
Re: Inter-VLAN routing on A5830

 
MB99
Occasional Contributor

Inter-VLAN routing on A5830

Hi,

 

I've been thrown in at the deep end with some equipment to install a switch into an existing network, and with far too little expertise in this area.

 

 

===================
Simplified Scenario
===================

 

The real network is obviously far more complex, but if I can resolve the problem of this simplified scenario, then I should be able to apply the logic to the full implementation.


Two HP switches - an A5830 and an E2910

Two VLANs exist:
  VLAN-10: Standard-Clients
  VLAN-90: Management-Clients & Devices

An LACP trunk is configured between them, with both VLANS tagged.

 


-------------------------
Current Config Diagram
-------------------------

 

See .jpg  Attachment

 

---------------
Requirements
---------------

 

  • Clients on VLAN-10 need access to other clients on VLAN-10 and hence the internet via the network gateway.

  • Clients on VLAN-90 need access to clients on both VLAN-90 and VLAN-10 and hence the internet via the network gateway.

  • Clients on VLAN-10 should NOT have access to clients on VLAN-90.

  • The network gateway can't be modified (it's a multi-node TMG array, and more than my job is worth to even ask for that to be touched).


----------------
Current Status
----------------

 

  • Both switches (at the CLI) can ping addresses on either vlan and hence ping external addresses through the network gateway.
    - OK.

  • Clients on VLAN-10 can ping addresses on VLAN-10 and hence ping external addresses through the network gateway.
    - OK.

  • Clients on VLAN-10 can NOT ping any addresses on VLAN-90.
    - OK.

  • Clients on VLAN-90 can ping addresses on VLAN-90.
    - OK. 

  • Clients on VLAN-90 can ping both VLAN addresses on both switches.
    - OK.

  • Clients on VLAN-90 can NOT ping Clients on VLAN-10 and thus not ping external addresses via the network gateway.
    - PROBLEM.


---------------
Need to resolve
---------------

 

  • How to allow Clients on VLAN-90 to access Clients on VLAN-10, and hence access the internet (if allowed by gateway policies).

    I believe that I can resolve this at the A5830 switch, using a static route, but I'm lost at this point.

 

I'd appreciate any guidance on this from people who understand this better than I do (which is probably everyone).

4 REPLIES
SalaDin2014
Frequent Visitor

Re: Inter-VLAN routing on A5830

Hi MB99,

I am new to HP, but please try the below:

 

on A5830 

=======

 

IP ROUTE-STATIC  192.168.0.0 255.255.0.0 192.168.10.202 

ip route 0.0.0.0 0.0.0.0 192.168.10.254 (G.W)

 

 

on E2910

========

ip route

 

ip route 0.0.0.0 0.0.0.0 192.168.10.201 (MNGMT VLAN10 of A5830 )

 

 

VLAN10 | Clients:

IP: 192.168.10.x

MASK : 255.255.255.0

G.W:192.168.10.201 (vlan 10)

 

 

VLAN90| Clients:

IP: 192.168.90.x

MASK : 255.255.255.0

G.W:192.168.10.202 (vlan 90)

 

 

Hope it will work, especially the first route :)

 

MB99
Occasional Contributor

Re: Inter-VLAN routing on A5830

Hi,

 

Thanks for taking the time, but unfortunately, it didn't seem to help.

 

Using my IP Addressing

 

A5830

VLAN-10: (Clients) 192.168.10.201

VLAN-90: (Mgmt)   192.168.90.201

 

E2910

VLAN-10: (Clients) 192.168.10.202

VLAN-90: (Mgmt)   192.168.90.202

 

Then I read this:

 

"IP ROUTE-STATIC  192.168.0.0 255.255.0.0 192.168.10.202"

 

as meaning:  

 

Route all 192.168.x.x subnets  to the Clients VLAN on E2910

 

and that didn't seem to help.

 

----

 

The guys responsible for the main network are reasonably co-operative, but are baulking a bit at me messing with their main switch, just so I can get my new infrastructure equipment to work.  I thought that this should be quite simple to do on the A5830, but I'm starting to fear that I'm going to need to introduce my own "router-on-a-stick" just so that I can get the equipment on the management VLAN to have full access to the network.

Ian Vaughan
Honored Contributor

Re: Inter-VLAN routing on A5830

Howdy,
1) Make sure that routing is disabled on the 2910 (saves problems later)
2) Change the VLAN 10 clients' gateway IP to 192.168.10.201 (the switch rather than the upstream TMG address). This will allow routing between VLAN10 & VLAN90, as the L3 switch has a directly connected interface in both subnets - no static route needed.
3) Put a packet-filter ACL on the VLAN90 VLAN interface of the 5830 to deny traffic into VLAN90 originating from 192.168.10.0/24
HTH
Ian
Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
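
Step 3 of the reply above, modelled as an added example (not part of the original post, and not HP code): a stateless, first-match filter on traffic from 192.168.10.0/24 into 192.168.90.0/24. It shows that a deny-only rule also drops VLAN-10's replies to VLAN-90 clients, while permitting TCP replies and ICMP echo-replies ahead of the deny keeps both requirements from the question. The rule tuples, the sample hosts and the forward-by-default behaviour are assumptions of this model.

```python
import ipaddress

VLAN10 = ipaddress.ip_network("192.168.10.0/24")
VLAN90 = ipaddress.ip_network("192.168.90.0/24")

# Rule = (action, protocol, source net, destination net, extra match).
# "established" stands for TCP segments carrying ACK or RST;
# "echo-reply" stands for ICMP echo replies. Both are modelled here.
DENY_ONLY = [("deny", "ip", VLAN10, VLAN90, None)]
REPLIES_FIRST = [
    ("permit", "tcp", VLAN10, VLAN90, "established"),
    ("permit", "icmp", VLAN10, VLAN90, "echo-reply"),
    ("deny", "ip", VLAN10, VLAN90, None),
]

# Constructed sample packets, keyed by what they represent.
PACKETS = {
    "v10 pings v90": dict(proto="icmp", src="192.168.10.50", dst="192.168.90.50", icmp="echo-request"),
    "v10 answers v90 ping": dict(proto="icmp", src="192.168.10.50", dst="192.168.90.50", icmp="echo-reply"),
    "v10 opens TCP to v90": dict(proto="tcp", src="192.168.10.50", dst="192.168.90.50", flags={"SYN"}),
    "v10 answers v90 TCP": dict(proto="tcp", src="192.168.10.50", dst="192.168.90.50", flags={"SYN", "ACK"}),
    "v10 to internet": dict(proto="tcp", src="192.168.10.50", dst="203.0.113.10", flags={"SYN"}),
}

def matches(rule, pkt):
    _, proto, src, dst, extra = rule
    if proto not in ("ip", pkt["proto"]):
        return False
    if ipaddress.ip_address(pkt["src"]) not in src:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in dst:
        return False
    if extra == "established":
        return bool(pkt.get("flags", set()) & {"ACK", "RST"})
    if extra == "echo-reply":
        return pkt.get("icmp") == "echo-reply"
    return True

def evaluate(acl, pkt):
    """First matching rule wins; unmatched packets are forwarded (assumed default)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule[0]
    return "permit"

def report(acl):
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("deny only", DENY_ONLY), ("replies first", REPLIES_FIRST)):
        print(label, report(acl))
```

The "established" match looks at TCP flags only, not connection state, and neither rule set lets UDP replies from VLAN-10 back into VLAN-90.
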
SalaDin2014
Frequent Visitor

Re: Inter-VLAN routing on A5830

A5830:

Trunking between A5830 and E2910:

int x (connected to E2910)
port link-type Trunk
port permit vlan all (or whatever vlans you need)
quit
save

 

int vlan-inter|k (Connected to your G.W)
ip address 192.168.10.3 255.255.255.0 .............. (same subnet as your G.W interface ip address)

 

int y (CONNECTED TO G.W)

port link-type access
port access vlan k
quit

save

 

 

Routing:


ip route-static 0.0.0.0 0.0.0.0 192.168.10.3 {IP-OF-INTERFACE VLAN-INTERFACE|K (route to G.W)}

Please Note:
DO NOT FORGET THE ROUTE BACK ON YOUR G.W, to your network (192.168.0.0 255.255.0.0)

 

 

======================


E2810:

int|w--- connected to your A5910

SHOULD BE TAGGED INSIDE YOUR PERMITTED VLANS

vlan 10
tag intW


vlan90
tag intW

 

ROUTING

ip route (FOR INTER-VLAN)

ip route 0.0.0.0 0.0.0.0 192.168.90.201 (ip add of A5830 - FOR INTERNET)

WR MEM

 

-----------
-----------


G.W

IP ROUTE 192.168.0.0 255.255.0.0 192.168.10.3 (IP ADD OF THE INTERFACE VLAN K)

Int H (CONNECTED TO A5830)
ip add 192.168.10.4 255.255.255.0

(This configuration depends on the type of your G.W, i.e. if it is a switch then do that configuration - A or E series | if it is a firewall then configure a static route to your network 192.168.0.0 on the firewall, as well as the IP address of the interface connected to your A5830.)


-------------------
CLIENTS

VLAN10 | Clients:
IP: 192.168.10.x
MASK : 255.255.255.0
G.W:192.168.10.201 (vlan 10)


VLAN90| Clients:
IP: 192.168.90.x
MASK : 255.255.255.0
G.W:192.168.10.202 (vlan 90)

----------
hope it will work, and do not forget to upgrade your switches (just in case)