Solved

Help with VLAN

Posted on 2013-06-01
18
259 Views
Last Modified: 2013-12-02
Hi.  New HP 5412zl switch.  Wanted just two port-based VLANs (data/voice).  We're experiencing that broadcasting is still being passed "across" the VLANs.  Can someone look at this config and tell me what we're doing wrong?

Running configuration:

; J8698A Configuration Editor; Created on release #K.15.06.0017
; Ver #02:10.0d:1f

hostname "HP-E5412zl"
module 1 type J9550A
module 2 type J9550A
module 3 type J9550A
module 4 type J9550A
module 5 type J9550A
module 6 type J9550A
module 11 type J9546A
ip default-gateway 192.168.10.1
ip routing
vlan 1
   name "DEFAULT_VLAN"
   untagged K1-K8
   no untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24
   no ip address
   exit
vlan 110
   name "VLAN110_VoIP"
   untagged A1,A5,C22-C24
   ip address 192.168.110.254 255.255.255.0
   exit
vlan 10
   name "VLAN10_PROD"
   untagged A2-A4,A6-A24,B1-B24,C1-C21,D1-D24,E1-E24,F1-F24
   ip address 192.168.10.254 255.255.255.0
   exit
ip route 0.0.0.0 0.0.0.0 192.168.10.2
ip route 10.0.0.0 255.0.0.0 192.168.10.1
ip route 192.168.0.0 255.255.0.0 192.168.10.1
snmp-server community "public" unrestricted
0
Comment
Question by:FBRemote
18 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 39213731
What have you done to determine that broadcast is crossing the vlans ?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 39213735
There's nothing inherently wrong with your config. Isolation should be maintained. The default VLAN is essentially bound to nothing; the VLANs are all using untagged (non-802.1Q) traffic and using separate ports.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 39213738
I note your switch is layer 3 capable, AND you have IP addresses bound to the VLANs, meaning IP routing between the VLANs will be allowed... is that maybe the traffic you're seeing crossing? If so, you could consider NOT having the switch do the L3 by removing the IP address statements, and adding an extra layer-3 firewall to do inter-VLAN routing.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39213746
Can you define what you mean by being "broadcast across VLANs?"

You have multiple VLANs on some ports, which, if that is what you want, is O.K.  However, any device on those ports will see traffic from both (all) VLANs defined to that port.

Example: Ports C22-24 have both VLAN 1 and VLAN 110, so any device on those ports will see both VLAN 1 and VLAN 110.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 39213762
@giltjr: "Example: Ports C22-24 have both VLAN1 and VLAN110, so any device on those port will see both VLAN1 and VLAN 110."

How so? VLAN 1 specifically says 'no untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24', which includes the C22-24 range.
0
 

Author Comment

by:FBRemote
ID: 39213763
Here's a diagram.  The Merakis, for instance, are PoE switches used for the VoIP clients.  They have 192.168.10.x addresses.  They are able to access the internet, but they shouldn't be able to as configured.  They are in ports designated as VOIP ports.
Drawing1.jpg
0
 

Accepted Solution

by:
FBRemote earned 0 total points
ID: 39213765
Also, we wound up putting 2 DHCP servers in (we wanted to just use one and use IP helper).  Clients on the PROD VLAN are getting assigned DHCP addresses from the .110 DHCP server.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 39213767
They will be able to, as your switch is routing layer 3: both VLANs have IP addresses and your switch will route traffic between them (and the internet).
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 39213769
Assuming you have a VoIP endpoint (server) in the same VLAN as the phones? Then you could drop the IP address from the VoIP VLAN and they wouldn't have internet access, as there would be no L3 routing between that VLAN and the internet connection.

If you don't have your VoIP endpoint on the same VLAN, then you need some filtering between the VoIP VLAN and the rest of your network.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 39213770
The key thing to remember, as your network is now, is that your 5412 'switch' is acting as an inter-VLAN router.
0
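The two claims argued over above (that the 5412 routes between VLAN 10 and VLAN 110 because `ip routing` is on and both VLANs carry an IP address, and whether any port sits in more than one VLAN) can both be checked mechanically against the posted config. The following Python audit script is an added example written for this page; it is not code from the thread, from HP, or from any HP tool. It parses only the explicit `vlan` / `untagged` / `no untagged` / `ip address` lines (on ProCurve, ports not assigned elsewhere stay in VLAN 1 implicitly; that default is an assumption the parser does not model). The function names and the trimmed `CONFIG` string are constructed for the example.

```python
import re

# Constructed input: the VLAN-relevant lines copied from the running config
# posted in the question (module and SNMP lines omitted).
CONFIG = """
ip default-gateway 192.168.10.1
ip routing
vlan 1
   name "DEFAULT_VLAN"
   untagged K1-K8
   no untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24
   no ip address
   exit
vlan 110
   name "VLAN110_VoIP"
   untagged A1,A5,C22-C24
   ip address 192.168.110.254 255.255.255.0
   exit
vlan 10
   name "VLAN10_PROD"
   untagged A2-A4,A6-A24,B1-B24,C1-C21,D1-D24,E1-E24,F1-F24
   ip address 192.168.10.254 255.255.255.0
   exit
"""

PORT_RE = re.compile(r"^([A-Z]+)(\d+)$")


def expand_ports(spec):
    """Expand a ProCurve port list such as 'A1,A5,C22-C24' into single ports."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (PORT_RE.match(p) for p in item.split("-", 1))
            if not lo or not hi or lo.group(1) != hi.group(1):
                raise ValueError(f"unsupported port range: {item}")
            slot = lo.group(1)
            ports.extend(f"{slot}{n}" for n in range(int(lo.group(2)), int(hi.group(2)) + 1))
        else:
            ports.append(item)
    return ports


def parse_config(text):
    """Return (ip_routing_enabled, {vlan_id: details}) from the explicit lines only.

    Assumption for this example: 'no untagged' just removes ports from the set
    recorded so far; the implicit VLAN 1 default membership is not modelled.
    """
    routing = False
    vlans = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line == "ip routing":
            routing = True
        elif line.startswith("vlan "):
            vid = int(line.split()[1])
            current = vlans.setdefault(vid, {"name": None, "ip": None, "untagged": set(), "tagged": set()})
        elif line == "exit":
            current = None
        elif current is None:
            continue
        elif line.startswith("name "):
            current["name"] = line.split(" ", 1)[1].strip('"')
        elif line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            current["ip"] = (addr, mask)
        elif line.startswith("no untagged "):
            current["untagged"].difference_update(expand_ports(line.split(" ", 2)[2]))
        elif line.startswith("no "):
            continue  # e.g. 'no ip address': nothing recorded to remove
        elif line.startswith("untagged ") or line.startswith("tagged "):
            kind, spec = line.split(" ", 1)
            current[kind].update(expand_ports(spec))
    return routing, vlans


def routed_vlans(routing, vlans):
    """VLANs the switch itself forwards between: 'ip routing' plus an IP on each.
    Port-level separation does not stop this; the switch owns a leg in both."""
    if not routing:
        return []
    return sorted(vid for vid, v in vlans.items() if v["ip"])


def port_overlaps(vlans):
    """Ports recorded as members of more than one VLAN."""
    membership = {}
    for vid, v in vlans.items():
        for port in v["untagged"] | v["tagged"]:
            membership.setdefault(port, set()).add(vid)
    return {p: sorted(v) for p, v in membership.items() if len(v) > 1}


def report(text):
    """Human-readable findings for a config string."""
    routing, vlans = parse_config(text)
    findings = []
    routed = routed_vlans(routing, vlans)
    if len(routed) > 1:
        legs = ", ".join(f"{vid} ({vlans[vid]['name']}, {vlans[vid]['ip'][0]})" for vid in routed)
        findings.append(f"inter-VLAN routing on the switch: {legs}")
    for port, vids in sorted(port_overlaps(vlans).items()):
        findings.append(f"port {port} is in VLANs {vids}")
    return findings or ["no findings"]


if __name__ == "__main__":
    for finding in report(CONFIG):
        print(finding)
```

Run against the posted config, the script reports one finding: the switch routes between VLAN 10 and VLAN 110, which matches woolnoir's explanation of why VoIP-port devices reach the internet. It reports no port overlaps, because the `no untagged` line on VLAN 1 removes C22-C24 before VLAN 110 claims them. Replacing VLAN 110's `ip address` line with `no ip address`, as suggested above, leaves VLAN 10 as the only routed VLAN.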
 

Author Comment

by:FBRemote
ID: 39213773
How is a device that is on the PROD (110) vlan with a .10 address and a 10.1 d/g able to ping past .10 without a proper d/g?  It would need a .110 ip and a 110.x d/g?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 39213777
I'm not sure I understand your point? You're confusing me on your VLANs: you say above VoIP devices have .10, but .10 is your PROD VLAN?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 39213780
And this has changed from broadcast to devices being able to access the internet. Can you reply with as much detail as possible about WHAT your problem is that you want resolved?
0
 

Author Comment

by:FBRemote
ID: 39213791
If a device has a .10 address on the VOIP network (which it should not), it should not be able to ping .10 devices on the PROD network.  The IP presented to VOIP is .110.254.  So if I am configured as .10.6 with a d/g of 10.1 and on the VOIP VLAN, I shouldn't be able to ping anything, let alone devices on the PROD network.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 39213794
But if a device gets a .10, then it's in the PROD VLAN, no? How else does it get the IP? So you either have a VLAN misconfiguration or a DHCP misconfiguration.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 39213796
Is the device (the one supposed to get a VoIP address) connected to the 5412 or to one of the other switches?

If it's one of the other switches, how are they connected to your 5412? Access ports (untagged) or trunk (tagged)?

What's the config on the other switches?
0
 
LVL 17

Expert Comment

by:jburgaard
ID: 39216419
I would try doing some tracert / traceroute to find out the way packets are being routed.
E.g. from the client 'configured as .10.6 with a d/g of 10.1 and on the VOIP VLAN', do a TRACERT <ip of google>.
Could you provide details of the routing going on at 192.168.10.1?
By all means including netmasks!
Could you provide details of the routing going on at 192.168.10.2?
0
 

Author Closing Comment

by:FBRemote
ID: 39689451
Need to close out issue. Resolved via other means.
0