Inter-VLAN routing and prohibiting certain VLANs

KCollinson
Advisor

Morning All,

What is the preferred way to stop certain VLANs from communicating with other VLANs once IP routing is enabled?

I have 4 VLANs, one of those VLANs (Open 2 Public access) should not be able to route to the other 3 VLANs.

Thanks,
Karl.
11 REPLIES
cenk sasmaztin
Honored Contributor

Re: Inter-VLAN routing and prohibiting certain VLANs

Yes, it is possible.
You can use an ACL or a source port filter.

The 2610, 3500, 3400 and 5400 switches are able to use ACL configuration
to separate routed traffic between VLANs.

But all other HP switches are unable to use ACLs; in this case you can use the source port filter feature.

The source port filter feature denies or permits communication between switch ports.
cenk

KCollinson
Advisor

Re: Inter-VLAN routing and prohibiting certain VLANs

Hi Cenk,

Let's say I'm using a 2610.

- 4 x VLANs
- Default route forwarding to the WAN router.
- 3 static routes on the router supporting VLAN to WAN traffic

A 4th static route is not required as the router resides on the 4th VLAN.

All VLANs require WAN connectivity, but one of the VLANs is NOT to be able to route to the 3 other VLANs.

What is really the best way to do so?

Thanks.
Karl.
cenk sasmaztin
Honored Contributor

Re: Inter-VLAN routing and prohibiting certain VLANs

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1283116

Please read.

If you want to separate routing between VLANs,
you must use an access control list.

The 2610 switch supports ACLs.
cenk

cenk sasmaztin
Honored Contributor

Re: Inter-VLAN routing and prohibiting certain VLANs

For example:

vlan 1 ip address 192.168.1.1/24
vlan 2 ip address 192.168.2.1/24
vlan 3 ip address 192.168.3.1/24
vlan 4 ip address 192.168.4.1/24

You write a default route to the Internet router on the switch:
0.0.0.0 0.0.0.0 192.168.1.2 (Internet router connected to VLAN 1, with IP address 1.2)

After that you can write only one static route on the Internet router to the switch:
192.168.0.0 255.255.0.0 192.168.1.1
;)
cenk

cenk sasmaztin
Honored Contributor

Re: Inter-VLAN routing and prohibiting certain VLANs

no any way 4th vlan connect to internet

Write four static routes to the switch on the Internet router, or one static route on the Internet router (including all network subnets).
cenk

KCollinson
Advisor

Re: Inter-VLAN routing and prohibiting certain VLANs

Hi Cenk.

I need WAN connectivity for all 4 VLANs.

One of the 4 VLANs is for public WiFi (Hotspot), let's call it VID 4.

VID 4 needs to access the WAN but not be able to speak to endpoints on VID 1, 2, 3.

The router for all the WAN connectivity will reside on VID 4 for DHCP reasons.
----------------

I've not used ACLs before. If I stop traffic from VID 1-3 to VID 4 and the WAN router is located on VID 4, will I not encounter WAN connectivity problems?
Thanks!!!
Karl.
cenk sasmaztin
Honored Contributor

Re: Inter-VLAN routing and prohibiting certain VLANs

Hi Karl, maybe use the port filter feature on the switch.

For example:

(config)# filter source-port 1 drop 2-10
With this command, port 1 has no connection with ports 2, 3, 4, 5, 6, 7, 8, 9 and 10.

You can isolate the VLAN 4 member ports from the other VLANs' ports.
cenk

cenk sasmaztin
Honored Contributor

Re: Inter-VLAN routing and prohibiting certain VLANs

The VLAN 4 member ports are isolated from all other VLAN ports and only connected with the Internet router port.

In this way VLAN 4 traffic is isolated from all other VLANs.
cenk

KCollinson
Advisor

Re: Inter-VLAN routing and prohibiting certain VLANs

Morning,

I have enclosed a diagram of what I'm trying to do.

The only inter-VLAN routing I want is from VID 3 to VID 2, and all VLANs to have WAN access.


Sorry to be a pain,
Thanks and best regards,
Karl.
cenk sasmaztin
Honored Contributor

Re: Inter-VLAN routing and prohibiting certain VLANs

OK Karl, I understand. Please print the sh run output of your switch.
cenk

KCollinson
Advisor

Re: Inter-VLAN routing and prohibiting certain VLANs

Running configuration:

hostname "HP ProCurve Switch 2610"
ip default-gateway 192.168.4.253
ip routing
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-28
   ip address 192.168.1.254 255.255.255.0
   exit
vlan 2
   name "Private"
   ip address 192.168.2.254 255.255.255.0
   exit
vlan 3
   name "Voice"
   ip address 192.168.3.254 255.255.255.0
   exit
vlan 4
   name "Public"
   ip address 192.168.4.254 255.255.255.0
   qos dscp 101110
   voice
   exit
ip route 0.0.0.0 0.0.0.0 192.168.4.253
spanning-tree
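
The question raised earlier in the thread, whether blocking VLAN-to-VLAN traffic also breaks WAN access when the router sits on VID 4, can be checked with a small model. This is an added example, not part of the thread and not ProCurve syntax: it evaluates a constructed first-match rule set over the subnets from the posted configuration. The rule set, the sample host addresses and the Internet address 203.0.113.10 are assumptions.

```python
# Added example: first-match evaluation of a stateless L3 filter over the
# thread's subnets. Rule set and sample flows are constructed for illustration.
# It models routed traffic only; traffic inside one VLAN is switched, not routed.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
VLAN2 = ip_network("192.168.2.0/24")     # Private
VLAN3 = ip_network("192.168.3.0/24")     # Voice
INTERNAL = ip_network("192.168.0.0/16")  # covers VLANs 1-4

# (action, source, destination); first match wins, as in an ACL.
RULES = [
    ("permit", VLAN3, VLAN2),      # the one inter-VLAN path wanted
    ("permit", VLAN2, VLAN3),      # replies; a stateless filter needs both directions
    ("deny", INTERNAL, INTERNAL),  # every other VLAN-to-VLAN flow
    ("permit", ANY, ANY),          # WAN traffic in either direction
]

def decide(src, dst, rules=RULES):
    """Return the action of the first rule matching the packet's IP header."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit deny when nothing matches

# Constructed flows. 203.0.113.10 stands in for an Internet host.
FLOWS = [
    ("192.168.4.50", "192.168.1.20", "public WiFi -> VLAN 1 host"),
    ("192.168.3.15", "192.168.2.30", "Voice -> Private"),
    ("192.168.1.20", "203.0.113.10", "VLAN 1 -> Internet (next hop 192.168.4.253)"),
    ("203.0.113.10", "192.168.1.20", "Internet reply arriving via VLAN 4"),
    ("192.168.1.20", "192.168.4.253", "VLAN 1 -> the router's own address"),
]

def evaluate(flows=FLOWS):
    """Map each flow label to the filter's decision."""
    return {label: decide(src, dst) for src, dst, label in flows}

if __name__ == "__main__":
    for label, action in evaluate().items():
        print(f"{action:6}  {label}")
```

Traffic routed through 192.168.4.253 is matched on its final destination, so it passes even though the next hop is on VID 4. Traffic addressed to the router itself (the last flow) is denied by this rule set and would need its own permit rule if hosts on VID 1-3 rely on services the router provides.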