0

(I'm not an IT expert)

I'm looking for guidance on configuring my network setup involving an HPE 1920S 24G Layer 2 / Layer 3 Switch and an Asus RT-AC87U Router. I aim to divide the network into two VLANs:

  • VLAN1: Consisting of ports 1-20.
  • VLAN2: Consisting of ports 21-24.

Both VLANs should be able to access the internet through the Asus router. Additionally, I'd like each VLAN to be linked to its own subnet (I suppose two separate DHCP services are required, and my assumption is that the specified router cannot provide them).

Any insights or tips would be greatly appreciated. Could someone walk me through the steps or provide a guide on how to achieve this configuration?



A short search on the router end led me here (although I am not sure if it is the right place). What is the meaning of, and what should I write in, the yellow-marked region?

Asus RT-AC87U



On the Switch end, I have this:

enter image description here



Amit
  • 362

2 Answers

2

This can only be made to work using a separate DHCP server for the 2nd VLAN.

The Asus router doesn't support multiple DHCP scopes.
(Either natively or via the alternative Merlin-WRT firmware.)

The switch can handle the static routing between the VLANs, but (to my knowledge) can't act as a DHCP server either.

The way to go would be to connect the Asus router with one of its LAN ports to VLAN A on the switch. This makes the VLAN A ports on the switch an extension of the wired ports on the router, and the router will provide DHCP to VLAN A. Then, on the router, you add a static route that redirects traffic for VLAN B to the VLAN A interface of the switch. And on the switch you set a default route to the LAN address of the router.

That should do the trick... Except that there is no DHCP server on VLAN B.
That you will have to add by other means.

PS. That Asus router is old and doesn't get firmware/security updates anymore. I would really recommend you get a newer model...

Tonny
  • 33,276
2

> Additionally, I'd like each VLAN to be linked to its own subnet

That's already mandatory (more or less). It would actually be a bit more annoying to set up VLANs that didn't have separate subnets while still staying isolated (i.e. not becoming a single VLAN).

> Both VLANs should be able to access the internet through the Asus router

Your Asus router doesn't seem to support VLANs directly; at least not with stock Asus firmware. (It's usually easy to do with e.g. OpenWRT or DD-WRT or similar, but it's relatively rare for "home router" products – not limited to Asus – to have that kind of flexibility out of the box.)

Generally you would need, at the very minimum, the ability to create two "LANs" – either by using two separate LAN ports, or by using 802.1Q "tagged" VLANs over a single port. It doesn't seem that Asus firmware offers any of those options for generic LAN usage. The Switch Control tab hints at it being a possibility, but the official manual doesn't even show what's in there, and the LAN IP tab also seems to lack anything useful.

The IPTV section does indeed deal with 802.1Q tagging in a way, but it won't quite work for this; it's made for a very specific purpose and will most likely only be capable of bridging the VLAN directly through – not routing for it.

On the other hand, your HP switch is a "Layer 3" switch – which basically means it can also be a router. That might be your easiest option… although unfortunately the switch doesn't support being a DHCP server; per its manuals, it can only relay the DHCP requests to some other DHCP server (and you can't use the Asus for that). For example, if you had a spare RPi to run "isc-dhcp-server" on, that could do the job.

So if DHCP weren't an issue, I would first enable routing on the L3 switch under "Routing > Global", then create "Routing IP interfaces" on the switch (for any additional VLANs aside from the "main" Asus VLAN). Then, on the Asus router, you would need to create static routes specifying that the additional subnets are reachable via the HP switch/router.

(Alternatively, replace the Asus with another router that has direct support for VLANs, while keeping the Asus as only a Wi-Fi access point.)

grawity
  • 501,077
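
Both answers leave DHCP for the second VLAN to a separate server reached through the switch's DHCP relay. The following `dhcpd.conf` for isc-dhcp-server is an added example, not part of either answer. Every address in it is an assumption: VLAN A is 192.168.1.0/24 with the Asus at 192.168.1.1, the DHCP host sits on VLAN A at a static 192.168.1.2, and the switch's routing interface on VLAN B is 192.168.2.1.

```conf
# /etc/dhcp/dhcpd.conf on the separate DHCP host (for example a Raspberry Pi).
# All addresses below are assumed for illustration; adjust to your own plan.

default-lease-time 3600;
max-lease-time 86400;

# VLAN A: the subnet this host is attached to (assumed static IP 192.168.1.2).
# dhcpd refuses to start without a declaration for its own interface subnet.
# The block is left empty so that no leases are offered here; the Asus
# router stays the only DHCP server on VLAN A.
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# VLAN B: requests arrive through the switch's DHCP relay. The relay stamps
# its VLAN B interface address (assumed 192.168.2.1) into the request, and
# dhcpd uses that address to select this scope.
subnet 192.168.2.0 netmask 255.255.255.0 {
  # This server is the only one for VLAN B, so it may reject stale leases.
  authoritative;

  range 192.168.2.100 192.168.2.200;

  # Default gateway for VLAN B clients is the switch's routing interface,
  # not the Asus; the switch forwards onward via its default route.
  option routers 192.168.2.1;

  # Clients reach the Asus resolver through the switch. The replies only
  # come back if the Asus has the static route for 192.168.2.0/24 via the
  # switch's VLAN A address, as described in the answers.
  option domain-name-servers 192.168.1.1;
}
```

On the switch, the DHCP relay for VLAN B would point at the DHCP host's address (192.168.1.2 in this sketch), and the DHCP host needs the same return path to 192.168.2.0/24 as the Asus, either through its default gateway or a static route via the switch.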