HP Procurve 2848 - ip route between vLan's - the problem

Efim Kushnir
Frequent Advisor

Dear Sirs,
I'm a beginner in network technologies and need help with setting up routing between VLANs according to some rules.

I created 12 VLANs and need some VLANs to have access to other VLANs, and some VLANs not to have access to other VLANs.

For example:
vLan 2, ID 2, ip 10.2.0.251, mask 255.255.255.0
vLan 3, ID 3, ip 10.2.1.251, mask 255.255.255.0
...
vLan 13, ID 13, ip 10.2.11.251, mask 255.255.255.0

Rules for the VLANs:
VLAN 2 must see all VLANs;
VLAN 3 must see all VLANs;
VLAN 4 must not see any of the VLANs;
VLANs 5-13 must see VLAN 2 and VLAN 4 only.

In the Security Manual for this device there is some information about Security Filters for Multinetted VLANs, but I don't understand how to do it properly.
Maybe I'm not reading the right document.

If possible, please help me resolve my problem.

BR,
Efim.
Look for the answers, do not stop!
André Beck
Honored Contributor
Solution

Re: HP Procurve 2848 - ip route between vLan's - the problem

Hi,

first of all, as soon as you create an IP interface to a VLAN (let's call it a switch virtual interface), this interface implies a connected route. If you do your setup as you describe, the box will already route between all the VLANs, given you activate "ip routing". The way to *reduce* that routing later is by ACLs that control which traffic can pass, but AFAIK the 28xx has no ACLs, as it is positioned as an L2 switch which just by luck can do some routing.

If you have VLANs that should not be seen on L3 at all (like your VL4), just don't give them an IP interface, thus no connected route, thus no routing.

BTW, your "must (not) see" rules are inconsistent. If VL4 is not to "see" any other VLAN, how are VL5-13 supposed to "see" VL4? Either you have more complicated rules to implement here (like 80/tcp must be possible from VL5 to VL4, but the other direction should only allow the answer segments to this traffic, not the TCP connection start). For this you will need IP ACLs and to apply them to the ports in question. And for that you need a 3400cl or 5300xl class platform if it's going to be a ProCurve that should do the routing. You could of course offload the routing to some external router on a stick (real hardware router or Linux box or firewall) if the reduced performance of such a setup is no problem for your network. Using a modern PC server with, let's say, four 1000BaseTX interfaces on CSA, PCI-X, PCIe or such buses, Linux, iptables and running it as a router on four sticks is probably the cheapest and most flexible solution you can get here, and it will not even perform that badly.

HTH,
Andre.
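As an added example (not from the original thread), the Linux router-on-a-stick approach André suggests, with the poster's VLAN plan turned into 802.1Q subinterfaces and iptables FORWARD rules. It assumes a trunk interface `eth0` and the `10.2.<id-2>.0/24` numbering from the question; VLAN 4 is deliberately given no interface, following the reply, so the "VLANs 5-13 see VLAN 4" rule cannot be satisfied as written and only VLAN 2 remains reachable for them.

```shell
#!/bin/sh
# Constructed example: generate router-on-a-stick config from the thread's policy.
# Assumed: trunk eth0 carries tags 2-13; VLAN n uses 10.2.(n-2).0/24, router at .251.
TRUNK=eth0

vlan_subnet() {                 # VLAN id -> its /24 network
    printf '10.2.%d.0/24\n' $(( $1 - 2 ))
}

# VLANs that get an IP interface on the router. VLAN 4 is left out on purpose:
# no interface means no connected route, so nothing is ever routed to or from it.
routed_vlans() { echo "2 3 5 6 7 8 9 10 11 12 13"; }

# allowed <src-vlan> <dst-vlan>: may hosts in src open connections to dst?
allowed() {
    case "$1" in
        2|3) return 0 ;;        # VLAN 2 and 3 may reach everything
        4)   return 1 ;;        # VLAN 4 reaches nothing
        *)   [ "$2" = 2 ] ;;    # VLAN 5-13 may only reach VLAN 2
    esac
}

gen_interfaces() {              # one tagged subinterface per routed VLAN
    for v in $(routed_vlans); do
        echo "ip link add link $TRUNK name $TRUNK.$v type vlan id $v"
        echo "ip addr add 10.2.$((v - 2)).251/24 dev $TRUNK.$v"
        echo "ip link set $TRUNK.$v up"
    done
    echo "sysctl -w net.ipv4.ip_forward=1"
}

gen_forward_rules() {           # default deny; only policy pairs may start flows
    echo "iptables -P FORWARD DROP"
    # Reply packets of already-permitted flows (the "answer segments" in the reply)
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for s in $(routed_vlans); do
        for d in $(routed_vlans); do
            [ "$s" = "$d" ] && continue
            if allowed "$s" "$d"; then
                # match both the ingress/egress subinterface and the subnet, so a
                # host cannot get past the policy by spoofing a source address
                echo "iptables -A FORWARD -i $TRUNK.$s -o $TRUNK.$d -s $(vlan_subnet "$s") -d $(vlan_subnet "$d") -m conntrack --ctstate NEW -j ACCEPT"
            fi
        done
    done
}

count_accept_rules() { gen_forward_rules | grep -c -- '--ctstate NEW'; }

gen_interfaces; gen_forward_rules   # print for review; pipe to sh on the router
```

Review the generated rules before applying them; with 2 full-access VLANs and 9 restricted ones the policy expands to 29 NEW-connection rules.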