Comware

Hi there,

Would *greatly* appreciate some help from anyone...

I have three subnets on 2 5406 switches:

192.168.0.0/16 - VLAN1
192.168.105.0/24 - VLAN2
192.168.110.0/24 0 VLAN3

I have a trunk running between the switches, and all the hosts in their respective subnets are quite happy and work fine. IP routing is enabled. I can ACL VLAN2 & VLAN3 to ensure they cannot see each other.

But, and here I seem to be stuck: how do I enable a host on VLAN1 (e.g. 192.168.7.1/16) to communicate with a host/hosts on either of the 2 other VLAN's?? (e.g. 192.168.105.10)

Any pointers will be hugely appreciated. I suppose I could change VLAN 2&3 to also use /24 and then use ACL, but somehow surely there must be a way and I am just missing it?

Thanks in advance!

Eugene

Hi

First of all, Vlan1 subnet includes both Vlan2 and 3 subnet, and its recommended to be each vlan on a different subnet.

Second, by default, when you enable ip routing all vlans can communicate with each other, but after you created the ACLs, maybe you forgot to enable a specific host on vlan 1 or the whole vlan to communicate with vlan 2 or 3.

If you can tell us the exact scenario you are looking for, (like block all inter-vlan traffic except from vlan1 to all other vlans ...), and also attach the config of your ACLs, we can help here to find a solution for this issue.

Good Luck !!!

Thanks so much for the prompt reply! I do appreciate it.

1) I have to admit that I wondered about the /16 vs /24 (which as you explained really contains the other... and is probably not best practice).

2) I tested the /16 <-> /24 with and without acls, I'm pretty sure I have extended ACL figured out.

3) VLAN /24 is the production one, so I don't really want to fiddle with it too much, but I am in a position 2 do one of the following:

a. Change VLAN2/VLAN3 to /16, and just specify ACL (see below)
b. Change VLAN2/VLAN3 to /12, have not tested this, but I feel this won't work (even if I assign another Class C, e.g. 10.10.x.x)? I can still change the hosts' IP's.

4) This is what I need to do:

a.All the hosts in VLAN1 need to see each other, most of them are assigned DHCP *without* gateways, as they use an ISA fw client & proxy. A few hosts in this subnet would need access to hosts in VLAN2 & VLAN3, e.g. 192.168.5.5 might beed to communicate with a host on 192.168.105.10

b. Hosts in VLAN2 and VLAN3 only need to see members of their own VLAN, and (I'm not 100% sure of the requirements at this stage), might need to communicate with one/more hosts in VLAN1.

5) I might add that I am still testing, and so for example I have a host currently in VLAN1 (192.168.16.10/16) that would need to be placed in VLAN2. It might be less of an effort to just keep things the way they are, assign VLAN2 to be (e.g.) 192.168.16.0/16, and just put ACL's to do 4a+4b? What do you think?

6) Once I have this working, I will have 10 more switches (5300's & 2800's) which will also have to route between these VLAN's.

Any suggestions or alternatives welcome!

Tx again

Eugene

Hi

For your requirements:

a.All hosts in Vlan1 can communicate normally with each other without doing anything, and for a specific hosts in Vlan1 to be allowed to access with another host in Vlan2&3, this can be done in the ACL it self.

b.Vlan2 hosts can talk to each other, also VLan3 hosts, but blocking taffic between these 2 Vlans needs an ACL.

Now, if you really need the /16 and you have that much of hosts, then i recommend you to eliminate this overlap between VLan1, and Vlan2&3,
say you need a 1022 hosts in Vlan1, then you take 192.168.0.0/22, and your IPs will be in this range : 192.168.0.1 - 192.168.3.254/22

then Vlan2 if you need 254 host, then take: 192.168.4.0/24 and your IPs will be in this range : 192.168.4.1 - 192.168.4.254/24

Vlan3: 192.168.5.0/24 and your IPs will be in this range : 192.168.5.1 - 192.168.5.254/24

And this will resolve the overlap.

now for the ACLs,
i will assume that you have these IPs for the Vlans, and give you an example of the ACLs required for the Vlans.
192.168.0.0/24 - VLAN1
192.168.105.0/24 - VLAN2
192.168.110.0/24 0 VLAN3
--------------------------------------------
SW5406(config)#ip access-list extended Vlan2
SW5406(config-ext-nacl)#permit ip host (vlan1-host ip) host (Vlan2-host ip) --- here you permit host in Vlan1 to host in Vlan2
SW5406(config-ext-nacl)#deny ip 192.168.110.0/24 --- deny Vlan3
SW5406(config-std-nacl)# permit ip any any --- permit other traffic
SW5406(config)#Vlan2 ip access-group vlan2 in

