Switches, Hubs, and Modems
maldiveboy
Occasional Contributor

VLAN beginner, 3500yl switch

I have got a new switch, haven't done any configuration yet.

I want to configure it as below:

01 Maestro 10.17.1.10
02 SILVERWARE 10.17.1.12
03 CRS 10.17.1.25
04 Mail 10.17.1.2
05 Firewall 10.17.1.13
06 WUS/AV 10.17.1.11
07 CIS 10.17.1.3
08 Manager PC 10.17.1.30
09 Network Disk
10 –
11 –
12 –
13 POS Network 10.17.3.0/255
14 Accounts hub
15 Server Room hub
16 PBX Room Hub
17 LINK-IN BRIDGE
18 VPN

VLAN2 SERVERS 10.17.1.0 / 255.255.255.0
VLAN3 LAN (Mestro users) 10.17.2.0 / 255.255.255.0
VLAN4 POS 10.17.3.0 / 255.255.255.0
VLAN5 CYBER 10.17.4.0 / 255.255.255.0
VLAN6 LAN2 10.17.5.0 / 255.255.255.0

How can I configure my switch according to the rules listed below?
VLAN3 have full access to VLAN2
VLAN3 cannot talk with VLAN4, VLAN5
VLAN4 can only talk with port 2 and port 6
VLAN5 can only talk with port 5 and 6
VLAN6 can talk with port 4, 5, 6 only

5 REPLIES
Mohieddin Kharnoub
Honored Contributor

Re: VLAN beginner, 3500yl switch

Hi

Hopefully you have the great 3500 switch, so...
I assume you need Vlan1 to be accessible from each Vlan, and I will assume Vlan1 IP: 10.17.0.1/24.
After you create your Vlans, do these ACLs:

----------Vlan3 ACL------------------------
Switch(config)#ip access-list extended Vlan3
Switch(config-nacl)#permit ip any 10.17.1.0 0.0.0.255
Switch(config-nacl)#permit ip 10.17.1.0 0.0.0.255 any
Switch(config-nacl)#permit ip any 10.17.0.0 0.0.0.255
Switch(config-nacl)#permit ip 10.17.0.0 0.0.0.255 any
Switch(config)#vlan 3 ip access-group Vlan3 out
-------------------------------------------

----------Vlan4 ACL------------------------
Switch(config)#ip access-list extended Vlan4
Switch(config-nacl)#permit ip any host 10.17.1.12
Switch(config-nacl)#permit ip host 10.17.1.12 any
Switch(config-nacl)#permit ip any host 10.17.1.11
Switch(config-nacl)#permit ip host 10.17.1.11 any
Switch(config-nacl)#permit ip any 10.17.0.0 0.0.0.255
Switch(config-nacl)#permit ip 10.17.0.0 0.0.0.255 any
Switch(config)#vlan 4 ip access-group Vlan4 out
-------------------------------------------

----------Vlan5 ACL------------------------
Switch(config)#ip access-list extended Vlan5
Switch(config-nacl)#permit ip any host 10.17.1.13
Switch(config-nacl)#permit ip host 10.17.1.13 any
Switch(config-nacl)#permit ip any host 10.17.1.11
Switch(config-nacl)#permit ip host 10.17.1.11 any
Switch(config-nacl)#permit ip any 10.17.0.0 0.0.0.255
Switch(config-nacl)#permit ip 10.17.0.0 0.0.0.255 any
Switch(config)#vlan 5 ip access-group Vlan5 out
-------------------------------------------

----------Vlan6 ACL------------------------
Switch(config)#ip access-list extended Vlan6
Switch(config-nacl)#permit ip any host 10.17.1.2
Switch(config-nacl)#permit ip host 10.17.1.2 any
Switch(config-nacl)#permit ip any host 10.17.1.13
Switch(config-nacl)#permit ip host 10.17.1.13 any
Switch(config-nacl)#permit ip any host 10.17.1.11
Switch(config-nacl)#permit ip host 10.17.1.11 any
Switch(config-nacl)#permit ip any 10.17.0.0 0.0.0.255
Switch(config-nacl)#permit ip 10.17.0.0 0.0.0.255 any
Switch(config)#vlan 6 ip access-group Vlan6 out
-------------------------------------------

I hope this is 100% right and nothing is missed :)

Good Luck !!!
Science for Everyone
maldiveboy
Occasional Contributor

Re: VLAN beginner, 3500yl switch

Here is my running config:

max-vlans 20
ip access-list extended "vlan3"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.0 0.0.0.255
20 permit ip 10.17.1.0 0.0.0.255 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
40 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan4"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.12 0.0.0.0
20 permit ip 10.17.1.12 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
40 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
60 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan5"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
20 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
40 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
60 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan6"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.2 0.0.0.0
20 permit ip 10.17.1.2 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
40 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
60 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
70 permit ip 0.0.0.0 255.255.255.255 10.17.1.25 0.0.0.0
80 permit ip 10.17.1.25 0.0.0.0 0.0.0.0 255.255.255.255
90 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
100 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan7"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.2 0.0.0.0
20 permit ip 10.17.1.2 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
40 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
60 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
70 permit ip 0.0.0.0 255.255.255.255 10.17.1.25 0.0.0.0
80 permit ip 10.17.1.25 0.0.0.0 0.0.0.0 255.255.255.255
90 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
100 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan8"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.2 0.0.0.0
20 permit ip 10.17.1.2 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
40 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
60 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
70 permit ip 0.0.0.0 255.255.255.255 10.17.1.25 0.0.0.0
80 permit ip 10.17.1.25 0.0.0.0 0.0.0.0 255.255.255.255
90 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
100 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan9"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.2 0.0.0.0
20 permit ip 10.17.1.2 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
40 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
60 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
70 permit ip 0.0.0.0 255.255.255.255 10.17.1.25 0.0.0.0
80 permit ip 10.17.1.25 0.0.0.0 0.0.0.0 255.255.255.255
90 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
100 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan10"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.2 0.0.0.0
20 permit ip 10.17.1.2 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
40 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
60 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
70 permit ip 0.0.0.0 255.255.255.255 10.17.1.25 0.0.0.0
80 permit ip 10.17.1.25 0.0.0.0 0.0.0.0 255.255.255.255
90 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
100 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip default-gateway 10.17.1.2
sntp server 10.17.1.2
ip routing
snmp-server community "public" Operator
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address 10.17.0.1 255.255.255.0
exit
vlan 2
name "SERVERS"
ip address 10.17.1.1 255.255.255.0
exit
vlan 3
name "ADMIN"
ip address 10.17.2.1 255.255.255.0
ip access-group "vlan3" out
exit
vlan 4
name "POS"
ip address 10.17.3.1 255.255.255.0
ip access-group "vlan4" out
exit
vlan 5
name "CYBER"
ip address 10.17.4.1 255.255.255.0
ip access-group "vlan5" out
exit
vlan 6
name "ACC"
ip address 10.17.5.1 255.255.255.0
ip access-group "vlan6" out
exit
vlan 7
name "BACKISLAND"
ip address 10.17.6.1 255.255.255.0
ip access-group "vlan7" out
exit
vlan 8
name "FRONTOFF"
ip address 10.17.7.1 255.255.255.0
ip access-group "vlan8" out
exit
vlan 9
name "OTHERS"
ip address 10.17.8.1 255.255.255.0
ip access-group "vlan9" out
exit
vlan 10
name "3RDPARTY"
ip address 10.17.9.1 255.255.255.0
ip access-group "vlan10" out
exit


I configured the client with
10.17.5.2, mask 255.255.255.0,
gateway 10.17.5.1.

I can't ping the gateway or the switch.
What might be wrong?
OLARU Dan
Trusted Contributor

Re: VLAN beginner, 3500yl switch

Your requirements specify this:

"VLAN3 have full access to VLAN2
VLAN3 cannot talk with VLAN4, VLAN5
VLAN4 can only talk with port 2 and port 6
VLAN5 can only talk with port 5 and 6
VLAN6 can talk with port 4, 5, 6 only"

In order to properly design the access control lists and to properly assign them to the interfaces, some more info is needed:

Q1: What is connected to ports 5 and 6 of your 3500yl?

Q2: What is connected to ports 2 and 4 of your 3500yl?

Q3: VLAN2 needs also full access to VLAN3?

Q4: VLANs 4 and 5 are allowed to request data from VLAN3, and get answers from there?

Q5: Are you using both TCP and UDP?

Maybe you should rephrase your requirements in terms of client-server access requirements; I mean who needs data from where (source and destination of the IP packets), since the ACLs allow you to filter the protocols, not only IP addresses. Also keep in mind that ACLs can be applied inbound and outbound to any VLAN interface, and so they are directional.
OLARU Dan
Trusted Contributor

Re: VLAN beginner, 3500yl switch

Q6: Why do you use this: "ip default-gateway 10.17.1.2", which is your e-mail server?

Q7: Why not having the firewall (10.17.1.13) as your gateway of last resort?

Q8: What is the output of "show ip route"?
OLARU Dan
Trusted Contributor

Re: VLAN beginner, 3500yl switch

Your IP access lists are TOTALLY wrong. You basically combined outbound and inbound ACLs into one ACL and applied it outbound!!!

Lines (10, 20), (30,40) ... cannot be in the same ACL! ACLs can be either inbound or outbound, and are applied to interfaces either "out" or "in", but not both at the same time!

ip access-list extended "vlan6"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.2 0.0.0.0
20 permit ip 10.17.1.2 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
40 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
60 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
70 permit ip 0.0.0.0 255.255.255.255 10.17.1.25 0.0.0.0
80 permit ip 10.17.1.25 0.0.0.0 0.0.0.0 255.255.255.255
90 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
100 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
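Added example (my own Python, not code from the thread or from HP) that models how the posted ACLs decide the flows named in the original requirements, to make the directionality point in the replies above concrete. The VLAN subnets and the `vlan3`/`vlan4` ACEs are copied from the running config posted above; the `vlan4-in` ACL, the host addresses 10.17.3.20 and 10.17.2.30, and the ACL semantics listed in the module docstring are my assumptions.

```python
"""Model of the 3500yl's routed-VLAN ACL evaluation (added example, not code
from the thread). Semantics assumed: ACEs are checked in sequence order and
the first match wins; every ACL ends with an implicit deny; wildcard masks use
0 = bit must match, 1 = don't care; a VLAN "in"/"out" ACL sees routed traffic
only; the egress VLAN is the one whose subnet contains the destination."""
import ipaddress
from dataclasses import dataclass

# VLAN interfaces from the posted running config (vlan id -> subnet).
VLAN_SUBNETS = {v: ipaddress.ip_network(n) for v, n in {
    1: "10.17.0.0/24", 2: "10.17.1.0/24", 3: "10.17.2.0/24",
    4: "10.17.3.0/24", 5: "10.17.4.0/24", 6: "10.17.5.0/24"}.items()}

# ACEs copied from the posted config: seq action proto src src-wc dst dst-wc
POSTED = {
    "vlan3": """10 permit ip 0.0.0.0 255.255.255.255 10.17.1.0 0.0.0.255
20 permit ip 10.17.1.0 0.0.0.255 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
40 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255""",
    "vlan4": """10 permit ip 0.0.0.0 255.255.255.255 10.17.1.12 0.0.0.0
20 permit ip 10.17.1.12 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
40 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
60 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255""",
}
POSTED_OUT = {3: "vlan3", 4: "vlan4"}  # the config's "ip access-group ... out" bindings

# Hypothetical alternative (my own, not from the thread): filter VLAN 4 on
# ingress so a POS host can only send to ports 2 (10.17.1.12) and 6 (10.17.1.11).
ALT_IN = {"vlan4-in": """10 permit ip 10.17.3.0 0.0.0.255 10.17.1.12 0.0.0.0
20 permit ip 10.17.3.0 0.0.0.255 10.17.1.11 0.0.0.0"""}
ALT_IN_BIND = {4: "vlan4-in"}


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    src: int
    src_wc: int
    dst: int
    dst_wc: int


def parse_acl(text):
    """Parse 'seq permit|deny ip SRC SRC-WC DST DST-WC' lines into Ace objects."""
    to_int = lambda a: int(ipaddress.ip_address(a))
    aces = []
    for line in text.strip().splitlines():
        seq, action, _proto, s, swc, d, dwc = line.split()
        aces.append(Ace(int(seq), action, to_int(s), to_int(swc), to_int(d), to_int(dwc)))
    return aces


def wc_match(addr, base, wildcard):
    """Wildcard compare: bits set in the wildcard are ignored."""
    return (addr | wildcard) == (base | wildcard)


def evaluate(aces, src, dst):
    """First matching ACE wins; fall through to the implicit deny."""
    for ace in aces:
        if wc_match(src, ace.src, ace.src_wc) and wc_match(dst, ace.dst, ace.dst_wc):
            return ace.action, ace.seq
    return "deny", None


def vlan_of(addr):
    """VLAN whose subnet contains addr (the ingress VLAN for a source, egress for a destination)."""
    ip = ipaddress.ip_address(addr)
    return next(v for v, net in VLAN_SUBNETS.items() if ip in net)


def forward(src, dst, acls, in_bind=None, out_bind=None):
    """Route one packet src->dst through the switch.
    Returns ('permit', None, None) or ('deny', '<in|out>:vlan<N>', seq-or-None)."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    stages = (("in", in_bind or {}, vlan_of(src)), ("out", out_bind or {}, vlan_of(dst)))
    for stage, bind, vlan in stages:
        if vlan in bind:
            action, seq = evaluate(parse_acl(acls[bind[vlan]]), s, d)
            if action == "deny":
                return "deny", f"{stage}:vlan{vlan}", seq
    return "permit", None, None


def dead_aces(acl_text, vlan):
    """Sequence numbers of ACEs in an *out* ACL on `vlan` whose destination
    pattern cannot intersect that VLAN's subnet, i.e. ACEs that can never match."""
    net = VLAN_SUBNETS[vlan]
    dead = []
    for ace in parse_acl(acl_text):
        fixed_in_both = int(net.netmask) & ~ace.dst_wc & 0xFFFFFFFF
        if (ace.dst & fixed_in_both) != (int(net.network_address) & fixed_in_both):
            dead.append(ace.seq)
    return dead


if __name__ == "__main__":
    # Hosts 10.17.3.20 (VLAN 4) and 10.17.2.30 (VLAN 3) are constructed for the demo.
    both = {**POSTED, **ALT_IN}
    print("posted  VLAN4 -> Maestro    ", forward("10.17.3.20", "10.17.1.10", POSTED, out_bind=POSTED_OUT))
    print("posted  Maestro -> VLAN4    ", forward("10.17.1.10", "10.17.3.20", POSTED, out_bind=POSTED_OUT))
    print("ingress VLAN4 -> Maestro    ", forward("10.17.3.20", "10.17.1.10", both, ALT_IN_BIND, POSTED_OUT))
    print("ingress VLAN4 -> SILVERWARE ", forward("10.17.3.20", "10.17.1.12", both, ALT_IN_BIND, POSTED_OUT))
    print("posted  VLAN3 -> VLAN4      ", forward("10.17.2.30", "10.17.3.20", POSTED, out_bind=POSTED_OUT))
    print("never-matching ACEs in vlan3 out:", dead_aces(POSTED["vlan3"], 3))
```

Running it shows what the directionality questions above are getting at. With only `out` ACLs bound on VLANs 3 to 6, a POS host's packet to Maestro (10.17.1.10, not one of the two permitted servers) is permitted, because it leaves the switch on VLAN 2 where no ACL is bound; only the reply is dropped by the implicit deny of `vlan4`. A TCP connection therefore fails at the SYN-ACK, but the SYN, and any one-way UDP, already reached the server. The `vlan4-in` variant filters at ingress of the source VLAN and drops the request itself, which is what "VLAN4 can only talk with port 2 and port 6" asks for. `dead_aces` reports ACEs 10 and 30 of `vlan3` (and 10, 30 and 50 of `vlan4`) as unable to match in an `out` ACL, since every packet leaving on VLAN 3 has a destination in 10.17.2.0/24; those are the lines that only make sense inbound. Separately, the model assumes each host actually sits in the VLAN of its address: in the posted config `untagged 1-24` leaves every port in VLAN 1 and gives VLAN 6 no member port at all, which is the first thing to check for a 10.17.5.2 client that cannot ping 10.17.5.1.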