Solved

Best way to segregate VLAN traffic.

Posted on 2014-12-15
Last Modified: 2015-02-02
Hello,

I was wondering if anyone could assist with some VLAN questions.

I have a relatively simple business network. Redundant Gateway/Firewall, 2x Redundant Core Switches with VLAN trunks to 8 "node" switches.

We have 10 VLANs setup with their own IP subnet and they are operational; however the VLANs are purely segregating broadcast traffic and all VLANs/Subnets can see each other.

How would you approach locking the VLAN subnets down and punching holes through where required?

Thanks,
Question by:SimonBrook
19 Comments
 
LVL 11

Assisted Solution

by:rharland2009
rharland2009 earned 500 total points
ID: 40500618
If your core switches are layer 3 devices, you can build ACLs there if you want to prevent certain subnets from talking to others. Are these Cisco switches?
 
LVL 1

Author Comment

by:SimonBrook
ID: 40500737
HP Procurve 3800G's are the core switches. Procurve 2510G's are the node switches.
 
LVL 11

Assisted Solution

by:rharland2009
rharland2009 earned 500 total points
ID: 40500920
Okay. If you're running L3 on the core switches (I'm assuming you are), then ACLs there are a simple and effective way to isolate the VLANs from one another at a global level if you want to. If you're a Windows shop and you want to be more granular, then I would suggest carving out your permissions at the NTFS level and granting permission by user, etc.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40502328
Thanks for the info.

What is the easiest way to confirm I'm running L3 on the core switches?
 
LVL 11

Assisted Solution

by:rharland2009
rharland2009 earned 500 total points
ID: 40502474
In the CLI of the core switch, do a 'show run' command.
If 'ip routing' shows up in your config, then your core switches are in fact running as layer 3 devices. If all of your VLANs terminate here, then this is where you can make those ACLs.
It's also possible your layer 3 (IP) terminations reside on your gateway/firewalls. That's a relatively common situation as well.
If that's so, you can segregate on those devices using much the same method (it'll vary slightly depending on what those devices are). Just build firewall rules/ACLs to segregate the VLANs from talking to each other.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40548755
Hi,

Thanks for the response and apologies for the delay. Below is output from show run. Also, how come VLAN 50 (LDN-Mus-LAN) cannot get out to the internet?

HPPROCORESW1(vlan-50)# show run

Running configuration:

; hpStack Configuration Editor; Created on release #KA.15.13.0008
; Ver #05:19.ef.ff.3f.ef:dc

stacking
   member 1 type "J9575A" mac-address f0921c-21cd80
   member 1 priority 255
   member 2 type "J9575A" mac-address 40a8f0-9b2b80
   member 2 priority 200
   exit
hostname "HPPROCORESW1"
trunk 1/1,2/1 trk1 lacp
trunk 1/2,2/2 trk2 lacp
trunk 1/3,2/3 trk3 lacp
trunk 1/4,2/4 trk4 lacp
trunk 1/5,2/5 trk5 lacp
trunk 1/6,2/6 trk6 lacp
trunk 1/7,2/7 trk7 lacp
trunk 1/8,2/8 trk8 lacp
trunk 1/9,2/9 trk9 lacp
trunk 1/10,2/10 trk10 lacp
trunk 1/11,2/11 trk11 lacp
trunk 1/12,2/12 trk12 lacp
no telnet-server
time daylight-time-rule western-europe
ip dns domain-name "*removed*.local"
ip dns server-address priority 1 192.168.1.9
ip dns server-address priority 2 10.50.0.10
ip route 0.0.0.0 0.0.0.0 10.50.15.241
ip routing
interface 1/1
   name "To HPPROCOSSSW001 Port 45"
   exit
interface 1/2
   name "To HPPROCOSSSW002 Port 23"
   exit
interface 1/3
   name "To HPPROCOSSSW003 Port 23"
   exit
interface 1/4
   name "To HPPROCOSSSW004 Port 23"
   exit
interface 1/5
   name "To HPPROCOSSSW005 Port 23"
   exit
interface 1/6
   name "To HPPROCOSSSW006 Port 23"
   exit
interface 1/7
   name "To HPPROCOSSSW007 Port 23"
   exit
interface 1/8
   name "To HPPROCOSSSW008 Port 23"
   exit
interface 1/9
   name "To HPPROCOSSSW009 Port 23"
   exit
interface 1/10
   name "To HPPROCOSSSW010 Port 23"
   exit
interface 1/11
   name "To HPPROCOSSSW011 Port 23"
   exit
interface 1/12
   name "To HPPROCOSSSW012 Port 23"
   exit
interface 1/20
   name " "
   exit
interface 1/21
   name " "
   exit
interface 1/22
   name "LON-WAP-001"
   exit
interface 1/23
   name "To NSA5600FW1 X2 Primary"
   exit
interface 1/24
   name "To NSA5600FW1 Primary"
   exit
interface 2/1
   name "To HPPROCOSSSW001 Port 46"
   exit
interface 2/2
   name "To HPPROCOSSSW002 Port 24"
   exit
interface 2/3
   name "To HPPROCOSSSW003 Port 24"
   exit
interface 2/4
   name "To HPPROCOSSSW004 Port 24"
   exit
interface 2/5
   name "To HPPROCOSSSW005 Port 24"
   exit
interface 2/6
   name "To HPPROCOSSSW006 Port 24"
   exit
interface 2/7
   name "To HPPROCOSSSW007 Port 24"
   exit
interface 2/8
   name "To HPPROCOSSSW008 Port 24"
   exit
interface 2/9
   name "To HPPROCOSSSW009 Port 24"
   exit
interface 2/10
   name "To HPPROCOSSSW010 Port 24"
   exit
interface 2/11
   name "To HPPROCOSSSW011 Port 24"
   exit
interface 2/12
   name "To HPPROCOSSSW012 Port 24"
   exit
interface 2/19
   name "LON-WAP-003"
   exit
interface 2/20
   name "LON-WAP-002"
   exit
interface 2/22
   name "UKDJS01"
   exit
interface 2/23
   name "To NSA5600FW1 X2 Secondary"
   exit
interface 2/24
   name "To NSA5600FW1 Secondary"
   exit
snmp-server community "public" unrestricted
oobm
   ip address 10.50.15.37 255.255.255.0
   ip default-gateway 10.50.15.1
   member 1
      no ip address
      exit
   member 2
      no ip address
      exit
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1/20,1/22-1/24,2/19-2/24,Trk1-Trk12
   untagged 1/13-1/19,1/21,1/25-1/26,2/13-2/18,2/25-2/26
   no ip address
   exit
vlan 5
   name "Legacy-VLAN"
   untagged Trk1
   tagged Trk7
   ip address 192.168.0.30 255.255.240.0
   exit
vlan 10
   name "LDN-SRV-LAN"
   tagged Trk7,Trk12
   ip address 10.50.0.1 255.255.255.0
   exit
vlan 11
   name "LDN-Corp-LAN"
   untagged 2/22
   tagged Trk2-Trk12
   ip address 10.50.1.1 255.255.255.0
   ip helper-address 10.50.0.10
   exit
vlan 12
   name "LDN-Corp-WLAN"
   untagged 1/20,1/22,2/19-2/21
   tagged Trk2-Trk11
   ip address 10.50.2.1 255.255.255.0
   ip helper-address 10.50.0.10
   exit
vlan 13
   name "LDN-Dev-LAN"
   tagged Trk2-Trk11
   ip address 10.50.3.1 255.255.255.0
   exit
vlan 14
   name "LDN-Ops-LAN"
   tagged Trk2-Trk12
   ip address 10.50.4.1 255.255.255.0
   exit
vlan 50
   name "LDN-Mus-LAN"
   tagged 2/19,Trk2-Trk12
   no ip address
   exit
vlan 60
   name "Trusted_Guest"
   untagged 1/23,2/23
   tagged Trk7
   no ip address
   exit
vlan 70
   name "LDN-Voice"
   tagged Trk2-Trk11
   ip address 10.50.14.1 255.255.255.0
   exit
vlan 80
   name "LDN-Mgnt-LAN"
   tagged Trk2-Trk12
   ip address 10.50.15.1 255.255.255.128
   exit
vlan 99
   name "Transit-Vlan"
   untagged 1/24,2/24
   ip address 10.50.15.242 255.255.255.240
   exit
spanning-tree
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
spanning-tree Trk4 priority 4
spanning-tree Trk5 priority 4
spanning-tree Trk6 priority 4
spanning-tree Trk7 priority 4
spanning-tree Trk8 priority 4
spanning-tree Trk9 priority 4
spanning-tree Trk10 priority 4
spanning-tree Trk11 priority 4
spanning-tree Trk12 priority 4
spanning-tree mode rapid-pvst
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator

HPPROCORESW1(vlan-50)#



HPPROCORESW1(vlan-50)# show ip route

  IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          10.50.15.241    99   static               1          1
  10.50.0.0/24       LDN-SRV-LAN     10   connected            1          0
  10.50.1.0/24       LDN-Corp-LAN    11   connected            1          0
  10.50.2.0/24       LDN-Corp-WLAN   12   connected            1          0
  10.50.3.0/24       LDN-Dev-LAN     13   connected            1          0
  10.50.4.0/24       LDN-Ops-LAN     14   connected            1          0
  10.50.14.0/24      LDN-Voice       70   connected            1          0
  10.50.15.0/25      LDN-Mgnt-LAN    80   connected            1          0
  10.50.15.240/28    Transit-Vlan    99   connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  192.168.0.0/20     Legacy-VLAN     5    connected            1          0


HPPROCORESW1(vlan-50)#


 
LVL 11

Assisted Solution

by:rharland2009
rharland2009 earned 500 total points
ID: 40548849
First the VLAN 50 question:

There's no IP defined for VLAN 50 on the switch - this means that your gateway for that VLAN exists elsewhere. What subnet is VLAN 50 and where does the L3 gateway for that VLAN reside?

Segregation of VLANs question:

You'll build access-lists (similar to Cisco) where you'll specify what IPs can communicate with other IPs, and then assign those access-lists to the VLAN interfaces to block unwanted traffic at the ingress of the VLAN.

Here's a guide straight from HP that walks you through the whole process - pretty easy.

http://www.hp.com/rnd/support/manuals/pdf/release_06628_07110/Bk2_Ch3_ACL.pdf
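
As an added example that is not part of the original thread (not the poster's code, not HP's), the following script turns the "where is the gateway for VLAN 50" check above into something repeatable: it parses the VLAN stanzas of a ProCurve `show run`, lists the VLANs the core owns an IP address for, and flags the rest as layer-2 only on this switch. The embedded SAMPLE_CONFIG is a constructed, trimmed copy of the configuration posted above; the OOBM stanza is kept deliberately so the parser is seen to ignore an `ip address` that is not a VLAN termination.

```python
"""Inventory layer-3 terminations in a ProCurve 'show run' (added example, not the thread's own code).

Parses the 'vlan' stanzas, records which VLANs this switch owns an IP address for and
flags the rest as layer-2 only: the core makes no routing decision for those, so an ACL
on the core cannot segregate them and their hosts need a gateway elsewhere.  It also
checks for 'ip routing' and a default route, both of which inter-VLAN routing needs.
SAMPLE_CONFIG is a constructed, trimmed copy of the configuration posted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
hostname "HPPROCORESW1"
ip route 0.0.0.0 0.0.0.0 10.50.15.241
ip routing
oobm
   ip address 10.50.15.37 255.255.255.0
   exit
vlan 1
   name "DEFAULT_VLAN"
   no ip address
   exit
vlan 10
   name "LDN-SRV-LAN"
   ip address 10.50.0.1 255.255.255.0
   exit
vlan 11
   name "LDN-Corp-LAN"
   ip address 10.50.1.1 255.255.255.0
   ip helper-address 10.50.0.10
   exit
vlan 50
   name "LDN-Mus-LAN"
   tagged 2/19,Trk2-Trk12
   no ip address
   exit
"""


@dataclass
class Vlan:
    vid: int
    name: str = ""
    iface: Optional[ipaddress.IPv4Interface] = None  # None: layer-2 only on this switch


@dataclass
class Inventory:
    ip_routing: bool
    default_gw: Optional[str]
    vlans: Dict[int, Vlan]

    def l2_only_vids(self) -> List[int]:
        return sorted(v.vid for v in self.vlans.values() if v.iface is None)


def parse_config(text: str) -> Inventory:
    ip_routing, default_gw = False, None
    vlans: Dict[int, Vlan] = {}
    current: Optional[Vlan] = None          # VLAN stanza we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ip routing":
            ip_routing = True
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
            default_gw = m.group(1)
        elif m := re.match(r"vlan (\d+)$", line):
            current = vlans.setdefault(int(m.group(1)), Vlan(int(m.group(1))))
        elif current is None:
            continue                        # stacking/oobm/interface stanzas: not VLAN context
        elif m := re.match(r'name "(.*)"$', line):
            current.name = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            # IPv4Interface accepts the dotted-netmask form ProCurve prints.
            current.iface = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif line == "exit":
            current = None
    return Inventory(ip_routing, default_gw, vlans)


def gateway_for(inv: Inventory, vid: int) -> Optional[str]:
    """Address hosts on the VLAN would use as default gateway, if this switch routes it."""
    v = inv.vlans.get(vid)
    return str(v.iface.ip) if v is not None and v.iface is not None else None


def report(inv: Inventory) -> List[str]:
    lines = ["ip routing: " + ("enabled" if inv.ip_routing else "DISABLED, switch is layer 2 only"),
             "default route via: " + (inv.default_gw or "none")]
    for v in sorted(inv.vlans.values(), key=lambda x: x.vid):
        if v.iface is None:
            lines.append(f"vlan {v.vid:<3} {v.name:<14} layer-2 only here: no gateway, core ACLs cannot filter it")
        else:
            lines.append(f"vlan {v.vid:<3} {v.name:<14} {v.iface.network}  gw {v.iface.ip}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_config(SAMPLE_CONFIG))))
```

Run against the full posted config it reports VLANs 1, 50 and 60 as layer-2 only, which is exactly the set the expert's question is about; a VLAN that should be routed by the core but shows up in that list is the one missing its `ip address` line.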
 
LVL 1

Author Comment

by:SimonBrook
ID: 40549004
Thank you for the doc ref ACLs. As the switches (2x core and multiple user) are stacked, can I run the ACLs just from the core? What about different VLAN traffic on the same switch; will that not traverse without heading back up the trunk to the core switch?

VLAN 50 is 10.50.16.0/24
 
LVL 11

Assisted Solution

by:rharland2009
rharland2009 earned 500 total points
ID: 40549313
ACLs are a layer 3 function, so they only need to exist at your layer 3 switch.

A computer talking to another computer on another VLAN is still a layer 3 conversation. Traffic on the same switch is still just layer 2 traffic until it reaches the core and a layer 3 routing decision/ACL action is made.

Again, VLAN 50 has no gateway defined on your core switch. That means from the perspective of the switch it is a pure layer 2 situation, and the IP gateway for that network resides elsewhere. Where does it reside?
 
LVL 1

Author Comment

by:SimonBrook
ID: 40549340
Thanks for the info ref Layer 2/3. I think I understand. Is there any way all switches (core and user) might be layer 3, and therefore core-level ACLs might not accomplish the segregation requirement?

The gateway should be the same as all the other VLANs; what's the best way of checking those and then applying to VLAN 50?

Really appreciate all your help on this.
 
LVL 11

Assisted Solution

by:rharland2009
rharland2009 earned 500 total points
ID: 40549536
It would be uncommon to have multiple layer 3 switches in a smaller setup, unless you had requirements of terminating the layer 3 connections for your VLANs in different places. It's possible, sure - but unless your shop is huge, unlikely.

Re VLAN 50 - by gateway, I mean the layer 3 termination for the VLAN. Looking at your configuration, do you see where most of the VLAN interfaces have an IP address? Think of those as the terminations for those VLANs/subnets.

For example, look at VLAN 14 in your config. The IP address for that interface is 10.50.4.1/24. I'll wager the computers/servers/devices on that VLAN have 10.50.4.1 as their default gateway.

Now compare that to VLAN 50. There isn't an IP address defined for that interface, which means the VLAN is still a layer 2 environment - there are no *routing* decisions being made by your core switch for traffic on VLAN 50. There may be *switching* (Layer 2) decisions being made, but that still won't route IP datagrams. The gateway exists elsewhere (on the other end of one of those trunk interfaces, most likely). Now, if there is no other device that acts as the gateway for VLAN 50's IP traffic, you're going to have a hard time getting to the Internet - or anywhere else, for that matter.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40550814
Thanks for the comprehensive explanation.

So I just need to add a gateway for VLAN 50 for example 10.50.16.1 on the core switch?

Thanks,
 
LVL 11

Assisted Solution

by:rharland2009
rharland2009 earned 500 total points
ID: 40551084
If the gateway for VLAN 50 does not in fact exist elsewhere, then that's all you need to do. Then, as long as your firewall/perimeter device has a route to get *back* to VLAN 50, you'll be good to go.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40551255
Great. That worked! Just the ACLs on the core switch to try.

Thanks.
 
LVL 11

Assisted Solution

by:rharland2009
rharland2009 earned 500 total points
ID: 40551322
Excellent. I think you'll find the ACLs very straightforward. Follow the guide I posted and you should experience success.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40566088
Hello,

So I've configured my first ACL on the core switch.

HPPROCORESW1(config)# ip access-list extended "No LDN-MUS-LAN to LDN-SRV-LAN"
HPPROCORESW1(config-ext-nacl)# deny ip 10.50.16.0/24 10.50.0.0/24 log
HPPROCORESW1(config-ext-nacl)# show access-list

Access Control Lists

 Type  Appl  Name
 ----  ----  ----------------------------------------------------------------
  ext   no    No LDN-MUS-LAN to LDN-SRV-LAN

HPPROCORESW1(config-ext-nacl)# show access-list "No LDN-MUS-LAN to LDN-SRV-LAN"

Access Control Lists

  Name: No LDN-MUS-LAN to LDN-SRV-LAN
  Type: Extended
  Applied: No

 SEQ  Entry
-----------------------------------------------------------------------------
 10   Action: deny (log)
      Src IP: 10.50.16.0        Mask: 0.0.0.255         Port(s):
      Dst IP: 10.50.0.0         Mask: 0.0.0.255         Port(s):
      Proto : IP
      TOS   : -                 Precedence: -


HPPROCORESW1(config-ext-nacl)#



How do I go about applying it? I've read that to apply ACLs you need to assign them to ports. I don't really want to assign to ports (big overhead when people move, etc.). Can I assign to trunks?


VLAN 50 (10.50.16.0) -> VLAN 10 (10.50.0.0)

Dual core switches (redundancy 1/1-24 and 2/1-24) both have a trunk to each user switch (8 switches).

How can I apply the ACL and where?

Thanks,
 
LVL 11

Accepted Solution

by:rharland2009
rharland2009 earned 500 total points
ID: 40566249
You apply ACLs at your layer 3 devices - core switch, router, etc. An ACL is a layer 3 mechanism, remember. In other words, your layer 2 ports (user access/trunk ports that carry switched traffic only) don't know anything about layer 3 (IP). This makes it nice and simple - you segregate via ACL at the VLAN layer 3 interface on your routing device, and then you don't have to touch your layer 2 devices with regard to ACLs.
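
One caveat a practitioner would want next to the accepted answer, shown as an added example that is not from the thread, from HP, or from the linked guide: ProCurve ACLs, like Cisco's, are evaluated first-match with an implicit "deny any any" at the end. The ACL posted above contains a single deny entry, so applied on its own to VLAN 50 it would also drop every other flow from 10.50.16.0/24, including the internet traffic that was just fixed. The script below models that semantics, renders the entries in the CLI form used above, and evaluates constructed sample flows against the posted ACL and a corrected one. Assumptions, not facts from the page: that 10.50.0.10 (the `ip helper-address` in the posted config) is the DNS server the Mus-LAN clients still need, and that the ACL is applied as a VLAN ACL with `vlan 50 ip access-group "<name>" in`.

```python
"""Dry-run a ProCurve VLAN ACL for the LDN-Mus-LAN -> LDN-SRV-LAN case.

Added example for this thread, not code from the poster, HP, or the linked guide.
It models the first-match, implicit-deny semantics ProCurve (and Cisco) ACLs share,
renders ACEs in the CLI form used in the thread, and evaluates constructed sample flows.
The lesson: the single 'deny' ACE posted in the thread, applied by itself, also drops
every other flow from VLAN 50 (internet included) because of the implicit 'deny any any'
at the end of every ACL; the needed holes go first and 'permit ip any any' last.
Assumptions: 10.50.0.10 (the ip helper-address in the config) is the DNS server the
Mus-LAN clients need, and the VACL is applied with 'vlan 50 ip access-group "<name>" in'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: Net
    dst: Net
    dport: Optional[int] = None  # destination port; None = any
    log: bool = False

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.IPv4Address(src) not in self.src or ipaddress.IPv4Address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport

    def cli(self) -> str:
        """Render in ProCurve extended-ACL syntax, e.g. 'deny ip 10.50.16.0/24 10.50.0.0/24 log'."""
        def addr(n: Net) -> str:
            if n.prefixlen == 0:
                return "any"
            if n.prefixlen == 32:
                return f"host {n.network_address}"
            return f"{n.network_address}/{n.prefixlen}"
        parts = [self.action, self.proto, addr(self.src), addr(self.dst)]
        if self.dport is not None:
            parts.append(f"eq {self.dport}")
        if self.log:
            parts.append("log")
        return " ".join(parts)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching ACE decides; a flow matching nothing hits the implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny (implicit)"


def render(name: str, vid: int, acl: List[Ace]) -> str:
    """ProCurve CLI: define the extended ACL, then apply it inbound on the VLAN as a VACL."""
    body = [f'ip access-list extended "{name}"'] + [f"   {a.cli()}" for a in acl] + ["   exit"]
    body.append(f'vlan {vid} ip access-group "{name}" in')
    return "\n".join(body)


MUS = Net("10.50.16.0/24")     # VLAN 50, LDN-Mus-LAN
SRV = Net("10.50.0.0/24")      # VLAN 10, LDN-SRV-LAN
DNS = Net("10.50.0.10/32")     # assumption: DNS server the Mus-LAN clients must still reach
ACL_NAME = "No LDN-MUS-LAN to LDN-SRV-LAN"

# The ACL exactly as posted: one deny and nothing else.
POSTED = [Ace("deny", "ip", MUS, SRV, log=True)]

# Hardened: punch the required hole first, deny the rest of the server VLAN, permit all else.
HARDENED = [
    Ace("permit", "udp", MUS, DNS, dport=53),
    Ace("permit", "tcp", MUS, DNS, dport=53),
    Ace("deny", "ip", MUS, SRV, log=True),
    Ace("permit", "ip", ANY, ANY),
]

if __name__ == "__main__":
    print(render(ACL_NAME, 50, HARDENED))
    for label, acl in (("posted", POSTED), ("hardened", HARDENED)):
        print(label, "mus -> internet:", evaluate(acl, "tcp", "10.50.16.20", "203.0.113.10", 443))
        print(label, "mus -> dns     :", evaluate(acl, "udp", "10.50.16.20", "10.50.0.10", 53))
```

The VLAN interface the ACL is applied to must own an IP address on the core (VLAN 50 did not until 10.50.16.1 was added above), otherwise the core never routes that VLAN's traffic and the ACL has nothing to act on. The `log` keyword on the deny is worth keeping while the rule set is new, since the logged hits are how you find the holes you forgot to punch.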
 
LVL 1

Author Comment

by:SimonBrook
ID: 40583863
Thanks for all your help, two of my VLANs now have ACLs set up and working! I also found this very helpful from a scenario-based point of view.

Procurve ACLs - a little help?
 
LVL 1

Author Closing Comment

by:SimonBrook
ID: 40583866
Very helpful user and patient!
