01-24-2011 04:11 AM - last edited on 06-16-2014 08:05 PM by Lisa198503
Is this VLAN setup correct?
I've been reading a lot of threads and sites about setting up VLANs and ACLs as we're looking to go towards this setup in the next few months.
I've set up a test lab scenario with a spare 2810-24 switch (in production it would be a 5406zl) that's aiming to emulate the following setup...
VLAN1 - default VLAN for switch management
VLAN100 - standard servers e.g. DHCP, DNS
VLAN200 - restricted servers
VLAN3 - standard workstations (access to all)
VLAN4 - restricted workstations (can't access VLAN200 or VLAN3)
VLAN5 - printers
VLAN6 - guest wireless, no access to any VLAN, only to get to Internet gateway
VLAN7 - internet gateway of firewall
* DHCP server is 192.168.100.250
* A10-A15 would be fiber connections to satellite cabinets
So with that in mind I've come up with this sample config...
ip access-list extended "PUBLIC_WIFI_ISOLATION"
   remark "BLOCKS GUEST WIRELESS TO ALL OTHER VLANS, ALLOWS INTERNET ACCESS ONLY"
   remark "ALLOW ACCESS TO DHCP SERVER 192.168.100.250"
   10 permit ip 192.168.6.0 0.0.0.255 192.168.100.250 0.0.0.0
   remark "ALLOW ACCESS TO FIREWALL GREEN INTERFACE"
   20 permit ip 192.168.6.0 0.0.0.255 192.168.7.10 0.0.0.0
   30 deny ip any any
   exit
ip access-list extended "RESTRICTED_SERVER_ACCESS"
   remark "BLOCKS RESTRICTED MACHINES ACCESS TO RESTRICTED SERVER VLAN AND STANDARD WORKSTATION VLAN, ALLOWS ALL OTHER TRAFFIC"
   10 deny ip 192.168.4.0 0.0.0.255 192.168.200.0 0.0.0.255
   20 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
   30 permit ip any any
   exit
CORE SWITCH CONFIGURATION
=========================
hostname "CORE"
dhcp-relay
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.7.10
vlan 1
   name "DEFAULT_VLAN"
   ; A10-A15 are the fiber trunks to the satellite cabinets; VLAN 1 rides them tagged for management
   no untagged A10-A20
   tagged A10-A15
   ip address 192.168.1.254 255.255.255.0
   exit
vlan 100
   name "SVR_STANDARD"
   ; A10 is a trunk port, so the untagged server range stops at A9
   untagged A1-A9
   ip address 192.168.100.254 255.255.255.0
   exit
vlan 200
   name "SVR_RESTRICT"
   ; A11-A15 are trunk ports and cannot also be untagged members of this VLAN
   untagged A16-A19
   tagged A10-A15
   ip address 192.168.200.254 255.255.255.0
   exit
vlan 3
   name "STANDARD_WKS"
   tagged A10-A15
   ip helper-address 192.168.100.250
   ip address 192.168.3.254 255.255.255.0
   exit
vlan 4
   name "RESTRICT_WKS"
   tagged A10-A15
   ip helper-address 192.168.100.250
   ip address 192.168.4.254 255.255.255.0
   ip access-group "RESTRICTED_SERVER_ACCESS" in
   exit
vlan 5
   name "PRINT"
   ; fiber trunk ports to edge switches
   tagged A10-A15
   ip helper-address 192.168.100.250
   ip address 192.168.5.254 255.255.255.0
   exit
vlan 6
   name "WLAN_GUEST"
   tagged A10-A15
   ; relay guest DHCP requests to the server the ACL permits
   ip helper-address 192.168.100.250
   ip address 192.168.6.254 255.255.255.0
   ip access-group "PUBLIC_WIFI_ISOLATION" in
   exit
vlan 7
   name "FIREWALL_GREEN"
   untagged A20
   tagged A10-A15
   ip address 192.168.7.254 255.255.255.0
   exit
EDGE SWITCH CONFIGURATION
=========================
hostname "CAB_A_SW01"
vlan 1
   name "DEFAULT_VLAN"
   ip address 192.168.1.2 255.255.255.0
   no untagged 1-22
   tagged 24
   exit
vlan 3
   name "STANDARD_WKS"
   untagged 1-10
   tagged 24
   exit
vlan 4
   name "RESTRICT_WKS"
   untagged 11-20
   tagged 24
   exit
vlan 5
   name "PRINT"
   untagged 21
   tagged 24
   exit
vlan 6
   ; guest wireless is VLAN 6 on the core (VLAN 7 there is the firewall VLAN)
   name "WLAN_GUEST"
   untagged 22
   tagged 24
   exit
The main thing I've been trying to make sure is correct is that I've understood the ACL setup correctly in terms of "in" and where the restriction is defined. It seems to be working on the test switch so hopefully all is correct...
P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. -HP Forum Moderator
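The isolation rules in the post can be checked offline before they go onto the 5406zl. The script below is an added example and is not part of the original post: it parses the two ACLs in ProVision extended syntax with unique sequence numbers, evaluates sample flows with wildcard-mask matching and first-match semantics (plus the implicit deny at the end of every ACL), and reports which of the poster's requirements hold. The sample host addresses, the `HOSTS` table and the `parse_acls`, `evaluate` and `check_requirements` names are constructed for this example.

```python
"""Offline check of the post's ACLs against the stated isolation requirements.

Added example, not from the original post. Matching mirrors how an extended
ACL is evaluated: wildcard masks, first matching entry wins, implicit deny.
"""
import ipaddress
from dataclasses import dataclass

# Constructed copy of the post's ACLs (extended syntax, unique sequence numbers).
ACL_TEXT = """
ip access-list extended "PUBLIC_WIFI_ISOLATION"
   remark "ALLOW ACCESS TO DHCP SERVER 192.168.100.250"
   10 permit ip 192.168.6.0 0.0.0.255 192.168.100.250 0.0.0.0
   20 permit ip 192.168.6.0 0.0.0.255 192.168.7.10 0.0.0.0
   30 deny ip any any
ip access-list extended "RESTRICTED_SERVER_ACCESS"
   10 deny ip 192.168.4.0 0.0.0.255 192.168.200.0 0.0.0.255
   20 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
   30 permit ip any any
"""

# Constructed sample hosts, one per VLAN in the post's addressing plan.
HOSTS = {
    "guest": "192.168.6.37",            # VLAN 6
    "restricted_wks": "192.168.4.12",   # VLAN 4
    "std_wks": "192.168.3.21",          # VLAN 3
    "printer": "192.168.5.3",           # VLAN 5
    "dhcp": "192.168.100.250",          # VLAN 100
    "restricted_svr": "192.168.200.5",  # VLAN 200
    "firewall": "192.168.7.10",         # VLAN 7
}


@dataclass
class Entry:
    seq: int
    action: str   # "permit" or "deny"
    src: object   # "any" or (base_int, wildcard_int)
    dst: object


def _parse_addr(tokens, i):
    """Read one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def parse_acls(text):
    """Return {acl_name: [Entry, ...]}, entries ordered by sequence number."""
    acls, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or "remark" in tokens[:2]:   # remarks carry no policy
            continue
        if tokens[:2] == ["ip", "access-list"]:
            current = tokens[3].strip('"')
            acls[current] = []
            continue
        if current is None:
            raise ValueError(f"entry outside of an ACL: {line!r}")
        seq, action = int(tokens[0]), tokens[1]
        if action not in ("permit", "deny") or tokens[2] != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, i = _parse_addr(tokens, 3)
        dst, _ = _parse_addr(tokens, i)
        acls[current].append(Entry(seq, action, src, dst))
    for entries in acls.values():
        entries.sort(key=lambda e: e.seq)
    return acls


def _matches(spec, ip):
    """Wildcard-mask match: 0 bits in the mask must match, 1 bits are ignored."""
    if spec == "any":
        return True
    base, wild = spec
    return (base | wild) == (int(ipaddress.IPv4Address(ip)) | wild)


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny (seq None)."""
    for e in entries:
        if _matches(e.src, src_ip) and _matches(e.dst, dst_ip):
            return e.action, e.seq
    return "deny", None


def check_requirements(acls):
    """Evaluate the flows the post says must be allowed or blocked."""
    guest, restricted = acls["PUBLIC_WIFI_ISOLATION"], acls["RESTRICTED_SERVER_ACCESS"]
    flows = {
        "guest->dhcp": (guest, "guest", "dhcp"),
        "guest->firewall": (guest, "guest", "firewall"),
        "guest->std_wks": (guest, "guest", "std_wks"),
        "guest->printer": (guest, "guest", "printer"),
        "restricted_wks->restricted_svr": (restricted, "restricted_wks", "restricted_svr"),
        "restricted_wks->std_wks": (restricted, "restricted_wks", "std_wks"),
        "restricted_wks->dhcp": (restricted, "restricted_wks", "dhcp"),
        "restricted_wks->printer": (restricted, "restricted_wks", "printer"),
    }
    results = {n: evaluate(a, HOSTS[s], HOSTS[d])[0] for n, (a, s, d) in flows.items()}
    # A DHCP DISCOVER has source 0.0.0.0, so neither guest permit entry matches it.
    results["guest dhcp discover"] = evaluate(guest, "0.0.0.0", "255.255.255.255")[0]
    return results


if __name__ == "__main__":
    for name, verdict in check_requirements(parse_acls(ACL_TEXT)).items():
        print(f"{name:32} {verdict}")
```

The last row is the one worth a second look: a DHCP DISCOVER from a guest client has source 0.0.0.0 and matches no permit entry in PUBLIC_WIFI_ISOLATION. Whether an inbound VLAN ACL on ProVision is applied to that switch-destined broadcast (which the relay on the switch then forwards to 192.168.100.250) depends on the firmware, so confirm on the test switch that guest clients actually obtain a lease rather than inferring it from the ACL. The script also does not model where the ACL takes effect: an ACL applied "in" on VLAN 6 filters traffic arriving from the guest clients, which is why its source addresses are the guest range and its destinations are the two servers the guests may reach.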
03-09-2011 09:10 AM