Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

Vlan Routing Issue

Mike Hyslop
Occasional Visitor

Vlan Routing Issue

Hi All.

I'm setting up a 5300xl switch for a shared environment, where each vlan must NOT be able to see any other vlan apart from the vlan with the router in it.

Config is as follows:

Running configuration:

; J4819A Configuration Editor; Created on release #E.10.37

hostname "HP ProCurve Switch 5308xl"
module 2 type J4820B
module 3 type J4820B
module 4 type J4820B
module 5 type J4820B
module 7 type J4820B
module 8 type J4820B
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged B1-B24,C1-C24,D1-D24,E5-E24,G1-G24,H1-H14
ip address 192.168.1.2 255.255.255.0
no untagged E1-E4,H15-H24
exit
vlan 2
name "systemcore"
untagged H15-H23
ip address 172.20.1.30 255.255.255.224
exit
vlan 3
name "dirtyserve"
untagged H24
ip address 172.20.0.253 255.255.255.248
exit
vlan 4
name "rm212-213"
untagged E1-E4
ip address 172.20.2.254 255.255.255.0
ip helper-address 172.20.1.1
exit
ip route 0.0.0.0 0.0.0.0 172.20.0.254
password manager

a sh ip route shows:

HP ProCurve Switch 5308xl# sh ip route

IP Route Entries

Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0 172.20.0.254 3 static 1 1
127.0.0.0/8 reject static 0 250
127.0.0.1/32 lo0 connected 0 0
172.20.0.248/29 dirtyserve 3 connected 0 0
172.20.1.0/27 systemcore 2 connected 0 0
172.20.2.0/24 rm212-213 4 connected 0 0

now ideally I would like it that each vlan can see the internet, but the vlans cannot see each other (obviously with the exception of IP helpers)

I'm sure I'm missing something really simple with the config I have.

I have tried removing the IP address from the vlan, but that also stops internet access.

all ideas appreciated.
1 REPLY
Matt Hobbs
Honored Contributor

Re: Vlan Routing Issue

You'll need to create some access control lists to do this. I would deny the other VLANs IP address ranges and permit ip any any to allow Internet access, and then apply it incoming to each VLAN.

e.g.
deny ip any 192.168.1.0/24
permit ip any any

That's not complete but it should get you started.