Vlan Routing Issue
Mike Hyslop
New Member
Hi All.

I'm setting up a 5300xl switch for a shared environment, where each VLAN must NOT be able to see any other VLAN apart from the VLAN with the router in it.

Config is as follows:

Running configuration:

; J4819A Configuration Editor; Created on release #E.10.37

hostname "HP ProCurve Switch 5308xl"
module 2 type J4820B
module 3 type J4820B
module 4 type J4820B
module 5 type J4820B
module 7 type J4820B
module 8 type J4820B
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged B1-B24,C1-C24,D1-D24,E5-E24,G1-G24,H1-H14
ip address 192.168.1.2 255.255.255.0
no untagged E1-E4,H15-H24
exit
vlan 2
name "systemcore"
untagged H15-H23
ip address 172.20.1.30 255.255.255.224
exit
vlan 3
name "dirtyserve"
untagged H24
ip address 172.20.0.253 255.255.255.248
exit
vlan 4
name "rm212-213"
untagged E1-E4
ip address 172.20.2.254 255.255.255.0
ip helper-address 172.20.1.1
exit
ip route 0.0.0.0 0.0.0.0 172.20.0.254
password manager

A sh ip route shows:

HP ProCurve Switch 5308xl# sh ip route

IP Route Entries

Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0          172.20.0.254    3    static               1          1
127.0.0.0/8        reject               static               0          250
127.0.0.1/32       lo0                  connected            0          0
172.20.0.248/29    dirtyserve      3    connected            0          0
172.20.1.0/27      systemcore      2    connected            0          0
172.20.2.0/24      rm212-213       4    connected            0          0

Now, ideally, I would like each VLAN to be able to see the internet, but the VLANs must not be able to see each other (obviously with the exception of IP helpers).

I'm sure I'm missing something really simple with the config I have.

I have tried removing the IP address from the vlan, but that also stops internet access.

All ideas appreciated.
Matt Hobbs
Honored Contributor

Re: Vlan Routing Issue

You'll need to create some access control lists to do this. I would deny the other VLANs' IP address ranges and permit ip any any to allow Internet access, and then apply it incoming to each VLAN.

e.g.
deny ip any 192.168.1.0/24
permit ip any any

That's not complete but it should get you started.
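As an added, worked example (not part of the thread, and not something either poster wrote), here is what a fuller version of that approach could look like against the configuration posted above, in the extended-ACL syntax ProCurve documents for the 5300xl. It assumes the E.10 firmware accepts the CIDR notation the reply uses (ProCurve examples also use wildcard masks such as 0.0.0.255), and that the DHCP server behind the ip helper-address on rm212-213 is 172.20.1.1 in systemcore, as the posted config implies. The ACL names are made up.

```text
; Added example, not from the thread: per-VLAN inbound ACLs for the posted
; 5308xl config. ProCurve ACLs are first-match with an implicit "deny ip any any"
; at the end, so each list must finish with "permit ip any any" or Internet
; access disappears along with the inter-VLAN traffic.

; rm212-213 (VLAN 4, 172.20.2.0/24). The initial DHCP DISCOVER is a broadcast
; (0.0.0.0 -> 255.255.255.255) and falls through to the final permit, but a
; client renewing a lease sends unicast straight to the server, so that has to
; be allowed before 172.20.1.0/27 is denied.
ip access-list extended "rm212-213-in"
   permit udp 172.20.2.0/24 host 172.20.1.1 eq 67
   deny ip any 192.168.1.0/24
   deny ip any 172.20.1.0/27
   deny ip any 172.20.0.248/29
   permit ip any any
   exit

; systemcore (VLAN 2, 172.20.1.0/27). The DHCP server answers the relay, i.e.
; the switch's own rm212-213 address 172.20.2.254, which sits inside
; 172.20.2.0/24. That reply must be permitted ahead of the deny for that range,
; otherwise the helper stops working the moment the ACL is applied.
ip access-list extended "systemcore-in"
   permit udp host 172.20.1.1 eq 67 host 172.20.2.254
   deny ip any 192.168.1.0/24
   deny ip any 172.20.2.0/24
   deny ip any 172.20.0.248/29
   permit ip any any
   exit

; DEFAULT_VLAN (VLAN 1, 192.168.1.0/24), same pattern.
ip access-list extended "default-in"
   deny ip any 172.20.1.0/27
   deny ip any 172.20.2.0/24
   deny ip any 172.20.0.248/29
   permit ip any any
   exit

; dirtyserve (VLAN 3) holds the default gateway 172.20.0.254. Everything coming
; back from the Internet enters the switch on this VLAN with a destination in
; one of the other ranges, so "deny ip any 172.20.2.0/24" here would drop all
; return traffic. Leave this VLAN unfiltered (its hosts are the ones the other
; VLANs are allowed to reach anyway).

vlan 4
   ip access-group "rm212-213-in" in
   exit
vlan 2
   ip access-group "systemcore-in" in
   exit
vlan 1
   ip access-group "default-in" in
   exit
```

Check the result with show access-list and by renewing a lease from a host in rm212-213 after the lists are applied; a host that still boots but never renews is the symptom of the missing unicast-renewal permit. Note that this only filters at the routing boundary: hosts within one VLAN still see each other, and nothing here prevents a host from being patched into the wrong VLAN, which is a port-configuration matter rather than an ACL one.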