Solved

Help with VLAN

Posted on 2013-06-01
Last Modified: 2013-12-02
Hi.  New HP 5412zl switch.  Wanted just two port-based VLANs (data/voice).  We're experiencing that broadcasting is still being passed "across" the VLANs.  Can someone look at this config and tell me what we're doing wrong?

Running configuration:

; J8698A Configuration Editor; Created on release #K.15.06.0017
; Ver #02:10.0d:1f

hostname "HP-E5412zl"
module 1 type J9550A
module 2 type J9550A
module 3 type J9550A
module 4 type J9550A
module 5 type J9550A
module 6 type J9550A
module 11 type J9546A
ip default-gateway 192.168.10.1
ip routing
vlan 1
   name "DEFAULT_VLAN"
   untagged K1-K8
   no untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24
   no ip address
   exit
vlan 110
   name "VLAN110_VoIP"
   untagged A1,A5,C22-C24
   ip address 192.168.110.254 255.255.255.0
   exit
vlan 10
   name "VLAN10_PROD"
   untagged A2-A4,A6-A24,B1-B24,C1-C21,D1-D24,E1-E24,F1-F24
   ip address 192.168.10.254 255.255.255.0
   exit
ip route 0.0.0.0 0.0.0.0 192.168.10.2
ip route 10.0.0.0 255.0.0.0 192.168.10.1
ip route 192.168.0.0 255.255.0.0 192.168.10.1
snmp-server community "public" unrestricted
Question by:FBRemote
18 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 39213731
What have you done to determine that broadcast is crossing the vlans ?
LVL 20

Expert Comment

by:woolnoir
ID: 39213735
There's nothing inherently wrong with your config. Isolation should be maintained. Default VLAN is essentially bound to nothing, VLANs are all using untagged (non-802.1Q traffic) and using separate ports.
LVL 20

Expert Comment

by:woolnoir
ID: 39213738
I note your switch is layer 3 capable, AND you have IP addresses bound to the VLANs, meaning IP routing between the VLANs will be allowed... is that the traffic you're seeing crossing, maybe? If so, you could consider NOT having the switch doing the L3 by removing the IP address statements, and adding an extra layer 3 firewall to do inter-VLAN routing.
LVL 57

Expert Comment

by:giltjr
ID: 39213746
Can you define what you mean by being "broadcast across VLANs?"

You have multiple VLANs on some ports, which if that is what you want is O.K.  However any device on those ports will see traffic from both (all) VLANs defined to that port.

Example: Ports C22-24 have both VLAN 1 and VLAN 110, so any device on those ports will see both VLAN 1 and VLAN 110.
LVL 20

Expert Comment

by:woolnoir
ID: 39213762
@giltjr Example: Ports C22-24 have both VLAN 1 and VLAN 110, so any device on those ports will see both VLAN 1 and VLAN 110.

How so? VLAN 1 specifically says 'no untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24', which includes the C22-24 range.

Author Comment

by:FBRemote
ID: 39213763
Here's a diagram.  The Merakis, for instance, are PoE switches used for the VoIP clients.  They have 192.168.10.x addresses.  They are able to access the internet, but they shouldn't be able to as configured.  They are in ports designated as VOIP ports.
Drawing1.jpg

Accepted Solution

by:
FBRemote earned 0 total points
ID: 39213765
Also, we wound up putting 2 DHCP servers in (we wanted to just use one and use IP helper).  Clients on the PROD VLAN are getting assigned DHCP addresses from the .110 DHCP server.
LVL 20

Expert Comment

by:woolnoir
ID: 39213767
They will be able to, as your switch is routing layer 3... both VLANs have IP addresses and your switch will route traffic between them (and the internet).
LVL 20

Expert Comment

by:woolnoir
ID: 39213769
Assuming you have a VoIP endpoint (server) in the same VLAN as the phones? Then you could drop the IP address from the VoIP VLAN and they wouldn't have internet access, as there would be no L3 routing between that VLAN and the internet connection.

If you don't have your VoIP endpoint on the same VLAN, then you need some filtering between the VoIP VLAN and the rest of your network.
LVL 20

Expert Comment

by:woolnoir
ID: 39213770
The key thing to remember: as your network is, your 5412 'switch' is acting as an inter-VLAN router.
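To make the two points raised above concrete (giltjr's question of whether any port sits in more than one VLAN, and woolnoir's point that `ip routing` plus an address on each VLAN turns the 5412 into an inter-VLAN router), here is an added Python check that is not from the thread or from HP: it parses the VLAN lines of the posted running config, flags any port untagged in more than one VLAN, and lists the VLANs the switch itself will route between. The sample config is copied from the question; the function names are my own.

```python
import re
# Constructed sample input: the VLAN-related lines of the running config posted above.
CONFIG = """\
ip routing
vlan 1
   untagged K1-K8
   no untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24
   no ip address
   exit
vlan 110
   untagged A1,A5,C22-C24
   ip address 192.168.110.254 255.255.255.0
   exit
vlan 10
   untagged A2-A4,A6-A24,B1-B24,C1-C21,D1-D24,E1-E24,F1-F24
   ip address 192.168.10.254 255.255.255.0
   exit
"""
def expand_ports(spec):  # 'A1,A5,C22-C24' -> {'A1', 'A5', 'C22', 'C23', 'C24'}
    ports = set()
    for item in spec.split(","):
        m = re.fullmatch(r"([A-Z]+)(\d+)(?:-[A-Z]+(\d+))?", item.strip())
        lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
        ports.update(f"{m.group(1)}{n}" for n in range(lo, hi + 1))
    return ports

def parse_vlans(text):  # -> ({vlan_id: {"untagged": set, "ip": addr or None}}, ip_routing_on)
    vlans, cur, routing = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "ip routing":
            routing = True  # the switch will forward between every VLAN that has an address
        elif m := re.fullmatch(r"vlan (\d+)", line):
            cur = vlans.setdefault(int(m.group(1)), {"untagged": set(), "ip": None})
        elif cur is not None and (m := re.fullmatch(r"(no )?untagged (.+)", line)):
            op = cur["untagged"].difference_update if m.group(1) else cur["untagged"].update
            op(expand_ports(m.group(2)))
        elif cur is not None and (m := re.fullmatch(r"ip address (\S+) \S+", line)):
            cur["ip"] = m.group(1)  # an SVI on this VLAN
    return vlans, routing

def ports_in_several_vlans(vlans):  # same port untagged in more than one VLAN: frames would cross
    seen = {}
    for vid, d in vlans.items():
        for p in d["untagged"]:
            seen.setdefault(p, set()).add(vid)
    return {p: v for p, v in seen.items() if len(v) > 1}

def routed_vlans(vlans, routing):  # VLANs the switch itself routes between
    return sorted(v for v, d in vlans.items() if d["ip"]) if routing else []
```

On the posted config this reports no port in two VLANs, and that VLAN 10 and VLAN 110 are routed between by the switch, which is the path a .10 host plugged into a VoIP port still has to the PROD network.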

Author Comment

by:FBRemote
ID: 39213773
How is a device that is on the PROD (110) vlan with a .10 address and a 10.1 d/g able to ping past .10 without a proper d/g?  It would need a .110 ip and a 110.x d/g?
LVL 20

Expert Comment

by:woolnoir
ID: 39213777
I'm not sure I understand your point? You're confusing me on your VLANs; you say above VoIP devices have .10, but .10 is your PROD VLAN?
LVL 20

Expert Comment

by:woolnoir
ID: 39213780
And this has changed from broadcast to devices being able to access the internet. Can you reply with as much detail as possible on WHAT your problem is that you want resolved?

Author Comment

by:FBRemote
ID: 39213791
If a device has a .10 address on the VOIP network (which it should not), it should not be able to ping .10 devices on the PROD network.  The IP presented to VOIP is .110.254.  So if I am configured as .10.6 with a d/g of 10.1 and on the VOIP VLAN, I shouldn't be able to ping anything, let alone devices on the PROD network.
LVL 20

Expert Comment

by:woolnoir
ID: 39213794
But if a device gets a .10, then it's in the PROD VLAN, no? How else does it get the IP? So you either have a VLAN misconfiguration or a DHCP misconfiguration.
LVL 20

Expert Comment

by:woolnoir
ID: 39213796
Is the device (the one supposed to get a VoIP address) connected to the 5412 or to one of the other switches?

If it's one of the other switches, how are they connected to your 5412? Access ports (untagged) or trunk (tagged)?

What's the config on the other switches?
LVL 17

Expert Comment

by:jburgaard
ID: 39216419
I would try doing some tracert / traceroute to find out the way packets are being routed.
E.g. from the client 'configured as .10.6 with a d/g of 10.1 and on the VOIP VLAN' do a TRACERT <ip of google>.
Could you provide details of routing going on at 192.168.10.1?
-by all means including netmasks!
Could you provide details of routing going on at 192.168.10.2?

Author Closing Comment

by:FBRemote
ID: 39689451
Need to close out issue. Resolved via other means.