Switches, Hubs, and Modems
VLANs with 2 Procurve 5412zl

Jacob D Dixon
Occasional Advisor

VLANs with 2 Procurve 5412zl

I am having a little bit of a problem. Now I will tell you right now that I am not much of a switch administrator but I am the switch administrator.

Let me start by explaining what we have.

We have two 5412zl Procurve switches that are linked together by fiber. On both of those switches there is a DEFAULT VLAN and an EOC VLAN (EOC just stands for Emergency Operations Center).

So:
Default: 10.10.0.0 255.255.0.0 (firewall for route ip 10.10.2.1)
EOC: 10.11.0.0 255.255.0.0 (firewall for route ip 10.11.2.1)

There is one tagged port on each vlan that matches (I am assuming this is how the vlans are connected, also the switches).

So what I am trying to do is create another VLAN for Internet Access only. I basically want this VLAN not to be able to access ANYTHING on our network but able to get out to the internet. You might ask why don't I use another switch because it would be more secure... well I can't connect another cable from our Cisco Firewall to it.

Anyways so I created this new vlan called PUBLIC with no tagged ports and one untagged port. This is a 10.9.0.0 255.255.0.0 vlan. The problem is it can still access the other vlans. (I added in the firewall a route for it.)

Both 10.11.0.0 and 10.9.0.0 point to the switch at 10.10.2.1. The Default vlan is 10.10.0.0 255.255.0.0. Should I have pointed my PUBLIC route to 10.9.2.1? That is the IP of the switch for that VLAN.

I hope what I was trying to explain makes sense. Thank you!

11 REPLIES
Ralf Krause
Frequent Advisor

Re: VLANs with 2 Procurve 5412zl

Hi Jacob,

did I get you right that your 5400zl switch has a local IP address configured on each of the three VLANs?

If so, I am wondering if "ip routing" is configured on that switch.
In this case the 5400zl would do the routing (at least the routing for the three directly connected IP subnets) locally, bypassing all firewall filters.
Jacob D Dixon
Occasional Advisor

Re: VLANs with 2 Procurve 5412zl

Well here is what I have:

vlan 1
name "DEFAULT_VLAN"
untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24,G1-G24,H1-H24,I1-I23,J1-J24,K1-K19,K21-K24,L4,Trk1-Trk2
ip helper-address 10.10.50.1
ip address 10.10.2.1 255.255.0.0
tagged I24
no untagged K20
exit
vlan 10
name "EOC"
ip helper-address 10.10.50.1
ip address 10.11.2.1 255.255.0.0
tagged I24
exit
vlan 20
name "Public"
untagged K20
ip address 10.9.2.1 255.255.0.0
exit


The trunks in the default VLAN are for our 10gb/s connection ports. So my public is the VLAN 20 (Public). Right now I can plug into K20, assign it an ip (10.9.6.1) and I can get out to the internet AND I can connect to everything on the internal network.

I just don't want it seeing everything on the internal network.

Here is route on the switch:
ip route 0.0.0.0 0.0.0.0 10.10.0.1

Now on our Cisco ASA Firewall:
route ADEM_Outside 0.0.0.0 0.0.0.0 170.94.176.129 1
route ADEM_Inside 10.11.0.0 255.255.0.0 10.10.2.1 1
route ADEM_Inside 10.9.0.0 255.255.0.0 10.10.2.1 1

The route for 10.11.0.0 is the EOC VLAN (10) and the route I put in there for Public is the 10.9.0.0.
Ralf Krause
Frequent Advisor

Re: VLANs with 2 Procurve 5412zl

Would it be possible to see the complete switch config?

Worth trying:
If possible, isolate this switch from the rest of the network and check if you can reach "foreign" IP subnets.
This would either point to the switch or eliminate the switch as a root cause.
Jacob D Dixon
Occasional Advisor

Re: VLANs with 2 Procurve 5412zl

Sure! Well I cannot do too much with this switch because it is online. Our entire network plugs into it...

Basically we have this switch, another one right below it, and then a 3rd that goes upstairs (fiber connecting each of them).

10.10.2.1 is the MAIN switch which I am trying to work on. This config is from that switch:

Running configuration:

; J8698A Configuration Editor; Created on release #K.14.47

hostname "Sw1_5412zl_1stFL"
time timezone -6
module 1 type J8702A
module 2 type J8702A
module 3 type J8702A
module 4 type J8702A
module 5 type J8702A
module 6 type J8702A
module 7 type J8702A
module 8 type J8702A
module 9 type J8705A
module 10 type J8702A
module 11 type J8705A
module 12 type J8707A
trunk L2-L3 Trk1 LACP
trunk L1 Trk2 Trunk
ip default-gateway 10.10.0.1
ip routing
vlan 1
name "DEFAULT_VLAN"
untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24,G1-G24,H1-H24,I1-I23,J1-J24,K1-K19,K21-K24,L4,Trk1-Trk2
ip helper-address 10.10.50.1
ip address 10.10.2.1 255.255.0.0
tagged I24
no untagged K20
exit
vlan 10
name "EOC"
ip helper-address 10.10.50.1
ip address 10.11.2.1 255.255.0.0
tagged I24
exit
vlan 20
name "Public"
untagged K20
ip address 10.9.2.1 255.255.0.0
exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
qos device-priority 10.10.80.1/0 priority 7
qos device-priority 10.10.80.3/0 priority 7
qos device-priority 10.10.50.5/0 priority 7
qos device-priority 10.10.50.7/0 priority 7
qos device-priority 10.10.50.9/0 priority 7
qos device-priority 10.10.50.11/0 priority 7
qos device-priority 10.10.50.55/0 priority 7
qos device-priority 10.10.50.53/0 priority 7
qos tcp-port ipv4 25 priority 4
web-management ssl
ip timep manual 10.10.50.1
ip route 0.0.0.0 0.0.0.0 10.10.0.1
snmp-server community "public" unrestricted
snmp-server contact "System Admins" location "First Floor Camp Robinson"
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
no autorun
Ralf Krause
Frequent Advisor

Re: VLANs with 2 Procurve 5412zl

Hi Jacob,
just as expected ...

"ip routing" is enabled (you find that line between the modules' and the vlans' configurations).

This makes the switch route between all known networks/routes.

If you do a "sho ip route", you will see routing entries to the following networks/routes:
- 10.10.0.0/16 (locally connected: VLAN 1)
- 10.11.0.0/16 (locally connected: VLAN 10)
- 10.9.0.0/16 (locally connected: VLAN 20)
- 0.0.0.0/0 (default route)

This means:
If the switch receives a packet destined for 10.10.x.y, 10.11.x.y, or 10.9.x.y, it will locally route the packet to its destination subnet.
This bypasses your firewall !!!

All other destinations will be sent to 10.10.0.1, which is your firewall if I'm not wrong.

So, disabling "ip routing" should solve this issue.
But be careful, it may be enabled on purpose. ;-)

Hope that helps,
Ralf
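The routing behaviour Ralf describes can be reproduced from the posted config. The following Python is an added example, not code from the thread or from HP: it builds the route table the switch installs when "ip routing" is on (connected routes from the VLAN "ip address" lines, the static default from "ip route"), does a longest-prefix lookup, and reports whether a packet between two of the /16s is forwarded by the switch itself rather than sent to the firewall at 10.10.0.1. The config excerpt and the sample addresses are constructed from values in the thread; the function names are the example's own.

```python
import ipaddress
import re

# Constructed excerpt of the switch config posted in the thread: the three
# VLAN IP interfaces plus the static default route. Only the lines that
# affect the routing table are kept.
CONFIG = """
ip routing
vlan 1
   name "DEFAULT_VLAN"
   ip address 10.10.2.1 255.255.0.0
   exit
vlan 10
   name "EOC"
   ip address 10.11.2.1 255.255.0.0
   exit
vlan 20
   name "Public"
   ip address 10.9.2.1 255.255.0.0
   exit
ip route 0.0.0.0 0.0.0.0 10.10.0.1
"""


def build_route_table(config):
    """Derive the routes the switch installs once 'ip routing' is on.

    Each entry is (network, type, via, vlan): 'connected' routes come from
    the VLAN 'ip address' lines (via = VLAN name), 'static' routes from
    'ip route' lines (via = next-hop address).
    """
    routes = []
    vlan = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan, name = int(m.group(1)), None
        elif m := re.fullmatch(r'name "([^"]*)"', line):
            name = m.group(1)
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and vlan is not None:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, "connected", name, vlan))
        elif m := re.fullmatch(r"ip route (\S+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, "static", m.group(3), None))
        elif line == "exit":
            vlan = name = None
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route covering dst wins."""
    ip = ipaddress.ip_address(dst)
    best = None
    for entry in routes:
        if ip in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


def forwarding_decision(routes, src, dst):
    """Explain what the switch does with a packet from src to dst."""
    s, d = lookup(routes, src), lookup(routes, dst)
    if d is None:
        return "dropped: no route"
    if d[1] == "connected":
        if s is not None and s[1] == "connected" and s[3] != d[3]:
            # Both subnets are directly attached, so the switch forwards
            # between VLANs itself; the firewall never sees the packet.
            return f"routed locally VLAN {s[3]} -> VLAN {d[3]} (firewall bypassed)"
        return f"delivered inside VLAN {d[3]}"
    return f"forwarded to next hop {d[2]}"


if __name__ == "__main__":
    table = build_route_table(CONFIG)
    for net, kind, via, vlan in table:
        print(f"{str(net):18} {via:15} {vlan if vlan is not None else '':>4} {kind}")
    for src, dst in [("10.9.6.1", "10.10.50.1"), ("10.9.6.1", "170.94.176.129")]:
        print(f"{src} -> {dst}: {forwarding_decision(table, src, dst)}")
```

Run as-is it prints the same four entries the switch shows under "sh ip route" and then the two decisions: a host on the Public VLAN reaching 10.10.50.1 is routed locally, while an internet address goes to the next hop 10.10.0.1. The same lookup also shows why the ASA routes for 10.11.0.0 and 10.9.0.0 never come into play for inter-VLAN traffic: that traffic never leaves the switch.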
Jacob D Dixon
Occasional Advisor

Re: VLANs with 2 Procurve 5412zl

Ahhh ok..

But now I do want the EOC vlan to be able to talk to the DEFAULT vlan. I am assuming that disabling the ip route will stop this from occurring correct?

You are correct about the 10.10.0.1 being my firewall.

I'm just wondering if I turn off the IP Route if it will take my network down. You will notice that I have some trunks that are for the 10gb/s modules.
Jacob D Dixon
Occasional Advisor

Re: VLANs with 2 Procurve 5412zl

This is the "sh ip route"

Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0          10.10.0.1       1    static               1          1
10.9.0.0/16        Public          20   connected            1          0
10.10.0.0/16       DEFAULT_VLAN    1    connected            1          0
10.11.0.0/16       EOC             10   connected            1          0
127.0.0.0/8        reject               static               0          0
127.0.0.1/32       lo0                  connected            1          0
Ralf Krause
Frequent Advisor

Re: VLANs with 2 Procurve 5412zl

Hi Jacob,
it definitely will disable all (!) of your routing on this switch, if you say "no ip routing".

The only way to get out of this "mess" is to use ACLs ...


Since this is your productive network, I highly recommend playing with ACLs on a separate testbed. ;-)

Best regards,
Ralf
Jacob D Dixon
Occasional Advisor

Re: VLANs with 2 Procurve 5412zl

Ahhh! Do you happen to know any good tutorials on ip routing? I found another switch that I just put in my office and I'm going to pretty much create a couple vlans and try to get two of them talking but one that is separate.

I figure it's better than working on the production switch! lol
mortalwombat
Advisor

Re: VLANs with 2 Procurve 5412zl

I would leave IP routing enabled. It will make this transition easier. Keep it enabled, then selectively allow traffic with Access lists. Look up the documentation from HP regarding your router and Access Control Lists. It is long and cumbersome, but very informative. Here is a brief rundown though.

You will first create an ACL. Each ACL is made up of ACEs (Access Control Entries).

To create an ACL, use a command like:
ip access-list extended 100 (100 is just the number of the list)

Then, create your entries. It is important to note that as soon as you create an entry, an implicit deny is added. So if you allow traffic between vlan1 and vlan2, all other traffic will be blocked. Your entries may look like:
10 permit ip 10.10.0.0 0.0.255.255 10.11.0.0 0.0.255.255
11 permit ip 10.11.0.0 0.0.255.255 10.10.0.0 0.0.255.255

Notice I allow traffic to go from 10.10.0.0 to 10.11.0.0 and vice versa. This allows two way communication of ip traffic. Now, because of the implicit deny, 10.9.0.0 will not be able to communicate with any of the other VLANs.

My one question for someone more experienced than myself: How secure are these ACLs? Does this effectively stop vlan hopping or any other cross-vlan attacks?
mortalwombat
Advisor

Re: VLANs with 2 Procurve 5412zl

I forgot to mention that you will also have to apply the ACL to your interfaces.

interface 1-48 (assuming a 48 port switch)
ip access-group 100 in
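The two replies above describe an ordered ACL with wildcard masks and an implicit deny, applied inbound on the ports. The Python below is an added example, not code from the thread or from HP's documentation: it is a small evaluator for that kind of list, so the effect of the entries can be checked before touching the production switch. It loads the two ACEs exactly as given in the reply and, for comparison, a second constructed list (an assumption of this example, not the reply's advice) that denies the Public subnet to the two internal subnets first and then permits everything else. The sample flows are constructed from addresses in the thread, and `any` is handled as a wildcard of 255.255.255.255. One result worth seeing with the evaluator: with only the two permit entries and the implicit deny on the inbound ports, internet-bound traffic from every VLAN is dropped as well, which is why the ordered variant ends with a permit.

```python
import ipaddress

# ACL exactly as given in the reply above (two ACEs, implicit deny follows).
ACL_FROM_REPLY = """
10 permit ip 10.10.0.0 0.0.255.255 10.11.0.0 0.0.255.255
11 permit ip 10.11.0.0 0.0.255.255 10.10.0.0 0.0.255.255
"""

# Constructed alternative (an assumption for illustration, not the reply's
# advice): keep the Public VLAN away from the two internal subnets, then
# permit everything else so internet-bound traffic is not caught by the
# implicit deny. Order matters: the denies must come before the permit.
ACL_ORDERED = """
10 deny   ip 10.9.0.0 0.0.255.255 10.10.0.0 0.0.255.255
11 deny   ip 10.9.0.0 0.0.255.255 10.11.0.0 0.0.255.255
20 permit ip any any
"""


def _addr(a):
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr, base, wildcard):
    """Wildcard-mask test: 0 bits in the wildcard must match, 1 bits are ignored."""
    care = 0xFFFFFFFF ^ _addr(wildcard)
    return (_addr(addr) & care) == (_addr(base) & care)


def _take_addr(tokens):
    """Consume 'any' or '<base> <wildcard>' from the token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse '<seq> <permit|deny> <proto> <src> <dst>' lines into ordered ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, rest = _take_addr(tokens[3:])
        dst, rest = _take_addr(rest)
        aces.append((seq, action, proto, src, dst))
    return sorted(aces)


def evaluate(aces, src, dst, proto="ip"):
    """First matching ACE wins; with no match the implicit deny applies."""
    for seq, action, p, (sb, sw), (db, dw) in aces:
        if p in ("ip", proto) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, seq
    return "deny", None


# Constructed sample flows using addresses from the thread.
FLOWS = [
    ("EOC -> DEFAULT",      "10.11.4.4",  "10.10.50.1"),
    ("DEFAULT -> EOC",      "10.10.50.1", "10.11.4.4"),
    ("Public -> DEFAULT",   "10.9.6.1",   "10.10.50.1"),
    ("Public -> EOC",       "10.9.6.1",   "10.11.4.4"),
    ("Public -> internet",  "10.9.6.1",   "170.94.176.129"),
    ("DEFAULT -> internet", "10.10.50.1", "170.94.176.129"),
]


def decisions(acl_text):
    """Map each sample flow name to the action the ACL would take."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, s, d)[0] for name, s, d in FLOWS}


if __name__ == "__main__":
    for label, acl in (("reply's ACL", ACL_FROM_REPLY), ("ordered ACL", ACL_ORDERED)):
        print(label)
        for name, action in decisions(acl).items():
            print(f"  {name:20} {action}")
```

The evaluator only models address matching on IP; it says nothing about Layer 2, so it does not answer the VLAN-hopping question, only whether a given IP flow gets past the list. Running it shows the reply's two ACEs permitting EOC and DEFAULT to each other and denying every Public flow, but also denying both "internet" flows; the ordered list denies Public to DEFAULT and EOC while letting the rest through.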