prevent inter-vlan routing hp 1920

 
NetManMikeLogic
Occasional Contributor


 

Hi All,

I have created two networks and want to isolate them; however, it is routing between the networks.

Any advice?

Michael

 version 5.20.99, Release 1108

 sysname lon-sw-01

 dhcp relay server-group 1 ip 172.30.70.1
 dhcp relay server-group 2 ip 192.168.0.1

 domain default enable system

 ipv6

 telnet server enable

 password-recovery enable

vlan 1
 description default

vlan 10
 description guest wifi

domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable

traffic classifier class1 operator and

user-group system
 group-attribute allow-guest

local-user admin
 authorization-attribute level 3
 service-type lan-access
 service-type ssh telnet terminal
 service-type web

 stp mode rstp
 stp enable

interface NULL0

interface Vlan-interface1
 ip address 172.31.70.2 255.255.255.0
 dhcp select relay
 dhcp relay server-select 1

interface Vlan-interface10
 ipv6 address auto link-local
 ip address 192.168.0.2 255.255.255.0
 dhcp select relay
 dhcp relay server-select 2

interface GigabitEthernet1/0/1
 port auto-power-down
 poe enable
 stp edged-port enable

interface GigabitEthernet1/0/2
 port auto-power-down
 poe enable
 stp edged-port enable

interface GigabitEthernet1/0/3
 port auto-power-down
 poe enable
 stp edged-port enable

interface GigabitEthernet1/0/4

interface GigabitEthernet1/0/5
 port link-type hybrid
 port hybrid vlan 10 tagged
 port hybrid vlan 1 untagged
 port auto-power-down
 poe enable
 stp edged-port enable

interface GigabitEthernet1/0/6
 port access vlan 10
 port auto-power-down
 poe enable
 stp edged-port enable

interface GigabitEthernet1/0/7
 port link-type hybrid
 port hybrid vlan 10 tagged
 port hybrid vlan 1 untagged
 port auto-power-down
 poe enable
 stp edged-port enable

interface GigabitEthernet1/0/8
 port auto-power-down
 poe enable
 stp edged-port enable

interface GigabitEthernet1/0/9
 stp edged-port enable

interface GigabitEthernet1/0/10
 stp edged-port enable

 ip route-static 0.0.0.0 0.0.0.0 Vlan-interface1 172.31.70.1

 dhcp enable

 load xml-configuration

user-interface aux 0
 authentication-mode scheme
user-interface vty 0 15
 authentication-mode scheme

return

 

 

Michael Tint
2 REPLIES
Pete W
Valued Contributor

Re: prevent inter-vlan routing hp 1920

Michael,

As you are not using a VRF-capable switch, you cannot actually stop traffic from routing between these VLANs. What you can do, however, is write an ACL to drop traffic that would otherwise be routed in this way.

Out of interest - do guests in VLAN 10 route via VLAN 1 for their Internet access?

Regards,

Peter

HPE MASE
Aruba ACMP
Fortinet NSE 1-7
Cisco CCNP
NetManMikeLogic
Occasional Contributor
Solution

Re: prevent inter-vlan routing hp 1920

Hi Pete,

Yes, the ACL below does the job. The guest network goes out via port 6 - untagged to VLAN 10 and into a different FW i/f.

Received some help from HP Support and got it working.

 

Vlan1: 172.31.70.0/24
Vlan10: 192.168.10.0/24

Created a VLAN interface:

interface Vlan-interface10
 ip address 192.168.10.1 255.255.255.0

interface Vlan-interface1
 ip address 172.31.70.1 255.255.255.0

ACL:

acl number 3001 name ASH3
 rule 0 deny ip source 192.168.10.0 0.0.0.255 destination 172.31.70.0 0.0.0.255
 rule 5 permit ip source any destination any

Map the ACL as inbound on the interface where the AP is connected.

interface GigabitEthernet1/0/2
 port auto-power-down
 poe enable
 packet-filter 3001 inbound
 stp edged-port enable


Michael Tint