Comware

Here are some questions on vlans. Even if you have the answer for one or two of the questions I would be grateful!

1. Does the "name" command on a VLAN have any technical usage or is it just an administrative feature?

2. If I create, for example, VLAN10 and move a random port to the new vlan,

conf
vlan 10
untag a5

the "untag a5" line is visible as expected in the VLAN10 part of the config, but why do I also see a line in VLAN1 like "no untag a5"? There is also the expected line in VLAN1 like "untag a1-a4,a6-a24" or similar. But why the no-line, it seems to be unneccerary?

3. On the default config on Procurve 5406zl I see a VLAN2100, what does that mean and can it be removed?

4. If a certain port, e.g. a5, is an untagged member of for example VLAN10, but a PC attached to the a5 port sends a faked 802.1Q frame with a tag of VLAN20, what will happen? We can assume that VLAN20 does exist on some other ports on the same switch.

5. Is it possible to not use VLAN1 at all and even delete it?

Hi RicN

1.
VLAN names - VLAN names are text fields that assist administrators to identify VLANs, within the switch the VLAN is identified by the 4 byte VLAN ID


2.
The No line means that the port in question has no association whatsoever with that VLAN. One VLAN rule is that a port can be an untagged member of at most one VLAN


3.
When you install the Wireless Module in the 5406zl Switch chassis, the wireless
Services-enabled switch detects the module and automatically creates a Radio Port VLAN. By default, the switch allocates VLAN 2100 for RP traffic. In addition to creating the default Radio Port VLAN, the wireless services-enabled switch automatically configures the moduleâ s internal downlink port as a tagged member of this VLAN. The Wireless Moduleâ s internal downlink port handles the traffic sent to and from RPs. You can remove it or assign another VLAN to it , wouldnâ t recommend it though.



4.
VLANs are virtual broadcast domains. When VLANs are configured on a switch, the switch maintains a separate forwarding table for each VLAN. As long as a5 is not a member (tagged or untagged) of VLAN20, the frame will be dropped


5.
VLAN 1 is the default VLAN, saying that when the switch is delivered all the ports are untagged members of the default VLAN1, removing untagged member from VLAN1 is not applicable If an administrator wants to delete a VLAN, the administrator should first reassign each port that is an untagged member of the VLAN to another VLAN. If you do
not explicitly reassign all untagged members to another VLAN, you are prompted
to allow the untagged members to be moved to the default VLAN.


Observe the following rules:

1. A port may be an untagged member of at most one VLAN
2. A port must be a member of at least one VLAN
3. When deleting a VLAN, for any ports that are untagged members, you are prompted to have them moved to the default VLAN

Good Luck!!

1.Thanks!

>2. The No line means that the port in question has no
>association whatsoever with that VLAN.

Yes, but this seems to be expressed twice for some reason, for example from VLAN1 config:

VLAN1
untagged a1-a4,a6-a24
no untagged a5
VLAN 10
untagged a5

Perhaps it does not matter, but I am just curious why VLAN1 must have the "no"-line, when the line above already excludes port a5?

3. Thanks!

>4. VLANs are virtual broadcast domains.
>When VLANs are configured on a switch, the
>switch maintains a separate forwarding table
>for each VLAN. As long as a5 is not a member
>(tagged or untagged) of VLAN20, the frame will be dropped

So there is not the risk that a malicous user could create a faked tagged VLAN frame (with say vlan id 20) and send it through some random port (untagged for VLAN10) and the switch would strip the VLAN tag and put it into the other VLAN (20)?


>5. VLAN 1 is the default VLAN, saying that when the
>switch is delivered all the ports are untagged
>members of the default VLAN1, removing untagged member
>from VLAN1 is not applicable If an administrator wants
>to delete a VLAN, the administrator should first
>reassign each port that is an untagged member of
>the VLAN to another VLAN.

I have tried to first move all ports to other VLANs, but when trying to execute the command "no vlan 1" I get the response that primary vlan can not be removed. Can I change which vlan is the "primary"?

What is by the way the primary VLAN? :)


And, one more VLAN question! Every switch has a certain number of supported VLANs (like 256 or 2048) and I have noticed that this number can be lowered with the command max-vlans - which also makes the switch reboot.

Why would you do this? Even if you just will use 25 different vlan, what advantages would you get with a lower number of supported vlans - from 256 to 50 for example.

4. There is always a risk :) What you are referring to is called Vlan hopping and its a computer security exploit: http://en.wikipedia.org/wiki/VLAN_hopping

5.Two different concepts here

In factory default configuration, the default VLAN:
- has the name "DEFAULT_VLAN".
- has VID = 1.
- includes all of the switch's ports.
- has all of its ports untagged.

Concept to be understood with the Default vlan/native vlan

You can change the name of the default VLAN, but you cannot delete it or change it's VID.

The switch requires that all ports be members of a VLAN. So, in order to remove a port from the default VLAN, you must first assign that port to another VLAN. In this way, you can move all ports out of the default VLAN, if you wish.

Primary Vlan/Management Vlan

1. In factory default configuration, the primary VLAN is the default VLAN.
2. The user can configure any VLAN to be the primary VLAN.
3. The switch sends and receives its stacking management packets only on the primary VLAN

Changing the Primary VLAN Using the CLI:

HP2512(config)# primary-vlan 22

6.Since the switch maintains a separate forwarding table for each VLAN.Its all about resource usage, the higher amount of vlans, the more the switch has too work :), in my opinion, the vlans should be created on needs basis

1. Does the "name" command on a VLAN have any technical usage or is it just an administrative feature?

Yes, there is a technical use for this feature now. When returning a VLAN ID from your RADIUS server for the purpose of Dynamic VLANs (802.1X) you can use either the 'name' or the VLAN ID.

