03-03-2007 09:23 AM
VLAN beginner, 3500yl switch
I want to configure as below
01 Maestro 10.17.1.10
02 SILVERWARE 10.17.1.12
03 CRS 10.17.1.25
04 Mail 10.17.1.2
05 Firewall 10.17.1.13
06 WUS/AV 10.17.1.11
07 CIS 10.17.1.3
08 Manager PC 10.17.1.30
09 Network Disk
10 –
11 –
12 –
13 POS Network 10.17.3.0/255
14 Accounts hub
15 Server Room hub
16 PBX Room Hub
17 LINK-IN BRIDGE
18 VPN
VLAN2 SERVERS 10.17.1.0 / 255.255.255.0
VLAN3 LAN (Maestro users) 10.17.2.0 / 255.255.255.0
VLAN4 POS 10.17.3.0 / 255.255.255.0
VLAN5 CYBER 10.17.4.0 / 255.255.255.0
VLAN6 LAN2 10.17.5.0 / 255.255.255.0
How can I configure my switch according to the requirements listed below?
VLAN3 have full access to VLAN2
VLAN3 cannot talk with VLAN4, VLAN5
VLAN4 can only talk with port 2 and port 6
VLAN5 can only talk with port 5 and 6
VLAN6 can talk with port 4, 5, 6 only
03-03-2007 03:14 PM
Re: VLAN beginner, 3500yl switch
Hopefully you have the 3500 great switch, so...
I assume you need Vlan1 to be accessed by each Vlan, and I will assume Vlan1 IP: 10.17.0.1/24.
After you create your Vlans, do these ACLs:
----------Vlan3 ACL------------------------
Switch(config)#ip access-list extended Vlan3
Switch(config-nacl)#permit ip any 10.17.1.0 0.0.0.255
Switch(config-nacl)#permit ip 10.17.1.0 0.0.0.255 any
Switch(config-nacl)#permit ip any 10.17.0.0 0.0.0.255
Switch(config-nacl)#permit ip 10.17.0.0 0.0.0.255 any
Switch(config)#vlan 3 ip access-group Vlan3 out
-------------------------------------------
----------Vlan4 ACL------------------------
Switch(config)#ip access-list extended Vlan4
Switch(config-nacl)#permit ip any host 10.17.1.12
Switch(config-nacl)#permit ip host 10.17.1.12 any
Switch(config-nacl)#permit ip any host 10.17.1.11
Switch(config-nacl)#permit ip host 10.17.1.11 any
Switch(config-nacl)#permit ip any 10.17.0.0 0.0.0.255
Switch(config-nacl)#permit ip 10.17.0.0 0.0.0.255 any
Switch(config)#vlan 4 ip access-group Vlan4 out
-------------------------------------------
----------Vlan5 ACL------------------------
Switch(config)#ip access-list extended Vlan5
Switch(config-nacl)#permit ip any host 10.17.1.13
Switch(config-nacl)#permit ip host 10.17.1.13 any
Switch(config-nacl)#permit ip any host 10.17.1.11
Switch(config-nacl)#permit ip host 10.17.1.11 any
Switch(config-nacl)#permit ip any 10.17.0.0 0.0.0.255
Switch(config-nacl)#permit ip 10.17.0.0 0.0.0.255 any
Switch(config)#vlan 5 ip access-group Vlan5 out
-------------------------------------------
----------Vlan6 ACL------------------------
Switch(config)#ip access-list extended Vlan6
Switch(config-nacl)#permit ip any host 10.17.1.2
Switch(config-nacl)#permit ip host 10.17.1.2 any
Switch(config-nacl)#permit ip any host 10.17.1.13
Switch(config-nacl)#permit ip host 10.17.1.13 any
Switch(config-nacl)#permit ip any host 10.17.1.11
Switch(config-nacl)#permit ip host 10.17.1.11 any
Switch(config-nacl)#permit ip any 10.17.0.0 0.0.0.255
Switch(config-nacl)#permit ip 10.17.0.0 0.0.0.255 any
Switch(config)#vlan 6 ip access-group Vlan6 out
-------------------------------------------
I hope this is right 100% and nothing missed :)
Good Luck !!!
03-05-2007 12:20 PM
Re: VLAN beginner, 3500yl switch
max-vlans 20
ip access-list extended "vlan3"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.0 0.0.0.255
20 permit ip 10.17.1.0 0.0.0.255 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
40 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan4"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.12 0.0.0.0
20 permit ip 10.17.1.12 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
40 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
60 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan5"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
20 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
40 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
60 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan6"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.2 0.0.0.0
20 permit ip 10.17.1.2 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
40 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
60 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
70 permit ip 0.0.0.0 255.255.255.255 10.17.1.25 0.0.0.0
80 permit ip 10.17.1.25 0.0.0.0 0.0.0.0 255.255.255.255
90 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
100 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan7"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.2 0.0.0.0
20 permit ip 10.17.1.2 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
40 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
60 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
70 permit ip 0.0.0.0 255.255.255.255 10.17.1.25 0.0.0.0
80 permit ip 10.17.1.25 0.0.0.0 0.0.0.0 255.255.255.255
90 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
100 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan8"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.2 0.0.0.0
20 permit ip 10.17.1.2 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
40 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
60 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
70 permit ip 0.0.0.0 255.255.255.255 10.17.1.25 0.0.0.0
80 permit ip 10.17.1.25 0.0.0.0 0.0.0.0 255.255.255.255
90 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
100 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan9"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.2 0.0.0.0
20 permit ip 10.17.1.2 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
40 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
60 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
70 permit ip 0.0.0.0 255.255.255.255 10.17.1.25 0.0.0.0
80 permit ip 10.17.1.25 0.0.0.0 0.0.0.0 255.255.255.255
90 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
100 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "vlan10"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.2 0.0.0.0
20 permit ip 10.17.1.2 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
40 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
60 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
70 permit ip 0.0.0.0 255.255.255.255 10.17.1.25 0.0.0.0
80 permit ip 10.17.1.25 0.0.0.0 0.0.0.0 255.255.255.255
90 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
100 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
ip default-gateway 10.17.1.2
sntp server 10.17.1.2
ip routing
snmp-server community "public" Operator
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address 10.17.0.1 255.255.255.0
exit
vlan 2
name "SERVERS"
ip address 10.17.1.1 255.255.255.0
exit
vlan 3
name "ADMIN"
ip address 10.17.2.1 255.255.255.0
ip access-group "vlan3" out
exit
vlan 4
name "POS"
ip address 10.17.3.1 255.255.255.0
ip access-group "vlan4" out
exit
vlan 5
name "CYBER"
ip address 10.17.4.1 255.255.255.0
ip access-group "vlan5" out
exit
vlan 6
name "ACC"
ip address 10.17.5.1 255.255.255.0
ip access-group "vlan6" out
exit
vlan 7
name "BACKISLAND"
ip address 10.17.6.1 255.255.255.0
ip access-group "vlan7" out
exit
vlan 8
name "FRONTOFF"
ip address 10.17.7.1 255.255.255.0
ip access-group "vlan8" out
exit
vlan 9
name "OTHERS"
ip address 10.17.8.1 255.255.255.0
ip access-group "vlan9" out
exit
vlan 10
name "3RDPARTY"
ip address 10.17.9.1 255.255.255.0
ip access-group "vlan10" out
exit
I configured the client with
10.17.5.2, mask 255.255.255.0
gateway 10.17.5.1
I can't ping the gateway or the switch.
What might be wrong?
03-05-2007 06:41 PM
Re: VLAN beginner, 3500yl switch
"VLAN3 have full access to VLAN2
VLAN3 cannot talk with VLAN4, VLAN5
VLAN4 can only talk with port 2 and port 6
VLAN5 can only talk with port 5 and 6
VLAN6 can talk with port 4, 5, 6 only"
In order to properly design the access control lists and to properly assign them to the interfaces, some more info is needed:
Q1: What is connected to ports 5 and 6 of your 3500yl?
Q2: What is connected to ports 2 and 4 of your 3500yl?
Q3: Does VLAN2 also need full access to VLAN3?
Q4: Are VLANs 4 and 5 allowed to request data from VLAN3, and get answers from there?
Q5: Are you using both TCP and UDP?
Maybe you should rephrase your requirements in terms of client-server access requirements; I mean who needs data from where (source and destination of the IP packets), since the ACLs allow you to filter the protocols, not only IP addresses. Also keep in mind that ACLs can be applied inbound and outbound to any VLAN interface, and so they are directional.
03-05-2007 06:47 PM
Re: VLAN beginner, 3500yl switch
Q7: Why not have the firewall (10.17.1.13) as your gateway of last resort?
Q8: What is the output of the "show ip route"?
03-05-2007 06:53 PM
Re: VLAN beginner, 3500yl switch
Lines (10, 20), (30, 40) ... cannot be in the same ACL! ACLs can be either inbound or outbound, and are applied to interfaces either "out" or "in", but not both at the same time!
ip access-list extended "vlan6"
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.2 0.0.0.0
20 permit ip 10.17.1.2 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
40 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
60 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
70 permit ip 0.0.0.0 255.255.255.255 10.17.1.25 0.0.0.0
80 permit ip 10.17.1.25 0.0.0.0 0.0.0.0 255.255.255.255
90 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
100 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
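Added example, not part of the thread and not HP's code: a first-match evaluation of the "vlan6" list quoted above, using wildcard-mask matching and the implicit deny that closes an extended ACL. The function names and sample packets are constructed for illustration, and how the 3500yl treats traffic it originates itself is not modelled.

```python
import ipaddress

# The "vlan6" list as posted in the thread, sequence numbers included.
VLAN6_ACL = """\
10 permit ip 0.0.0.0 255.255.255.255 10.17.1.2 0.0.0.0
20 permit ip 10.17.1.2 0.0.0.0 0.0.0.0 255.255.255.255
30 permit ip 0.0.0.0 255.255.255.255 10.17.1.13 0.0.0.0
40 permit ip 10.17.1.13 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 0.0.0.0 255.255.255.255 10.17.1.11 0.0.0.0
60 permit ip 10.17.1.11 0.0.0.0 0.0.0.0 255.255.255.255
70 permit ip 0.0.0.0 255.255.255.255 10.17.1.25 0.0.0.0
80 permit ip 10.17.1.25 0.0.0.0 0.0.0.0 255.255.255.255
90 permit ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.0.255
100 permit ip 10.17.0.0 0.0.0.255 0.0.0.0 255.255.255.255
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(text):
    """Parse '<seq> <action> ip <src> <src-wildcard> <dst> <dst-wildcard>' lines."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7 or f[2] != "ip":
            raise ValueError(f"unsupported ACL entry: {line!r}")
        entries.append((int(f[0]), f[1], *map(to_int, f[3:])))
    return sorted(entries)  # entries are checked in sequence-number order

def wildcard_match(addr, base, wildcard):
    # A 1 bit in the wildcard means "don't care"; every other bit must equal base.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(entries, src, dst):
    """Return (action, seq) of the first matching entry, else the implicit deny."""
    s, d = to_int(src), to_int(dst)
    for seq, action, sb, sw, db, dw in entries:
        if wildcard_match(s, sb, sw) and wildcard_match(d, db, dw):
            return action, seq
    return "deny", None  # no entry matched: implicit "deny ip any any"

# Constructed sample packets (src, dst); not traffic captured from the thread.
SAMPLE_PACKETS = [("10.17.1.2", "10.17.5.2"), ("10.17.5.2", "10.17.1.11"),
                  ("10.17.2.9", "10.17.5.2"), ("10.17.5.1", "10.17.5.2")]

if __name__ == "__main__":
    for src, dst in SAMPLE_PACKETS:
        print(src, "->", dst, *evaluate(parse_acl(VLAN6_ACL), src, dst))
```

Each packet is tested once against the whole list, so an entry can only fire for traffic that actually crosses the VLAN interface in the direction the list is bound to.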