Comware

  • 1.  HP switch 5800, segmentation

    Posted Jun 29, 2015 01:39 PM

    Hello Folks, 

     

    I'm here with a problem. At work I have 2 switch 5800 (core) and 7 1910 access switches, and I need to segment my local network: 

     

    Here is my configuration : 

     

         VLAN         Network           Access Switch     Core Switch
    --------------------------------------------------------------------
    1°   Vlan 100     172.16.1.0/24     172.16.1.252      172.16.1.253
    2°   Vlan 200     172.16.2.0/24     172.16.2.252      172.16.2.253
    3°   Vlan 300     172.16.3.0/24     172.16.3.252      172.16.3.253
    4°   Vlan 400     172.16.4.0/24     172.16.4.252      172.16.4.253
    5°   Vlan 500     172.16.5.0/24     172.16.5.252      172.16.5.253
    6°   Vlan 600     172.16.6.0/24     172.16.6.252      172.16.6.253
    7°   Vlan 700     172.16.7.0/24     172.16.7.252      172.16.7.253

     

    I need only one floor to communicate with itself, and the HP 5800 is routing all of the other VLANs. Can someone help me with this issue? Thanks to all of you! 



  • 2.  RE: HP switch 5800, segmentation

    Posted Jun 29, 2015 09:00 PM

     

    The basic design principle for the segmentation you are describing is to match up the logical segmentation with the physical network:

    VLAN100 is used on AccessSwitch1 only

    VLAN200 is used on AccessSwitch2 only

    etc...

     

    The core switch has all 7 VLANs, with an IP address on each. That IP address is the default gateway for hosts that reside within that VLAN/subnet.

     

    Each VLAN is trunked to a single switch, and each trunk contains a single VLAN.

     

    Your core interface configuration should look like:

    interface GigabitEthernet1/0/1

    description Link to AccessSwitch1
    port link-mode bridge
    port link-type trunk
    port trunk permit vlan 100

     

    etc...

     

    On each 1910 switch you configure it equivalently.



  • 3.  RE: HP switch 5800, segmentation

    Posted Jun 30, 2015 09:57 AM

    Nowadays I use this configuration: 

    All Trk1 interfaces in trunk mode (access switches), and core switch Bridge-Aggregation 1 passes only VLAN 100 and VLAN 1. However, I think the core switch is routing all packets with inter-VLAN routing; I will attach my routing table to this answer.  



  • 4.  RE: HP switch 5800, segmentation

    Posted Jun 30, 2015 07:51 PM

    By default, with IP routing enabled, the 5800 will route packets between any subnet in which it has an IP address.

     

    If you do not want inter-VLAN routing, you can either:

    1/ remove all IP addresses from the 5800 (except a management address) and trunk all VLANs to a firewall (or similar) which can properly control access between VLANs.

    or

    2/ implement access lists on the 5800 to prevent inter-VLAN routing.

     

    If you need proper security, access-lists on a switch aren't the best way to do it.



  • 5.  RE: HP switch 5800, segmentation

    Posted Jul 01, 2015 08:54 AM

    Thanks for the answer!

     

    Do you have a tutorial to help me make these configurations?

    Can I do it in the graphical web interface?

    I can't use a firewall to route all packets; I just bought the 5800 to do it, because it is a core switch.

    Why can I implement access lists?  



  • 6.  RE: HP switch 5800, segmentation

    Posted Jul 01, 2015 07:36 PM

    Maybe something like:

     

    acl number 100
    rule 20 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
    rule 30 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.3.0 0.0.0.255
    rule 40 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
    rule 50 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.5.0 0.0.0.255
    rule 60 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.6.0 0.0.0.255
    rule 70 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.7.0 0.0.0.255
    rule 100 permit ip

    interface VLAN100
    packet-filter 100 inbound

    acl number 200
    rule 10 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
    rule 30 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.3.0 0.0.0.255
    rule 40 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
    rule 50 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.5.0 0.0.0.255
    rule 60 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.6.0 0.0.0.255
    rule 70 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.7.0 0.0.0.255
    rule 100 permit ip

    interface VLAN200
    packet-filter 200 inbound

    etc..
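    The "etc.." above leaves five of the seven floors unwritten. As an added example (not from the thread or from HPE), the script below generates the remaining blocks from the subnet table in the first post, keeping the poster's rule-numbering scheme (rule N*10 denies floor N, own floor skipped), and then checks the resulting policy with a small first-match evaluator. It assumes Comware's `Vlan-interface` naming and numbers the ACLs 3001-3007, since advanced (source+destination) IPv4 ACLs live in the 3000-3999 range on Comware rather than at 100/200 as sketched in the post.

```python
"""Added example, not from the thread: build the per-floor Comware advanced
ACLs and packet-filter bindings for all seven VLANs, then evaluate them."""
from ipaddress import IPv4Address, IPv4Network

# VLAN -> subnet, taken from the table in the first post.
FLOORS = {100 * n: IPv4Network(f"172.16.{n}.0/24") for n in range(1, 8)}
ACL_BASE = 3000  # assumption: advanced IPv4 ACL range 3000-3999 on Comware


def acl_number(vlan: int) -> int:
    return ACL_BASE + vlan // 100          # VLAN 100 -> acl 3001, ..., 700 -> 3007


def acl_for(vlan: int, floors: dict = FLOORS) -> list[str]:
    """Deny this floor's subnet to every other floor, permit everything else.
    Comware ACLs use wildcard masks, which ipaddress exposes as .hostmask."""
    src = floors[vlan]
    lines = [f"acl number {acl_number(vlan)}"]
    for other, dst in sorted(floors.items()):
        if other != vlan:
            lines.append(f"rule {other // 10} deny ip source {src.network_address} "
                         f"{src.hostmask} destination {dst.network_address} {dst.hostmask}")
    lines.append("rule 100 permit ip")    # explicit, matching the post's style
    return lines


def filter_for(vlan: int) -> list[str]:
    """Apply the floor's ACL to traffic entering its SVI (the routed hop)."""
    return [f"interface Vlan-interface {vlan}", f"packet-filter {acl_number(vlan)} inbound"]


def full_config(floors: dict = FLOORS) -> str:
    return "\n\n".join("\n".join(acl_for(v, floors) + [""] + filter_for(v))
                       for v in sorted(floors))


def evaluate(rules: list[str], src: str, dst: str) -> str:
    """First matching rule wins; returns 'deny' or 'permit'.
    Parses the text produced by acl_for(), so the check runs on the real output."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for line in rules:
        tok = line.split()
        if tok[0] != "rule":
            continue                       # skip the 'acl number' header
        if len(tok) == 4:                  # 'rule N permit ip' matches everything
            return tok[2]
        # ipaddress accepts a wildcard (hostmask) in the mask position
        if s in IPv4Network(f"{tok[5]}/{tok[6]}") and d in IPv4Network(f"{tok[8]}/{tok[9]}"):
            return tok[2]
    return "permit"                        # Comware packet-filter default on no match
```

    Each ACL only filters what enters its own VLAN interface, so floor-to-floor traffic in the reverse direction is stopped by the other floor's ACL, and anything bound for a subnet outside the table (such as a management network) is still permitted.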



  • 7.  RE: HP switch 5800, segmentation

    Posted Jul 02, 2015 12:55 PM

    Thanks,

     

    But is ACL blocking the only way to segment my network with a layer 3 switch? 

    Do I have another way? 

     

    However, I understood layer 3 switches can't "stop" routing all packets and VLANs? 

     

    I'm glad for your help. Thank you so much.



  • 8.  RE: HP switch 5800, segmentation

    Posted Jul 02, 2015 10:15 PM

    I guess you could use:

     - Super VLAN

     - Private VLANs

     - VRFs

    to achieve separation between VLAN subnets as an alternative to using ACLs.




  • 9.  RE: HP switch 5800, segmentation

    Posted Jul 06, 2015 08:11 AM

    OK, I will try something. If someone knows how to segment a layer 3 switch by using only VLANs, post the solution here.

     

    Thanks so much Vince !