HPE Community
Comware Based
1752562 Members
4323 Online
108788 Solutions
New Discussion

Re: A5500 EI Inter VLAN Routing

 
SOLVED
Go to solution
Boseley
Occasional Collector

‎09-15-2016 03:30 PM

‎09-15-2016 03:30 PM

A5500 EI Inter VLAN Routing

Hi all,
First post so please forgive me if it's in the wrong place. I have a small problem with inter vlanning on my a5500.

It may largely be lack of knowledge so any help would be greatly appreciated.

In short, my scenario is that I have a fully working network using a single A5500 as the only switch and gateway.

We have a a few vlans, for easy explaining let's call them "100" and "200".

The problem we have is that devices attached to these vlans can ping devices on the other vlans. They can also use windows explorer to browse to them with credentials, although granted the user would need to know the ip of the other device and the credentials.

I believe they can talk to each other because the A5500 is allowing inter vlan traffic.

My question is, can this be prevented so they cannot talk to each other at all? They would obviously still need to use the A5500 as the gateway.

I hope that makes sense and is clear enough.
Thank you.
0 Kudos
4 REPLIES 4
Vince-Whirlwind
Honored Contributor

‎09-15-2016 05:28 PM

‎09-15-2016 05:28 PM

Solution

Re: A5500 EI Inter VLAN Routing

The 5500 is a switch, not a firewall.

If you have two subnets that require a security gateway between them, then you should be trunking those VLANs to the security gateway.

If the concern is that users on one subnet should not have access to resources on another subnet, then the answer is - as you have pointed out - authentication and authorisation on the actual devices themselves.

Having said that, if you absolutely have to do it, you can put access lists on the switch.
Subnet1 --> Subnet2 = Deny
And vice-versa.

0 Kudos
Boseley
Occasional Collector

‎09-16-2016 02:43 AM

‎09-16-2016 02:43 AM

Re: A5500 EI Inter VLAN Routing

Hi Vince,

Thanks very much for getting back to me, most appreciated.

That makes things a little clearer I believe.

Ideally we would like them to be isolated and just have gateway access and not cross VLAN access. 

Sounds like we need to do this using ACL configuration.

Not 100% sure where these settings reside on the switch but I'll do some digging and see if I can locate where this needs to be set etc and do some testing.

Thank you for your help.

Kind Regards,

Boseley

0 Kudos
Ian Vaughan
Honored Contributor

‎09-16-2016 10:32 AM

‎09-16-2016 10:32 AM

Re: A5500 EI Inter VLAN Routing

Howdy,

Does your internet / WAN gateway live on a third subnet?

If not, I would segregate the external gateway onto its own network befor eyou do any thing else as that will make the ACL configurations easier and you won't be mixing "end user" and "gateway" nodes in the same subnet

Thanks

Ian

Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
0 Kudos
Boseley
Occasional Collector

‎09-16-2016 12:28 PM

‎09-16-2016 12:28 PM

Re: A5500 EI Inter VLAN Routing

Hi Ian,
We think we've got it mapped in our heads now and will bare in mind the separation advice. Appreciate your input thanks.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.