Aruba & ProVision-based

Myro
Occasional Contributor

Could not reach Vlan2 members from Vlan3 or in general from one Vlan to other Vlans


I am trying to configure a 5406 with 80 x GbE and 8 x 10GbE ports. As you can see from the config below, I have 6 VLANs created on the router. I would like to be able to reach Vlan6 members from Vlan3 members. To enable this I enabled ip routing on the switch. Still I can not reach it. What I am trying to do in the end is enable some VLANs to communicate with each other while keeping other VLANs private.

hostname "BROADCAST_BACKUP"

module 1 type J9548A
module 2 type J9548A
module 3 type J9548A
module 4 type J9548A
trunk B22,D22 Trk1 Trunk
ip routing
vlan 1
name "DEFAULT_VLAN"
untagged B21,D21,Trk1
no untagged A1-A22,B1-B20,C1-C22,D1-D20
no ip address
exit
vlan 2
name "PRIV2"
untagged A1-A4
no ip address
exit
vlan 3
name "SERVER"
untagged A5-A20
tagged Trk1
no ip address
exit
vlan 4
name "MANAGER"
untagged B1-B4
no ip address
exit
vlan 5
name "MG_PUBLIC"
untagged A21-A22,C1-C4,C21-C22
tagged Trk1
no ip address
exit
vlan 6
name "SHOP_PUBLIC"
untagged B5-B20,C5-C20,D1-D20
tagged Trk1
no ip address
exit
snmp-server community "public" unrestricted
spanning-tree Trk1 priority 4

a_gizmo
Visitor

Re: Could not reach Vlan2 members from Vlan3 or in general from one Vlan to other Vlans

Do you currently have a router that allows your clients on VLAN 2 and VLAN 3 to talk to other subnets (like the Internet)? When you turn on ip routing on your 5206 you need to give each VLAN an IP address that the clients of the given subnet can talk to (you are literally turning the switch into a router). To prevent subnets from talking to each other, implement ACLs. We use an 8206 for routing and the configuration goes like this:

1. VLAN 2 & 3 are assigned an IP address for their given subnet

2. The client computers are configured so their default gateway is the IP address of the switch

3. ACLs are used to prevent clients on different subnets from talking to each other as desired.

Simple example based on how we do it:

ip routing
ip route 0.0.0.0 0.0.0.0 X.X.X.X #Unknown IP traffic is sent to the next router hop

VLAN 2
name "PRIV2"
untagged A1-A4
ip access-group "VLAN2-ACL" in
ip address 192.168.2.1 255.255.255.0
exit

VLAN 3
name "SERVER"
untagged A5-A20
ip access-group "VLAN3-ACL" in
tagged Trk1
ip address 192.168.3.1 255.255.0.0
exit

ip access-list extended "VLAN2-ACL"
  10 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
  20 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255 #IP address 192.168.4.0 used as an example. Continue adding denies for IP ranges you do not want the subnet to have access to.
exit

ip access-list extended "VLAN3-ACL"
  10 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
  20 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
exit

# Continue writing access lists for each VLAN and assign accordingly.

Computer on VLAN2 settings:
IP: 192.168.2.2
Mask: 255.255.0.0
Gateway: 192.168.2.1

Computer on VLAN3 settings:
IP: 192.168.3.2
Mask: 255.255.0.0
Gateway: 192.168.3.1

In that configuration a computer on VLAN 2 should be able to talk to a computer on VLAN 3, but not VLAN 4. Check out the documentation on ACLs. You can get pretty crazy depending on what you want to do.
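To see how the switch will actually evaluate the ACL lines in the reply above, here is a small Python evaluator for ProVision-style extended IP ACLs. It is an added example, not code from the thread or from HPE/Aruba. It parses the `VLAN2-ACL` entries exactly as posted, applies them with the same semantics the switch uses (wildcard mask where 1-bits are "don't care", first match wins, and an implicit `deny any any` after the last entry) to a few constructed flows, and then does the same for a variant ACL (an assumption of mine, not from the post) that adds an explicit `permit ... any` at the end so VLAN 2 hosts can still reach the default route. The 192.168.6.0/24 subnet and the 203.0.113.10 "Internet" address are constructed sample values.

```python
"""Evaluator for ProVision-style extended IP ACLs (added example, not from the thread).

Semantics modelled: wildcard masks (1-bits are don't-care), entries tried in
sequence-number order, first match wins, implicit 'deny any any' at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AddrSpec = Tuple[int, int]  # (address, wildcard) as 32-bit ints


@dataclass
class AclEntry:
    seq: int
    action: str      # "permit" or "deny"
    proto: str       # the thread's ACLs only use "ip"
    src: AddrSpec
    dst: AddrSpec


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse '<seq> permit|deny ip <src> <dst>' lines; '#' starts a comment as in the post."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        t = line.split()
        seq, action, proto = int(t[0]), t[1], t[2]
        src, i = _parse_addr(t, 3)
        dst, _ = _parse_addr(t, i)
        entries.append(AclEntry(seq, action, proto, src, dst))
    return sorted(entries, key=lambda e: e.seq)


def _match(spec: AddrSpec, ip: str) -> bool:
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF          # bits that must match
    return (_ip(ip) & care) == (addr & care)


def evaluate(entries: List[AclEntry], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry, or ('deny', None) for the implicit deny."""
    for e in entries:
        if _match(e.src, src_ip) and _match(e.dst, dst_ip):
            return e.action, e.seq
    return "deny", None


# VLAN2-ACL exactly as posted in the reply
VLAN2_ACL_AS_POSTED = """
10 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
20 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255 #example deny
"""

# Assumed variant (not from the post): deny the rest of 192.168.0.0/16 after the
# wanted permit, then permit everything else so the default route stays reachable.
VLAN2_ACL_WITH_DEFAULT_PERMIT = """
10 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
20 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
30 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
40 permit ip 192.168.2.0 0.0.0.255 any
"""


def check_flows(acl_text: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate a few constructed flows from a VLAN 2 host against the given ACL."""
    acl = parse_acl(acl_text)
    flows = {
        "to_vlan3": ("192.168.2.2", "192.168.3.2"),
        "to_vlan4": ("192.168.2.2", "192.168.4.2"),
        "to_vlan6": ("192.168.2.2", "192.168.6.2"),      # constructed subnet
        "to_internet": ("192.168.2.2", "203.0.113.10"),  # constructed external address
    }
    return {name: evaluate(acl, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, text in [("as posted", VLAN2_ACL_AS_POSTED),
                        ("with default permit", VLAN2_ACL_WITH_DEFAULT_PERMIT)]:
        print(label)
        for flow, (action, seq) in check_flows(text).items():
            where = f"entry {seq}" if seq is not None else "implicit deny"
            print(f"  {flow:12} {action:6} ({where})")
```

Running it shows that with the ACL as posted, VLAN 2 to VLAN 3 is permitted by entry 10 and VLAN 2 to VLAN 4 is denied by entry 20, but flows to any other destination (the constructed VLAN 6 subnet, the Internet address) fall through to the implicit deny, so the `ip route 0.0.0.0 0.0.0.0` in the reply would never be used by VLAN 2 hosts. The variant keeps the same allow/deny decisions for VLANs 3 and 4, denies the remaining private subnets by entry 30, and permits the external address by entry 40; ordering matters because entry 30 would also cover VLAN 3 if it came before entry 10.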

Matcol
Frequent Advisor

Re: Could not reach Vlan2 members from Vlan3 or in general from one Vlan to other Vlans

Minor correction required: in your reply you've used a lot of /16 subnet masks which should be /24 instead.
a_gizmo
Visitor

Re: Could not reach Vlan2 members from Vlan3 or in general from one Vlan to other Vlans

Sorry about that. We use /16 subnets on our network and I guess I typed in those masks because of muscle memory.