

Voice VLAN: This optional, port-based VLAN type enables one to separate, prioritize, and authenticate voice traffic moving through the network, and to avoid the possibility of broadcast storms affecting VoIP (Voice-over-IP) operation.

  • One must statically configure voice VLANs. GVRP and dynamic VLANs do not support voice VLAN operation.

  • Configure all ports in a voice VLAN as tagged members of the VLAN. This ensures retention of the QoS (Quality of Service) priority included in voice VLAN traffic moving through the network.

  • If a telephone connected to a voice VLAN includes a data port used for connecting other networked devices (such as PCs) to the network, then one must configure the port as a tagged member of the voice VLAN and a tagged or untagged member of the data VLAN one wants the other networked device to use.

  • Configure one or more voice VLANs on the switch. Some reasons for having multiple voice VLANs include:

    1. Employing telephones with different VLAN requirements.

    2. Better control of bandwidth usage.

    3. Segregating telephone groups used for different, exclusive purposes.

  • Where multiple voice VLANs exist on the switch, one can use routing to communicate between telephones on different voice VLANs.

  • Voice VLAN QoS prioritizing (optional): without configuring the switch to prioritize voice VLAN traffic, the following conditions apply:

    1. If the ports in a voice VLAN are not tagged members then the switch forwards all traffic on that VLAN at "normal" priority.

    2. If the ports in a voice VLAN are tagged members then the switch forwards all traffic on that VLAN at whatever priority the traffic has when received inbound on the switch.

  • To configure a Voice VLAN use the commands listed directly below.


    ProCurve_Switch(config)# vlan 20
    ProCurve_Switch(vlan-20)# name voice_vlan
    ProCurve_Switch(vlan-20)# voice
    ProCurve_Switch(vlan-20)# show vlan 20

    Status and Counters - VLAN Information - Ports - VLAN 20

    802.1Q VLAN ID : 20
    Name : voice_vlan
    Status : Port-based
    Voice : Yes
