5406zl: VLAN Routing between some VLAN's but not others

SOLVED
Brian Albertsen
Occasional Visitor

5406zl: VLAN Routing between some VLAN's but not others

Hi,

We are considering the 5406zl-48G.

I've been studying the manuals. After enabling IP routing, all VLANs can access each other.
That's what we want. But what to do if you don't want a VLAN to be able to see/access some of the other VLANs? Like a guest VLAN that will be handled by an external firewall/router.

Is it as simple as not assigning an IP address to that VLAN and then that VLAN isn't routed?
4 REPLIES
Jason Luckett
Frequent Advisor
Solution

Re: 5406zl: VLAN Routing between some VLAN's but not others

Hi Brian,

Access and inter-communication between VLANS can be controlled by access-lists, which are placed within the VLAN configuration context.

You can control the access and inter-communication between the VLANs like any other access-list, either standard or extended, which can be configured to control inbound and outbound traffic.

An example of which is:

To permit inbound traffic to VLAN 10 (192.168.10.0/24) routed from IP address 192.168.20.0/24 (VLAN 20).

Procurve 5406xl(config)#ip access-list extended test1
Procurve 5406xl(config-ext-nacl)#10 permit ip 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255

Procurve 5406xl(config)#vlan 10
Procurve 5406xl(vlan-10)#ip address 192.168.10.1/24
Procurve 5406xl(vlan-10)#ip access-group test1 in

Procurve 5406xl(config)#vlan 20
Procurve 5406xl(vlan-20)#ip address 192.168.20.1/24

Procurve 5406xl(config)#ip routing

I hope this helps.

Jase
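
Added example (not part of the post above and not HP code): a Python model of how an extended ACL with wildcard masks is evaluated, first match wins with an implicit deny at the end, so an entry can be checked against sample flows before it is applied. It runs the `test1` entry from the post and a constructed guest ACL; the guest subnet 192.168.30.0/24 and the names `GUEST_IN`, `parse_ace` and `evaluate` are assumptions.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse '[seq] permit|deny ip SRC SRC_WILDCARD DST DST_WILDCARD'."""
    tok = line.split()
    if tok[0].isdigit():          # optional sequence number
        tok = tok[1:]
    if len(tok) != 6 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, _, src, swild, dst, dwild = tok
    return action, (_ip(src), _ip(swild)), (_ip(dst), _ip(dwild))

def wildcard_match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; only the 0 bits must be equal.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(acl, src, dst):
    """Return the action of the first matching ACE, else the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(s, sb, sw) and wildcard_match(d, db, dw):
            return action
    return "deny"

# ACE copied from the post above (list "test1").
TEST1 = [parse_ace("10 permit ip 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255")]

# Constructed guest ACL. Assumption: guests sit in 192.168.30.0/24 and must
# not reach the 192.168.10.0/24 and 192.168.20.0/24 VLANs from the thread.
GUEST_IN = [parse_ace(line) for line in (
    "10 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "20 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "30 permit ip 192.168.30.0 0.0.0.255 0.0.0.0 255.255.255.255",
)]

if __name__ == "__main__":
    flows = [  # constructed sample flows: (ACL name, ACL, source, destination)
        ("test1", TEST1, "192.168.10.5", "192.168.20.7"),
        ("test1", TEST1, "192.168.20.7", "192.168.10.5"),
        ("guest", GUEST_IN, "192.168.30.9", "192.168.10.5"),
        ("guest", GUEST_IN, "192.168.30.9", "198.51.100.20"),
    ]
    for name, acl, src, dst in flows:
        print(f"{name}: {src} -> {dst}: {evaluate(acl, src, dst)}")
```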
Jason Luckett
Frequent Advisor

Re: 5406zl: VLAN Routing between some VLAN's but not others

Hi Brian,

For further info on the configuration of ACLs for VLANs, see module/chapter 7 of the following document:

ftp://ftp.hp.com/pub/networking/software/3500_5400_6200_AdvTrfGde-July2006-59913827.pdf

Regards,

Jase

P.S. if you have any more questions on the 5400zl just post them under this thread.

But I highly recommend the 5400zl, this is an excellent Layer3/4 switch, with a mass of features.
Matt Hobbs
Honored Contributor

Re: 5406zl: VLAN Routing between some VLAN's but not others

As you've suggested, the most simple method is actually not assigning an IP address to that VLAN.
OLARU Dan
Trusted Contributor

Re: 5406zl: VLAN Routing between some VLAN's but not others

Or if you would like to enter that VLAN from time to time (for administrative tasks performed on PCs in that VLAN) you could assign IP, but shutdown the VLAN interface.

The IP of the router that allows internet access for the clients in that VLAN should be the default gateway for these PCs. One link untagged in that VLAN should go to the router, and the inside interface of the router should have an IP in the same subnet as the PCs. That router should not be connected to any other VLAN, so it can't perform inter-VLAN routing.