HPE Community
Switches, Hubs, and Modems
1752786 Members
5944 Online
108789 Solutions
New Discussion юеВ

Routing security multiple VLANs

 
Torkjell Dahl
New Member

тАО02-21-2006 11:08 PM

тАО02-21-2006 11:08 PM

Routing security multiple VLANs

Hi,

I'm trying to configure a HP2626 switch, with the following:

VLAN 2 (domain one - for admins etc)
VLAN 20 (domain two - for students etc)
VLAN 100 (segment of domain 2 - ip helper-address in VLAN 2)
VLAN 101 (segment of domain 20 - ip helper-address in VLAN 20)

Heres the configuration:

max-vlans 99
ip routing
vlan 2
name "admin"
untagged 25
ip address 32.54.20.223 255.255.240.0
tagged 26
exit
vlan 20
name "student"
ip address 172.16.128.55 255.255.240.0
tagged 26
exit
vlan 100
name "local-admin"
untagged 19-24
ip address 192.168.136.1 255.255.255.0
ip helper-address 32.54.20.101
exit
vlan 101
name "local-student"
untagged 1-18
ip address 172.16.136.1 255.255.255.0
ip helper-address 172.16.128.50
exit

What i can't figure out is how to stop routing, so the switch only routes between VLAN 2 and 100, and between VLAN 20 and 101
-
Meaning traffic should NOT be allowed from VLAN and to the following VLANS:
20 to 2 and 2 to 20
20 to 100 and 100 to 20
101 to 100 and 100 to 101
101 to 2 and 2 to 101

Any suggestions?
0 Kudos
6 REPLIES 6
Matt Hobbs
Honored Contributor

тАО02-21-2006 11:29 PM

тАО02-21-2006 11:29 PM

Re: Routing security multiple VLANs

Generally speaking, you need Access Control Lists to achieve what you're trying to do. The 2600 does not support ACL's.
0 Kudos
Sergej Gurenko
Trusted Contributor

тАО02-22-2006 07:15 AM

тАО02-22-2006 07:15 AM

Re: Routing security multiple VLANs

You can completly stop routing to one VLAN by defining it like a "management vlan" http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=999567

Tou can disable IP Routing on the switch (i'm not sure ip-helper packets will be routed then.

I advise you to join valns 2+100 and 20+101. Disable routing on the switch or did not set ip addreses and you will have two non overlaping subnets.
In any way you must have internet connection and intwernet router. Trunk bouth joined VLANs there and nat each one separatly. You need to setup access lists on the router to block routing bitween VLANs also (you can leave management vlan, management traffic will not hit the WAN router performance).
0 Kudos
claramunt_1
Advisor

тАО02-22-2006 06:58 PM

тАО02-22-2006 06:58 PM

Re: Routing security multiple VLANs

U can't do that with 2626
0 Kudos
Torkjell Dahl
New Member

тАО03-02-2006 02:51 AM

тАО03-02-2006 02:51 AM

Re: Routing security multiple VLANs

Thanks for you're time and help here. I have found a solution to this issue - there might be smarter ones out there, but i've found i can do what im after with the use of 3 switches, witch actually is'nt too bad, since i need the ports.

I'll attach a simplified drawing of my solution. If anyone want more information or like to ask a question, please reply to this post.
0 Kudos
Sergej Gurenko
Trusted Contributor

тАО03-02-2006 03:34 AM

тАО03-02-2006 03:34 AM

Re: Routing security multiple VLANs

Some server network cards support VLANs. You can connect this server to both VLANS at the same time via Q-trunk. Enable Firewall on the student VLAN connected interface, or you students hack you server in a minutes :)
0 Kudos
Torkjell Dahl
New Member

тАО03-02-2006 04:01 AM

тАО03-02-2006 04:01 AM

Re: Routing security multiple VLANs

Yea, i'm thinking of maybe making one DHCP server for the whole net :).

I feel a little sidenote is in order too tho, the net got 20-30 servers in both administrative and student sone, and there are 18 locations who have their own local vlan with dhcp forwarded. We are excited and happy, at least at the moment because it works as intended aka much less broadcasts between the wireless nodes and we got central administration of both nets. Before we actually had 2 communicationlines to solve it.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.