11-27-2012 12:48 AM
Vlan access restriction
I have recently installed a 5412zl switch, and for some reason, no matter what your port's tagging is set to, you can still ping across the VLANs to devices in VLANs that your tagging is set to "no" for. So a PC is untagged for the workstation VLAN and tagged for Voice and Servers, all other VLANs are set to no, but it can ping devices in all other VLANs. It's almost as if the port does not follow its tagging. I have done this setup many times before and have not had this issue.
The switch is set as the gateway for the respective VLANs and IP routing is enabled. Please see the inserted config:
module 1 type J9535A
module 2 type J9534A
module 3 type J9534A
module 4 type J9534A
module 5 type J9534A
module 6 type J9534A
module 7 type J9534A
module 8 type J9534A
module 9 type J9534A
trunk A1-A2 Trk1 LACP
trunk A3-A4 Trk2 LACP
trunk A5-A6 Trk3 LACP
trunk A7-A8 Trk4 LACP
trunk A9-A10 Trk5 LACP
ip routing
vlan 1
name "Servers"
untagged A11-A24,H11,Trk1-Trk5
ip address 192.168.0.1 255.255.255.0
tagged B1-B13,D1-D6,D8-D12,D21-D24,E1-E24,F1-F11,F13-F24,G1-G24,H1-H10,H12-H24,I1-I24
exit
vlan 20
name "Workstations"
untagged E1-E24,F1-F24,G1-G24,H1-H10,H12-H24,I1-I24
ip helper-address 192.168.0.27
ip address 192.168.100.1 255.255.255.0
tagged A11-A24,B1-B13,D1-D6,D8-D12,D21-D24,H11,Trk1-Trk5
exit
vlan 30
name "Voice"
untagged C20-C24
ip address 10.200.0.1 255.255.255.0
tagged A11-A24,B1-B12,D21-D24,E1-E24,F1-F11,F13-F24,G1-G24,H1-H24,I1-I24,Trk1-Trk5
voice
exit
vlan 40
name "CRCS"
untagged D1-D12
ip address 192.168.1.1 255.255.255.0
tagged I19-I24,Trk1-Trk5
exit
vlan 50
name "Bur"
untagged B1-B12,D21-D24
ip helper-address 192.168.0.27
ip address 192.168.66.1 255.255.255.0
tagged I19-I24,Trk1-Trk5
exit
vlan 70
name "AX"
untagged B13,C1
ip address 172.16.0.1 255.255.255.0
tagged I19-I24,Trk1-Trk5
exit
vlan 80
name "Guest"
ip address 10.0.0.1 255.255.255.0
tagged I19-I24,Trk1-Trk5
exit
vlan 90
name "Sec"
untagged B14-B24,C2-C19
ip helper-address 192.168.0.27
ip address 10.254.0.1 255.255.255.0
tagged A11-A24,I19-I24,Trk1-Trk5
exit
console inactivity-timer 30
ip route 0.0.0.0 0.0.0.0 192.168.0.254
snmp-server community "public"
no snmp-server enable
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
spanning-tree Trk4 priority 4
spanning-tree Trk5 priority 4
loop-protect B1-B24,C1-C24,D1-D24,E1-E24,F1-F24,G1-G24,H1-H24,I1-I24
loop-protect disable-timer 600
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator
11-27-2012 03:17 AM
Re: Vlan access restriction
Sure,
but I bet the ping is using L3 and not L2, as you have routing enabled.
So it's the normal behavior that the client can ping systems in different VLANs.
If you want to change that you need ACLs.
HTH
Alex
11-27-2012 04:16 AM
Re: Vlan access restriction
Hi Alex,
Now it makes sense. I'm used to having smaller core switches and then edge switches that are normally connected on layer 2.
Blonde moment.
I will look into access lists.
Thanks
11-27-2012 10:20 PM
Re: Vlan access restriction
Paul
11-28-2012 12:00 AM
Re: Vlan access restriction
12-03-2012 03:41 AM
Re: Vlan access restriction
I'm not having much luck with the VACL.
Let's say I need to permit the server VLAN 192.168.0.0/24 to see VLAN 40,
permit workstation addresses from 192.168.100.1-20/24 to see VLAN 40,
and then deny all other IP ranges.
What would the access list look like?
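The following is an added example, not configuration from this thread or from any of the posters: a ProVision-style extended ACL for the policy asked about above (server VLAN and a block of workstation addresses may reach VLAN 40, everything else denied), which also illustrates Alex's earlier point that the pings are being routed at L3 by the switch itself, so the only place to stop them is an ACL on the routed path. It assumes the addressing from the posted config (VLAN 40 "CRCS" is 192.168.1.0/24, servers 192.168.0.0/24, workstations 192.168.100.0/24), that the ACL name "TO-VLAN40" is a placeholder, and that a routed ACL applied outbound on VLAN 40 is the intended enforcement point. ProVision ACLs use wildcard masks, and the range .1 to .20 is not mask-aligned, so the example uses 192.168.100.0 0.0.0.31 (which covers .0 through .31) and notes where individual host entries would tighten it.

```text
; Added example (not from the thread): extended ACL so that only the server
; VLAN and a workstation block can reach VLAN 40 ("CRCS", 192.168.1.0/24).
; Addressing is taken from the posted config; the ACL name is a placeholder.
ip access-list extended "TO-VLAN40"
   ; Servers (VLAN 1, 192.168.0.0/24) may reach anything in VLAN 40
   10 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
   ; Workstation block: .1-.20 is not mask-aligned, so 0.0.0.31 covers .0-.31.
   ; Use individual "host 192.168.100.x" entries instead if that is too wide.
   20 permit ip 192.168.100.0 0.0.0.31 192.168.1.0 0.0.0.255
   ; Everything else is dropped (an implicit deny would do this anyway;
   ; making it explicit keeps the intent visible in "show access-list")
   30 deny ip any any
   exit

; Apply as a routed ACL on VLAN 40 in the outbound direction: it filters
; traffic the switch routes INTO VLAN 40. Hosts inside VLAN 40 talking to
; each other stay at L2 and are not affected.
vlan 40
   ip access-group "TO-VLAN40" out
   exit

; Verify what is applied and the hit counters
show access-list
show access-list vlan 40
```

Two caveats a practitioner would want. Routed ACLs on these switches are stateless, so this "out" ACL only governs traffic entering VLAN 40; return traffic from VLAN 40 back to a permitted server or workstation leaves on the "in" side and is not inspected, which is what makes the permits above work. It also means hosts in VLAN 40 can still initiate connections to other VLANs unless a matching "in" ACL on VLAN 40 (or "out" ACLs on the other VLANs) is added; the same stateless rule applies there. Second, the ACL matches on source address only, so it restricts which subnets are routed into VLAN 40, not which machines are trusted; the tighter the permitted ranges (host entries rather than a /27), the less room a misplaced or misaddressed host has.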
12-05-2012 01:11 PM
Re: Vlan access restriction
Post your config along with the VACL that you've tried, and I'll see if I can work it out. It's been a while since I used 5400 VACLs...
Paul