Aruba & ProVision-based
Ceasersa
Occasional Contributor

Vlan access restriction

Hi

I have recently installed a 5412ZL switch and for some reason, no matter what your port's tagging is set to, you can still ping across the VLANs to devices in VLANs your tagging is set to "no" for. So a PC is untagged for the workstation VLAN and tagged for Voice and Servers, all other VLANs are set to "no", but it can ping devices in all other VLANs. It's almost as if the port does not follow its tagging. I have done this setup many times before and have not had this issue.

The switch is set as the gateway for their respective VLANs and IP routing is enabled. Please see the inserted config:

module 1 type J9535A
module 2 type J9534A
module 3 type J9534A
module 4 type J9534A
module 5 type J9534A
module 6 type J9534A
module 7 type J9534A
module 8 type J9534A
module 9 type J9534A
trunk A1-A2 Trk1 LACP
trunk A3-A4 Trk2 LACP
trunk A5-A6 Trk3 LACP
trunk A7-A8 Trk4 LACP
trunk A9-A10 Trk5 LACP
ip routing
vlan 1
name "Servers"
untagged A11-A24,H11,Trk1-Trk5
ip address 192.168.0.1 255.255.255.0
tagged B1-B13,D1-D6,D8-D12,D21-D24,E1-E24,F1-F11,F13-F24,G1-G24,H1-H10,H12-H24,I1-I24
exit
vlan 20
name "Workstations"
untagged E1-E24,F1-F24,G1-G24,H1-H10,H12-H24,I1-I24
ip helper-address 192.168.0.27
ip address 192.168.100.1 255.255.255.0
tagged A11-A24,B1-B13,D1-D6,D8-D12,D21-D24,H11,Trk1-Trk5
exit
vlan 30
name "Voice"
untagged C20-C24
ip address 10.200.0.1 255.255.255.0
tagged A11-A24,B1-B12,D21-D24,E1-E24,F1-F11,F13-F24,G1-G24,H1-H24,I1-I24,Trk1-Trk5
voice
exit
vlan 40
name "CRCS"
untagged D1-D12
ip address 192.168.1.1 255.255.255.0
tagged I19-I24,Trk1-Trk5
exit
vlan 50
name "Bur"
untagged B1-B12,D21-D24
ip helper-address 192.168.0.27
ip address 192.168.66.1 255.255.255.0
tagged I19-I24,Trk1-Trk5
exit
vlan 70
name "AX"
untagged B13,C1
ip address 172.16.0.1 255.255.255.0
tagged I19-I24,Trk1-Trk5
exit
vlan 80
name "Guest"
ip address 10.0.0.1 255.255.255.0
tagged I19-I24,Trk1-Trk5
exit
vlan 90
name "Sec"
untagged B14-B24,C2-C19
ip helper-address 192.168.0.27
ip address 10.254.0.1 255.255.255.0
tagged A11-A24,I19-I24,Trk1-Trk5
exit
console inactivity-timer 30
ip route 0.0.0.0 0.0.0.0 192.168.0.254
snmp-server community "public"
no snmp-server enable
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
spanning-tree Trk4 priority 4
spanning-tree Trk5 priority 4
loop-protect B1-B24,C1-C24,D1-D24,E1-E24,F1-F24,G1-G24,H1-H24,I1-I24
loop-protect disable-timer 600
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator
6 REPLIES
EckerA
Respected Contributor

Re: Vlan access restriction

Sure,

but I bet the ping is using L3 and not L2, as you have routing enabled.

So it's normal behavior that the client can ping systems in different VLANs.

If you want to change that you need ACLs.

hth

Alex

Ceasersa
Occasional Contributor

Re: Vlan access restriction

Hi Alex

Now it makes sense, I'm used to having smaller core switches and then edge switches that are normally connected on layer 2.

Blonde moment

I will look into access lists.

Thanks

paulgear
Esteemed Contributor

Re: Vlan access restriction

Note that there are various different types of ACLs available on 5400 switches - you want VACLs.
Regards,
Paul
Ceasersa
Occasional Contributor

Re: Vlan access restriction

Thank you, will give it a go
Ceasersa
Occasional Contributor

Re: Vlan access restriction

Hi

I'm not having much luck with the VACL.

Let's say I need to permit the server VLAN 192.168.0.0/24 to see VLAN 40,
permit workstation addresses 192.168.100.1-20 (in 192.168.100.0/24) to see VLAN 40,
and then deny all other IP ranges.

What would the access list look like?
paulgear
Esteemed Contributor

Re: Vlan access restriction

Post your config along with the VACL that you've tried, and I'll see if I can work it out. It's been a while since I used 5400 VACLs...

Regards,
Paul
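The following is an added worked example for the rule set asked about above (Servers 192.168.0.0/24 and workstations 192.168.100.1-20 may reach the CRCS VLAN 40, 192.168.1.0/24; everything else is dropped). It is not from the thread or from HP; it is written in HP ProVision (K-series) CLI syntax as used on the 5412zl, with the ACL name "CRCS-IN" and the sequence numbers chosen for illustration. Lines starting with ";" are annotations, not switch commands.

```text
; Extended IPv4 ACL. ProVision ACEs take a source and destination with a
; wildcard mask (0 bits must match), "host <ip>" or "any"; first match wins
; and every ACL ends with an implicit "deny ip any any".
ip access-list extended "CRCS-IN"
   ; whole server subnet (VLAN 1) to CRCS
   10 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
   ; 192.168.100.1-20 is not one CIDR block. Three entries cover it exactly:
   ; .0-.15, .16-.19 and .20 (.0 is the network address and never a host).
   ; A single 192.168.100.0 0.0.0.31 would also admit .21-.31.
   20 permit ip 192.168.100.0 0.0.0.15 192.168.1.0 0.0.0.255
   30 permit ip 192.168.100.16 0.0.0.3 192.168.1.0 0.0.0.255
   40 permit ip host 192.168.100.20 192.168.1.0 0.0.0.255
   ; explicit deny with "log" so blocked attempts are visible in "show log";
   ; functionally the implicit deny would already drop them
   50 deny ip any 192.168.1.0 0.0.0.255 log
   exit

; Apply it as a routed ACL (RACL) to traffic leaving the switch into VLAN 40,
; so packets routed from any other VLAN are dropped before they reach a CRCS host.
vlan 40
   ip access-group "CRCS-IN" out
   exit
```

Two caveats a practitioner should check before copying this. First, placement: the question asks "who may reach VLAN 40", which is a destination-side filter, so the example uses the RACL "out" direction on VLAN 40; a VACL (applied with the "vlan" keyword on the K.14/K.15 software) filters traffic entering the switch on that VLAN, so doing the same job with VACLs means putting a deny-to-192.168.1.0/24 ACL on each of the other VLANs (20, 30, 50, 70, 80, 90) rather than on VLAN 40. The in/out/vlan keywords and ACE sequence numbers vary between K-series releases, so confirm them against the Access Security Guide for the firmware actually running ("show version"). Second, ProVision ACLs are stateless: with the filter on the path into VLAN 40 only, replies from CRCS hosts leave through the source VLAN's interface and are not examined, but if you filter inbound on VLAN 40 instead you must add ACEs that permit the return traffic or the permitted conversations will be half-blocked. Traffic switched within VLAN 40 (for example a device on I19-I24 carrying VLAN 40 tagged) is not routed and is not touched by an RACL at all.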