SW5406(config)#ip access-list extended Vlan3
SW5406(config-ext-nacl)#permit ip host (vlan1-host ip) host (Vlan3-host ip) --- here you permit host in Vlan1 to host in Vlan3
SW5406(config-ext-nacl)#deny ip 192.168.105.0/24 --- deny Vlan2
SW5406(config-std-nacl)# permit ip any any --- permit other traffic
SW5406(config)#Vlan3 ip access-group vlan3 in

SW5406(config)#ip access-list extended Vlan1
SW5406(config-ext-nacl)#deny ip 192.168.105.0/24 --- deny Vlan2
SW5406(config-ext-nacl)#deny ip 192.168.110.0/24 --- deny Vlan3
SW5406(config-std-nacl)# permit ip any any --- permit other traffic
SW5406(config)#Vlan1 ip access-group vlan1 in
--------------------------------------------

Note: you can add more permit for hosts at the top of any ACL (more specific on the top).

For you scenario, i recommend you to:
First decide the IP addressing based on the IPs required.
then decide the traffic policy you want between the Vlans.
After that you use the ACLs to implement this requirements.

Good Luck !!!

Hi,

Tx again, the ACL's were pretty much what I had this side, at least that part works. As I expected the scheme overlap is the main issue. The current setup inherited looks like this, and I cannot really change that too much, which is why I was looking at rather changing stuff on VLAN's 2,3,4,5 etc

Apologies for not making this clear enough at first:

192.168.1.0/16 = servers
192.168.3.0/16 = printers
192.168.4.0/16 -> 5.0/16 = DHCP range1
192.168.6.0/16 -> 7.0/16 = DHCPrange2

(All the above are currently in VLAN1, and should really remain there)

192.168.12.0/16 - Internet Cafe
192.168.13.0/16 - Parking Machines
192.168.14.0/16 - Time Clocks
192.168.15.0/16 - Airconditioners


(These are currently in VLAN1,but I do need now to move them each to their own VLAN. As you can see the bulf of the production network is in VLAN1, and in reality only a very few hosts will be part of the other VLAN's)

The way I see it is that I am pretty screwed with having the /16 subnet, which I inherited at this client. So, the options are:

a) Change the mask on VLAN1 (servers, printers, dhcp options ect) to /24, or maybe better /20 given current layout and then use VLAN2,3,4 etc with another... This still seems as if I need to change too many things?

b) Keep VLAN1 as is, and assign new IP's to each of the new VLAN's. All these units' IP's etc can be pretty easily changed if need be. I had in mind maybe 10.10.x.y/24. I am assuming this will get me out of the overlap dilemma because I am using another address range, am I right?

I do apprciate your assistance!

Hi

I really don't recommend you to go with this /16 setup, and i think you should change it, because you have a Vlan setup, if you don't have Vlans then maybe it will be ok, because each Vlan should be in a different subnet, and now all your Vlans in the same subnet /16.

I can suggest few things:

1-Keep enjoying the /16, and change the network numbers like 168:

Vlan1:
------
192.168.1.0/16 = servers
192.168.3.0/16 = printers
192.168.4.0/16 -> 5.0/16 = DHCP range1
192.168.6.0/16 -> 7.0/16 = DHCP range2

Other Vlans:
------------
192.164.12.0/16 - Internet Cafe - Vlan2
192.165.13.0/16 - Parking Machines - Vlan3
192.166.14.0/16 - Time Clocks - Vlan4
192.167.15.0/16 - Airconditioners - Vlan5

2- As i suggested you, count on a paper how many hosts you need in each network, and give a proper IP Subnet design.
If you started it correctly you won't face problems in the future, and especially you have Vlans, and ACLs and a its pretty big network not a small one.
So if you want something scalable maybe then the /22 is a good choice for you, so your IP ranges may be like:

192.168.1.0/16: 1.1 -> 3.254 = servers
192.168.4.0/25: 4.1 -> 4.126 = printers
192.168.4.0/25: 4.129 -> 4.254 = DHCP range1
192.168.6.0/24: 6.1 -> 6.254 = DHCP range2

192.168.12.0/24: - Internet Cafe
192.168.13.0/24: - Parking Machines
192.168.14.0/24: - Time Clocks
192.168.15.0/24: - Airconditioners

Since you mentioned that units IP's can be easily change, then i recommend you to go for option 1, and in this case you keep Vlan1 as it is, and only change other Vlans subnets.

