
How To Configure Layer 3 Static Routes & VLANs On HP v1910 24G

In the last how to, we performed the firmware upgrade
and initial configuration on the HP v1910 24G.
It's now time to start placing some VLANs onto our switch. A good
starting point is: why do we use VLANs?
Well, a VLAN enables us to:

Logically segment a switch into smaller switches, in much the same
way that ESXi allows you to run multiple virtual machines on the
same physical hardware.

Create logical boundaries so that traffic from one VLAN to
another VLAN is permitted or not permitted, e.g. User VLAN accessing
Server VLAN.

Reduce the broadcast domains, in the same way that a switch
creates a separate collision domain for each device plugged into it. A
VLAN reduces the ARP broadcasts sent out.

Before we move any further, we need to understand what purpose the
VLANs will serve in our environment and what they will be assigned
to. For me, it's quite straightforward: the HP v1910 will be used as
my main home lab switch and as such I need a VLAN for the following
purposes:

Management
iSCSI
vMotion
Backup
HP Fail Over Manager

With this in mind, I would highly recommend creating a network
table containing your VLAN Names, VLAN ID, Subnet and Switch IP
Address. You may ask, why do you bother? Well, I deal with a large
number of clients' infrastructures and I often find that I get confused as
to what subnets are doing what!

You will notice that I have assigned an IP address to the switch on
every VLAN. The reason for this is the HP v1910 can also do layer 3
static routing, so in my home environment the switch is the default
gateway as well.

Layer 3 Static Routes

OK, let's log in to the HP v1910 24G using the IP address and
username/password we assigned previously.
Why use layer 3 static routes? Well, I want to be able to route between
VLANs. This is critical for my HP Failover Manager (FOM VLAN) which
needs to be in a logical third site to communicate with the HP Virtual
Storage Appliance (iSCSI VLAN). Each device on each VLAN
will use the switch as its default gateway. This means that the
network traffic will only leave the switch if it has a destination subnet
for which the switch is not responsible, e.g. the internet.
To do this, click on Network from the left hand panel then IPv4 Routing.

Click Create. In Destination IP Address enter 0.0.0.0, in Mask enter
0.0.0.0, in Next Hop enter 192.168.37.254, then select Preference and
enter 10.

So what are we actually doing? Well, we are saying to the switch: for
any destination IP address and any subnet, send all that traffic to
this router/firewall whose IP address is 192.168.37.254 (next hop).
Hopefully it should look something like this.

Cool, let's test it. Change a computer to use the HP v1910 24G switch
as its default gateway.

We should now be able to ping the switch, the switch's next hop and
also something out on the internet.

Boom, it's all working, let's move on!


VLAN Configuration

Hopefully, you have already decided on your VLAN configuration and
IP addresses for the switch. So let's crack on and start configuring.
Select Network from the left hand menu, then VLAN and then Create.

My first VLAN ID is 10, so we enter this and click Create to the left
hand side. Next, modify the VLAN description from VLAN 0010 to
iSCSI and then click Apply.

Rinse and repeat until you have entered all of your VLANs into the
switch. Here's one I made earlier.

TOP TIP: don't forget to click Save in the top right hand corner
on a regular basis.

Great, we have created the VLANs, now we need to assign them to
some switch ports. We need to understand what happens when we
change the port characteristics. The options we have are:

Untagged: whatever device we plug into this switch port
will automatically be placed into this VLAN. Commonly used for
devices which are not VLAN aware (most desktops/laptops).

Tagged: if a device is VLAN aware and it has been assigned to
a VLAN, when it is plugged into the switch port it won't go into the
Untagged VLAN, it will go into the Tagged VLAN (think IP phones).

As this switch is for my vSphere 5 environment and vSphere is VLAN
aware, we are going to set every port to be Tagged into every VLAN.
What will this achieve? Well, every device which is not VLAN aware will
go straight into the Management VLAN. Then on the port groups
within the vSwitches I can assign VLANs.
To do this, click Network from the left hand menu, then VLAN and
finally Modify Port.

By default every port will be untagged in VLAN 1 so we don't need to
make any modifications to this. Click Select All, then Tagged, and last
of all enter the VLAN IDs, in this case 10,20,30,40, and click Apply.

You will receive a pop up letting you know that Access Ports
will change to Hybrid Ports. We are cool with this, so click OK.
To verify the VLANs have been set correctly, go to Port Detail and
choose Select All. It should show the following.

Assign An IP Address To Each VLAN

I mentioned earlier on in the post that we wanted to assign an IP
address to each VLAN so that the HP v1910 24G becomes the default
gateway for all devices. To do this, select Network from the left hand
menu, then VLAN Interface and Create.

Now this is when I need to refer back to my network table! We input
the VLAN ID e.g. 10 and then enter the IP Address e.g. 10.37.10.221
and Mask e.g. 255.255.255.0.
I always deselect Configure IPv6 Link Local Address then click Apply.

Rinse and repeat for the rest of your VLANs. To make sure everything
is tickety boo, click on Summary and you should be greeted with a
page similar to this.

Time to test. So from your computer you should now be able to ping
each VLAN IP address on the switch.

Success, that's our HP v1910 24G configured with VLANs.


How To Configure Access Lists & Route Between VLANs On HP v1910 24G

In the previous how to, we configured layer 3 static routes and VLANs
on the HP v1910 24G. You will have noticed that all traffic can pass
between VLANs without any restrictions. So why is this happening?
Well, the answer is because we have turned on routing by giving an IP
Address to each VLAN. This means the HP v1910 uses its own
routing table to send traffic from VLAN 1 to VLAN 10.

Let's test this. My laptop sits on VLAN 1 on IP Address
192.168.37.152 using the HP v1910G as its default gateway on
192.168.37.221.

I have five VLAN Interfaces created, which can be found under
Network > VLAN Interface > Summary.

Behind VLAN 10 is a device with IP Address 10.37.10.11, which I can
ping.

Next, I'm going to remove the VLAN Interface for VLAN 10.

Don't worry, the VLAN is still in play, we have just removed the ability
to route between subnets. Now if we ping the same device we get an
epic fail.

Notice we get a reply from 192.168.37.254, which isn't a VLAN IP
Address. The reason for this is that 192.168.37.254 is the default
gateway for our HP v1910G. The HP v1910G is saying "I haven't got a
clue how to get to 10.37.10.11, so let me send that traffic to my
default gateway 192.168.37.254".

My firewall, which is on 192.168.37.254, has a static route to
10.37.10.0 255.255.255.0 via 192.168.37.221 (VLAN 1 Interface on
HP v1910G). When the HP v1910G receives the packet, it drops it as
it has nowhere to send the ICMP request.
So just to reiterate: when we have a VLAN Interface, the HP
v1910G will be able to route all traffic between VLANs, unless we do
something about it.
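
The routing decision described above, modelled as an added example (not from the original post or the switch firmware): each VLAN interface installs a connected route and the most specific matching route wins. The table layout and function names are assumptions; the addresses are the ones used in this post.

```python
import ipaddress

# Static default route created earlier in the post: 0.0.0.0/0 via 192.168.37.254.
DEFAULT_ROUTE = (ipaddress.ip_network("0.0.0.0/0"), "next hop 192.168.37.254")

# VLAN interfaces from the post (VLAN ID -> switch IP, mask).
WITH_VLAN10 = {
    1: ("192.168.37.221", "255.255.255.0"),
    10: ("10.37.10.221", "255.255.255.0"),
}
# Same switch after the VLAN 10 interface has been removed.
WITHOUT_VLAN10 = {1: ("192.168.37.221", "255.255.255.0")}


def connected_routes(vlan_interfaces):
    """Every VLAN interface (IP + mask) yields a directly connected subnet."""
    routes = []
    for vlan_id, (ip, mask) in vlan_interfaces.items():
        subnet = ipaddress.ip_interface(f"{ip}/{mask}").network
        routes.append((subnet, f"connected via VLAN interface {vlan_id}"))
    return routes


def lookup(dst, vlan_interfaces):
    """Longest-prefix match over connected routes plus the default route."""
    dst = ipaddress.ip_address(dst)
    table = connected_routes(vlan_interfaces) + [DEFAULT_ROUTE]
    matching = [route for route in table if dst in route[0]]
    # The default route always matches, so 'matching' is never empty.
    return max(matching, key=lambda route: route[0].prefixlen)[1]


if __name__ == "__main__":
    for name, table in (("with", WITH_VLAN10), ("without", WITHOUT_VLAN10)):
        print(f"{name} VLAN 10 interface:", lookup("10.37.10.11", table))
```

With the VLAN 10 interface present, the switch routes 10.37.10.11 itself and the firewall never sees the traffic, so any filtering between VLANs has to happen on the switch.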

Access Lists

This is where the Access List comes into play. An Access List specifies
what source traffic is allowed to get to what destination. Think
of it as being in a hallway in a house where all the doors are locked. You
then get given a key and you can get from the hallway into the
lounge. The source is the hallway, the destination is the lounge and
the key is the Access List.
So before we move any further, I want to give you a brief explanation
of what I want to be able to achieve.

My laptop resides on 192.168.37.152/24 on VLAN 1 and I want to be
able to connect to my HP StoreVirtual VSA which is on 10.37.20.1/24
VLAN 20.
I also have a Windows 7 machine on 10.37.20.211/24 VLAN 20.
I want to be able to get from my laptop to 10.37.20.1, but I don't want
to let any other traffic through.
Let's run a ping to both devices. You can see that I
have connectivity to both 10.37.20.1 HP StoreVirtual VSA and
10.37.20.221 Windows 7.

So let's create an Access List to do something about this.


Creating An Access List

We need to go to QoS from the left hand menu then onto ACL IPv4.

Next we want to select Create.

Now we have a choice from Basic ACLs, Advanced ACLs and Ethernet
Frame Header ACLs. OK, what are the differences?

Basic ACL: these only match source IPv4 addresses.
Advanced ACL: these match source and destination IPv4 addresses
and also protocols on different port numbers, e.g. TCP 80.
Ethernet Frame Header ACL: these match source and destination
MAC addresses.

With this in mind, we are going to use Advanced ACLs as we want
to match interesting traffic from source to destination.
In the ACL Number section, type in 3001, set the match
order to Config and click Apply.

You will see the ACL Number appear in the bottom table. Notice we
have no rules applied against it yet.

Next we want to go onto the Advanced Setup tab at the top. We are
going to enter the following information:

ACL > Select 3001
Rule ID > Select and Enter 10
Action > Permit
Source IP Address > 192.168.37.152
Source Wildcard > 0.0.0.0
Destination IP Address > 10.37.20.1
Destination Wildcard > 0.0.0.0
Protocol > IP
Click Add

Now when you click on the Summary tab you should see your rule in
place!

I want to backtrack slightly on some of the entries we made into the
Advanced ACL, to make sure you are clear on what we did.

Rule ID: this is the order in which the rules are read. We entered
number 10, so this rule is read first. If you added a rule ID 9, this
would get read before rule ID 10.
Wildcard: this is the reverse of a normal subnet mask, e.g.
255.255.255.0 becomes 0.0.0.255.

TOP TIP: At the end of every Access List is always a silent
deny, which means you don't see the traffic being dropped, it
just happens!

Let's see if it works, shall we? Let's ping from my laptop to the HP
StoreVirtual VSA 10.37.20.1: success. What about the Windows 7 on
10.37.20.211? Err, also success, that's not right!

So what the heck is going on? Well, as we haven't applied
ACL 3001 to an interface, everything carries on as per normal.
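
What ACL 3001 decides once it is actually bound to a port, and why nothing changes while it is not, as an added example (not from the original post or the switch firmware). It models wildcard matching, rule-ID order and the silent deny; the function names and the rule 9 entry are constructed for illustration, and the protocol field is ignored because the rule matches all IP.

```python
import ipaddress


def mask_to_wildcard(mask):
    """A wildcard is the bitwise inverse of the subnet mask."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# ACL 3001 as entered in the post: rule ID -> (action, src, src wc, dst, dst wc)
ACL_3001 = {
    10: ("permit", "192.168.37.152", "0.0.0.0", "10.37.20.1", "0.0.0.0"),
}

# Constructed variant: a broader deny with rule ID 9 is read before rule 10.
ACL_WITH_RULE_9 = dict(ACL_3001)
ACL_WITH_RULE_9[9] = ("deny", "192.168.37.0", "0.0.0.255",
                      "10.37.20.0", "0.0.0.255")


def evaluate(acl, src, dst, applied=True):
    """Lowest rule ID is read first and the first matching rule decides."""
    if not applied:
        return "permit"  # ACL exists but is bound to no port: no filtering
    for rule_id in sorted(acl):
        action, s, s_wc, d, d_wc = acl[rule_id]
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"  # silent deny at the end of every access list


if __name__ == "__main__":
    laptop = "192.168.37.152"
    for dst in ("10.37.20.1", "10.37.20.211"):
        print(dst, "unapplied:", evaluate(ACL_3001, laptop, dst, applied=False),
              "applied:", evaluate(ACL_3001, laptop, dst))
```

The rule 9 variant shows why rule IDs matter: a broad deny numbered below the permit shadows it, so the laptop loses access to 10.37.20.1 as well.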
To be honest, applying an Access List to an interface on the HP
v1910G is a royal pain. For most switches you just choose to apply
the ACL to an interface either inbound or outbound. However, on the
HP v1910G you have to perform the following:

Create a QoS Classifier
Create a QoS Behavior
Create a QoS Policy using the QoS Classifier and QoS Behavior
Apply the QoS Policy to a Port

I'm not going to run through how to do this, as examples can be found
in the HP v1910G Manual, page 465.

https://vmfocus.com/2012/09/26/how-to-configure-layer-3-static-routesvlans-on-hp-v1910-24g/
https://vmfocus.com/2012/10/14/how-to-configure-access-lists-routebetween-vlans-on-hp-v1910-24g/
