Don't use VLAN 1: it's a security risk and trivial to avoid (and if you're 
audited, it will almost certainly fail you on that point).

To save fingers, this explanation from a quick Google explains it reasonably:

"All ports on Cisco switches are members of VLAN 1... if the port is an access 
port. Which it will be if a typical PC is connected to the port.

Which means that if someone connects a PC to an unconfigured port, they will be 
in VLAN 1 and only VLAN 1. Now we don't like to use VLAN 1 for user-type data so 
hopefully your switches don't have any data using that VLAN. But VLAN 1 is used 
for VTP, DTP, CDP, STP and other management-type traffic which means someone 
could have access to any of that data.

However, all Cisco switch ports are in DTP desirable mode. Which means that if 
the person with the PC can make the switch think it's connected to another DTP 
capable switch (not that hard with a decent protocol analyzer) then the link 
becomes a trunk. And now the person has access to all VLANs.

This is why part of the best practices for switch management is to disable DTP 
and manually define as access links all ports that don't need to be trunks. Also 
good to create a dead-end VLAN (or one that only has access to the internet or 
whatever anyone who connects to said port needs) or simply disable all unused 
ports."


Also check out:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39009

and:
http://en.wikipedia.org/wiki/VLAN_hopping



a 
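As an added example (not code from any post in this thread, nor from HP or Cisco), here is a small Python auditor that reads a ProCurve config of the shape posted further down and flags exactly the points made above: edge ports still untagged in VLAN 1, the switch managed over VLAN 1, a trunk whose native (untagged) VLAN is 1, and an SNMP community set to Unrestricted (read-write). It also models the 'vlan 50' / 'untagged 8-10' step Kurt describes below. It assumes only the ProCurve syntax visible in the thread plus one stated assumption (a ProCurve port is untagged in exactly one VLAN); the two embedded configs are constructed, trimmed copies modelled on the MOB-1PRO and "2510-48 Dist 2" configs quoted later in the thread.

```python
"""Audit a ProCurve config for the VLAN 1 / trunk / SNMP problems discussed in
this thread.  Added example, not code from any post; samples are constructed."""
import re


def expand_ports(spec):
    """'1,3,6-7,9-11' -> {1, 3, 6, 7, 9, 10, 11}"""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_procurve(text):
    """Return {'vlans': {id: {...}}, 'snmp': [{'name', 'unrestricted'}]}."""
    cfg, cur = {"vlans": {}, "snmp": []}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith(";"):
            continue                              # blank or '; ...' comment line
        if tok[0] == "vlan" and len(tok) == 2:
            cur = {"id": int(tok[1]), "untagged": set(), "tagged": set(), "ip": []}
            cfg["vlans"][cur["id"]] = cur
        elif tok[0] == "exit":
            cur = None
        elif tok[:2] == ["snmp-server", "community"]:
            m = re.match(r'\s*snmp-server community "([^"]*)"(.*)', raw)
            cfg["snmp"].append({"name": m.group(1),
                                "unrestricted": "unrestricted" in m.group(2).lower()})
        elif cur is not None:                     # inside a 'vlan N' block
            if tok[0] == "untagged":
                cur["untagged"] |= expand_ports(tok[1])
            elif tok[:2] == ["no", "untagged"]:
                cur["untagged"] -= expand_ports(tok[2])
            elif tok[0] == "tagged":
                cur["tagged"] |= expand_ports(tok[1])
            elif tok[:2] == ["ip", "address"]:
                cur["ip"].append(" ".join(tok[2:]))
    return cfg


def audit(cfg):
    """Return (finding, detail) pairs for the problems the thread warns about."""
    out, v1 = [], cfg["vlans"].get(1)
    if v1 and v1["untagged"]:      # edge ports still sitting in the default VLAN
        out.append(("vlan1-access-ports", sorted(v1["untagged"])))
    if v1 and v1["ip"]:            # switch managed over VLAN 1
        out.append(("vlan1-management-ip", list(v1["ip"])))
    # A port tagged in any VLAN is an 802.1Q trunk; if it is also untagged in
    # VLAN 1, VLAN 1 is its native VLAN (the precondition for double tagging).
    trunks = set().union(*(v["tagged"] for v in cfg["vlans"].values()))
    native1 = sorted(p for p in trunks if v1 and p in v1["untagged"])
    if native1:
        out.append(("trunk-native-vlan1", native1))
    for c in cfg["snmp"]:          # 'Unrestricted' is read-write on ProCurve
        if c["unrestricted"]:
            out.append(("snmp-readwrite-community", c["name"]))
    return out


def untag(cfg, vlan_id, ports):
    """Model Kurt's 'vlan N' / 'untagged <ports>' step.  Assumption: a ProCurve
    port is untagged in exactly one VLAN, so the switch drops it from the VLAN
    it was untagged in before (VLAN 1 for a never-configured port)."""
    ports = set(ports)
    for v in cfg["vlans"].values():
        if v["id"] != vlan_id:
            v["untagged"] -= ports
    v = cfg["vlans"].setdefault(vlan_id, {"id": vlan_id, "untagged": set(),
                                          "tagged": set(), "ip": []})
    v["untagged"] |= ports
    return cfg


# Constructed samples modelled on the MOB-1PRO and "2510-48 Dist 2" configs
# quoted in the thread, trimmed to the lines that matter here.
MOB1_CONFIG = """\
snmp-server community "public" Unrestricted
vlan 1
   untagged 1-24
   ip address 192.168.103.75 255.255.0.0
   exit
vlan 50
   tagged 16
   exit
"""
DIST2_CONFIG = """\
snmp-server community "public" Operator
snmp-server community "private" Operator Unrestricted
vlan 1
   untagged 50-52
   tagged 49
   no untagged 1-48
   exit
"""

if __name__ == "__main__":
    for label, text in (("MOB-1PRO", MOB1_CONFIG), ("Dist 2", DIST2_CONFIG)):
        print(label, audit(parse_procurve(text)))
```

Run against the MOB-1PRO shape it reports all 24 ports in VLAN 1, the management address on VLAN 1, port 16 as a trunk with native VLAN 1, and "public" as a read-write community; after untag(cfg, 50, range(8, 11)) ports 8-10 leave the VLAN 1 list, but the trunk and SNMP findings remain until those are fixed too. The Dist 2 shape only reports the switch-only ports 50-52 and the "private" community, because port 49 is tagged in VLAN 1 rather than untagged.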

-----Original Message-----
From: Kurt Buff [mailto:[email protected]] 
Sent: 11 July 2010 23:30
To: NT System Admin Issues
Subject: Re: Procurve "seeing" other vlans

Let's say you have WAPs on ports 8 through 10 on the procurve.
Further, you want those WAPs to be on VLAN 50.

At the moment, those ports are on VLAN 1 - the default VLAN.

To get the WAPs on VLAN 50, you'd need to issue the following commands:

'en'
'conf t'
'vlan 50'
'untagged 8,9,10'
   or
'untagged 8-10'
'exit'

That will set up those ports on VLAN 50, and they should start passing data 
across the trunk. If you want to save that config, then you'll need to issue 
the following command:

'write mem'

You're done.

On Sun, Jul 11, 2010 at 15:21, paul d <[email protected]> wrote:
> There are other endpoints. I'm not at work now but I'll take a look at 
> your config and see how it differs from mine.
> I know it'll work eventually.  I just don't understand why it's not 
> passing the traffic if I have the vlans defined and am using port 16 as trunk.
>
>> Date: Sun, 11 Jul 2010 13:13:57 -0700
>> Subject: Re: Procurve "seeing" other vlans
>> From: [email protected]
>> To: [email protected]
>>
>> Using port 16 on the procurve for your trunk is just fine, and will 
>> work. I just like to do it a bit different.
>>
>> Are you using the procurve as a transit between the other switches, 
>> or are there endpoint units in the procurve?
>>
>> On Sun, Jul 11, 2010 at 12:37, paul d <[email protected]> wrote:
>> > Thanks for the feedback, Kurt.  I did forget to mention the setup 
>> > (it's Sunday; my 'work' brain usually sleeps that day :) ).
>> >
>> > I have 3 floors:  mob1, mob2, mob3.
>> >
>> > Mob 2 and 3 have w/less APs.  The switches in those are Cisco 2950s.
>> > Port 24 on both is a trunk, vlans all.
>> > Due to a lack of fiber down to the data center, Mob3 connects to a 
>> > trunked port on the 2950 in Mob2.
>> > Mob2 has fiber down to mob1 where it connects into a media converter.
>> > That is then connected to the Procurve on port 16. That's why I tagged
>> > port 16 on the other 3 vlans (24,50,51).
>> >
>> >> Date: Sun, 11 Jul 2010 12:26:38 -0700
>> >> Subject: Re: Procurve "seeing" other vlans
>> >> From: [email protected]
>> >> To: [email protected]
>> >>
>> >> Well, It looks as if:
>> >>
>> >> 1) Your VLAN trunk is port 16 and
>> >>
>> >> 2) You don't have any ports defined in your VLANs. All of them are 
>> >> defined in VLAN 1.
>> >>
>> >> I assume this is a 24-port switch (that's what the config makes it 
>> >> look like).
>> >>
>> >> My personal preference is to make the trunk port(s) the
>> >> next-to-last port(s) on the switch - I also make the very last port on
>> >> the switch a mirror port, or at least reserve it for that purpose if
>> >> it's not actually being used for that at that moment. I also don't
>> >> tend to use VLAN 1 at all.
>> >>
>> >> For comparison, below is my config for a 2510-48 in my shop - note that
>> >>
>> >> 1) VLAN 99 is just for the switches - nothing else lives on that 
>> >> IP address range or VLAN.
>> >> 2) the snmp community public is only "operator" - "unrestricted"
>> >> basically means read-write, while operator is read-only
>> >> 3) VLANs 111, 113 and 115 don't have any ports assigned and that 
>> >> port 50 is currently unused (reserved for mirroring), and that 
>> >> ports 51 and
>> >> 52 are "virtual" ports - they don't have actual physical ports.
>> >> 4) the trunk port for all of the VLANs is 49.
>> >>
>> >> To put a port in a VLAN, you 'untag' it inside that VLAN.
>> >>
>> >> ----------
>> >> hostname "2510-48 Dist 2"
>> >> max-vlans 10
>> >> time timezone -480
>> >> time daylight-time-rule Continental-US-and-Canada
>> >> ip default-gateway 192.168.99.1
>> >> sntp server 192.168.10.191
>> >> timesync sntp
>> >> logging 192.168.10.225
>> >> snmp-server community "public" Operator
>> >> snmp-server community "private" Operator Unrestricted
>> >> snmp-server host 192.168.24.63 "public"
>> >> vlan 1
>> >> name "DEFAULT_VLAN"
>> >> untagged 50-52
>> >> ip address dhcp-bootp
>> >> tagged 49
>> >> no untagged 1-48
>> >> exit
>> >> vlan 99
>> >> name "vlan99"
>> >> ip address 192.168.99.3 255.255.255.0
>> >> tagged 49
>> >> exit
>> >> vlan 111
>> >> name "vlan111"
>> >> tagged 49
>> >> exit
>> >> vlan 112
>> >> name "vlan112"
>> >> untagged 1,3,6-7,9-11,13-27,29-43,45-47
>> >> tagged 49
>> >> exit
>> >> vlan 124
>> >> name "vlan124"
>> >> untagged 2,4-5,8,12,28,44,48
>> >> tagged 49
>> >> exit
>> >> vlan 113
>> >> name "vlan113"
>> >> tagged 49
>> >> exit
>> >> vlan 115
>> >> name "vlan115"
>> >> tagged 49
>> >> exit
>> >> password manager
>> >> password operator
>> >> ----------
>> >>
>> >>
>> >> On Sun, Jul 11, 2010 at 10:46, paul d <[email protected]> wrote:
>> >> > Startup configuration:
>> >> >
>> >> > ; J9279A Configuration Editor; Created on release #Y.11.
>> >> >
>> >> > hostname "MOB-1PRO"
>> >> > time timezone 300
>> >> > ip default-gateway 192.168.103.6
>> >> > snmp-server community "public" Unrestricted
>> >> > vlan 1
>> >> >    name "DEFAULT_VLAN"
>> >> >    untagged 1-24
>> >> >    ip address 192.168.103.75 255.255.0.0
>> >> >    exit
>> >> > vlan 24
>> >> >    name "V24"
>> >> >    ip address 10.1.50.2 255.255.255.0
>> >> >    ip address 97.86.85.237 255.255.255.0
>> >> >    tagged 16
>> >> >    exit
>> >> > vlan 50
>> >> >    name "v50"
>> >> >    tagged 16
>> >> >    exit
>> >> > vlan 51
>> >> >    name "v51"
>> >> >    ip address 10.1.51.2 255.255.255.0
>> >> >    tagged 16
>> >> >    exit
>> >> > ip authorized-managers x.x.x.x
>> >> > ip authorized-managers x.x.x.x
>> >> > spanning-tree
>> >> > password ***
>> >> > password ***
>> >> >
>> >> >> Date: Sun, 11 Jul 2010 09:43:06 -0700
>> >> >> Subject: Re: Procurve "seeing" other vlans
>> >> >> From: [email protected]
>> >> >> To: [email protected]
>> >> >>
>> >> >> What does the config look like for the switch?
>> >> >>
>> >> >> On Sun, Jul 11, 2010 at 09:32, paul d <[email protected]> wrote:
>> >> >> > I'm more knowledgeable with Cisco than I am with Procurves,
>> >> >> > and I'm having trouble getting my Procurve 2510G to pass
>> >> >> > packets to vlans other than vlan 1. Our wireless is on a
>> >> >> > different vlan and right now I can't access the wireless AP.
>> >> >> > With the procurve, I think I'm missing some key ingredient,
>> >> >> > so to speak.
>> >> >> > I have 4 vlans: 1 (network), 24, 50, 51. I tagged port 16
>> >> >> > for vlans 24, 50, 51. Do I need to add IP addresses for the
>> >> >> > other vlans?
>> >> >> > The default g/way for the Procurve is our Cisco 4510 L3 switch.
>> >> >>
>> >> >
>> >>
>> >
>>
>


************************************************************************************
WARNING:
The information in this email and any attachments is confidential and may be 
legally privileged.

If you are not the named addressee, you must not use, copy or disclose this 
email (including any attachments) or the information in it save to the named 
addressee nor take any action in reliance on it. If you receive this email or 
any attachments in error, please notify the sender immediately and then delete 
the same and any copies.

"CLS Services Ltd · Registered in England No 4132704 · Registered Office: 
Exchange Tower · One Harbour Exchange Square · London E14 9GE"



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
