HPE Community
LAN Routing
1752550 Members
4828 Online
108788 Solutions
New Discussion

HP switch 5800, segmentation

 
SOLVED
Go to solution
FelipeSangiorge
Occasional Advisor

‎06-29-2015 10:38 AM

‎06-29-2015 10:38 AM

HP switch 5800, segmentation

Hello Folks, 

 

I'm here with a problem, I have on my work 2 switch 5800 ( Core) and 7 1910 access, and I need to segment my local network: 

 

Here is my configuration : 

 

  VLANS              REDE                              Switch Acesso            Switch Core

---------------------------------------------------------------------------------

1°    Vlan 100      172.16.1.0/24                 172.16.1.252          172.16.1.253

2°    Vlan 200      172.16.2.0/24                 172.16.2.252          172.16.2.253

3°    Vlan 300      172.16.3.0/24                 172.16.3.252          172.16.3.253

4°    Vlan 400      172.16.4.0/24                 172.16.4.252          172.16.4.253

5°    Vlan 500      172.16.5.0/24                 172.16.5.252          172.16.5.253

6°    Vlan 600      172.16.6.0/24                 172.16.6.252          172.16.6.253

7°    Vlan 700      172.16.7.0/24                 172.16.7.252          172.16.7.253

 

I need only one floor comunicate with himself, and hp 5800 is routing all of other VLANS, can sameone help-me with this issue ? Thanks all of us ! 

0 Kudos
8 REPLIES 8
Vince-Whirlwind
Honored Contributor

‎06-29-2015 05:59 PM

‎06-29-2015 05:59 PM

Re: HP switch 5800, segmentation

 

The basic design principle for the segmentation you are describing is to match up the logical segmentation with the physical network:

VLAN100 is used on AccessSwitch1 only

VLAN200 is used on AccessSwitch2 only

etc...

 

The core switch has all 7 VLANs, with an IP address on each. That IP address is the default gateway for hosts that reside within that VLAN/subnet.

 

Each VLAN is trunked to a single switch, and each trunk contains a single VLAN.

 

Your core interface configuration should look like:

interface GigabitEthernet1/0/1

description Link to AccessSwitch1
port link-mode bridge
port link-type trunk
port trunk permit vlan 100

 

etc...

 

On each 1910 switch you configure it equivalently.

0 Kudos
FelipeSangiorge
Occasional Advisor

‎06-30-2015 06:56 AM

‎06-30-2015 06:56 AM

Re: HP switch 5800, segmentation

Nowadays i use this configuration: 

 

All interfaces Trk1 in trunk mode ( Access Switch ) , and Core switch BridgeAgregation 1 pass only VLAN 100 , VLAN 1 , however i think switch core is routing all packages with inter vlan routing, i will attach my routing table on this answer  

0 Kudos
Vince-Whirlwind
Honored Contributor

‎06-30-2015 04:50 PM

‎06-30-2015 04:50 PM

Re: HP switch 5800, segmentation

By default, with IP routing enabled, the 5800 will route packets between any subnet in which it has an IP address.

 

If you do not want inter-VLAN routing, you can either:

1/ remove all IP addresses from the 5800 (except a management address) and trunk all VLANs to a firewall (or similar) which can properly control access between VLANs.

or

2/ implement access lists on the 5800 to prevent inter-VLAN routing.

 

If you need proper security, access-lists on a switch aren't the best way to do it.

0 Kudos
FelipeSangiorge
Occasional Advisor

‎07-01-2015 05:53 AM

‎07-01-2015 05:53 AM

Re: HP switch 5800, segmentation

Thanks for the answer!

 

Does you have a tutorial to help me how to make this configurations ?

I can do it in graphical web ?

I can't use a firewall to routing all packages, I just bought 5800 to do it, because it is a core switch.

Why can i implement access list ?  

0 Kudos
Vince-Whirlwind
Honored Contributor

‎07-01-2015 04:35 PM

‎07-01-2015 04:35 PM

Solution

Re: HP switch 5800, segmentation

Maybe something like:

 

acl number 100
rule 20 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
rule 30 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.3.0 0.0.0.255
rule 40 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
rule 50 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.5.0 0.0.0.255
rule 60 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.6.0 0.0.0.255
rule 70 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.7.0 0.0.0.255
rule 100 permit ip

interface VLAN100
packet-filter 100 inbound

acl number 200
rule 10 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
rule 30 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.3.0 0.0.0.255
rule 40 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
rule 50 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.5.0 0.0.0.255
rule 60 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.6.0 0.0.0.255
rule 70 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.7.0 0.0.0.255
rule 100 permit ip

interface VLAN200
packet-filter 200 inbound

etc..

0 Kudos
FelipeSangiorge
Occasional Advisor

‎07-02-2015 09:55 AM

‎07-02-2015 09:55 AM

Re: HP switch 5800, segmentation

Thanks,

 

But Acl block is the only way to segment my network with layer 3 switch ? 

Does i have the other way ? 

 

however I understood layer 3 switchs cant "Stop" routing all packages and vlans ? 

 

I'm Glad with your help Thank you so much.

0 Kudos
Vince-Whirlwind
Honored Contributor

‎07-02-2015 07:15 PM

‎07-02-2015 07:15 PM

Re: HP switch 5800, segmentation

I guess you could use:

 - Super VLAN

 - Private VLANs

 - VRFs

to achieve separation between VLAN subnets as an alternative to using ACLs.

 

 

0 Kudos
FelipeSangiorge
Occasional Advisor

‎07-06-2015 05:11 AM

‎07-06-2015 05:11 AM

Re: HP switch 5800, segmentation

Ok I will try something, if someone know how to segment layer 3 switch by using only vlan, post here the solution

 

Thanks so much Vince ! 

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.