Comware

Hi all,

Been reading through a few of the docs and responses to some of the problems people are having with setting up VLANs and we've hit a few of our problems now.

Im pretty new to VLANs so all the help in the world would be muchly appreciated.

2x HP 5308XL - Core Switches
10 x HP 2524

Firstly, our main problem is the tagging and untagging of our ports. We want to segment the current network (No VLANs) into 4 VLANs.

The ranges we have for our VLANs are as follows:

VLAN100 = 172.16.0.X/16
VLAN200 = 192.168.0.X/24
VLAN300 = 10.0.0.X/23
VLAN400 = 172.16.0.X/24

Below is the result from the 'show ip' command.

Server Cab - Switch 1(vlan-1)# show ip

Internet (IP) Service

IP Routing : Enabled


Default TTL : 64
Arp Age : 20

VLAN | IP Config IP Address Subnet Mask Proxy ARP
------------ + ---------- --------------- --------------- ---------
DEFAULT_VLAN | Manual 192.168.10.1 255.255.255.0 No
VLAN100 | Manual 172.16.0.22 255.255.0.0 No
VLAN200 | Manual 192.168.0.2 255.255.255.0 No
VLAN300 | Manual 10.0.0.2 255.255.254.0 No
VLAN400 | Manual 172.16.10.1 255.255.255.0 No

Now the problem starts when we start tagging and untagging ports.

Once we tag a port, none of the ports which have been untagged can access/ping any of the devices attached to the tagged ports.

For example...

VLAN100 - We 'tag' ports C1-C5, E1,E2,E4. These are our servers and proxy/gateways which need access from ALL the VLANs. (Is tagging these ports the correct method?)
We then 'untag' ports B1-B23, C1-C24, D1-D17 as these are all of our workstations attached to this switch.

I have enabled IP routing on the switches but still nothing can get through to the tagged devices.

Below is a list of ports which have servers and services connected to them. I have stated which VLAN needs access to each of them so hopefully this will aid the command for tagging/untagging.

C1-C5 needs access from all VLANs.
E1-E4 needs access from all VLANs.
F2 needs access from VLAN 3.

What must all the workstations and servers on VLAN100 have their default gateway set as? The IP of the switch or the Proxy/Gateway?

Help would be massively grateful if someone could walk me though this with commands.

Once again, many thanks. If you need any more information please let me know.
Hopefully someone will be able to help me out.

Thanks. :-)

Hi

I can give you the configuration for the Core and the Edge Swtiches but i need some information :

1- Network Map with ports between swtiches and servers.
2- Do you want to enable Routing on edge? or just o nthe core.
3- Whats the Internet Router IP address.
4- Whats the security policy you want to have ? do you want users to access all vlans ? or just servers ? which vlan can access all other vlans ?

If you can answer these questions and attache a simple network map, i can break out the configuration for you.

Good Luck !!!

Wow, thanks for the fast reply.

1- Network Map with ports between swtiches and servers.

I shall get this attached very shortly. Do you need to know which port is connected to what on every switch?

2- Do you want to enable Routing on edge? or just o nthe core.

Routing on the core switch preferably.

3- Whats the Internet Router IP address.

The internet routers IP address is 172.16.0.254/255.255.0.0.
All Vlans need to access this router.

4- Whats the security policy you want to have ? do you want users to access all vlans ? or just servers ? which vlan can access all other vlans ?

We just want users/workstations to access the servers they have access to. We dont want them to jump VLANs to devices they are not meant to have access to. VLAN4 is the VLAN we want to give access to all VLANs.

Hope this helps.

Hi

1- Yes i need to know whats your design, and for ports, i only need switch-to-switch ports.

2- I'm sorry, i didn't pay attention that you have 2524, this switch doesn;t have ip routing, so routing should be on the core.

3- Ok, so all vlans should access internet.

4- In this case i need to know, in which vlan you want keep the servers, and the IP addresses for them .....

Waiting for the Info ......

Good Luck !!!a

Hi Again :)
I preprared the Configuration for you, and i tried to explain as much to clear the idea.

