Ashok K Gurung
Frequent Advisor

Configuring Routing & ACL in 5308XL switch

Hi

I am new to this area (VLAN, Routing & ACL) and trying to get my head around it.

We have around 300 workstations and 30 or so servers. We want to restructure the whole network so every floor will be in its own VLAN. At the same time we have two networks (A & B), and we do not want traffic from network B to go to A, but network A should be able to get to network B.

We also came to know that we have to enable routing in the switch and use ACLs to restrict the traffic, but we have the following questions and would appreciate your input.

We will have around 10-15 VLANs all together.

1) Which routing protocol will be best suited for us?
2) When counting hops for the router, will all these VLANs be counted as a hop?
3) RIP protocol sounds simple to configure, but I am worried about the max hop count. What do you think about it?
4) Is there any place I can get more information about this?

We will really appreciate it if someone could give us some suggestions on doing this. Any examples or scenarios would be greatly appreciated.

Note:- Software Version E.10.55

Thank you
Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

I assume you have one or more edge switches per floor, and all these switches are connected to one or 2 (maybe more) Core switches - 5300, and all this is Network B.

And i assume you have a similar scenario for Network B.

If my assumption is correct then:

1) Which routing protocol will be best suited for us?
For this kind of network, you can use the Inter-VLAN routing feature on the 5300 Core switch(es), and there is no need for any other dynamic routing protocol unless it's needed.

2) When counting hops for the router, will all these VLANs be counted as a hop?
Each Routing Switch is a Hop.

3) RIP protocol sounds simple to configure, but I am worried about the max hop count. What do you think about it?
If you don't use RIP because you have Inter-VLAN routing, then don't worry :)

4) Is there any place I can get more information about this?
Yes, check the links below.

Now, ACLs, it's the easy part: you just have to get your network running, and decide what policies you need, like blocking A to B and permitting B to A.
Check the ACLs examples in the links below:

5300, Routing:
ftp://ftp.hp.com/pub/networking/software/6400-5300-4200-3400-AdvTrafficMgmt-Oct2006-59906051-Chap11.pdf

5300, ACLs:
ftp://ftp.hp.com/pub/networking/software/6400-5300-4200-3400-AdvTrafficMgmt-Oct2006-59906051-Chap09.pdf

5300, IP Routing between Vlans:
http://www.hp.com/rnd/support/config_examples/5300xl_portbase.pdf

Advanced configuration for the 5300:
ftp://ftp.hp.com/pub/networking/software/6400-5300-4200-3400-AdvTrafficMgmt-Oct2006-59906051.pdf

5300, Configuration Examples:
http://www.hp.com/rnd/support/config_examples/5300xl.htm


Good Luck !!!

Science for Everyone
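The one-way policy asked for in this thread (A may reach B, B may not reach A) has a catch with stateless ACLs: a plain "deny B to A" also drops B's replies to connections that A opened. The model below is an added example, not code from this thread or from HP's documentation; it uses constructed addressing (A = 10.1.0.0/16, B = 10.2.0.0/16) and a simplified "established" match to show why a permit for established TCP traffic must come before the deny.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumed, not from the thread): network A = 10.1.0.0/16, network B = 10.2.0.0/16.
NET_A = ipaddress.ip_network("10.1.0.0/16")
NET_B = ipaddress.ip_network("10.2.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    opening: bool = False  # True for the SYN that opens a TCP connection

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False   # match only TCP packets of an already-open connection (simplified model)

    def matches(self, p):
        if ipaddress.ip_address(p.src) not in self.src or ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.established and (p.proto != "tcp" or p.opening):
            return False
        return True

def evaluate(acl, p):
    """Stateless ACL semantics: first matching rule wins, no match means deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

# Naive ACL applied inbound on the B-side VLAN: drop everything from B towards A.
NAIVE = [Rule("deny", NET_B, NET_A), Rule("permit", ANY, ANY)]
# Corrected ACL: let B answer TCP connections that A opened, then drop B-initiated traffic.
CORRECTED = [Rule("permit", NET_B, NET_A, established=True),
             Rule("deny", NET_B, NET_A),
             Rule("permit", ANY, ANY)]
def check(acl):
    """What the ACL does to B's reply to an A-opened session, a session B opens itself, and a UDP answer from B."""
    reply_from_b = Packet("10.2.7.30", "10.1.5.20")                # SYN-ACK/data back to A
    b_initiated = Packet("10.2.7.30", "10.1.5.20", opening=True)   # B tries to open a session to A
    b_udp_reply = Packet("10.2.7.30", "10.1.5.20", proto="udp")    # e.g. a DNS answer sent from B
    return {"reply_from_b": evaluate(acl, reply_from_b),
            "b_initiated": evaluate(acl, b_initiated),
            "b_udp_reply": evaluate(acl, b_udp_reply)}
```

The established match covers TCP only, so UDP replies from B (DNS, NetBIOS name service) are still dropped by the corrected list and need their own explicit permits; the actual switch syntax is in the ProCurve ACL chapter linked above.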
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Hi Mohieddin

Thank you for your reply

Yes, your assumption is correct. We have edge switches (every floor) connected to an HP 5308xl switch.

1) For this kind of network, you can use the Inter-VLAN routing feature on the 5300 Core switch(es), and there is no need for any other dynamic routing protocol unless it's needed.
-> We have multiple sites (WAN) and users need to be able to access WAN resources as well as the internet and web servers (which are in the DMZ of the firewall). DMZ servers also need to be able to communicate with servers for data access (database etc.). I am sorry to ask this again, but will the inter-VLAN routing work?

2) Each Routing Switch is a Hop
-> So just to confirm, am I correct to say it doesn't matter how many VLANs are in the switch, and even if traffic is actually going through different VLAN routing, the hop count is based on how many physical routers/routing switches it has to go through?


Now another question I have is that we have a mix of Dell PowerConnect switches (layer 2 & 3) and HP ProCurve switches. Does anyone know if there are any compatibility issues in making them work together?

Thank you again

Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

In regard to your questions:

1- I assume again :) that your network will have Edge Switches, Core Switches, Firewall(s) and WAN Router(s), or maybe you have an integrated Router/Firewall.

The DMZ is an area located (from the security point of view) between the WAN Router and the Firewall (or an interface off the firewall), so servers can be accessed from outside.
So it has nothing to do with the inter-VLAN routing located on the core switch, because it is isolated on a Firewall or Router/Firewall; the only thing missing here is adding routes back to these VLANs on the Router/Firewall, and life will be good :)

2- It's a good question and I think the answer is easy.
Say you are connected to a Core switch that has multiple VLANs and inter-VLAN routing enabled, you are in VLAN 10 and your gateway is the VLAN 10 IP address, and you want to reach a printer located in VLAN 20 somewhere.

If you trace the route, you will see that your gateway is the starting point, and then the next hop will be the VLAN 20 IP address of the core switch.

So VLANs are included in the hop count.

3- As long as your Dell switches are standards compatible (I assume they are), then I think there will be no problems at all.

Good Luck !!!
Science for Everyone
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Thanks for your reply again

Now it seems like the routing part is working. We can browse the internet and ping all the other servers in different VLANs, but when I try browsing files and mapping drives we get the error message "The network path was not found".

Our understanding was that once we enable routing we should be able to access resources across VLANs, but now it is not working. Attached are our config files; see if you can make any sense out of them. We would like all resources like printers, shared folders etc. to be accessible.


We are testing it from VLAN203 to access VLAN3 and vice versa.

We are not sure what else we need to do to make this work.

We will be using ACLs to prevent some VLANs from talking to each other, but first we would like our test VLANs to be talking and working.

Thank you

Matt Hobbs
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

It sounds maybe like you're not using fully qualified domain names, which are not resolving to the IP address. Instead they may be using NetBIOS.

Instead of connecting to a name resource, try connecting to the IP address instead:

e.g.
\\10.24.3.10\sharename

Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Yes, we tried with both the name and the IP address and it doesn't work. Did you find anything unusual in our config file?


Thank you
Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

It seems like what Matt said, it's a DNS issue.
To test that, try pinging a host from VLAN203 to VLAN3, and you should be able to.

My question is, what is the DNS defined by your DHCP server 172.16.32.3? This DNS is one of the keys to resolving this issue.

Good Luck !!!
Science for Everyone
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Hi

That is what I thought, and I checked the IP address for the DNS server and it is giving the correct IP address (172.16.32.2).
I also tried ping -a 172.16.32.5 and get: Pinging AF-Server.internal.mitacademy [172.16.32.5] with 32 bytes of data:

I can ping by name or by IP address to the other VLAN without any problem.

I am running out of ideas as to what might be the problem.

thank you
Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

I have some questions that may help you with some ideas:

- Can PCs in the same VLAN access each other's shared resources,
so PC1 can open \\PC2\shares for example, and likewise PC2 can open \\PC1\shares ...

- Can PC1 and PC2 open each other's shared resources by using their IP addresses?

- If you have PC3 and PC4, both not on the domain and with no DNS configured, only static IP addresses and under the default Windows workgroup, can they open their shared resources?

- Try the above from VLAN 3 to another VLAN.

- I checked the configuration and I didn't see any ACLs in place. Did you configure any ACLs on the 5300?

- Can you do nslookup www.google.com? Can you ping it also?

Good Luck !!!
Science for Everyone