HPE Community
Switches, Hubs, and Modems
1757003 Members
2256 Online
108858 Solutions
New Discussion юеВ

Re: Procurve 2610 + 1824 + VLAN

 
SOLVED
Go to solution
Alessandro_78
Regular Advisor

тАО07-11-2008 05:28 AM

тАО07-11-2008 05:28 AM

Procurve 2610 + 1824 + VLAN

Hi all,
i have a procurve 2610 with 24 servers connected to each.

gigabit ports 25 and 26 are in a trunk connected to two ports on the 1800-24.

On the 1800-24 there are two ports connected to a backup server with bonding enabled.

I need to put every ports in a distinct VLAN so that servers can't communicate with each other.

Only backup server needs to communicate with all other.

How can I do this?

2610 and 1800-24 haven't protected ports capabilities so I need to use VLAN.

Thanks in advance.
0 Kudos
19 REPLIES 19
Yan Henrichon
Frequent Advisor

тАО07-11-2008 05:40 PM

тАО07-11-2008 05:40 PM

Re: Procurve 2610 + 1824 + VLAN

Hi Alessandro.

On the 2610, you have the source-port filtering function that can solve your issue. You can authorize which port can communicate with another port.

See module 10 on the access and security manual for the 2610.

Here is the link:
http://cdn.procurve.com/training/Manuals/2610-Security-Dec2007-59918642.pdf

HTH... Yan
0 Kudos
Alessandro_78
Regular Advisor

тАО07-12-2008 05:28 AM

тАО07-12-2008 05:28 AM

Re: Procurve 2610 + 1824 + VLAN

Thank you very much.
But doing so I can filter only on the 2610.

I need to do something similiar:

all ports on the 2610 needs to be 'protected'. Nobody can communicate with each other.

trk1 is connected to a 1800-24G as a 'core'.

On the 1800-24G port 23 and port 23 are in a trunk connected to a backup server.

ONLY backup server can communicate with all other ports on all other switches.

So,
2610-port1 MUST communicate only with 1800-24G-trk2
2610-port2 MUST communicate only with 1800-24G-trk2
2610-port3 MUST communicate only with 1800-24G-trk2

(trk2 is the trunk with the backupserver)

Source port filtering is usefull only with server connected locally on the switch.
My server is on another switch. I can't filter like this:

2610:
filter source-port 1 drop 1-24 forward trk2

trk2 is on the 1800-24G switch.
0 Kudos
Pieter 't Hart
Honored Contributor

тАО07-13-2008 11:41 PM

тАО07-13-2008 11:41 PM

Re: Procurve 2610 + 1824 + VLAN

Maybe you can follow-up :
filter source-port 1 drop 1-24 forward trk2
on the 2610 with on the 1800 :
filter source-port trk2 drop 1-23 forward 24
? (where port 24 being the backupserver)

is may be an alternative to define on all hosts a static route only to the backupserver?
0 Kudos
Alessandro_78
Regular Advisor

тАО07-14-2008 01:57 AM

тАО07-14-2008 01:57 AM

Re: Procurve 2610 + 1824 + VLAN

But doing so I'll drop everything.
If i'll drop ports 1-24 but forward trk1 on the 2610 and i'll drop ports 1-24 but forward trk2 on the 1800, port 1 on the 2610 can't communicate with trk2 because it's dropped by a rule on the 1800...

Yes a static route is an alternative but I prefer drop on the switch, so i don't need to reconfigure all servers.
0 Kudos
Pieter 't Hart
Honored Contributor

тАО07-14-2008 03:24 AM

тАО07-14-2008 03:24 AM

Solution

Re: Procurve 2610 + 1824 + VLAN

it is a "source"-port rule.
this is physical port, not vlan!
a trunk is seen as a single port.
so :

filter source-port 1 drop 1-24 forward trk2

on the 2610
allows traffic from port1 to the connected 1800
for all ports on the 2610 you need a seperate
filter source-port 2 drop 1-24 forward trk2
...
filter source-port 24 drop 1-24 forward trk2


on the 1800 side :

filter source-port trk2 drop 1-23 forward 24

1800 forwards only the connection from the 2610 to port 24 (assumed the backupserver)
independant of the port it was on the 2610

for all ports on the 1800 you need a seperate
filter source-port 1 drop 1-23 trk2 forward 24
...
filter source-port 23 drop 1-23 trk2 forward 24

and offcourse from backupserver to any :

filter source-port 24 forward 1-24 trk2

wich is allready implicitly present, but it's mor clear to specify
Alessandro_78
Regular Advisor

тАО07-15-2008 04:55 AM

тАО07-15-2008 04:55 AM

Re: Procurve 2610 + 1824 + VLAN

Can I do the same with only VLANS?
It should be more easy to do and to understand.

Right? How can I do it with VLAN if possibile?
0 Kudos
Pieter 't Hart
Honored Contributor

тАО07-15-2008 05:35 AM

тАО07-15-2008 05:35 AM

Re: Procurve 2610 + 1824 + VLAN

it is a "source"-port rule.
this is physical port or a trunk port, not vlan!


Why do you want to use all different vlan's for a single port ?
i don't think it makes the configuration easier!

VLAN's are to seperate lan's, you must do extra things to make those lan's communicate!
Then again you want this communication very restricted!

if you really want it, it would be something like :
- for each port create a vlan
- put every single port in its own vlan
(except the switch interconnect, that must be trunk)
- for each vlan select a subnet
- assign each vlan its own ip-adress
- assign each server an ip-adress in the same subnet as the used vlan
- configure routing between all vlans
- for each vlan create accesslist to alow only the single destination

But then again you can use access-lists without using vlan's
0 Kudos
Alessandro_78
Regular Advisor

тАО07-15-2008 06:29 AM

тАО07-15-2008 06:29 AM

Re: Procurve 2610 + 1824 + VLAN

Thank you.
I don't want routing between vlans.
Servers don't need to communicate with each other.

I'll try with source port filter.
0 Kudos
Alessandro_78
Regular Advisor

тАО07-16-2008 05:20 AM

тАО07-16-2008 05:20 AM

Re: Procurve 2610 + 1824 + VLAN

Hey, Procurve 1800-24 is WEB MANAGED.
It hasn't source port filter.

I can filter on 2600, but servers connected to 1800 can communicate with each other and I don't want it.

I think that i must go with vlans.

any hint?
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.