Franklyn:

> 4. There is always a risk :) What you are
> referring to is called Vlan hopping

Is it know if Procurve switches are vulnerable to this exploit? And is it possible to protect against?


Regarding the special VLANs:

Am I correct in my understanding that the Default VLAN can not be changed from VID 1 to anything else, and that in effect makes the VLAN 1 not possible to delete?
(But you can however move away all ports from it.)

I am not really clear about the difference between Primary and Management VLANs. Is it correct that if you define the management VLAN with "management-vlan" command than all administration (telnet, ssh, http and more..) must go through this vlan?

The Primary VLAN, if I change this from VLAN 1 to for example VLAN 10, which traffic will go on this new VLAN? Is it frames like LLDP and STP? Anything else?


>6. Since the switch maintains a separate forwarding
>table for each VLAN.Its all about resource usage,
>the higher amount of vlans, the more the switch
>has too work :), in my opinion, the vlans should
>be created on needs basis.

If you know that you will never need more than, say, 50 VLANs and you only define the VLANs when you actually is going to use them, will there be any gain to lower the maximum range with "max-vlans" command to 50? Since it requires a reboot it seems to have something to do with perhaps memory resources management, but I wonder if it is worth doing?

Am I correct in my understanding that the Default VLAN can not be changed from VID 1 to anything else, and that in effect makes the VLAN 1 not possible to delete?

Yes


Is it know if Procurve switches are vulnerable to this exploit? And is it possible to protect against?

Regards to Vlan Hopping, attack is not easy, require followings:
â ¢Access to the Management Vlan
â ¢Target machine is in different switch
â ¢Attacker knows MAC address of the target machine

I am not really clear about the difference between Primary and Management VLANs. Is it correct that if you define the management VLAN with "management-vlan" command than all administration (telnet, ssh, http and more..) must go through this vlan?

The Primary VLAN, if I change this from VLAN 1 to for example VLAN 10, which traffic will go on this new VLAN? Is it frames like LLDP and STP? Anything else?

Management VLANâ The management VLAN is for managing the switches through remote management tools, such as the web interface, SSH, Telnet, or SNMP. The management VLAN ID is configurable. Communication with the switch management interface is through the switch IP address. The IP address is associated with the management vlan.

Thanks Franklyn for keeping up with my questions! :)

I think now that I understand the Default and Management VLANs, still unsure of which traffic is passed over the Primary VLAN?

(And also, is the Default VLAN the same as the Native VLAN on Cisco?)

Hi

Yes, Native Vlan on Cisco = Default Vlan on ProCurve (and most of the vendors except Cisco).

Primary Vlan = Default Vlan.

You can change Default Vlan ID from 1 to any other ID if you like and thats recommended for security reasons (because by default all the ports are Untagged to Vlan1).

Command:
Sw(config)#primary-vlan <VLAN id="">

Management Vlan, is the Vlan used or Dedicated to Manage the Network Switches in Multiple Vlans environment,
and for Security & Performance reasons, you can implement the Management Vlan feature.

In this case the Management Vlan Subnet won;t be inserted in the Routing Table and it will be accessible only from the Same Vlan, and if you have PCM+ in the same Vlan then life will be good :)

Good Luck !!!</VLAN>

>Yes, Native Vlan on Cisco = Default Vlan on
>ProCurve (and most of the vendors except
>Cisco).

>Primary Vlan = Default Vlan.

>You can change Default Vlan ID from 1 to
>any other ID if you like and thats
>recommended for security reasons

But a strange thing is that even if I change primary VLAN to, say VID 2, I can still not delete VLAN1.

And more strange is if I set primary VLAN to something, vlan 2, and move all ports to VLAN 10, and then remove VLAN10 - the ports are being moved to VLAN1 and not to the primary VLAN.

So it seems like VLAN1 is something like hard-coded for default vlan, but what does the primary VLAN do?

Hi

I guess you should read page 2-46 from this:

http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ATG-Jan08-2-VLAN.pdf

It explains whats the Default Vlan and Primary Vlan, and the Roles to deal with both.


Good Luck !!!

Thank you for your reply!

>I guess you should read page 2-46 from this:

>http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ATG-Jan08-2-VLAN.pdf

>It explains whats the Default Vlan and
>Primary Vlan, and the Roles to deal with both.

I have now downloaded and read the pdf-file and it was a good document!

I was a little confused because some things did not match what you wrote earlier, i.e.:

>>Primary Vlan = Default Vlan.
>>You can change Default Vlan ID from 1 to
>>any other ID if you like and thats
>>recommended for security reasons

From what I can read from the document the Primary VLAN is in the factory default the same as the Default VLAN, but you can not change the Default VLAN. It seems to be hardcoded as VLAN1.

You seems however be able to the change the "Primary VLAN", but from the examples in the document it seems to be mostly used for dhcp traffic if the switch is a dhcp client.

I wonder on which VLAN frames like LLDP and BPDU are being sent?

Hi

The Primary or Native Vlan (Default=1) is used to send such frames.

One more document talk ALOT about the real use of Native or Primary Vlan in both Cisco and ProCurve.

http://www.tecnocael.it/ftp/docs/ProCurve_Cisco.pdf

Good Luck !!!