FBRemote

asked on

Help with VLAN

Hi.  New HP 5412zl switch.  Wanted just two port-based VLANs (data/voice).  We're experiencing that broadcasting is still being passed "across" the VLANs.  Can someone look at this config and tell me what we're doing wrong?

Running configuration:

; J8698A Configuration Editor; Created on release #K.15.06.0017
; Ver #02:10.0d:1f

hostname "HP-E5412zl"
module 1 type J9550A
module 2 type J9550A
module 3 type J9550A
module 4 type J9550A
module 5 type J9550A
module 6 type J9550A
module 11 type J9546A
ip default-gateway 192.168.10.1
ip routing
vlan 1
   name "DEFAULT_VLAN"
   untagged K1-K8
   no untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24
   no ip address
   exit
vlan 110
   name "VLAN110_VoIP"
   untagged A1,A5,C22-C24
   ip address 192.168.110.254 255.255.255.0
   exit
vlan 10
   name "VLAN10_PROD"
   untagged A2-A4,A6-A24,B1-B24,C1-C21,D1-D24,E1-E24,F1-F24
   ip address 192.168.10.254 255.255.255.0
   exit
ip route 0.0.0.0 0.0.0.0 192.168.10.2
ip route 10.0.0.0 255.0.0.0 192.168.10.1
ip route 192.168.0.0 255.255.0.0 192.168.10.1
snmp-server community "public" unrestricted
Adrian Cantrill

What have you done to determine that broadcast is crossing the vlans ?
There's nothing inherently wrong with your config. Isolation should be maintained. Default VLAN is essentially bound to nothing, vlans are all using untagged (non 802.1Q traffic) and using separate ports.
I note your switch is layer 3 capable, AND you have IP addresses bound to the VLANS meaning IP routing between the VLANS will be allowed... is that what traffic you're seeing crossing maybe ? if so, you could consider NOT having the switch doing the L3 by removing the IP address statements, and adding an extra layer3 firewall to do inter vlan routing.
Can you define what you mean by being "broadcast across VLANs?"

You have multiple VLANs on some ports, which if that is what you want is O.K.  However any device on those ports will see traffic from both (all) VLANs defined to that port.

Example: Ports C22-24 have both VLAN1 and VLAN110, so any device on those ports will see both VLAN1 and VLAN 110.
@glitjr Example: Ports C22-24 have both VLAN1 and VLAN110, so any device on those port will see both VLAN1 and VLAN 110.

How so ? vlan 1 specifically says 'no untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24'  which includes the C22-24 range
FBRemote

ASKER

Here's a diagram.  The Merakis, for instance, are PoE switches used for the VoIP clients.  They have 192.168.10.x addresses.  They are able to access the internet, but they shouldn't be able to as configured.  They are in ports designated as VOIP ports.
[Attachment: Drawing1.jpg]
They will be able to, as your switch is routing layer 3... both vlans have IP addresses and your switch will route traffic between them (and the internet).
Assuming you have a VOIP endpoint (server) in the same VLAN as the phones? Then you could drop the IP address from the VOIP vlan and they wouldn't have internet access then, as there would be no L3 routing between that vlan and the internet connection.

If you don't have your VOIP endpoint on the same vlan, then you need some filtering between the voip vlan and the rest of your network.
The key thing to remember, as your network is, your 5412 'switch' is acting as an intervlan router.
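An added audit script, written for this thread rather than taken from it or from HP, that reads the posted config the way the replies do: it expands the port ranges to check whether any port is untagged in two VLANs (the C22-C24 question), and lists the VLANs that carry an IP address while `ip routing` is on, which is why the 5412 itself routes between VLAN 10 and VLAN 110. The config excerpt is constructed from the question and trimmed to the lines the parser reads; it assumes Python 3.8+.

```python
import re
# Constructed excerpt of the asker's running config: only the lines this audit reads.
RUNNING_CONFIG = """\
ip routing
vlan 1
   untagged K1-K8
   no untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24
vlan 110
   untagged A1,A5,C22-C24
   ip address 192.168.110.254 255.255.255.0
vlan 10
   untagged A2-A4,A6-A24,B1-B24,C1-C21,D1-D24,E1-E24,F1-F24
   ip address 192.168.10.254 255.255.255.0
"""
def expand_ports(spec):
    """Expand a ProCurve port list such as 'A1,A5,C22-C24' into a set of port names."""
    ports = set()
    for item in spec.split(","):
        m = re.fullmatch(r"([A-Z])(\d+)(?:-\1(\d+))?", item.strip())
        if not m:
            raise ValueError(f"unsupported port spec: {item}")
        lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
        ports.update(f"{m.group(1)}{n}" for n in range(lo, hi + 1))
    return ports

def parse_config(text):
    """Return (ip_routing_on, {vlan_id: {'untagged': set_of_ports, 'ip': address_or_None}})."""
    vlans, cur, routing = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "ip routing":
            routing = True
        elif m := re.fullmatch(r"vlan (\d+)", line):
            cur = vlans.setdefault(int(m.group(1)), {"untagged": set(), "ip": None})
        elif cur is not None and line.startswith("no untagged "):
            cur["untagged"] -= expand_ports(line[12:])   # 'no untagged' removes membership
        elif cur is not None and line.startswith("untagged "):
            cur["untagged"] |= expand_ports(line[9:])
        elif cur is not None and line.startswith("ip address "):
            cur["ip"] = line.split()[2]                  # gives the VLAN a routed interface
    return routing, vlans

def audit(text):
    """Ports untagged in more than one VLAN, and the VLANs the switch itself routes between."""
    routing, vlans = parse_config(text)
    members = {}
    for vid, v in vlans.items():
        for port in v["untagged"]:
            members.setdefault(port, set()).add(vid)
    # With 'ip routing' on, every VLAN that has an IP address is a routed interface: no firewall in the path.
    return {"overlaps": {p: s for p, s in members.items() if len(s) > 1},
            "routed_vlans": sorted(v for v, d in vlans.items() if d["ip"]) if routing else []}
```

Run against the posted config it reports no overlapping ports (C22-C24 are only in VLAN 110) but two routed VLANs, 10 and 110; removing the `ip routing` line or the VLAN 110 address empties that list.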
How is a device that is on the PROD (110) vlan with a .10 address and a 10.1 d/g able to ping past .10 without a proper d/g?  It would need a .110 ip and a 110.x d/g?
I'm not sure I understand your point? You're confusing me on your VLANs: you say above VOIP devices have .10, but .10 is your PROD vlan?
And this has changed from broadcast to devices being able to access the internet. Can you reply with as much detail as possible WHAT your problem is that you want resolved.
If a device has a .10 address on the VOIP network (which it should not), it should not be able to ping .10 devices on the PROD network.  The IP presented to VOIP is .110.254.  So if I am configured as .10.6 with a d/g of 10.1 and on the VOIP VLAN, I shouldn't be able to ping anything, let alone devices on the PROD network.
But if a device gets a .10, then it's in the PROD vlan, no? How else does it get the IP... so you either have a VLAN misconfiguration or a DHCP misconfiguration.
Is the device (the one supposed to get a VOIP address) connected to the 5412 or one of the other switches?

If it's one of the other switches, how are they connected to your 5412? Access ports (untagged) or trunk (tagged)?

What's the config on the other switches?
I would try doing some tracert / traceroute to find out the way packets are being routed.
E.g. from the client 'configured as .10.6 with a d/g of 10.1 and on the VOIP VLAN' do a TRACERT <ip of google>
Could you provide details of routing going on at 192.168.10.1?
-by all means including netmasks!
Could you provide details of routing going on at 192.168.10.2?
Need to close out issue. Resolved via other means.