If you need more help, you can find it here :)

Good Luck with subnetting, the following link maybe be helpful for your work:
http://www.subnet-calculator.com

Good Luck !!!

Hi again...

Well, I am stuck again :-(

1) I tested this to see how it works, and it's a no go. I am obviously doing something wrong. I went with solution:

VLAN1 = 192.168.0.0/16
VLAN2 = 192.160.0.0/16
VLAN3 = Not defined yet

In my test scenario I have 2 switches, with the following:

Switch1:
Host1: 192.168.1.6/16 (has def gw of 1.1/16)
PC: 192.160.100.200/16 (no gateway)
Switch VLAN2 IP=192.160.100.100/16
Switch VLAN1 IP=192.168.20.10/16

Switch2:
PC: 192.160.100.201 (no gateway)
Switch VLAN2 IP=192.160.100.102/16
Switch VLAN1 IP=192.168.20.22/16

* I have the ports for PC1, PC2 and Host1 to be VLAN1 Untagged and VLAN2 Tagged
* I can ping from PC1 <-> PC2 OK
* IP Routing is enabled on both switches.
* Keep in mind that certain hosts in VLAN1 have a def gw of 192.168.1.1, wheras others do not. (Does this make any diff?)

2 Issues:

Issue1:Simply can't get comms from VLAN1 -> VLAN2 working...
a. These are the requirements:
* Host1 in VLAN1 needs access to the whole of VLAN2
* I will add VLAN3 etc, and hosts in VLAN2,3,n should not have any comms to members of other vlans
* I will add VLAN10 later on (let's say it is a wireless AP), and those hosts may need to connect to a proxy server on VLAN1.
* Hosts in VLAN2 will need access to 1x host in VLAN1.

b. My ACL looks as follow (on both switches)
ip access-list ext vlan2
10 permit icmp 192.168.1.6 0.0.0.0 192.160.100.200 0.0.0.0
20 permit icmp 192.168.1.6 0.0.0.0 192.160.100.201 0.0.0.0
30 permit ip 192.168.1.6 0.0.0.0 192.160.100.200 0.0.0.0
40 permit ip 192.168.1.6 0.0.0.0 192.160.100.201 0.0.0.0
50 deny icmp 192.168.0.0/16 192.160.0.0/16 log
60 deny ip 192.168.0.0/16 192.160.0.0/16 log

vlan 2 ip access-group vlan2 in


Issue2: Since 192.160.0.0 is really a public IP range, I suppose I should not be using it. So this is what I had in mind for the final network:

VLAN1 = 192.168.0.1->192.168.15.254 (/20)(I need that amount of hosts, but even a /21 will do)
VLAN2 = 192.168.16.1->192.168.16.254 (/24)
VLAN3 = 192.168.17.1->192.168.17.254 (/24)
VLAN4 = 192.168.18.1->192.168.18.254 (/24)

The rules in Issue1 will still apply.

I realise that I am asking 3 questions really:

* Can I make it work with VLAN2 being /16 on another range? (i.e 160.x)
* If I do remake the IP range of VLAN1 to /21 or /22, will it work?
* Am I missing something in my ACL.. routing...?

Hope this is clear enough? Your help is (again, very much!) appreciated...

Hi Eugene

Great job you have done, i have read your last post and i have some comments and some answers for you.

1- A PC with Gateway knows to go outside its subnet but PC without Gateway

doesn't know.

2- The ACl is wrong for so many reasons, and the most important reason is you are

not allowing both Vlans to talk to each other, because the ACL is not permit this

kind of traffic.

