
Vlan Routing Issue

Mike Hyslop
Occasional Visitor

Hi All.

I'm setting up a 5300xl switch for a shared environment, where each vlan must NOT be able to see any other vlan apart from the vlan with the router in it.

Config is as follows:

Running configuration:

; J4819A Configuration Editor; Created on release #E.10.37

hostname "HP ProCurve Switch 5308xl"
module 2 type J4820B
module 3 type J4820B
module 4 type J4820B
module 5 type J4820B
module 7 type J4820B
module 8 type J4820B
ip routing
snmp-server community "public" Unrestricted
vlan 1
   untagged B1-B24,C1-C24,D1-D24,E5-E24,G1-G24,H1-H14
   ip address
   no untagged E1-E4,H15-H24
vlan 2
   name "systemcore"
   untagged H15-H23
   ip address
vlan 3
   name "dirtyserve"
   untagged H24
   ip address
vlan 4
   name "rm212-213"
   untagged E1-E4
   ip address
   ip helper-address
ip route
password manager

A sh ip route shows:

HP ProCurve Switch 5308xl# sh ip route

IP Route Entries

Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
3 static 1 1
reject static 0 250
lo0 connected 0 0
dirtyserve 3 connected 0 0
systemcore 2 connected 0 0
rm212-213 4 connected 0 0

Now ideally I would like it that each vlan can see the internet, but the vlans cannot see each other (obviously with the exception of IP helpers).

I'm sure I'm missing something really simple with the config I have.

I have tried removing the IP address from the vlan, but that also stops internet access.

All ideas appreciated.

Matt Hobbs
Honored Contributor

Re: Vlan Routing Issue

You'll need to create some access control lists to do this. I would deny the other VLANs' IP address ranges and permit ip any any to allow Internet access, and then apply it incoming to each VLAN.

deny ip any
permit ip any any

That's not complete but it should get you started.
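
The ACL approach from the reply, worked through as an added example (not code from either poster): it builds the inbound entry list for each VLAN, renders it in the `deny ip any ...` / `permit ip any any` form sketched above, and evaluates it first-match. The subnets, the helper host exception and the function names are constructed assumptions, since the thread's addresses were not published; the router VLAN is given no deny entries here because destination-based denies applied inbound on it would also match replies coming back from the Internet.

```python
import ipaddress

# Constructed subnets: the addresses in the posted config were not published.
VLANS = {
    "vlan1": ipaddress.ip_network("10.0.1.0/24"),
    "systemcore": ipaddress.ip_network("10.0.2.0/24"),
    "dirtyserve": ipaddress.ip_network("10.0.3.0/24"),  # holds the default gateway
    "rm212-213": ipaddress.ip_network("10.0.4.0/24"),
}
ROUTER_VLAN = "dirtyserve"
ANY = ipaddress.ip_network("0.0.0.0/0")


def build_acl(vlan, exceptions=()):
    """Ordered inbound ACL for one VLAN as (action, destination) pairs."""
    if vlan == ROUTER_VLAN:
        # Denying client subnets as destinations here would drop Internet replies.
        return [("permit", ANY)]
    # Host exceptions (e.g. a helper target) must precede the subnet denies.
    acl = [("permit", ipaddress.ip_network(h)) for h in exceptions]
    for name, net in VLANS.items():
        if name not in (vlan, ROUTER_VLAN):
            acl.append(("deny", net))
    acl.append(("permit", ANY))
    return acl


def render(acl):
    """Entries as 'action ip any <network> <wildcard mask>' text lines."""
    lines = []
    for action, net in acl:
        dst = "any" if net == ANY else f"{net.network_address} {net.hostmask}"
        lines.append(f"{action} ip any {dst}")
    return lines


def decide(acl, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    addr = ipaddress.ip_address(dst)
    for action, net in acl:
        if addr in net:
            return action
    return "deny"


if __name__ == "__main__":
    acl = build_acl("rm212-213", exceptions=["10.0.2.10/32"])
    print("\n".join(render(acl)))
    for dst in ("10.0.2.10", "10.0.2.20", "10.0.3.1", "198.51.100.7"):
        print(dst, decide(acl, dst))
```

Entry order is what makes this work: moving `permit ip any any` above the denies would let every inter-VLAN packet through on the first match.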