Configuring Routing & ACL in 5308XL switch

Ashok K Gurung
Frequent Advisor


Hi

I am new to this area (VLAN, routing & ACL) and trying to get my head around it.

We have around 300 workstations and 30 or so servers. We wanted to restructure the whole network so every floor will be in its own VLAN. At the same time we have two networks (A & B), and we do not want traffic from network B to go to A, but network A should be able to get to network B.

We also came to know that we have to enable routing in the switch and use ACLs to restrict the traffic, but we have the following questions and will appreciate your input.

We will have around 10-15 VLANs altogether.

1) Which routing protocol will best suit us?
2) When counting hops for the router, will all these VLANs be counted as a hop?
3) RIP sounds simple to configure, but I am worried about the maximum hop count. What do you think about it?
4) Is there any place I can get more information about this?

We will really appreciate it if someone could give us some suggestions on doing this. Any examples or scenarios would be greatly appreciated.

Note: Software Version E.10.55

Thank you
20 REPLIES
Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

I assume you have one or more edge switches per floor, and all these switches are connected to one or two (maybe more) core switches (5300), and all this is Network B.

And I assume you have a similar scenario for Network B.

If my assumption is correct then:

1) Which routing protocol will best suit us?
For this kind of network, you can use the inter-VLAN routing feature on the 5300 core switch(es); there is no need for any other dynamic routing protocol unless it's needed.

2) When counting hops for the router, will all these VLANs be counted as a hop?
Each routing switch is a hop.

3) RIP sounds simple to configure, but I am worried about the maximum hop count. What do you think about it?
If you don't use RIP because you have inter-VLAN routing, then don't worry :)

4) Is there any place I can get more information about this?
Yes, check the links below.

Now, ACLs: it's the easy part. You just have to get your network running and decide what policies you need, like blocking A to B and permitting B to A.
Check the ACLs examples in the links below:

5300, Routing:
ftp://ftp.hp.com/pub/networking/software/6400-5300-4200-3400-AdvTrafficMgmt-Oct2006-59906051-Chap11.pdf

5300, ACLs:
ftp://ftp.hp.com/pub/networking/software/6400-5300-4200-3400-AdvTrafficMgmt-Oct2006-59906051-Chap09.pdf

5300, IP Routing between Vlans:
http://www.hp.com/rnd/support/config_examples/5300xl_portbase.pdf

Advanced configuration for the 5300:
ftp://ftp.hp.com/pub/networking/software/6400-5300-4200-3400-AdvTrafficMgmt-Oct2006-59906051.pdf

5300, Configuration Examples:
http://www.hp.com/rnd/support/config_examples/5300xl.htm


Good Luck !!!

Science for Everyone
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Hi Mohieddin

Thank you for your reply.

Yes, your assumption is correct. We have edge switches (every floor) connected to an HP 5308xl switch.

1) For this kind of network, you can use the inter-VLAN routing feature on the 5300 core switch(es); there is no need for any other dynamic routing protocol unless it's needed.
-> We have multiple sites (WAN) and users need to be able to access WAN resources as well as the internet and web servers (which are in the DMZ of the firewall). DMZ servers also need to be able to communicate with servers for data access (database etc.). I am sorry to ask this again, but will inter-VLAN routing work?

2) Each routing switch is a hop.
-> So just to confirm, am I correct to say that no matter how many VLANs are in the switch, and even if traffic is actually going through different VLAN routing, the hop count is based on how many physical routers/routing switches it has to go through?


Now another question I have: we have a mix of Dell PowerConnect switches (layer 2 & 3) and HP ProCurve switches. Does anyone know if there is any compatibility issue in making them work together?

Thank you again

Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

In regard to your questions:

1- I assume again :) that your network will have edge switches, core switches, firewall(s) and WAN router(s), or maybe you have an integrated router/firewall.

The DMZ is an area located (from the security point of view) between the WAN router and the firewall (or on an interface of the firewall) so that servers can be accessed from outside.
So it has nothing to do with the inter-VLAN routing located on the core switch, because it is isolated on a firewall or router/firewall; the only thing missing here is adding routes back to these VLANs on the router/firewall, and life will be good :)

2- It's a good question and I think the answer is easy.
Say you are connected to a core switch that has multiple VLANs and inter-VLAN routing enabled, you are in VLAN 10 and your gateway is the VLAN 10 IP address, and you want to reach a printer located in VLAN 20 somewhere.

If you trace the route, you will see that your gateway is the starting point, then the next hop will be the VLAN 20 IP address of the core switch.

So VLANs are included in the hop count.

3- As long as your Dell switches are standards compatible (I assume they are), then I think no problems at all.

Good Luck !!!
Science for Everyone
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Thanks for your reply again.

Now it seems like the routing part is working. We can browse the internet and ping all the other servers in different VLANs, but when I try browsing files and mapping drives we get the error message "The network path was not found".

Our understanding was that once we enable routing we should be able to access resources across VLANs, but now it is not working. Attached are our config files; see if you can make any sense out of them. We would like all resources like printers, shared folders etc. to be accessible.


We are testing it from VLAN 203 to access VLAN 3 and vice versa.

We are not sure what else we need to do to make this work.

We will be using ACLs to prevent some VLANs talking to each other, but first we would like our test VLANs to be talking and working.

Thank you

Matt Hobbs
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

It sounds like maybe you're not using fully qualified domain names, which are not resolving to the IP address. Instead they may be using NetBIOS.

Instead of connecting to a name resource, try connecting to the IP address instead:

e.g.
\\10.24.3.10\sharename

Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Yes, we tried with both the name and the IP address and it doesn't work. Did you find anything unusual in our config file?


Thank you
Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

It seems like what Matt said: it's a DNS issue.
To test that, try pinging a host from VLAN 203 to VLAN 3; you should be able to.

My question is, what is the DNS defined by your DHCP server 172.16.32.3? This DNS is one of the keys to resolving this issue.

Good Luck !!!
Science for Everyone
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Hi

That is what I thought, and I checked the IP address for the DNS server and it is giving the correct IP address (172.16.32.2).
I also tried ping -a 172.16.32.5 and get: Pinging AF-Server.internal.mitacademy [172.16.32.5] with 32 bytes of data:

I can ping with the name or with the IP address to the other VLAN without any problem.

I am running out of ideas about what might be the problem.

thank you
Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

I have some questions that may help you with some ideas:

- Can PCs in the same VLAN access each other's shared resources,
so PC1 can open \\PC2\shares for example, and the same for PC2 opening \\PC1\shares?

- Can PC1 and PC2 open each other's shared resources by using IP addresses?

- If you have PC3 and PC4, both not on the domain and with no DNS configured, only static IP addresses and in the default Windows workgroup, can they open their shared resources?

- Try the above from VLAN 3 to another VLAN.

- I checked the configuration and I didn't see any ACLs in place. Did you configure any ACLs on the 5300?

- Can you do nslookup www.google.com? Can you ping it also?

Good Luck !!!
Science for Everyone
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

- Yes, both PCs from the same VLAN can do so (connect to shared resources).
- Yes, they can even if they are not a domain member.
- Yes, we did try some ACLs but we thought we had deleted/disabled all of them.
-C:>nslookup www.google.com
Server: pokhara.internal.mitacademy
Address: 172.16.32.2

Non-authoritative answer:
Name: www.l.google.com
Addresses: 72.14.253.104, 72.14.253.99, 72.14.253.147, 72.14.253.103
Aliases: www.google.com

Just a thought: how do we delete ACLs that were not supposed to be there permanently?

Thank you
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Hi

Looks like it's an ACL which is supposed to be off but somehow is on. I tried with another VLAN and that works without any problem.

Now is there any way of cleaning out all those hidden ACLs?

Will really appreciate it if there are any suggestions.


thank you
Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

If you can post the configuration it will be helpful for us to give you the correct suggestion to remove the ACLs.

Anyway, assume you have an extended ACL applied to one VLAN, then:

- Remove the ACL from the VLAN:
Switch(config)# no vlan <vid> ip access-group NAME <in|out>

- Remove the ACL:
If it's a named one:
Switch(config)# no ip access-list extended NAME

If it's a standard or extended one, then you have to remove it line by line, and that will be easy if you run the show run command, then stop on the ACL entries, copy them one by one and run no before each one.

Good Luck !!!
Science for Everyone
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Thanks for the reply again.

The config file we posted earlier is what we have. The reason I was saying in our previous post that it could be the old ACL we had created:

We had deleted that ACL using the command "no ip access-list extended NAME"; the VLAN it was assigned to has now been deleted too.

We used the following commands to see if we have any ACLs, but all the answers are no:

HP ProCurve Switch 5308xl(config)# show access-list

Access Control Lists

Type Appl Name
---- ---- ----------------------------------------------------------------

HP ProCurve Switch 5308xl(config)# show access-list config
No access control lists are actively configured.

Other commands like show access-list vlan all show no ACL configured.

I just didn't understand what is blocking traffic like share/browse going to a certain VLAN (VLAN 3). We can ping, we can traceroute etc., but not share, cannot join computers to the domain etc.

Thank you again



Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Hi, it's me again.

Yes, we finally know what our problem was and it's working (it was the default gateway setup). Now we are working on the ACL part and, as you know, we have an admin and a student network; we do not want any IP traffic from the student network to the admin network apart from some TCP traffic, e.g. SMTP, FTP.

We were wondering if there is another way of writing ACLs apart from going line by line. E.g. we have 4 subnets in admin and 6 subnets in student; now if we create an ACL that blocks all traffic from the student subnets to the admin subnets and allows selected traffic across, then we are looking at a long list in the ACL. An example ACL is attached.

We were wondering if there is a better way of writing these ACLs.

We will appreciate it if you have any ideas.

Thank you
Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

Good that your problem is over; the gateway is the first thing to think of and ping :)

Anyway, named ACLs are better because of ease of use, editing and updating.

SW(config)# ip access-list extended NAME
SW(config-ext-nacl)# ----- here you start creating your ACL, and add a string number for each entry (better to increase by 10 so you can insert in between later).

Check this for more info and examples:
ftp://ftp.hp.com/pub/networking/software/6400-5300-4200-3400-AdvTrafficMgmt-Oct2006-59906051-Chap09.pdf

Good Luck !!!
Science for Everyone
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Hi

We have compiled an ACL and we are not quite sure if it will do what we would like it to do. What we want to achieve here is:
1) Traffic from all student workstations to the admin network to be blocked (172.16.36.0/24 ++).
2) Traffic from student servers (172.16.32.0/24) and the admin network (10 network) to be allowed to anywhere.

We were wondering if you could comment on the attached ACL before we go and apply it to our switch.

Thank you
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Sorry, the ACL is attached here; the first time didn't work.
Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

My comment is: why do you create one ACL that includes all the VLAN IP addresses 101, 102, 103, 104?

If you need to block one VLAN from going somewhere, you create an extended ACL and apply it on the source, which is the VLAN, to deny/permit it from going wherever you want.

Check the following ACLs; I played with the wildcards to minimize the ACL entries:

---------------------------------------------
;Extended named ACL for Vlan 101
;------------------------------
ip access-list extended "101"
; blocking Vlan 101 going to admin vlan
deny ip 172.16.36.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.36.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.36.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.36.0 0.0.0.255 10.0.14.0 0.0.0.255

; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

exit

; Applying to VLAN 101 (inbound, so the ACL sees traffic sourced in Vlan 101)
vlan 101 ip access-group "101" in

;Extended named ACL for Vlan 102
;------------------------------
ip access-list extended "102"
; blocking Vlan 102 going to admin vlan
deny ip 172.16.37.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.37.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.37.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.37.0 0.0.0.255 10.0.14.0 0.0.0.255

; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

exit

; Applying to VLAN 102 (inbound)
vlan 102 ip access-group "102" in

;Extended named ACL for Vlan 103
;------------------------------
ip access-list extended "103"
; blocking Vlan 103 going to admin vlan
deny ip 172.16.38.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.38.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.38.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.38.0 0.0.0.255 10.0.14.0 0.0.0.255

; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

exit

; Applying to VLAN 103 (inbound)
vlan 103 ip access-group "103" in

;Extended named ACL for Vlan 104
;------------------------------
ip access-list extended "104"
; blocking Vlan 104 going to admin vlan
deny ip 172.16.39.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.39.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.39.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.39.0 0.0.0.255 10.0.14.0 0.0.0.255

; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

exit

; Applying to VLAN 104 (inbound)
vlan 104 ip access-group "104" in

;Extended named ACL for Vlan 105 - Wireless
;------------------------------
ip access-list extended "105"
; blocking Vlan 105 going to admin vlan
deny ip 172.16.51.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.51.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.51.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.51.0 0.0.0.255 10.0.14.0 0.0.0.255

; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

exit

; Applying to VLAN 105 (inbound)
vlan 105 ip access-group "105" in
---------------------------------------------

Hope that helps you.

Thanks in this forum means assigning points to all the posts that helped (or even didn't help, because the guys still tried to help).
:)

Good Luck !!!
Science for Everyone
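The wildcard trick in the ACL above (four deny lines instead of nine /24 entries) and the earlier question about avoiding long line-by-line ACLs both come down to summarizing adjacent subnets. As an added example, not code from the thread or from HP, here is a small Python script that derives those wildcard pairs from a plain list of /24s, emits the ACL in the same syntax as the post, and then evaluates sample flows against it with the 5300's first-match semantics and the implicit deny at the end of every ACL. The subnet lists are constructed from the addresses quoted in the thread (student VLANs 172.16.36.0 to 172.16.39.0/24 and 172.16.51.0/24, admin /24s 10.0.0.0 to 10.0.3.0 and 10.0.10.0 to 10.0.14.0) and are assumed, not a complete site config; the script also assumes the ACL is applied inbound on the student VLAN so the deny entries actually see student-sourced packets.

```python
import ipaddress

# Constructed from the addresses quoted in the thread; assumed, not a real site config.
STUDENT_VLANS = {"101": "172.16.36.0/24", "102": "172.16.37.0/24",
                 "103": "172.16.38.0/24", "104": "172.16.39.0/24",
                 "105": "172.16.51.0/24"}
ADMIN_SUBNETS = ["10.0.%d.0/24" % n for n in (0, 1, 2, 3, 10, 11, 12, 13, 14)]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn ACL 'address wildcard' notation into a network.
    The wildcard must be contiguous (a run of 1-bits from the right),
    e.g. 0.0.3.255 -> /22, 255.255.255.255 -> /0."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:                       # e.g. 0.0.1.254 has a hole in the mask
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 33 - (w + 1).bit_length()
    return ipaddress.ip_network((a & ~w & 0xFFFFFFFF, prefix))


def summarize(cidrs):
    """Merge adjacent networks into the fewest 'address wildcard' pairs,
    the same trick used in the thread: 10.0.0.0-10.0.3.0/24 -> 10.0.0.0 0.0.3.255."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    return [f"{n.network_address} {n.hostmask}" for n in nets]


def build_acl(name: str, source_cidr: str, blocked_cidrs) -> str:
    """Emit one extended ACL in the thread's syntax: deny source -> each
    summarized block, then permit everything else (ProCurve ACLs end with
    an implicit deny, so the explicit permit is required)."""
    src = ipaddress.ip_network(source_cidr)
    lines = [f'ip access-list extended "{name}"']
    for dst in summarize(blocked_cidrs):
        lines.append(f"deny ip {src.network_address} {src.hostmask} {dst}")
    lines.append("permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255")
    lines.append("exit")
    return "\n".join(lines)


def parse_acl(text: str):
    """Read 'permit|deny ip SRC WILD DST WILD' lines; ';' starts a comment
    as in ProCurve config files. Other lines (name, exit) are ignored."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()
        if len(parts) == 6 and parts[0] in ("permit", "deny") and parts[1] == "ip":
            entries.append((parts[0],
                            wildcard_to_network(parts[2], parts[3]),
                            wildcard_to_network(parts[4], parts[5])))
    return entries


def evaluate(entries, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def check_policy(acl_text: str, flows):
    """Evaluate (src, dst, expected) triples; return the flows that mismatch."""
    entries = parse_acl(acl_text)
    return [(s, d, evaluate(entries, s, d)) for s, d, want in flows
            if evaluate(entries, s, d) != want]


VLAN101_ACL = build_acl("101", STUDENT_VLANS["101"], ADMIN_SUBNETS)

# Constructed test flows for VLAN 101: student -> admin denied, everything else permitted.
VLAN101_FLOWS = [
    ("172.16.36.10", "10.0.2.5", "deny"),         # admin, inside 10.0.0.0 0.0.3.255
    ("172.16.36.10", "10.0.14.7", "deny"),        # admin, 10.0.14.0 0.0.0.255
    ("172.16.36.10", "10.0.15.1", "permit"),      # not in the admin list: a gap if 10.0.15.0/24 is admin
    ("172.16.36.10", "172.16.32.5", "permit"),    # student servers
    ("172.16.36.10", "72.14.253.104", "permit"),  # internet
]

if __name__ == "__main__":
    print(VLAN101_ACL)
    print("policy mismatches:", check_policy(VLAN101_ACL, VLAN101_FLOWS))
```

Running the script prints the same four deny lines as the "101" ACL in the post and an empty mismatch list. The 10.0.15.1 flow is there deliberately: the summarized masks cover exactly the /24s listed, so any admin subnet missing from the list (10.0.15.0/24, for instance) is permitted, which is the kind of gap worth catching with a flow table before the ACL goes onto the switch.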
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Hi Guys

Thanks for introducing us to wildcards; we have to start learning them, and that is what my previous post was about, as if we do not use some sort of wildcard or reference the ACL will be a long, long list.

After a couple of modifications your ACL works for us, and thank you again.
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

thanks again guys