HP 2626 vlan routing problem

Rune Ettrup
Occasional Visitor

HP 2626 vlan routing problem

Hi
I have been working a bit with my HP 2626 switch, trying to have ip-helper address working but also deny traffic between some VLANs and allow it between others. My configuration looks as follows:
-------------------------------------------
Running configuration:

; J4900B Configuration Editor; Created on release #H.08.106

hostname "ProCurve Switch 2626"
max-vlans 10
ip default-gateway 10.0.254.1
ip routing
snmp-server community "public" Unrestricted
snmp-server host 10.0.1.253 "public"
vlan 1
   name "DEFAULT_VLAN"
   untagged 25-26
   ip address 10.0.254.201 255.255.0.0
   ip helper-address 10.0.254.1
   no untagged 1-24
   exit
vlan 2
   name "private"
   untagged 1-8
   ip address 172.16.0.1 255.255.255.0
   ip helper-address 10.0.254.1
   tagged 25-26
   exit
vlan 3
   name "lanparty"
   untagged 15-22
   ip address 172.16.1.1 255.255.255.0
   ip helper-address 10.0.254.1
   tagged 25-26
   exit
vlan 4
   name "servernet"
   untagged 9-14
   ip address 172.16.3.1 255.255.255.0
   ip helper-address 10.0.254.1
   tagged 25-26
   exit
vlan 5
   name "wireless"
   untagged 23-24
   ip address 172.16.2.1 255.255.255.0
   ip helper-address 10.0.254.1
   tagged 25-26
   exit
ip route 0.0.0.0 0.0.0.0 10.0.254.1
no ip icmp unreachable
no ip icmp echo broadcast-request
spanning-tree
password manager
password operator
---------------------------------------------

The problem is that when I deactivate "ip routing", the ip-helper stops working and no DHCP comes out to the clients. Currently I am looking for a way to deny all access from and to "vlan 5" (wireless), deny all access to "vlan 2" (private), and allow access between the others. Any idea on how I get this done?

Thanks in advance
Rune Ettrup
6 REPLIES
Thomas Joebstl
Frequent Advisor

Re: HP 2626 vlan routing problem

The easiest way to disable routing for particular VLANs is to not specify an IP address for them, but of course that will prevent the DHCP relaying service from working as well, meaning you'd have to put a separate DHCP server in that VLAN (or create a VLAN subinterface on your DHCP server).
Another option on the 26xx series would be source-port filters, as described in ftp://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap10-Traf-Security-Filts.pdf, to prevent the ports in those 2 VLANs from communicating with any other port except the one which is connected to the DHCP server.
AFAIK you'd need at least a 3500 series switch to be able to use ACLs based on IP ports/addresses.
Rune Ettrup
Occasional Visitor

Re: HP 2626 vlan routing problem

Thanks, that worked on my system, a bit of a time thief but it works :)

Rune Ettrup
Occasional Visitor

Re: HP 2626 vlan routing problem

Hmm, looks like I was a bit too quick there.
I wrote:
filter source-port 1-8 drop 9-24
filter source-port 23-24 drop 1-22

Ports 1-8 are my VLAN (private) and ports 23-24 are my VLAN (wireless). If I understand this correctly, it should deny all access from any VLAN to these two VLANs (port 26 is my uplink). But I can still ping computers inside both networks from other VLANs, and I can also ping from private to wireless. Any idea what to do?

Thanks in advance
Rune Ettrup
Rune Ettrup
Occasional Visitor

Re: HP 2626 vlan routing problem

When I do a tracert from one Windows machine to another, it gives:
----------------------------------------------
C:\Documents and Settings\Administrator>tracert 172.16.0.253

Rute spores til 172.16.0.253 over et maksimum af 30 hop

1 <1 ms <1 ms <1 ms 172.16.1.1
2 <1 ms <1 ms <1 ms 172.16.0.253

Sporing fuldført.

---------------------------------------------
That is from lanparty vlan to private vlan
Thomas Joebstl
Frequent Advisor

Re: HP 2626 vlan routing problem

Unfortunately I don't have experience with the filtering stuff, nor access to a 26xx to try it out. The manual is a bit unclear to me as well; it states on page 10-2
"With routing enabled on the switch, source-port filtering can operate on traffic moving between VLANs as well as within the same VLAN."
first and a few lines below
"Source-port filters have no effect on traffic being routed across VLANs."
so I'm not even sure if it is supposed to work or not.
I hope someone else can shed some more light on that.
Matt Hobbs
Honored Contributor

Re: HP 2626 vlan routing problem

Unfortunately source-port filtering does not work as you'd like on the 2600 series when ip routing is enabled.

It is only the 2600 that behaves this way - other ProCurve switches with source-port filtering are not affected. I suspect it's a limitation of the chipset used in the 2600.
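
Added example (not code from any poster in this thread or from HP): a Python check that reads a ProCurve-style running config and reports which VLAN pairs the switch routes between, and which source-port filters span two routed VLANs, where the last reply says the 2600 does not enforce them. The sample config is constructed from the one posted above, the function names are hypothetical, and numeric port lists are assumed.

```python
import re

# Constructed sample trimmed from the configuration posted in this thread (2 = private,
# 3 = lanparty, 5 = wireless); VLAN 5 has no IP address, as the first reply suggests.
SAMPLE = """ip routing
vlan 2
   untagged 1-8
   ip address 172.16.0.1 255.255.255.0
vlan 3
   untagged 15-22
   ip address 172.16.1.1 255.255.255.0
vlan 5
   untagged 23-24
filter source-port 1-8 drop 9-24
filter source-port 23-24 drop 1-22
"""

def ports(spec):
    """Expand a port list such as '1-8,25' into a set of port numbers."""
    ranges = (p.partition("-") for p in spec.split(","))
    return {n for lo, _, hi in ranges for n in range(int(lo), int(hi or lo) + 1)}

def parse(cfg):
    """Return (routing_enabled, {vlan_id: {'ports', 'l3'}}, [(src_ports, drop_ports)])."""
    lines = [ln.strip() for ln in cfg.splitlines()]
    vlans, filters, cur = {}, [], None
    for line in lines:
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur = vlans.setdefault(int(m[1]), {"ports": set(), "l3": False})
        elif cur and (m := re.fullmatch(r"untagged ([\d,-]+)", line)):
            cur["ports"] |= ports(m[1])
        elif cur and line.startswith("ip address "):
            cur["l3"] = True
        elif m := re.fullmatch(r"filter source-port ([\d,-]+) drop ([\d,-]+)", line):
            filters.append((ports(m[1]), ports(m[2])))
    return "ip routing" in lines, vlans, filters

def routed_pairs(cfg):
    """VLAN pairs the switch itself forwards between at layer 3."""
    routing, vlans, _ = parse(cfg)
    l3 = sorted(v for v in vlans if vlans[v]["l3"]) if routing else []
    return [(a, b) for a in l3 for b in l3 if a < b]

def bypassed(cfg):
    """(filter index, source VLAN, dropped VLAN) for filters that span two routed
    VLANs. Assumption from the thread: the 2600 does not filter routed traffic."""
    _, vlans, filters = parse(cfg)
    ways = [w for a, b in routed_pairs(cfg) for w in ((a, b), (b, a))]
    return [(i, s, d) for i, (src, dst) in enumerate(filters) for s, d in ways
            if src & vlans[s]["ports"] and dst & vlans[d]["ports"]]
```

On the sample, only VLANs 2 and 3 remain routed, so the first filter is the one that does not give the isolation it was written for; VLAN 5 drops out of routing (and loses DHCP relay) once its IP address is removed.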