3- Your ACL has another technical issues, and it should be like this (that

doesn't mean the follwing ACL is what you are looking for, but just to explain

whats wrong with it)

ip access-list ext vlan2
10 permit ip 192.168.1.6 0.0.0.0 192.160.100.200 0.0.0.0
20 permit ip 192.168.1.6 0.0.0.0 192.160.100.201 0.0.0.0

Explaination:
-------------
- Its same thing if you permit icmp, then permit ip for the same source and

destination then
- Its a Rule, after a deny and before the end of the ACL there should be a permit

otherwise this deny is useless because the ACL ends with deny any any , so

imagine your ACL with and Without lines 50 - 60 , its the same :)

4- Host 1 gateway is wrong, it should be the Vlan1 IP for Switch1 because its a

Routing Switch, so change the Gateway for Host1 to be 192.168.20.10/16

5- Your Requirements are:
Vlan2 should access only Host1 on Vlan1, and Host1 should access Vlan2.
If this is correct then you should have 1 ACL for Vlan1 to deny Vlan2 to access

Vlan1 except Host1 , and thats it :)

ip access-list extended Vlan1
10 permit ip 192.160.0.0 0.0.255.255 host 192.168.1.6/16
20 deny ip 192.160.0.0 0.0.255.255 any log
30 permit ip any any

vlan 1 ip access-group Vlan1 in

Explaination:
-------------
10 line allow Vlan2 to access host1,
20 deny Vlan2 from accessing Vlan1
30 permit other traffic (like Vlan1 to other Vlans or to internet)

6- Regarding your last questions: Vlan2 can be on the 172.16.0.0/16 or 10.1.0.0/16 or whatever you like, and believe me, make it a professional setup from the beginning at this point.
For /22 or /21 range i do prefer that you take a range gives you enough hosts and keep something for the future, and everything can be modified.
For the ACL, i fixed it up for you,
but if you add more vlans and need to do deal with them like Vlan2, then justy add the similar commands in the same ACL Vlan1.

I hope this info will help you doing your job, and if you need more help, you will find it in this forum :)

Good Luck !!!

Thanks again, was very helpful, but alas I still can't get this right. (Beginning to feel like a real dork!)

This is what I did:

Created a new VLANID=200, ensured that TR1 is tagged for it. Used 2 PC's, one on each switch. I used 172.16.1.x/24 (but tried this with 192.160.x.y/16 as well just to check). I made the default gateways of the 2 PC's the corresponding VLAN IP's on each switch (as above).
Result:
1) The 2 pc's can ping each other fine, so I know the VLAN and tagging should be OK.
2) The 2 switches can ping the VLAN if's on each other fine (172.16.1.100 & 102).
3) What I find odd is that I cannot ping the VLAN if's. (Surely this should be possible?)
4) Also, it is my understanding that because I have IProuting enabled, there should be commms between VLAN1 & VLAN200 automatically? This is not the case. I cannot ping 192.168.x.y/16 from any host on VLAN200, or vice versa. This is whilst I have the VLAn200 hosts with correct gateway, and host in VLAN1 with def gateway of the switch (192.168.20.10). I thought I needed ACL's to restrict access *because* IProuting has already allowed inter-vlan traffic?

I attach the config files, because I am stumped as to why this is happening. Pls help!

Hi

Let me clear something, i've checked the configuration you attached and couldn;t find any ports untagged for PCs in Vlan200.
I assume that you know you should untagg client's ports to corresponding Vlan.

Your configuration other than that is 100% correct, nothing more to do, except you should know that you can't ping Vlan interface unless you have some clients conencted to it, or a switch carries same Vlan traffic.
Anyway the Routing table shows clearly that you have both connected Vlans 1-200 and you should get routing between them.

What i suggest you, after checking untag clients ports in Vlan200, assign static IP address for one client in Vlan200 and Vlan100, and try after that.

What you can do also, since the link you have between both switches tagged to Vlan200 and untagged to Vlan1, you should be able to ping from switch to switch

If not success try to trace your route, and see where it going, then try ping from:

Sw1 - Vlan1 to Sw1 - Vlan1 (PC to PC in Vlan1)
Sw1 - Vlan1 to Sw1 - Vlan200
Sw1 - Vlan1 to Sw2 - Vlan1
Sw1 - Vlan1 to Sw1 - Vlan200

Good Luck !!!

Hi there!

Yip found the problem was the untagging....plus (duh), I was given the wrong ports to work with on the one switch, or rather someone on-site played around with the cables.

I have now tested all OK, as well ACL's (very basic).

Now for the next step, to ensure some hosts on non-VLAN2 can use the ISA server to proxy web requests.

Thanks a stack for your help, I feel much better now things are at least progressing. Will use another post for the routing to proxy if I run into problems.