- Community Home
- >
- Networking
- >
- Legacy
- >
- Switches, Hubs, Modems
- >
- Re: 2910al vlan/routing help
Switches, Hubs, and Modems
1752777
Members
6188
Online
108789
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-25-2010 08:50 AM
тАО08-25-2010 08:50 AM
2910al vlan/routing help
Howdy,
We have a new 2910al-24g that I am attempting to get up and running. The plan is to break up the ports into several VLANs, that are all unable to communicate with each other, but can reach the primary vlan which will feed into our internet router (Untangle). Since the internet router does not handle VLANs well I want the routing to be handled by the switch.
I have never setup VLANs on an HP before (only a couple times on Cisco) and am running into a couple issues.
1. Devices on the different vlans can ping the static IPs of the different vlans. If possible I would like to prevent all traffic completely unless it is going to the primary vlan to reach the router.
2. From all VLANs (except the primary) I cannot ping the static IP assigned to the primary vlan (10.254.254.253).
I have attached the config if anyone could assist or point me in the right direction.
Thanks!
Alan
We have a new 2910al-24g that I am attempting to get up and running. The plan is to break up the ports into several VLANs, that are all unable to communicate with each other, but can reach the primary vlan which will feed into our internet router (Untangle). Since the internet router does not handle VLANs well I want the routing to be handled by the switch.
I have never setup VLANs on an HP before (only a couple times on Cisco) and am running into a couple issues.
1. Devices on the different vlans can ping the static IPs of the different vlans. If possible I would like to prevent all traffic completely unless it is going to the primary vlan to reach the router.
2. From all VLANs (except the primary) I cannot ping the static IP assigned to the primary vlan (10.254.254.253).
I have attached the config if anyone could assist or point me in the right direction.
Thanks!
Alan
5 REPLIES 5
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-26-2010 01:16 AM
тАО08-26-2010 01:16 AM
Re: 2910al vlan/routing help
Hi,
The default behaviour on Procurve switches is to route between any subnets it is has an address on if "ip routing" is enabled.
You have a couple of options for restricting access between VLANs. As you are using a single switch I'd suggest taking a look at port-filters here:
http://cdn.procurve.com/training/Manuals/2910-ASG-Feb09-11-TrafficSecFilters.pdf
These however don't scale well when using multiple switches.
The other option is to create ACLs for each VLAN on the switch.
http://cdn.procurve.com/training/Manuals/2910-ASG-Feb09-9-ACLs.pdf
With regards to the routing, you're running RIP but don't have it enabled in VLAN 1.
If your router at 10.254.254.254 is RIP aware you'll want to enable in VLAN 1 and set it to redistribute connected networks: "redistributed connected"
If 10.254.254.254 is not RIP aware you don't need to be running RIP and you can just set a default route on your 2910 to 10.254.254.254 "ip route 0.0.0.0 0.0.0.0 10.254.254.254"
Also if you're not using RIP, 10.254.254.254 needs to have a route back for all your 192.168. networks, pointing to 10.254.254.253.
The default behaviour on Procurve switches is to route between any subnets it is has an address on if "ip routing" is enabled.
You have a couple of options for restricting access between VLANs. As you are using a single switch I'd suggest taking a look at port-filters here:
http://cdn.procurve.com/training/Manuals/2910-ASG-Feb09-11-TrafficSecFilters.pdf
These however don't scale well when using multiple switches.
The other option is to create ACLs for each VLAN on the switch.
http://cdn.procurve.com/training/Manuals/2910-ASG-Feb09-9-ACLs.pdf
With regards to the routing, you're running RIP but don't have it enabled in VLAN 1.
If your router at 10.254.254.254 is RIP aware you'll want to enable in VLAN 1 and set it to redistribute connected networks: "redistributed connected"
If 10.254.254.254 is not RIP aware you don't need to be running RIP and you can just set a default route on your 2910 to 10.254.254.254 "ip route 0.0.0.0 0.0.0.0 10.254.254.254"
Also if you're not using RIP, 10.254.254.254 needs to have a route back for all your 192.168. networks, pointing to 10.254.254.253.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-26-2010 06:41 AM
тАО08-26-2010 06:41 AM
Re: 2910al vlan/routing help
Thanks for the info! I appreciate it.
I removed the rip as the static routes should be enough in our setup.
I added the default route to 10.254.254.254.
I started looking into the ACL method to block traffic between the VLANs. I created a simple test one:
ip access-list extended "101"
10 permit ip 192.168.254.0 0.0.0.255 10.254.254.0 0.0.0.255
20 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
I would like to assign this to vlan 2 so that it can only access vlan 1 (10.254.254.0/24). However, when I try to apply the ACL to vlan 2 I keep getting "invalid input: access-group". The command I have been trying is "ip access-group 101 in".
Any thoughts?
I removed the rip as the static routes should be enough in our setup.
I added the default route to 10.254.254.254.
I started looking into the ACL method to block traffic between the VLANs. I created a simple test one:
ip access-list extended "101"
10 permit ip 192.168.254.0 0.0.0.255 10.254.254.0 0.0.0.255
20 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
I would like to assign this to vlan 2 so that it can only access vlan 1 (10.254.254.0/24). However, when I try to apply the ACL to vlan 2 I keep getting "invalid input: access-group". The command I have been trying is "ip access-group 101 in".
Any thoughts?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-26-2010 06:51 AM
тАО08-26-2010 06:51 AM
Re: 2910al vlan/routing help
I don't believe the 2910 series support ACLs at the VLAN level (you need something that uses the 5400 series code), only at the port level.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-27-2010 08:18 AM
тАО08-27-2010 08:18 AM
Re: 2910al vlan/routing help
Thanks Mohammed!
I was able to get the ACLs working correctly after I assigned them to ports.
A couple things though:
The Switch itself can ping the IP of our Internet router (10.254.254.254).
The switch can ping the other VLANs and devices within them.
Our Internet router can ping the Switches static IPs of each VLAN (10.254.254.253, 192.168.254.254, etc).
Issues:
The devices in each VLAN cannot ping past 10.254.254.253.
The internet router cannot ping devices within each VLAN.
I have static routes setup on the router for each address space of the vlans with its gateway as the router's internet interface (10.254.254.254).
I am not sure if the problem lies with the switch or the router at this point. I have attached the current config if someone would not mind glancing at it and providing any input.
Thanks!
I was able to get the ACLs working correctly after I assigned them to ports.
A couple things though:
The Switch itself can ping the IP of our Internet router (10.254.254.254).
The switch can ping the other VLANs and devices within them.
Our Internet router can ping the Switches static IPs of each VLAN (10.254.254.253, 192.168.254.254, etc).
Issues:
The devices in each VLAN cannot ping past 10.254.254.253.
The internet router cannot ping devices within each VLAN.
I have static routes setup on the router for each address space of the vlans with its gateway as the router's internet interface (10.254.254.254).
I am not sure if the problem lies with the switch or the router at this point. I have attached the current config if someone would not mind glancing at it and providing any input.
Thanks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-27-2010 01:57 PM
тАО08-27-2010 01:57 PM
Re: 2910al vlan/routing help
Nevermind I was able to figure out the issue and it was router related.
I appreciate your help!
I appreciate your help!
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
News and Events
Support
© Copyright 2024 Hewlett Packard Enterprise Development LP