03-13-2013 12:39 PM
Could not reach Vlan2 members from Vlan3 or in general from one Vlan to other Vlans
I am trying to configure a 5406 with 80 x GbE and 8 x 10GbE ports. As you can see from the config below, I got 6 x Vlans created on the router. I would like to be able to reach Vlan6 members from Vlan3 members. To enable this I enabled ip routing on the switch. Still I cannot reach it. What I am trying to do in the end is enable some vlans to communicate with each other and keep some vlans private.
hostname "BROADCAST_BACKUP"
module 1 type J9548A
module 2 type J9548A
module 3 type J9548A
module 4 type J9548A
trunk B22,D22 Trk1 Trunk
ip routing
vlan 1
name "DEFAULT_VLAN"
untagged B21,D21,Trk1
no untagged A1-A22,B1-B20,C1-C22,D1-D20
no ip address
exit
vlan 2
name "PRIV2"
untagged A1-A4
no ip address
exit
vlan 3
name "SERVER"
untagged A5-A20
tagged Trk1
no ip address
exit
vlan 4
name "MANAGER"
untagged B1-B4
no ip address
exit
vlan 5
name "MG_PUBLIC"
untagged A21-A22,C1-C4,C21-C22
tagged Trk1
no ip address
exit
vlan 6
name "SHOP_PUBLIC"
untagged B5-B20,C5-C20,D1-D20
tagged Trk1
no ip address
exit
snmp-server community "public" unrestricted
spanning-tree Trk1 priority 4
03-13-2013 02:42 PM
Re: Could not reach Vlan2 members from Vlan3 or in general from one Vlan to other Vlans
Do you currently have a router that allows your clients on VLAN 2 and VLAN 3 to talk to other subnets (like the Internet)? When you turn on ip routing on your 5206 you need to give each VLAN an IP address that the clients of the given subnet can talk to (you are literally turning the switch into a router). To prevent subnets from talking to each other, implement ACLs. We use an 8206 for routing and the configuration goes like this:
1. VLAN 2 & 3 are assigned an IP address for their given subnet
2. The client computers are configured so their default gateway is the IP address of the switch
3. ACLs are used to prevent clients on different subnets from talking to each other as desired.
Simple Example based on how we do it:
ip routing
ip route 0.0.0.0 0.0.0.0 X.X.X.X #Unknown IP traffic is sent to the next router hop
VLAN 2
name "PRIV2"
untagged A1-A4
ip access-group "VLAN2-ACL" in
ip address 192.168.2.1 255.255.255.0
exit
VLAN 3
name "SERVER"
untagged A5-A20
ip access-group "VLAN3-ACL" in
tagged Trk1
ip address 192.168.3.1 255.255.0.0
exit
ip access-list extended "VLAN2-ACL"
10 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
20 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255 #IP address 192.168.4.0 used as an example. Continue adding denies for IP ranges you do not want the subnet to have access to.
exit
ip access-list extended "VLAN3-ACL"
10 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
20 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
exit
# Continue writing access lists for each VLAN and assign accordingly.
Computer on VLAN2 settings:
IP: 192.168.2.2
Mask: 255.255.0.0
Gateway: 192.168.2.1
Computer on VLAN3 settings:
IP: 192.168.3.2
Mask: 255.255.0.0
Gateway: 192.168.3.1
In that configuration a computer on VLAN 2 should be able to talk to a computer on VLAN 3, but not VLAN 4. Check out the documentation on ACLs. You can get pretty crazy depending on what you want to do.
03-13-2013 03:47 PM
Re: Could not reach Vlan2 members from Vlan3 or in general from one Vlan to other Vlans
Minor correction required: in your reply you've used a lot of /16 subnet masks which should be /24 instead.
03-14-2013 05:50 AM
Re: Could not reach Vlan2 members from Vlan3 or in general from one Vlan to other Vlans
Sorry about that. We use /16 subnets on our network and I guess I typed in those masks because of muscle memory.
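
Added example (not written by any poster in this thread): a small Python model of first-match extended-ACL evaluation with wildcard masks and the implicit final deny, run against "VLAN2-ACL" as posted above, plus an overlap check on the VLAN interface addresses that shows why the /16 mask needed to become /24. The function names and the 203.0.113.10 test destination are assumptions made for illustration.

```python
import ipaddress

# Constructed from the ACL posted above: (seq, action, src, src_wc, dst, dst_wc)
VLAN2_ACL = [
    (10, "permit", "192.168.2.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    (20, "deny", "192.168.2.0", "0.0.0.255", "192.168.4.0", "0.0.0.255"),
]

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard mask does not ignore."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, src, dst):
    """First matching entry wins; returns (action, seq), seq None = implicit deny."""
    for seq, action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action, seq
    return "deny", None

def overlapping_interfaces(interfaces):
    """Return pairs of VLAN names whose connected subnets overlap."""
    nets = {n: ipaddress.ip_interface(f"{ip}/{mask}").network
            for n, (ip, mask) in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

# VLAN interface addresses as posted, and with the /24 correction applied
AS_POSTED = {"VLAN2": ("192.168.2.1", "255.255.255.0"),
             "VLAN3": ("192.168.3.1", "255.255.0.0")}
CORRECTED = {"VLAN2": ("192.168.2.1", "255.255.255.0"),
             "VLAN3": ("192.168.3.1", "255.255.255.0")}

if __name__ == "__main__":
    for dst in ("192.168.3.2", "192.168.4.10", "203.0.113.10"):
        print("192.168.2.2 ->", dst, evaluate(VLAN2_ACL, "192.168.2.2", dst))
    print("overlaps as posted:", overlapping_interfaces(AS_POSTED))
    print("overlaps with /24: ", overlapping_interfaces(CORRECTED))
```

The third flow falls through to the implicit deny, so traffic from VLAN 2 toward the default route is dropped unless the ACL gains a permit entry for it.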