HPE Aruba Networking & ProVision-based

Accessing Servers via ACL(?)

larry22
Advisor

Okay, below is my config as it stands now and here is what I'm looking for: VLAN50 (10.5.0.0/23) is working great, no issues. VLAN60 (10.6.0.0/23) gets DHCP, DNS, etc. but CANNOT join the domain controller (10.5.0.3/wsd.local, which is plugged into port A1 if that matters). What I want is for VLAN60 clients to be able to join the domain like VLAN50 clients. Do I need an ACL? Could I just do a static route?


; Ver #05:08.41.ff.3f.ef:63
hostname "HP-5412zl"
module 1 type j8702a
module 2 type j9536a
module 3 type j8702a
timesync sntp
sntp unicast
sntp server priority 1 10.1.2.10
time daylight-time-rule continental-us-and-canada
time timezone -300
ip route 0.0.0.0 0.0.0.0 10.9.1.1
ip routing
snmp-server community "public" unrestricted
snmp-server contact "Larry Dougher" location "WS Main Closet"
vlan 1
name "DEFAULT_VLAN"
no untagged A1-A24,B1-B22,C1-C24
no ip address
exit
vlan 9
name "Inter-School"
untagged C24
ip address 10.9.1.2 255.255.255.0
exit
vlan 13
name "WS Student WLAN"
tagged B1-B12,B21-B22
ip address 10.13.0.1 255.255.254.0
ip helper-address 10.1.2.10
exit
vlan 17
name "WS Public WLAN"
tagged B1-B12,B21-B22
ip address 10.17.0.1 255.255.254.0
ip helper-address 10.1.2.10
exit
vlan 50
name "WS LAN"
untagged A1-A24,B13-B20,C1-C23
tagged B21-B22
ip address 10.5.0.11 255.255.254.0
ip helper-address 10.1.2.10
exit
vlan 60
name "WS Staff WLAN"
untagged B1-B12
tagged A1,B21-B22
ip address 10.6.0.1 255.255.254.0
ip helper-address 10.1.2.10
exit
primary-vlan 50


Thanks!
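To answer the "do I need an ACL or a static route" part from the config itself, the following added Python script (not from the thread or from HPE) parses the ProVision-style VLAN stanzas above and reports what the switch will do with a VLAN60-to-10.5.0.3 packet: whether "ip routing" plus IP interfaces on both VLANs already gives a connected route, which VLAN interface covers the destination, and which ports (A1 here) are members of more than one VLAN. The embedded config is a trimmed copy of the poster's; the function names and the ACL-free assumption (the config shows no "ip access-list" lines) are mine.

```python
"""Parse an HPE ProVision-style switch config and check inter-VLAN reachability.

Added example for this thread; not code from the poster or from HPE.
"""
import ipaddress
import re
from collections import defaultdict

# Trimmed copy of the running config posted above (sample input, not a live device).
SAMPLE_CONFIG = """\
; Ver #05:08.41.ff.3f.ef:63
hostname "HP-5412zl"
ip route 0.0.0.0 0.0.0.0 10.9.1.1
ip routing
vlan 1
name "DEFAULT_VLAN"
no untagged A1-A24,B1-B22,C1-C24
no ip address
exit
vlan 9
name "Inter-School"
untagged C24
ip address 10.9.1.2 255.255.255.0
exit
vlan 50
name "WS LAN"
untagged A1-A24,B13-B20,C1-C23
tagged B21-B22
ip address 10.5.0.11 255.255.254.0
ip helper-address 10.1.2.10
exit
vlan 60
name "WS Staff WLAN"
untagged B1-B12
tagged A1,B21-B22
ip address 10.6.0.1 255.255.254.0
ip helper-address 10.1.2.10
exit
"""

# ProVision port names: module letter + port number, ranges like A1-A24.
PORT_RE = re.compile(r"([A-Z]+)(\d+)(?:-([A-Z]+)(\d+))?")


def expand_ports(spec):
    """'A1-A3,B21' -> ['A1', 'A2', 'A3', 'B21']."""
    ports = []
    for item in spec.split(","):
        m = PORT_RE.fullmatch(item.strip())
        if not m:
            raise ValueError(f"unrecognised port spec: {item!r}")
        module, start, _, end = m.groups()
        last = int(end) if end else int(start)
        ports.extend(f"{module}{n}" for n in range(int(start), last + 1))
    return ports


def parse_config(text):
    """Return {'ip_routing': bool, 'static_routes': [...], 'vlans': {id: {...}}}."""
    cfg = {"ip_routing": False, "static_routes": [], "vlans": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blanks and version comment
            continue
        tokens = line.split()
        if tokens[0] == "vlan" and len(tokens) == 2 and tokens[1].isdigit():
            cur = {"name": None, "untagged": set(), "tagged": set(), "ip": None, "helpers": []}
            cfg["vlans"][int(tokens[1])] = cur
        elif line == "exit":
            cur = None
        elif cur is None:  # global context
            if line == "ip routing":
                cfg["ip_routing"] = True
            elif tokens[:2] == ["ip", "route"]:
                cfg["static_routes"].append((tokens[2], tokens[3], tokens[4]))
        elif tokens[0] == "no":  # 'no untagged ...' / 'no ip address' add no membership
            continue
        elif tokens[0] == "name":
            cur["name"] = line.split(" ", 1)[1].strip('"')
        elif tokens[0] in ("untagged", "tagged"):
            cur[tokens[0]].update(expand_ports(tokens[1]))
        elif tokens[:2] == ["ip", "address"]:
            cur["ip"] = ipaddress.ip_interface(f"{tokens[2]}/{tokens[3]}")
        elif tokens[:2] == ["ip", "helper-address"]:
            cur["helpers"].append(tokens[2])
    return cfg


def vlan_for_ip(cfg, ip):
    """VLAN id whose interface subnet contains ip, or None (then the default route applies)."""
    addr = ipaddress.ip_address(ip)
    for vid, v in cfg["vlans"].items():
        if v["ip"] is not None and addr in v["ip"].network:
            return vid
    return None


def switch_routes_between(cfg, vid_a, vid_b):
    """True when 'ip routing' is on and both VLANs have an IP interface: the two
    subnets are connected routes, so no static route is needed between them."""
    va, vb = cfg["vlans"].get(vid_a), cfg["vlans"].get(vid_b)
    return bool(cfg["ip_routing"] and va and vb and va["ip"] and vb["ip"])


def port_memberships(cfg):
    """Map each port to its sorted (vlan, mode) memberships; multi-VLAN ports carry tags."""
    members = defaultdict(list)
    for vid, v in cfg["vlans"].items():
        for mode in ("untagged", "tagged"):
            for port in v[mode]:
                members[port].append((vid, mode))
    return {p: sorted(m) for p, m in members.items()}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    dst_vlan = vlan_for_ip(cfg, "10.5.0.3")
    print("10.5.0.3 sits on VLAN", dst_vlan)
    print("switch routes VLAN60 <-> VLAN50:", switch_routes_between(cfg, 60, dst_vlan))
    print("A1 memberships:", port_memberships(cfg)["A1"])
```

With the poster's config the script reports that 10.5.0.3 is on VLAN50, that the switch already routes VLAN60 to VLAN50 as connected networks (a static route would add nothing), and that A1 is untagged in VLAN50 and tagged in VLAN60, so an untagged server NIC on A1 only ever sees the VLAN50 side; VLAN60 traffic reaches it routed, not tagged. Since no access list appears in the config, nothing on the switch is filtering, which agrees with the later replies that point at the host rather than the network.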

Vince-Whirlwind
Honored Contributor

Re: Accessing Servers via ACL(?)

Can they ping any IP address in the 10.5.0.0 subnet?

Is their DHCP-assigned default GW 10.6.0.1?


The switch does Layer2 & Layer3.

If your devices are getting a DHCP-assigned address from your 10.1.2.0 subnet (which I can't see on the switch, presumably it's in VLAN1, but where's the router for that subnet?) then you would seem to have both layer2 & layer3 working fine.


I'm not sure what "can't join the domain" exactly means, but it doesn't appear to be a description of any Layer2 or Layer3 problem.


Perhaps you haven't added the new subnet to AD "Sites & Services"? Or perhaps there is some other kind of AD security/functionality that needs to be made aware of the new subnet?

larry22
Advisor

Re: Accessing Servers via ACL(?)

I can ping the domain controller from VLAN60, the nslookup for the domain controller on VLAN60 works, I am getting 10.6.0.1 as my gateway for VLAN60. I simply can't join the domain. And yes, 10.6 is added as a subnet under Sites and Services.

Vince-Whirlwind
Honored Contributor

Re: Accessing Servers via ACL(?)

So, more a question for an AD forum, I suppose? Does joining a PC to the domain cause the server to do any checking about the IP address/MAC address? What MAC address is it expecting to see?

Have you tried it with the local Windows FW disabled? (By default, it drops pings between subnets).