- HP Procurve 2848 - ip route between vLan's - the p...
06-29-2005 12:57 AM
Dear Sirs,
I'm a beginner in network technologies and need help with setting up routing between vLans according to some rules.
I created 12 vLans and need some vLans to have access to other vLans and some vLans not to have access to other vLans.
For example:
vLan 2, ID 2, ip 10.2.0.251, mask 255.255.255.0
vLan 3, ID 3, ip 10.2.1.251, mask 255.255.255.0
...
vLan 13, ID 13, ip 10.2.11.251, mask 255.255.255.0
Rules for vLan's:
vLan 2 must see all vLans;
vLan 3 must see all vLans;
vLan 4 must not see any of the vLans;
vLan 5-13 must see vLan 2 and vLan 4 only.
In the Security Manual for this device there is some information about Security Filters for Multinetted vLans, but I don't understand how to do it properly.
Maybe I am reading the wrong document.
If possible, please help me resolve my problem.
BR,
Efim.
Look for the answers, do not stop !
06-29-2005 08:52 PM
Solution
Hi,
First of all, as soon as you create an IP interface on a VLAN (let's call it a switch virtual interface), this interface will imply a connected route. If you do your setup as you describe, the box will already route between all the VLANs, given you activate "ip routing". The way to *reduce* that routing later is by ACLs that control which traffic can pass, but AFAIK the 28xx has no ACLs as it is positioned as an L2 switch which just by luck can do some routing.
If you have VLANs that should not be seen on L3 at all (like your VL4), just don't give them an IP interface, thus no connected route, thus no routing.
BTW, your "must (not) see" rules are inconsistent. If VL4 is not to "see" any other VLAN, how are VL5-13 supposed to "see" VL4? Either you have more complicated rules to implement here (like 80/tcp must be possible from VL5 to VL4, but the other direction should only allow the answer segments to this traffic, not the TCP connection start). For this you will need IP ACLs and to apply them to the ports in question. And for that you need a 3400cl or 5300xl class platform if it's going to be a ProCurve that should do the routing. You could of course offload the routing to some external router on a stick (real hardware router or Linux box or firewall) if the reduced performance of such a setup is no problem for your network. Using a modern PC server with, let's say, four 1000BaseTX interfaces on CSA, PCI-X, PCIe or such buses, Linux, iptables and running it as a router on four sticks is probably the cheapest and most flexible solution you can get here and it will not even perform that bad.
HTH,
Andre.
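An added example (not part of either post above): one way to express the question's rules on the Linux router on a stick that the reply suggests, reading "must see" as "may open connections to" so that VLAN 4 can answer but never initiate. The trunk name `eth0`, the `eth0.<id>` sub-interfaces and the helper names are assumptions; the subnets follow the question's numbering, and the rules cover all protocols rather than only 80/tcp.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for inter-VLAN filtering.
# Assumptions (not from the thread): 802.1Q sub-interfaces named ${TRUNK}.<vlan-id>,
# and "must see" interpreted as "may open connections to".

TRUNK="${TRUNK:-eth0}"   # hypothetical trunk interface facing the switch

# Subnet of a VLAN as numbered in the question:
# VLAN 2 = 10.2.0.0/24 ... VLAN 13 = 10.2.11.0/24
vlan_net() { echo "10.2.$(( $1 - 2 )).0/24"; }

# Emit one rule allowing NEW connections from VLAN $1 to VLAN $2.
# Matching ingress interface and source subnet together drops spoofed sources.
allow_new() {
    echo "-A FORWARD -i ${TRUNK}.$1 -s $(vlan_net "$1") -o ${TRUNK}.$2 -d $(vlan_net "$2") -m conntrack --ctstate NEW -j ACCEPT"
}

gen_rules() {
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    echo ":FORWARD DROP [0:0]"      # default deny between VLANs
    echo ":OUTPUT ACCEPT [0:0]"
    # Replies to connections that were allowed to start (the "answer segments")
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # VLAN 2 and VLAN 3 may initiate to every other VLAN
    for src in 2 3; do
        for dst in 2 3 4 5 6 7 8 9 10 11 12 13; do
            [ "$src" -eq "$dst" ] || allow_new "$src" "$dst"
        done
    done
    # VLAN 5-13 may initiate to VLAN 2 and VLAN 4 only
    for src in 5 6 7 8 9 10 11 12 13; do
        allow_new "$src" 2
        allow_new "$src" 4
    done
    # VLAN 4 never appears as a source of NEW traffic: it can only answer.
    echo "COMMIT"
}

gen_rules
```

The output can be reviewed and then loaded with `iptables-restore`; the box also needs `net.ipv4.ip_forward=1` to route at all.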