HP switch and vlan
-
Trying to set up vlan in HP switch connected to pfsense and Unifi AP.
- Wireless network is assigned vlan 20.
- Vlan 20 is created and DHCP enabled; subnet is .20.1
- HP switch is connected to a Unifi switch on port 23 and 24 (LACP).
- On vlan port config, checked tagged only and assigned PVID = 20.
But device connected cannot pull an IP and AP lost connection to controller. If I check ALL, AP connects to controller again.
- I know VLAN 1 should not be used for HP switch.
Can't seem to find a writeup on how to set up vlan on HP switch.
-
I am not familiar with the new HP series; I used to deal with them.
I mean, I have an idea since we've been dealing with Cisco for a long time.
For Cisco, if you are using LACP, the VLAN must be configured separately under LACP and also separately on the ports too (in your case 23 and 24). (Yes, VLAN1 is usually always native (on switches / for mng.))
It may help if the philosophy at HP is similar.
Somehow, so in the case of Cisco:
for ports:
for VLANs
Until that happens, the VLAN will not pass through the ports associated with the LACP.
At least that's the case with Cisco -
The switch in question is 1800-24G. I suppose all traffic needs to be tagged in order for vlan to work properly.
-
I don't know the GUI, just the HP CLI:
LAG:
conf t
vlan x tagged trk1
vlan x untagged trk1
Uplink:
vlan 1 untagged is needed for STP, MSTP. You have to deal vlan based and set the ports tagged or untagged.
HP LAG:
trunk ethernet 23 trk1 lacp
My pfsense uplink at HP 2520G-24 looks like:
untagged vlan 1
tagged vlan 11-20
Switch Management works with a vlan ip set and a default GW what goes with it.
Unifi AP:
vlan 1 untagged 5
vlan 18 tagged 5 -
I will try to find a description of this switch, but in the meantime...
the following:
HP switch to Unifi switch, a trunk must be created
(between two switches one is usually required to pass through any VLAN later)
- the trunk also (cleverly) gets a LACP (LAG)
(because the VLANs consume bandwidth)
everything on the trunk except VLAN1 is tagged, VLAN1 is untagged, because it is native
as I wrote, for Cisco it is not enough to have only ports associated with a VLAN
but it is also necessary to assign the LAG (with LACP) on the trunk itself to a VLAN (of course, to which the ports are also assigned)
-
@NOCling said in HP switch and vlan:
trunk ethernet 23 trk1 lacp
My pfsense uplink at HP 2520G-24 lo
This is interesting.. on the Unifi AP, what gets assigned to vlan 1? The IP for the AP? The APs are all connected to the Unifi switch
-
Vlan 1 is used for Switch Management, my internal Clients, SSID 1 and Switch, AP Management.
But you can set SSIDs to Tagged Vlan only, it is your decision.
-
@NOCling
SSIDs are tagged appropriately with vlan ids.
Plan is to config the mgmt vlan last.
My main issue is trying to get HP switch VLANs setup properly -
AP Management VLAN always untagged.
Management VLAN can be tagged to pfsense if there is the GW, or to the Unifi Switch and there is the pfsense with the GW.
The default GW is independent from tagging.
Set operator pw first, then manager.
-
This is the vlan port config (Pic 1 & 2). If I set the LACP 24 to PVID 20 and Tagged only, Unifi switch and APs lose connection to pfsense. Which makes sense because it only allows vlan 20 tags to go through.. vlan 1 is blocked.
Making LACP 24 a member of vlan 20 should allow vlan 20 tags to pass through (Pic 3 & 4). However, devices can't access internet.
pfsense rules allow vlan20 net to dest any.. what is blocking internet access? Disabling vlan20 on Unifi fixes internet issue. -
Switch to Switch Uplinks normally use untagged vlan 1, this is important if you use STP Mode MST.
The Vlan 20 tagging looks good.
-
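To make the tagging discussion in the posts above concrete, here is a small Python model of how an IEEE 802.1Q bridge port treats frames. This is an added example written for this page; it is not the HP 1800 firmware and not code posted by anyone in the thread. The port names, VLAN sets and the LAG scenarios are constructed assumptions chosen to resemble the setup being discussed: a LAG set to "tagged only" with PVID 20 discards the AP's untagged management frames (consistent with the AP losing its controller), a LAG with VLAN 1 untagged and VLAN 20 tagged passes both, and the last two scenarios show what the ingress-filtering setting on the LAG changes.

```python
"""Toy model of IEEE 802.1Q port behaviour (added illustration, not switch firmware)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int                                    # VLAN an untagged ingress frame is placed in
    tagged: set = field(default_factory=set)     # VLANs this port sends with an 802.1Q tag
    untagged: set = field(default_factory=set)   # VLANs this port sends without a tag
    tagged_only: bool = False                    # "Tagged only": discard untagged ingress frames
    ingress_filtering: bool = False              # discard tagged frames for VLANs the port is not in

    def members(self):
        return self.tagged | self.untagged


def classify_ingress(port, vid):
    """VLAN an arriving frame is assigned to, or None if the port discards it.
    `vid` is the VID from the frame's 802.1Q tag, or None for an untagged frame."""
    if vid is None:
        return None if port.tagged_only else port.pvid
    if port.ingress_filtering and vid not in port.members():
        return None
    return vid


def egress(port, vlan):
    """How a frame belonging to `vlan` leaves `port`: 'tagged', 'untagged' or None."""
    if vlan in port.untagged:
        return "untagged"
    if vlan in port.tagged:
        return "tagged"
    return None                                  # not a member: frame is not forwarded here


def forward(in_port, vid, out_port):
    """Trace one frame: (vlan, egress form), or None when it is dropped on either side."""
    vlan = classify_ingress(in_port, vid)
    if vlan is None:
        return None
    form = egress(out_port, vlan)
    return None if form is None else (vlan, form)


# Constructed ports. Towards pfSense, as in NOCling's uplink: VLAN 1 untagged, others tagged.
TO_PFSENSE = Port("1", pvid=1, untagged={1}, tagged={20, 50})
# Scenario A, resembling the first post: LAG "tagged only", PVID 20, member of VLAN 20 only.
LAG_TAGGED_ONLY = Port("trk1", pvid=20, tagged={20}, tagged_only=True)
# Scenario B: LAG carries VLAN 1 untagged (switch/AP management) and VLAN 20 tagged.
LAG_NATIVE_PLUS_TAGGED = Port("trk1", pvid=1, untagged={1}, tagged={20})
# Scenario C: same as B but with ingress filtering enabled on the LAG.
LAG_FILTERED = Port("trk1", pvid=1, untagged={1}, tagged={20}, ingress_filtering=True)


def scenarios():
    """Outcome for an untagged management frame and tagged frames arriving on each LAG."""
    return {
        "A: untagged mgmt frame": forward(LAG_TAGGED_ONLY, None, TO_PFSENSE),
        "A: tagged vlan 20 frame": forward(LAG_TAGGED_ONLY, 20, TO_PFSENSE),
        "B: untagged mgmt frame": forward(LAG_NATIVE_PLUS_TAGGED, None, TO_PFSENSE),
        "B: tagged vlan 20 frame": forward(LAG_NATIVE_PLUS_TAGGED, 20, TO_PFSENSE),
        # VLAN 50 arriving on a LAG that is not a member of it: admitted without
        # ingress filtering (and forwarded to VLAN 50 members), discarded with it.
        "B: tagged vlan 50, no ingress filtering": forward(LAG_NATIVE_PLUS_TAGGED, 50, TO_PFSENSE),
        "C: tagged vlan 50, ingress filtering": forward(LAG_FILTERED, 50, TO_PFSENSE),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print("%-42s -> %s" % (label, outcome if outcome else "dropped"))
```

Running it prints one line per scenario; the point to take from A versus B is that an uplink between switches has to carry the management VLAN untagged alongside the tagged VLANs, which is what NOCling's "untagged vlan 1 / tagged vlan 11-20" uplink does.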
@NOCling
I think I know why vlan20 traffic is not getting to pfsense vm. The port on the HP switch which ESXi is connected to needs to be a member of vlan 20. vswitch is already set to 4095. All traffic is just passthrough. -
Making LACP port member of vlan20 did not resolve DHCP issue. How do I trace where the request is being dropped?
-
@moosport said in HP switch and vlan:
How do i trace where the request is being dropped?
I think it's time:
https://www.wireshark.org/download.html
https://wiki.wireshark.org/VLAN -
looks like I have work to do tonight. :)
-
@moosport said in HP switch and vlan:
looks like I have work to do tonight. :)
exactly yes
I usually use Wireshark on Cisco systems with the following method.
If your HP switch knows the SPAN protocol, your life may be easier. Just an example:
https://www.ciscozine.com/how-to-analyze-traffic-with-span-feature/ -
Any managed switch should be able to do that. Even my crappo TP-Link can. I first did it with Adtran switches several years ago.
-
Good to know...
(I wouldn't have thought of this from many SMB category mng. switches)
for a long time, I have only had Cisco and Juniper in my life
TP-Link...hmmmm, though I wouldn't use it for letter weights either (hahaha) -
-
Is there a big price difference in your country between the Cisco SMB series (SG350, SG350X, etc.) and the TP-Link devices?
Pls don't think that, I hate TP-Link so much, but we haven't used it in a long time, so I only have experience up to the TL-SG series
BTW:
we deal with AoIP stuff a lot (DANTE protocol); TP-Link is totally dead on the IGMP and DSCP QoS themes
(https://www.audinate.com/) -
I paid about $100 for a Cisco SG 200-08 switch, but that TP-Link TL-SG105E was only around $35.
BTW, my early experience with managed switches was with Adtran, as my employer was their Canadian distributor. Adtran's AOS was pretty much a clone of Cisco's IOS.
-
I understand...
just a story:
for me, TP-Link customer service answered a simple question for three months...
the question was: do the factory SFP modules know DOM / DDM? Then I gave up and tried no further
(of course, there was no reference in the description)
- there was an SFP diag menu in the GUI of the switches
that didn't give any info about any DOM / DDM capable SFP, so we thought it only works with their own... the joke is that as it turned out they don't produce SFP modules with DDM / DOM capabilities
then what is that menu for in the GUI?
-
My experience with them was in regards to that VLAN problem, but with my access point rather than a switch. The problem is that multicasts would leak from the native LAN to the VLANs, which meant that devices on the VLAN/2nd SSID would get config info from the native LAN. When I called support, they insisted that that was how VLANs were supposed to work. Eventually, I talked to 2nd level support, who agreed it was a flaw. However, there was no fix forthcoming for my AP.
-
@DaddyGo said in HP switch and vlan:
@moosport said in HP switch and vlan:
looks like I have work to do tonight. :)
exactly yes
I usually use Wireshark on Cisco systems with the following method.
If your HP switch knows the SPAN protocol, your life may be easier. Just an example:
https://www.ciscozine.com/how-to-analyze-traffic-with-span-feature/
HP 1800 does support port mirroring. Tried wireshark but monitor mode option is greyed out.
airmon-ng needs to be installed before trying to enable monitor mode.
BTW, does ingress filtering need to be enabled on the LACP port on the HP switch connecting to the Unifi switch? I left it disabled.
-
@moosport said in HP switch and vlan:
HP 1800 does support port mirroring. Tried wireshark but monitor mode option is greyed out.
airmon-ng needs to be installed before trying to enable monitor mode.
???
Airmon-ng is for WiFi monitoring. What does it have to do with port mirroring? -
Reason is I'm testing the vlan using wifi. The plan is all ports on the HP switch will be on vlan30.
iot and guest are on vlan50 and vlan60 off wifi (no lan). Unifi switch will handle vlan40 for cctv which does not go anywhere.
currently topology is

                 pass all        pass all
                 vlans           vlans
                    |               |
modem -> pfsense -> hp1800 -> unifi16
                       |            |
                     vlan20    vlan40,50,60
-
-
yeah.. you're right.. I must have lost my mind for a moment there.
-
Configured the port mirroring. Now wireshark captures the DHCP request with vlanid 50 for guest.
Vmware has LAN portgroup to allow all. FW rules are set to allow all but blocked to other vlans. Not sure where to look now. -
I'm no expert, but I just went through setting up Guest and IOT VLANs with Unifi and two HP switches.
If your switch is the J9028B, then here's the link to your switch manual. I can't really tell if your port configuration is correct from those partial screenshots you are linking.
I don't know if it matters, but why are you only allowing TCP through the FW?
Also, you might need to check your NAT rules? I had the port tagging and firewall rules correct, but my NAT was fouled up. In my case, I could get an IP on the VLAN and could see the laptop connected to the VLAN in my pfSense DHCP table, but I could not connect to the internet.
-
@newberger said in HP switch and vlan:
Also, you might need to check your NAT rules? I had the po
Changed FW to allow all and still not getting IP. Prior to using wireshark, HP switch was configured to LAGG with Unifi switch; I had to remove the LAGG to enable port mirroring.
Capture trace on the port connecting esxi box and vmnic. DHCP traffic vlan50 is captured on the switch port but not on vmnic.
I have pfblocker running and the NAT rules are for DNSBL.
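The comparison made in the last posts (DHCP for VLAN 50 visible on the mirrored switch port but not on the vmnic) can be scripted. The Python below is an added example, not code from the thread, Wireshark, HP or Unifi: it parses raw Ethernet frames by hand the way the Wireshark VLAN filter does, counts DHCP message types per 802.1Q VID, and lists the VLAN/message-type combinations that appear in one capture but never in the other. Every frame here is constructed inside the script (MACs, XID, VIDs and the two "captures" are made-up test data); reading real frames out of a pcap file is not shown.

```python
"""Classify raw Ethernet frames by 802.1Q VLAN and DHCP message type (added example)."""
import struct
from collections import Counter

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
              5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def ipv4_checksum(header):
    """RFC 791 one's-complement sum over an even-length IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dhcp_frame(vid, msg_type, client_mac=b"\x02\x00\x00\x00\x00\x01"):
    """Construct a broadcast DHCP frame; `vid` is the 802.1Q VID, or None for untagged."""
    from_client = msg_type in (1, 3, 4, 7, 8)                 # DISCOVER/REQUEST/... come from the client
    dhcp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       1 if from_client else 2, 1, 6, 0,       # op, htype Ethernet, hlen, hops
                       0x3903F326, 0, 0x8000,                  # xid (made up), secs, broadcast flag
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    dhcp += b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])   # magic cookie, option 53, END
    sport, dport = (68, 67) if from_client else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dhcp), 0) + dhcp   # UDP checksum 0 = absent
    src_ip = b"\0\0\0\0" if from_client else bytes([192, 168, 50, 1])  # made-up server address
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_ip, b"\xff" * 4)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    src_mac = client_mac if from_client else b"\x02\x00\x00\x00\x00\xfe"
    tag = b"" if vid is None else struct.pack("!HH", 0x8100, vid & 0x0FFF)   # PCP 0, DEI 0
    return b"\xff" * 6 + src_mac + tag + struct.pack("!H", 0x0800) + ip + udp


def parse_frame(raw):
    """Return {'vlan', 'ethertype', 'ip_ok', 'udp', 'dhcp'} for one raw frame."""
    info = {"vlan": None, "ethertype": None, "ip_ok": None, "udp": None, "dhcp": None}
    ethertype, off = struct.unpack("!H", raw[12:14])[0], 14
    if ethertype == 0x8100:                                   # 802.1Q tag: TCI, then real EtherType
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        info["vlan"], off = tci & 0x0FFF, 18
    info["ethertype"] = ethertype
    if ethertype != 0x0800:
        return info
    ihl = (raw[off] & 0x0F) * 4
    header = raw[off:off + ihl]
    info["ip_ok"] = ipv4_checksum(header) == 0                # a valid header checksums to zero
    if header[9] != 17:                                       # not UDP
        return info
    sport, dport, ulen = struct.unpack("!HHH", raw[off + ihl:off + ihl + 6])
    info["udp"] = (sport, dport)
    dhcp = raw[off + ihl + 8:off + ihl + ulen]
    if {sport, dport} != {67, 68} or len(dhcp) < 240 or dhcp[236:240] != b"\x63\x82\x53\x63":
        return info
    i = 240
    while i < len(dhcp) and dhcp[i] != 255:                   # walk TLV options until END
        if dhcp[i] == 0:                                      # PAD has no length byte
            i += 1
            continue
        code, length = dhcp[i], dhcp[i + 1]
        if code == 53:
            info["dhcp"] = DHCP_TYPES.get(dhcp[i + 2], "type %d" % dhcp[i + 2])
        i += 2 + length
    return info


def dhcp_by_vlan(frames):
    """Counter of (vlan, message type) over a capture; vlan None means untagged/native."""
    counts = Counter()
    for raw in frames:
        p = parse_frame(raw)
        if p["dhcp"]:
            counts[(p["vlan"], p["dhcp"])] += 1
    return counts


def missing_downstream(upstream, downstream):
    """(vlan, type) pairs seen in the upstream capture but never in the downstream one."""
    return sorted(set(dhcp_by_vlan(upstream)) - set(dhcp_by_vlan(downstream)), key=str)


# Constructed stand-ins for two captures: mirrored switch port vs. the ESXi vmnic.
SWITCH_PORT = [build_dhcp_frame(50, 1), build_dhcp_frame(20, 1),
               build_dhcp_frame(20, 2), build_dhcp_frame(None, 1)]
VMNIC = [build_dhcp_frame(20, 1), build_dhcp_frame(20, 2), build_dhcp_frame(None, 1)]

if __name__ == "__main__":
    for (vlan, kind), n in sorted(dhcp_by_vlan(SWITCH_PORT).items(), key=str):
        print("switch port: vlan %-8s %-8s x%d" % (vlan, kind, n))
    print("never reached vmnic:", missing_downstream(SWITCH_PORT, VMNIC))
```

With the constructed data the script reports that the VLAN 50 DISCOVER seen at the switch port never reaches the vmnic while VLAN 20 and the untagged traffic do, which is the same narrowing-down the posts describe: the next hop to inspect is whatever sits between those two capture points.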