Before we start, i just want to remind you not forget to assign points to posts you got. :)

Try to be generous man :)

-----------------------------------------------

I have a better desing for you.
Since you want to inclufe Vlan100 in your access policy, so change its IP address to something else,

maybe 10.1.1.x/24 , and then change the IP address of your Default_Vlan on switch1 to the same range of

the Internet Router, (example 172.16.0.250/16).

Then you have the default_vlan for the Routing Switch, and the Main Router, and the Servers in the same

subnet (same Vlan).

Now, configuration part based on the New IP address for Vlan1 and Vlan100, i will break it out for Edge

Swtiches, and Core Switches with explaination then the Internet Router --- the Boss :)

----
Edge
----

1- Create all the 4 vlans:
(config)# vlan 100 ip address 10.1.1.2 255.255.255.0
(config)# vlan 200 ip address 192.168.0.2 255.255.255.0
(config)# vlan 300 ip address 10.0.0.2 255.255.254.0
(config)# vlan 400 ip address 172.16.0.2 255.255.255.0

2- Enable Default Gateway, and it should be the Vlan1 IP Address on the Routing Switch (switch1),

because this edge switch need an external router to do routing between its vlans:
(config)# ip default-gateway 172.16.0.250

3- Untagg all the Ports on this Edge Switch that will connect to workstations, every port with its

corresponding vlan,
(config)# vlan 200 untag 5 ---- this will untage port 5 to be used for PC in vlan 200.

4- Tag the UPLINK port the connect this switch to the core switch 5308 (switch1) with all vlans other

than Vlan1 - the default_vlan, example, if you connect this switch to the core using port 1:
(config)# vlan 100 tag 1
(config)# vlan 200 tag 1
(config)# vlan 300 tag 1
(config)# vlan 400 tag 1

5- Repeat these steps for all edge switches, after changing Vlan ip addresses, like vlan100 we used

here 10.1.1.2 and on the core we will use 10.1.1.1, then use 10.1.1.3 and so on....

6- A PC under Vlan 100 will have IP: 10.1.1.5 255.255.255.0, Gateway is his Vlan 100 IP address on the

Routing Switch or the COre (Switch1) gw: 10.1.1.1

7- A PC under Vlan 200 will have IP: 192.168.0.5 255.255.255.0, Gateway is his Vlan 200 IP address on

the Routing Switch or the COre (Switch1) gw: 192.168.0.1

And so on ....
----------------------------------------------------------------------------------------------------

----
Core
----

1- Create all the 4 vlans:
(config)# vlan 100 ip address 10.1.1.1 255.255.255.0
(config)# vlan 200 ip address 192.168.0.1 255.255.255.0
(config)# vlan 300 ip address 10.0.0.1 255.255.254.0
(config)# vlan 400 ip address 172.16.0.1 255.255.255.0

2- Enable IP Routing between all Vlans.
(Config)# ip routing

3- Enable Route to Internet:
(config)# ip route 0.0.0.0 0.0.0.0 172.16.0.254

4- Tagg the Ports coming from each Edge with all vlans, lets say port C1 is connecting to Edge1, then:
(config)# vlan 100 tag C5
(config)# vlan 200 tag C5
(config)# vlan 300 tag C5
(config)# vlan 400 tag C5

5- Repeat this taggin for all uplink ports that connect each edge switche to the core.

6- Now in this Stage, and if you do the Internet Router configuration section (down), then All the

Vlans can route between each other, and they can access the internet and the Servers as well.

7- Security Access for Severs:
you mentioned before that ports C1-C5 and E1-E4 and F2, are conencted to the Servers and Services, so

Simply don't do anything for these ports, just keep them untagged to the default vlan1 and BE SURE they

have the Same IP address range for Vlan1 and the Internet Router 172.16.0.x/255.255.0.0 , if yo udo

this then all these servers will be accessed from all Vlans.

