All HP Switches VLAN, Routing ACL newbie questions

Here is the setup.

2 E2510-48Gs for gigabit desktop traffic
1 2824 for gigabit server traffic
2 E2520-24-POE for VOIP traffic
2 2650s for server/NAS management and WiFi traffic
1 2910al-24G-POE for Layer3/4 routing for above traffic and VOIP traffic

2 SonicWall Firewalls, one with DSL connectivity, one with Ethernet over Copper for Citrix access and VPN

I am setting them up this week at a new location. Previously we had 3 switches and no VLANs.

I am designating the following:
10.1.0.x for desktops and current server traffic (Default VLAN 1)
10.1.1.x for future VMware/NAS traffic (VLAN 10)
for wireless clients with Internet-only traffic (VLAN 20)
for VOIP phones and voicemail server (VLAN 30)

I've never set up VLANs before and therefore never needed to route between subnets so my understanding of the steps and questions are as follows:

1) Assign the VOIP and WiFi ports to their respective VLANs on the respective switches
2) Create physical connections between switches (that cross VLANs) on 2910al, assign appropriate VLAN and related IP to the right ports and turn on IP Routing. This will automatically route between VLANs assigned on the switch correct?
3) I want to prevent all traffic between 10.1.2.x and 10.1.0.x except for three specific PCs (which I can assign static IPs or use MAC addresses to identify). How do I do that? I want no traffic from 10.1.2.x to go to the other subnets either. I will have one port in VLAN 20 going to the SonicWall which will provide DHCP and metered Internet access.
4) Should I assign management IPs to the switches all in the 10.1.0.x range? For example, it's not good practice to assign the POE switches management IPs in 10.1.3.x. If I keep the management IPs in 10.1.0.x, then I need uplinks connecting all the switches with at least one port assigned to the Default VLAN?
5) Do I need to turn on tagging on any ports? I don't really understand the need for tagging in my configuration. For instance, the DHCP requests will have a DHCP server in the VLAN requesting IPs. So one DHCP server for VOIP, another for WiFi traffic and another in the Default VLANs. I assume these will not be routed by the 2910al by default.
6) In the web interface on the HP switches it offers four modes for tagging - No, tagged, untagged, and forbid. I assume I am using untagged in all contexts except for the ports that uplink to the 2910al and the ones that come in from the 2910al. For those I use tagged, correct?

I attached a PDF of my first attempt at a network diagram. Thanks in advance for any input you can offer.

RE: All HP Switches VLAN, Routing ACL newbie questions

Also, is there any benefit to stacking all the switches together (and can I only stack the models of switches together)?

RE: All HP Switches VLAN, Routing ACL newbie questions

Normally, you would want a "core" which is your layer3 switch doing the routing. All other switches are layer2, "edge", just switching.
1/ As you say, assign the correct VLAN to each "edge" switchport as "untagged".
2/ Link each "edge" switch to the "core" and then configure each of the VLANs required by the "edge" switch onto the switch<---->switch link ports as "tagged" VLANs. When you extend VLANs to edge switches, only one VLAN can be "untagged", each additional VLAN must be "tagged".
3/ This is what your "core" is for - at the core, configure access lists.
4/ Why not - either that or create a subnet/VLAN specifically for "NET_Admin"
5/ DHCP has nothing to do with tagging. Again, this is what your "core" is for - the "core" sees the DHCP broadcasts on each VLAN and forwards them to the DHCP server which is only on VLAN20. It knows where to forward the DHCP broadcasts because on each VLAN interface you configure an "IP Helper" address.
6/ "edge" switchports are assigned to just one VLAN and are "untagged".
uplinks have multiple VLANs and use "tagged". The exception being for your virtualised server environment which will often use "tagged" because it may use multiple VLANs.

RE: All HP Switches VLAN, Routing ACL newbie questions

Your answers are awesome and totally helped me get the mental model for how VLAN configuration works.

Can I ask a question about routing on my core switch? I have on my 2910 two VLANs configured. VLAN 30 and Default VLAN. The management address of the 2910 is I assigned an IP to VLAN 30 ( I turned on IP Routing. I tried pinging from an address in 10.1.0.x to 3.x and it didn't work when my router was set to, but it did work when I changed my router setting on my computer's NIC to Does this mean to route my traffic I need to set the route on my NIC to If I want to change this (to say do I need to change the management IP on my 2910 to

If so, what is the best way via the CLI to do this?


- Elan

RE: All HP Switches VLAN, Routing ACL newbie questions

If you enable IP routing, then an IP addresses on a VLAN interfaces is no longer a "management address" but becomes the router address for the subnet it is in.
Other devices on that same subnet are configured with that router address as their default gateway.
So, your router address for VLAN 30 is, therefore your voice server and IP phones should all have as their default gateway.
If all your devices in VLAN 1 have their default gateway set as, then your 2910's VLAN1 IP address should be
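To make the two replies above concrete (untagged edge ports, tagged uplinks, IP routing with ACLs at the core, and the core's VLAN addresses acting as default gateways once routing is on), here is an added example in HP ProCurve CLI syntax. It is not from the thread, from HP, or from either poster. Every host address (the .1 gateways, a DHCP server at 10.1.0.10, three permitted PCs at 10.1.0.50-52, a SonicWall at 10.1.0.254), every port number and the switch roles are assumptions, because the thread does not give them; lines starting with `;` are annotations for the reader, not commands. Check the exact ACL and `ip access-group` syntax against the Access Security Guide for the firmware on the 2910al before pasting it in.

```text
; --- Core: 2910al-24G-PoE (assumed: 1-20 desktops, 21-22 uplinks to the
;     two 2520 PoE switches, 23 an access point, 24 the wireless SonicWall)
vlan 1
   name "DEFAULT_VLAN"
   ip address 10.1.0.1 255.255.255.0
   exit
vlan 30
   name "VOICE"
   tagged 21-22
   ip address 10.1.3.1 255.255.255.0
   ; only needed if the voice DHCP server is NOT in VLAN 30 (assumed 10.1.0.10)
   ip helper-address 10.1.0.10
   exit
vlan 20
   name "WIFI"
   untagged 23-24
   ip address 10.1.2.1 255.255.255.0
   exit
ip routing
; with ip routing on, "ip default-gateway" is ignored; use a static default route
; (assumed: SonicWall for the wired LAN at 10.1.0.254)
ip route 0.0.0.0 0.0.0.0 10.1.0.254

; Wireless may reach only three assumed hosts in 10.1.0.x; all other traffic
; from 10.1.2.x to the internal subnets is dropped; Internet-bound traffic passes.
; ProCurve ACLs end in an implicit deny, so the final permit is required.
ip access-list extended "WIFI_IN"
   10 permit ip 10.1.2.0/24 host 10.1.0.50
   20 permit ip 10.1.2.0/24 host 10.1.0.51
   30 permit ip 10.1.2.0/24 host 10.1.0.52
   40 deny ip 10.1.2.0/24 10.1.0.0/24
   50 deny ip 10.1.2.0/24 10.1.1.0/24
   60 deny ip 10.1.2.0/24 10.1.3.0/24
   70 permit ip 10.1.2.0/24 any
   exit
; Mirror rule so wired hosts other than the three cannot initiate to wireless
ip access-list extended "LAN_TO_WIFI"
   10 permit ip host 10.1.0.50 10.1.2.0/24
   20 permit ip host 10.1.0.51 10.1.2.0/24
   30 permit ip host 10.1.0.52 10.1.2.0/24
   40 deny ip 10.1.0.0/24 10.1.2.0/24
   50 permit ip any any
   exit
vlan 20
   ip access-group "WIFI_IN" in
   exit
vlan 1
   ip access-group "LAN_TO_WIFI" in
   exit

; --- Edge: one 2520-24-PoE (assumed: phones on 1-24, port 25 uplinks to core port 21)
; Management stays in VLAN 1, which is the single untagged VLAN on the uplink;
; VLAN 30 rides the same link tagged, exactly as the reply describes.
vlan 1
   name "DEFAULT_VLAN"
   untagged 25
   ip address 10.1.0.6 255.255.255.0
   exit
vlan 30
   name "VOICE"
   untagged 1-24
   tagged 25
   exit
; a layer-2 edge switch uses the core's VLAN 1 address as its gateway
ip default-gateway 10.1.0.1
```

Two caveats a practitioner would check. First, these ACLs match on IP addresses, not MAC addresses, so the three PCs need fixed addresses (static or DHCP reservations). Second, an ACL on the 2910 only sees traffic the 2910 routes: if the SonicWall in VLAN 20 hands wireless clients its own address as their gateway, its firewall rules must also deny 10.1.2.x to the internal subnets, and the core ACL still matters because a client can point itself at 10.1.2.1 by hand.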
