![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
Failed to get response at HP's forum so Ill try Hardforum instead 
A common use for Protocol-VLAN is when you want IPv4/ARP to go into one VLAN and IPv6 into another.
Such as:
#
vlan 100
description R1
protocol-vlan 0 mode ethernetii etype 0806
protocol-vlan 4 ipv4
#
vlan 101
description 01_CUSTOMER
protocol-vlan 6 ipv6
#
...
#
vlan 148
description 48_CUSTOMER
protocol-vlan 6 ipv6
#
#
interface GigabitEthernet1/0/1
description 01_CUSTOMER
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 101 untagged
port hybrid protocol-vlan vlan 100 0
port hybrid protocol-vlan vlan 100 4
port hybrid protocol-vlan vlan 101 6
port-isolate enable
#
However the above means that PVID is still set to VLAN 1 according to "display interface GigabitEthernet 1/0/1":
PVID: 1
Mdi type: auto
Port link-type: hybrid
Tagged VLAN ID : none
Untagged VLAN ID : 100-101
As I understand the use of Protocol-VLAN goes something like (according to http://www.startnetworks.info/2011/07/vlan-technology-2.html , Im having a hard time locating a reference from HP/H3C on how this actually works):
"
* If the packet matches the protocol template, and the In port of the packet is allocated to the VLAN of the corresponding VLAN ID, the packet is allocated to VLAN ID corresponding to the port configuration protocol template.
* If the packets have no matched protocol template, the packets are divided to the default VLAN ID of the port.
"
My interpretation of this (if this is correct) is that sure IPv4/ARP goes into VLAN 100 and IPv6 goes into VLAN 101. But if some other ethertype shows up that goes into VLAN 1... which sounds bad because this would mean that for example two IPX clients connected to two physical interfaces of this switch would be able to bypass the security model.
So how to secure a Protocol-VLAN configuration as above so that if the ethertype doesnt match IPv4/ARP/IPv6 then the packet arriving from the client should be dropped?
A common use for Protocol-VLAN is when you want IPv4/ARP to go into one VLAN and IPv6 into another.
Such as:
#
vlan 100
description R1
protocol-vlan 0 mode ethernetii etype 0806
protocol-vlan 4 ipv4
#
vlan 101
description 01_CUSTOMER
protocol-vlan 6 ipv6
#
...
#
vlan 148
description 48_CUSTOMER
protocol-vlan 6 ipv6
#
#
interface GigabitEthernet1/0/1
description 01_CUSTOMER
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 101 untagged
port hybrid protocol-vlan vlan 100 0
port hybrid protocol-vlan vlan 100 4
port hybrid protocol-vlan vlan 101 6
port-isolate enable
#
However the above means that PVID is still set to VLAN 1 according to "display interface GigabitEthernet 1/0/1":
PVID: 1
Mdi type: auto
Port link-type: hybrid
Tagged VLAN ID : none
Untagged VLAN ID : 100-101
As I understand the use of Protocol-VLAN goes something like (according to http://www.startnetworks.info/2011/07/vlan-technology-2.html , Im having a hard time locating a reference from HP/H3C on how this actually works):
"
* If the packet matches the protocol template, and the In port of the packet is allocated to the VLAN of the corresponding VLAN ID, the packet is allocated to VLAN ID corresponding to the port configuration protocol template.
* If the packets have no matched protocol template, the packets are divided to the default VLAN ID of the port.
"
My interpretation of this (if this is correct) is that sure IPv4/ARP goes into VLAN 100 and IPv6 goes into VLAN 101. But if some other ethertype shows up that goes into VLAN 1... which sounds bad because this would mean that for example two IPX clients connected to two physical interfaces of this switch would be able to bypass the security model.
So how to secure a Protocol-VLAN configuration as above so that if the ethertype doesnt match IPv4/ARP/IPv6 then the packet arriving from the client should be dropped?