8- Security Access for Vlans:
Create Access Control List to deny access to VLan100,200,300 and 400 from other Vlans except the

default vlan1 or Internet Traffic:

----VLAN100----

(config)# access-list 1 deny 192.168.0.1 0.0.0.255 --- deny Vlan200
(config)# access-list 1 deny 10.0.0.1 0.0.1.255 --- deny Vlan300
(config)# access-list 1 deny 172.16.0.1 0.0.0.255 --- deny Vlan400
(config)# access-list 1 permit any --- permit other traffic
(Config)# vlan 100 ip access-group 1 in --- apply ACL 1 to Vlan100

----VLAN200----

(config)# access-list 2 deny 10.1.1.1 0.0.0.255 --- deny Vlan100
(config)# access-list 2 deny 10.0.0.1 0.0.1.255 --- deny Vlan300
(config)# access-list 2 deny 172.16.0.1 0.0.0.255 --- deny Vlan400
(config)# access-list 2 permit any --- permit other traffic
(Config)# vlan 200 ip access-group 1 in --- apply ACL 2 to Vlan200

----VLAN300----

(config)# access-list 3 deny 10.1.1.1 0.0.0.255 --- deny Vlan100
(config)# access-list 3 deny 192.168.0.1 0.0.0.255 --- deny Vlan200
(config)# access-list 3 deny 172.16.0.1 0.0.0.255 --- deny Vlan400
(config)# access-list 3 permit any --- permit other traffic
(Config)# vlan 300 ip access-group 1 in --- apply ACL 3 to Vlan300

----VLAN400----

(config)# access-list 4 deny 10.1.1.1 0.0.0.255 --- deny Vlan100
(config)# access-list 4 deny 192.168.0.1 0.0.0.255 --- deny Vlan200
(config)# access-list 4 deny 10.0.0.1 0.0.1.255 --- deny Vlan300
(config)# access-list 4 permit any --- permit other traffic
(Config)# vlan 300 ip access-group 1 in --- apply ACL 4 to Vlan400

9- Now the Core Switch is ready and will deny any Vlan to access to other except the Default_Vlan

----------------------------------------------------------------------------------------------------

---------------
Internet Router
---------------

You have to give every Vlan its way back to the Core from this router, so you have to add 4 static

routes for each vlan on this router, the command is : ip route network mask gateway, now the gateway

for all vlans is the Default_Vlan (vlan1) ip address:

(Config)#ip router 10.1.1.0 255.255.255.0 10.1.1.1
(Config)#ip router 192.168.0.1 255.255.255.0 10.1.1.1
(Config)#ip router 10.0.0.1 255.255.254.0 10.1.1.1
(Config)#ip router 172.16.0.1 255.255.255.0

----------------------------------------------------------------------------------------------------

I hope that was enough information for you to run a proper Setup for your network.

Good Luck !!!

Sorry for this NEWS PAPER :)
i didnn;t expect it will be that long, i attached the configuration for you in a text file.

Don;t forget to assign points.

Good Luck !!!

wow excellent reply Mohieddin.

Thank you!!

Very nice guide... however we would really like to keep VLAN100 with the current configured IP Range/scope. This will help us considerably as our main network has just been setup and configured with 375 PC's.

Would there be any chance of getting your guide adapted a little to suit and i will ensure max points added to your posts.

Once again, thank you very much for you time and help so far... verrrrry helpful!!

Mohieddin, i have just submitted points to your name now.

I am going to try out your configuration tommorrow morning and i shall let you know how it goes.

Thanks very very very much!!

Hi

In order to keep a Management Vlan contains the Main Vlan1 IP addresses and all the Servers plus the Internet Router in ONE Subnet, which will be easier to manage,

So i changed the IP address of the Internet Router from 172.16.0.254/16 to 192.168.10.254 255.255.255.0
If you can;t do that, simply add a secondary IP address for Internet Router :192.168.10.254 255.255.255.0

Be sure to keep the Servers also in the Same Range of 192.168.10.x 255.255.255.0 network.

Check the Attachement, it has the Final Configuration, and Please check after me...

NO One Perfect :)

Good Luck !!!

Damn, this is getting confusing now. :-/ Just checked over those configs u sent...

Ideally we would like ALL servers and services in the 172.16.0.x/16 range. Would this change your config much? Could this remain as VLAN100? Also for VLAN100 to include the Internet Router too.

Is this request possible?

VLAN400 can remain the management VLAN if needs be.

Also, your step 3 in your 2nd config...

3- Enable Route to Internet:
(config)# ip route 0.0.0.0 0.0.0.0 192.168.10.254

Could we change that router IP to be 172.16.0.254

This is the IP of our router/gateway.

