SimonBrook asked:
Best way to segregate VLAN traffic.

Hello,

I was wondering if anyone could assist with some VLAN questions.

I have a relatively simple business network. Redundant Gateway/Firewall, 2x Redundant Core Switches with VLAN trunks to 8 "node" switches.

We have 10 VLANs setup with their own IP subnet and they are operational; however the VLANs are purely segregating broadcast traffic and all VLANs/Subnets can see each other.

How would you approach locking the VLAN subnets down and punching holes through where required?

Thanks,
SOLUTION (rharland2009)
ASKER (SimonBrook):
HP Procurve 3800G's are the core switches. Procurve 2510G's are the node switches.
SOLUTION
Thanks for the info.

What is the easiest way to confirm I'm running L3 on the core switches?
SOLUTION
Hi,

Thanks for the response and apologies for the delay. Below is the output from show run. Also, how come VLAN 50 (LDN-Mus-LAN) cannot get out to the internet?

HPPROCORESW1(vlan-50)# show run

Running configuration:

; hpStack Configuration Editor; Created on release #KA.15.13.0008
; Ver #05:19.ef.ff.3f.ef:dc

stacking
   member 1 type "J9575A" mac-address f0921c-21cd80
   member 1 priority 255
   member 2 type "J9575A" mac-address 40a8f0-9b2b80
   member 2 priority 200
   exit
hostname "HPPROCORESW1"
trunk 1/1,2/1 trk1 lacp
trunk 1/2,2/2 trk2 lacp
trunk 1/3,2/3 trk3 lacp
trunk 1/4,2/4 trk4 lacp
trunk 1/5,2/5 trk5 lacp
trunk 1/6,2/6 trk6 lacp
trunk 1/7,2/7 trk7 lacp
trunk 1/8,2/8 trk8 lacp
trunk 1/9,2/9 trk9 lacp
trunk 1/10,2/10 trk10 lacp
trunk 1/11,2/11 trk11 lacp
trunk 1/12,2/12 trk12 lacp
no telnet-server
time daylight-time-rule western-europe
ip dns domain-name "*removed*.local"
ip dns server-address priority 1 192.168.1.9
ip dns server-address priority 2 10.50.0.10
ip route 0.0.0.0 0.0.0.0 10.50.15.241
ip routing
interface 1/1
   name "To HPPROCOSSSW001 Port 45"
   exit
interface 1/2
   name "To HPPROCOSSSW002 Port 23"
   exit
interface 1/3
   name "To HPPROCOSSSW003 Port 23"
   exit
interface 1/4
   name "To HPPROCOSSSW004 Port 23"
   exit
interface 1/5
   name "To HPPROCOSSSW005 Port 23"
   exit
interface 1/6
   name "To HPPROCOSSSW006 Port 23"
   exit
interface 1/7
   name "To HPPROCOSSSW007 Port 23"
   exit
interface 1/8
   name "To HPPROCOSSSW008 Port 23"
   exit
interface 1/9
   name "To HPPROCOSSSW009 Port 23"
   exit
interface 1/10
   name "To HPPROCOSSSW010 Port 23"
   exit
interface 1/11
   name "To HPPROCOSSSW011 Port 23"
   exit
interface 1/12
   name "To HPPROCOSSSW012 Port 23"
   exit
interface 1/20
   name " "
   exit
interface 1/21
   name " "
   exit
interface 1/22
   name "LON-WAP-001"
   exit
interface 1/23
   name "To NSA5600FW1 X2 Primary"
   exit
interface 1/24
   name "To NSA5600FW1 Primary"
   exit
interface 2/1
   name "To HPPROCOSSSW001 Port 46"
   exit
interface 2/2
   name "To HPPROCOSSSW002 Port 24"
   exit
interface 2/3
   name "To HPPROCOSSSW003 Port 24"
   exit
interface 2/4
   name "To HPPROCOSSSW004 Port 24"
   exit
interface 2/5
   name "To HPPROCOSSSW005 Port 24"
   exit
interface 2/6
   name "To HPPROCOSSSW006 Port 24"
   exit
interface 2/7
   name "To HPPROCOSSSW007 Port 24"
   exit
interface 2/8
   name "To HPPROCOSSSW008 Port 24"
   exit
interface 2/9
   name "To HPPROCOSSSW009 Port 24"
   exit
interface 2/10
   name "To HPPROCOSSSW010 Port 24"
   exit
interface 2/11
   name "To HPPROCOSSSW011 Port 24"
   exit
interface 2/12
   name "To HPPROCOSSSW012 Port 24"
   exit
interface 2/19
   name "LON-WAP-003"
   exit
interface 2/20
   name "LON-WAP-002"
   exit
interface 2/22
   name "UKDJS01"
   exit
interface 2/23
   name "To NSA5600FW1 X2 Secondary"
   exit
interface 2/24
   name "To NSA5600FW1 Secondary"
   exit
snmp-server community "public" unrestricted
oobm
   ip address 10.50.15.37 255.255.255.0
   ip default-gateway 10.50.15.1
   member 1
      no ip address
      exit
   member 2
      no ip address
      exit
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1/20,1/22-1/24,2/19-2/24,Trk1-Trk12
   untagged 1/13-1/19,1/21,1/25-1/26,2/13-2/18,2/25-2/26
   no ip address
   exit
vlan 5
   name "Legacy-VLAN"
   untagged Trk1
   tagged Trk7
   ip address 192.168.0.30 255.255.240.0
   exit
vlan 10
   name "LDN-SRV-LAN"
   tagged Trk7,Trk12
   ip address 10.50.0.1 255.255.255.0
   exit
vlan 11
   name "LDN-Corp-LAN"
   untagged 2/22
   tagged Trk2-Trk12
   ip address 10.50.1.1 255.255.255.0
   ip helper-address 10.50.0.10
   exit
vlan 12
   name "LDN-Corp-WLAN"
   untagged 1/20,1/22,2/19-2/21
   tagged Trk2-Trk11
   ip address 10.50.2.1 255.255.255.0
   ip helper-address 10.50.0.10
   exit
vlan 13
   name "LDN-Dev-LAN"
   tagged Trk2-Trk11
   ip address 10.50.3.1 255.255.255.0
   exit
vlan 14
   name "LDN-Ops-LAN"
   tagged Trk2-Trk12
   ip address 10.50.4.1 255.255.255.0
   exit
vlan 50
   name "LDN-Mus-LAN"
   tagged 2/19,Trk2-Trk12
   no ip address
   exit
vlan 60
   name "Trusted_Guest"
   untagged 1/23,2/23
   tagged Trk7
   no ip address
   exit
vlan 70
   name "LDN-Voice"
   tagged Trk2-Trk11
   ip address 10.50.14.1 255.255.255.0
   exit
vlan 80
   name "LDN-Mgnt-LAN"
   tagged Trk2-Trk12
   ip address 10.50.15.1 255.255.255.128
   exit
vlan 99
   name "Transit-Vlan"
   untagged 1/24,2/24
   ip address 10.50.15.242 255.255.255.240
   exit
spanning-tree
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
spanning-tree Trk4 priority 4
spanning-tree Trk5 priority 4
spanning-tree Trk6 priority 4
spanning-tree Trk7 priority 4
spanning-tree Trk8 priority 4
spanning-tree Trk9 priority 4
spanning-tree Trk10 priority 4
spanning-tree Trk11 priority 4
spanning-tree Trk12 priority 4
spanning-tree mode rapid-pvst
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator

HPPROCORESW1(vlan-50)#



HPPROCORESW1(vlan-50)# show ip route

                                                                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          10.50.15.241    99   static               1          1
  10.50.0.0/24       LDN-SRV-LAN     10   connected            1          0
  10.50.1.0/24       LDN-Corp-LAN    11   connected            1          0
  10.50.2.0/24       LDN-Corp-WLAN   12   connected            1          0
  10.50.3.0/24       LDN-Dev-LAN     13   connected            1          0
  10.50.4.0/24       LDN-Ops-LAN     14   connected            1          0
  10.50.14.0/24      LDN-Voice       70   connected            1          0
  10.50.15.0/25      LDN-Mgnt-LAN    80   connected            1          0
  10.50.15.240/28    Transit-Vlan    99   connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  192.168.0.0/20     Legacy-VLAN     5    connected            1          0


HPPROCORESW1(vlan-50)#

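The two questions above (is routing enabled on the core, and why does one VLAN have no path out) can both be answered from the `show run` text: the `ip routing` line is what turns the 3800 into a layer 3 switch, and any VLAN whose block ends in `no ip address` has no routed interface on the core, so nothing routes for it. The following is an added example, not part of the thread and not HP's tooling; it parses a constructed excerpt modelled on the config posted above and reports the VLANs that exist only at layer 2. The `SAMPLE_RUN` text, the `Vlan` class and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in ProCurve "show run" format, trimmed to the lines this
# check cares about (modelled on the config in the thread, not copied from it).
SAMPLE_RUN = """\
hostname "HPPROCORESW1"
ip route 0.0.0.0 0.0.0.0 10.50.15.241
ip routing
vlan 10
   name "LDN-SRV-LAN"
   tagged Trk7,Trk12
   ip address 10.50.0.1 255.255.255.0
   exit
vlan 50
   name "LDN-Mus-LAN"
   tagged 2/19,Trk2-Trk12
   no ip address
   exit
vlan 60
   name "Trusted_Guest"
   untagged 1/23,2/23
   tagged Trk7
   no ip address
   exit
vlan 99
   name "Transit-Vlan"
   untagged 1/24,2/24
   ip address 10.50.15.242 255.255.255.240
   exit
"""


@dataclass
class Vlan:
    vid: int
    name: str = ""
    ip: Optional[str] = None  # "addr mask" when the VLAN has a routed interface, else None


def parse_run(text: str) -> Tuple[bool, Dict[int, Vlan]]:
    """Return (ip_routing_enabled, {vid: Vlan}) from ProCurve running-config text."""
    routing = False
    vlans: Dict[int, Vlan] = {}
    current: Optional[Vlan] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ip routing":  # global L3 switching on; "ip route ..." lines are not this
            routing = True
            continue
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            current = Vlan(vid=int(m.group(1)))
            vlans[current.vid] = current
            continue
        if current is None:
            continue  # outside any vlan block
        if line == "exit":
            current = None
        elif line.startswith("name "):
            current.name = line[len("name "):].strip('"')
        elif line.startswith("ip address "):
            current.ip = line[len("ip address "):]
        elif line == "no ip address":
            current.ip = None


    return routing, vlans


def unrouted_vlans(text: str) -> List[int]:
    """VIDs carried on the trunks but with no IP on the core: hosts in them have no gateway here."""
    _, vlans = parse_run(text)
    return sorted(v.vid for v in vlans.values() if v.ip is None)


if __name__ == "__main__":
    routing, vlans = parse_run(SAMPLE_RUN)
    print("ip routing enabled:", routing)
    for vid in unrouted_vlans(SAMPLE_RUN):
        print(f"vlan {vid} ({vlans[vid].name}) has no routed interface on the core")
```

Run against the full config in the post, the same logic reports VLAN 1, 50 and 60 as unrouted; VLAN 1 is the default VLAN with nothing in it, but 50 is the one the asker cannot get to the internet from, which is why `show ip route` lists no 10.50.16.0/24 entry.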

SOLUTION
Thank you for the doc ref ACLs. As the switches (2x core and multiple user) are stacked, can I run the ACLs just from the core? What about different VLAN traffic on the same switch; will that not traverse without heading back up the trunk to the core switch?

VLAN 50 is 10.50.16.0/24
SOLUTION
Thanks for the info ref Layer 2/3. I think I understand. Is there any way all switches (core and user) might be layer 3, and therefore core level ACLs might not accomplish the segregation requirement?

The gateway should be the same as all the other VLANs; what's the best way of checking those and then applying to VLAN 50?

Really appreciate all your help on this.
SOLUTION
Thanks for the comprehensive explanation.

So I just need to add a gateway for VLAN 50 for example 10.50.16.1 on the core switch?

Thanks,
SOLUTION
Great. That worked! Just the ACLs on the core switch to try.

Thanks.
SOLUTION
Hello,

So I've configured my first ACL on the core switch.

HPPROCORESW1(config)# ip access-list extended "No LDN-MUS-LAN to LDN-SRV-LAN"
HPPROCORESW1(config-ext-nacl)# deny ip 10.50.16.0/24 10.50.0.0/24 log
HPPROCORESW1(config-ext-nacl)# show access-list

Access Control Lists

 Type  Appl  Name
 ----  ----  ----------------------------------------------------------------
  ext   no    No LDN-MUS-LAN to LDN-SRV-LAN

HPPROCORESW1(config-ext-nacl)# show access-list "No LDN-MUS-LAN to LDN-SRV-LAN"

Access Control Lists

  Name: No LDN-MUS-LAN to LDN-SRV-LAN
  Type: Extended
  Applied: No

 SEQ  Entry
-----------------------------------------------------------------------------
 10   Action: deny (log)
      Src IP: 10.50.16.0        Mask: 0.0.0.255         Port(s):
      Dst IP: 10.50.0.0         Mask: 0.0.0.255         Port(s):
      Proto : IP
      TOS   : -                 Precedence: -


HPPROCORESW1(config-ext-nacl)#



How do I go about applying it? I've read that to apply ACLs you need to assign them to ports. I don't really want to assign them to ports (big overhead when people move, etc.). Can I assign them to trunks?


VLAN 50 (10.50.16.0) -> VLAN 10 (10.50.0.0)

Dual core switches (redundancy 1/1-24 and 2/1-24) both have a trunk to each user switch (8 switches).

How can I apply the ACL and where?

Thanks,
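One thing worth checking before the ACL above is bound anywhere: ProCurve ACLs are evaluated top down, first match wins, and every ACL ends in an implicit "deny any" that the `show access-list` output does not print. As entered, the list has a single deny entry and no permit, so once it is applied inbound on VLAN 50 it would block all routed traffic from 10.50.16.0/24, not just traffic to the server VLAN. The following is an added example, not part of the thread and not HP software; it models that first-match-plus-implicit-deny evaluation in Python and runs a few constructed flows through the ACL as posted and through the same ACL with an explicit `permit ip any any` added at the end. The `Ace` class, the `ace`, `evaluate` and `check` helpers, and the sample addresses (203.0.113.10 is a documentation-range address standing in for "the internet") are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access control entry, reduced to what the thread's ACL uses (IP, src, dst)."""
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool = False


def ace(action: str, src: str, dst: str, log: bool = False) -> Ace:
    """Build an entry from ProCurve-style operands: 'any' or 'a.b.c.d/len'."""
    s = ANY if src == "any" else ipaddress.ip_network(src, strict=False)
    d = ANY if dst == "any" else ipaddress.ip_network(dst, strict=False)
    return Ace(action, s, d, log)


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, entry index); index None means the
    packet fell off the end and hit the implicit deny that every ProCurve ACL carries."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for i, entry in enumerate(acl):
        if s in entry.src and d in entry.dst:
            return entry.action, i
    return "deny", None


# The ACL exactly as entered in the post: one deny, nothing else.
AS_ENTERED = [ace("deny", "10.50.16.0/24", "10.50.0.0/24", log=True)]

# The same ACL with an explicit permit so everything not listed still flows.
WITH_PERMIT = AS_ENTERED + [ace("permit", "any", "any")]

# Constructed flows from a VLAN 50 host (addresses are sample values).
FLOWS: Dict[str, Tuple[str, str]] = {
    "mus_to_srv": ("10.50.16.25", "10.50.0.10"),       # should be blocked
    "mus_to_corp": ("10.50.16.25", "10.50.1.40"),      # not mentioned in the ACL
    "mus_to_internet": ("10.50.16.25", "203.0.113.10"),  # not mentioned in the ACL
}


def check(acl: List[Ace], flows: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map each named flow to the action the ACL gives it."""
    return {name: evaluate(acl, s, d)[0] for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, acl in (("as entered", AS_ENTERED), ("with permit any any", WITH_PERMIT)):
        print(f"{label}:")
        for name, action in check(acl, FLOWS).items():
            print(f"  {name:16s} -> {action}")
```

With the list as entered, every flow comes back `deny`; only after the trailing permit does the ACL block just the server VLAN and leave corporate and internet traffic alone. On the 3800 a routed ACL like this is bound in VLAN context (`vlan 50` then `ip access-group "<name>" in`) rather than to individual ports, which is what makes the "where do I apply it" question answerable without touching every user port; the `log` keyword on the deny entry is also what will show the denied flows once it is applied, so it is worth keeping while testing.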
ASKER CERTIFIED SOLUTION
Thanks for all your help, two of my VLANS now have ACLs setup and working! I also found this very helpful from a scenario based point of view.

Procurve ACLs - a little help?
Very helpful user and patient!