SOLVED
Are vlans communicating with earth other?
What about the routing on internet router towards HPE 1950 switch?
What is the HPE 1950 switch product number?
Thanks!
It's fine if inter Vlan are working.
Can you share the config or screenshots of the interfaces connecting to internet and Vlan 1 config screenshots?
Also internet router is accessible to you if yes then can you check routing into that?
Thanks!
Sure i can, thanks for your help!.
Port 1 connected to the Draytek router
VLANS
I have full access to the router, nothing configured on it as its a basic wan & lan router, we want to use the 1950 as the routing switch. Once this switch is working with the Vlans we have anotehr 10 1950 48 port switches which will hang off this switch.
Hi @rogerp_1 !
Couple of questions:
- Could you clarify if VLAN 10 hosts can ping Router GW LAN 192.168.1.253 ?
- What is the IPv4 default gateway assigned to VLAN 10 hosts?
- Did you enable NAT for Vlan 10 192.168.10.0/24 & Vlan 20 192.168.20.0/24 subnets in your Drytek router?
- Did you set static route for Vlan 10 192.168.10.0/24 & Vlan 20 192.168.20.0/24 subnets in Drytek router to be reachable over HP 1950 Switch Vlan 1 192.168.1.247 ?
Hello @rogerp_1 ,
Vlan 1 is able to reach router because its directly connected to uplink but for other vlans routing is required.
I can see default route on HPE 1950 pointing to router but it should get reverse path in order to successful communication.
NAT is required if router is reaching to ISP in order to do private to public ip conversion for communication over itnernet.
Can you try to configure default route in router pointing to HPE 1950 vlan 1 gateway?
Thanks!
I dont under stand why VLans can communicate with each other, how do we disable this ? i'm trying to create seperate vlans for security so no point leaving this feature on?
Very simple - because it's the primary job of every router - to route between networks. VLAN is a broadcast domain, so in other words it separates hosts on Layer 2. If you need separation on Layer 3, you need firewall. The sort of firewall is packet-filtering ACL applied on Vlan-interface/-s where you need to define what traffic is allowed (permit statements) and what is not allowed (deny statements).
Every device that forwards traffic between IP networks is a router, so since you ask about routing functions of 1950 I explain you IP basics using appropriate term and call 1950 a 'router'. Sorry for the confusion. Since 1950 routes between VLANs, it is obvioulsy a router from this perspective. Layer 3 switch is more a marketing term, it describes a device that has many ports, understands VLANs, can route between IPv4 networks, may support some dynamic routing protocol etc. In modern networks the boundary between an L3 switch and a router is somewhat fuzzy. But let's put philosophical disputes aside (-:
The thing is you can't really enable inter-VLAN routing for a part of your VLANs, but keep it for the rest. Actually there is such possibility, but for that you need to delete Vlan-interface, the SVI of respective VLAN that needs to be 'isolated'. But then hosts inside that VLAN won't be able to communicate to the outside world, as they will loose the default gateway. Of course you can say "what if I just pass the traffic of such VLAN over a tagged port to my Drytek router and it will play the role of default gateway?" Sure, but in that case again you will need some kind of a firewall, this time in the Drytek router to tell it what and where can go and what is not allowed.
So, to be honest the only choice to achieve what you want is the following scheme:
1. 1950 has inter-vlan routing enabled and it cannot be disabled. Keep in mind that routing happens only between VLANs which have Vlan-interface (SVI) with IP subnet assigned.
2. Configure VLANs needed (done)
3. Configure respective Vlan-interfaces (done)
4. On the 1950 set the default static route (0.0.0.0/0) with the next-hop IP address of the Drytek in the same subnet (done)
5. Set the reverse route/-s for 1950's subnets in the Drytek router. Next-hop is 1950's address in the same VLAN (done)
6. Enable NAT for the 1950's subnets (not sure if Drytek needs it, some routers, especially small-business or home ones just NAT everything by default)
7. Allow hosts in 1950's VLANs communication with Internet, but at the same time deny them from talking to their 'neighbors' in other local VLANs. (to be done)
Point #7 is the most interesting part. If you want to block local VLANs from talking to other VLANs, then one general ACL will be enough:
rule 10 deny ip souce 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
rule 20 permit ip
This ACL denies all traffic from the hosts in the 192.168.0.0 - 192.168.255.255 range destined to 192.168.0.0 - 192.168.255.255 range (effectively ALL traffic between hots in your VLANs) and allows everything else, like access to the Internet. You need to apply this ACL in the INBOUND direction on all Vlan-interfaces of the 1950.
If you need more granular permissions, just put something else instead this 'rule 10', but keep in mind one simple, but very important rule - more specific rules should be on the top of the ACL, more general ones should reside at its bottom. And another rule - there is an 'implicit deny' at the end of each ACL, so be sure to have at least one 'permit' statement in your ACL.
I know it may look strange to you, but in fact that's how all routers (and L3 switches) work - routing is routing, and traffic filtering is traffic filtering. Two different features, even really unrelated. That's why routing tables in general have all known networks inside (or routes how to reach them), but Vlan-interfaces than engage firewalling feature (like ACLs) to set proper permissions for traffic forwarding.