Would this work?

Hi

Thanks for you to check after me, SEE no one perfect, ofcourse you should change the command (config)# ip route 0.0.0.0 0.0.0.0 192.168.10.254 to (config)# ip route 0.0.0.0 0.0.0.0 172.16.0.254 -- my Mistake.

Now, for the servers, YES definitely you can keep them with their existing IP Addresses , But in this case the ACL will be more complicated, so what i need from you is:
The IP addresses for every server you want People to access, so i can modify the ACLs and exclude these server to Permit.

Again points is our Thanks :)

Good Luck !!!

Hi Chris

I have changed alot in the Configuration, so delete the old Config. file, and check this one, and follow it stpe by step from from Edge to Core to Internet Router, all the sections changed.

Remember, no one prefect :)

Good Luck !!!

I would try and avoid using the overlapping addresses on VLAN 400:

VLAN100 = 172.16.0.X/16
VLAN400 = 172.16.0.X/24

For VLAN 400 I would use another subnet such as 192.168.1.0/24 instead.

Hi Mohieddin,

Once again, thanks for your time in helping me out on this. Great help so far!!

Anyways... my Server IP's are as follows...

Server1 = 172.16.0.1 - Port E1 - Access needed from VLAN100, VLAN200 and VLAN400

Server2 = 172.16.0.2 - Port E2 - Access needed from VLAN100, VLAN200 and VLAN400

Office/Admin Server = 192.168.0.1 - Port E3 - Access only needed from VLAN200

E-Mail Server = 172.16.0.5 - Port E4 - Access needed from ALL VLANs.

Proxy1 = 172.16.0.253 - Port C1 - Access needed from ALL VLANs.

Proxy2/Internet Gateway = 172.16.0.254 - Port C2 - Access needed from ALL VLANs.

Web Development Server = 172.16.0.9 - Port C3 - Access needed from ALL VLANs.

Multimedia Server = 172.16.0.17 - Port C4 - Access needed from ALL VLANs.

Content Filtering Server = 172.16.0.7 - Port C5 - Access needed from just VLAN100.

WAP Server (DHCP) = 10.0.0.1 - Port D19 - Access from just VLAN300.


All VLANs need internet access too.

Really hope this helps you out more. If you need more info, please let me know and i can supply more.

Again, thansk very much for the time and effort. :-)

Hi

I guess then, i have to rebuild the ACLs from the beginning, but i think the configuration is correct , and since i explained to you how to do it so you better start do the configuration.

I will work on the ACL and will get to you soon, mean while you can test the latests configuration i attached without applying the ACL, leave this untill i update you with latest :)

Good Luck !!!

And i would recommend what Matt already did, to change the IP address of Vlan400 to avoide overlapping.
I noticed most of your servers are in Vlan400, so you think changing is ok with you ???

Inform me so i can build the ACLs

good luck !!!

Will do... thank you very much!

One other little hurdle I have came up with is our access points. The way we wish to set them up is so that VLAN300 is totally seperate from the rest of the network with only access to the "WAP Server (DHCP) = 10.0.0.1 - Port D19" and the Internet Gateway (172.16.0.254 on VLAN100). But the problem is we have 10 laptops which need to join VLAN100 as they use Server1 (on VLAN100)for their DHCP instead of the 'WAP Server' (on VLAN300).

So is there any way of just letting those 10 laptops access VLAN100 and deny the rest of the laptops? MAC Address method or anything like that?

Sorry for confusing matters further... it just seems to get more complex. :-(

Hi Mohieddin,

Most of the servers are all in VLAN100 on the 172.16.0.x/16 range.

Hi

I prepared the new ACLs that fit your requirements, but PLEASE double check them and let us know if you have any problem with them:

----VLAN100----

(config)# access-list 100 permit ip any host 172.16.0.x --- Permit Server1
(config)# access-list 100 permit ip any host 172.16.0.y --- Permit Server2

(config)# access-list 100 deny ip 192.168.0.1 0.0.0.255 any --- deny Vlan200
(config)# access-list 100 deny ip 10.0.0.1 0.0.1.255 any --- deny Vlan300
(config)# access-list 100 deny ip 172.16.0.1 0.0.0.255 any --- deny Vlan400
(config)# access-list 100 permit ip any any --- permit other traffic
(Config)# vlan 100 ip access-group 100 in --- apply ACL 100 to Vlan100

----VLAN200----

(config)# access-list 200 permit ip host 172.16.0.x any --- Permit Server1
(config)# access-list 200 permit ip host 172.16.0.y any --- Permit Server2

(config)# access-list 200 deny ip 172.16.0.21 0.0.255.255 any --- deny Vlan100
(config)# access-list 200 deny ip 10.0.0.1 0.0.1.255 any --- deny Vlan300
(config)# access-list 200 deny ip 172.16.0.1 0.0.0.255 any --- deny Vlan400
(config)# access-list 200 permit ip any any --- permit other traffic
(Config)# vlan 200 ip access-group 200 in --- apply ACL 200 to Vlan200

----VLAN300----

DHCP Server is allowed to Vlan300 since its in the came Vlan, we need to permit only Internet:

(config)# access-list 3 permit 172.16.0.254 --- Permit Internet
(Config)# vlan 300 ip access-group 3 in --- apply ACL 3 to Vlan300

----VLAN400----

(config)# access-list 400 permit ip host 172.16.0.x any --- Permit Server1
(config)# access-list 400 permit ip host 172.16.0.y any --- Permit Server2

(config)# access-list 400 deny ip 172.16.0.21 0.0.255.255 any --- deny Vlan100
(config)# access-list 400 deny ip 192.168.0.1 0.0.0.255 any --- deny Vlan200
(config)# access-list 400 deny ip 10.0.0.1 0.0.1.255 any --- deny Vlan300
(config)# access-list 400 permit ip any --- permit other traffic
(Config)# vlan 400 ip access-group 400 in --- apply ACL 400 to Vlan400
-----------------------------------------

Now for the Laptops, i prefer you reserve an IP address for each on your DHCP server using MAC addresses, and then permit them or deny them from any vlan you want, you just add to each ACL for EACH vlan the permit/deny at the BEGENNING of the ACL.

Example: access-list 3 permit host a.b.c.d
-----------------------------------------

I wish that this information are ufefull for your setup to make it proper, anyway if you have any thing let us know :)

Good Luck !!!

Hi Mohieddin,

Thanks very much for your help so far.
We have managed to configure all of VLANs, however we have hit a problem whilst trying to create the ACL for VLAN200. We get this error...


HP ProCurve Switch 5308xl# config
HP ProCurve Switch 5308xl(config)# access-list 200 permit ip host 172.16.0.1 any

Invalid input: permit
HP ProCurve Switch 5308xl(config)#

Any ideas why it is coming up with this error?

Once again, thank you VERY much for your time... its going very well at the moment.

Points assigned :-)

Hi
I want to apologize for the ACL 200 and 400 , please change the numbers and make it less than 200 like , the ACL 200 make it ACL 102 , and ACL 400 make it ACL 104.

Explaination:

<100-199> ACL numbers to Configure an extended Access Control List.

Good Luck !!!

Mohieddin, we have hit a wave of problems now. :-#(

We cant seem to get our servers or workstations on VLAN200 to communicate with any other VLAN, or gain access to the internet.

Please see attached our ACLs.

The main server on VLAN200 is running DHCP and can communicate fine with our workstations. But this fails when trying to communicate with other VLANS.

The workstations on VLAN200 need to access the following IP's...

172.16.0.1
172.16.0.2
172.16.0.5
172.16.0.12
172.16.0.254 (internet gateway)

Could you please advise.

Many thanks once again... great support from yourself. :)

Hi Chris

I think its now your mistake :)
you missed the last tne the most important line in ACL200 (or now its 102) , which is :

(config)# access-list 102 permit ip any any ,

so now since you can't edit ACL102, just drop it, and past the configuration again in CLI after adding the previous line to the end.

Please let me know you have other problems :)

Good Luck !!!

Hi again

I took another look on the config. of ACL102 and the others also, and i think it has some wrong lines.

Asper what i know from your old posts, i reconfigured the ACLs for you, see the attached file.

Good Luck !!!